TIPS & BEST PRACTICE 23. JAN 2019
How can companies protect themselves and their employees against hacking?
After private data belonging to politicians and public figures was published online in December 2018, we did not have to wait long for new security recommendations at the start of the New Year. It seemed information about secure passwords couldn’t be spread often enough, and you could barely browse anywhere without coming across the tip that confidential emails should be encrypted.
You should take note of this advice for your personal communication, since the security tips in the media are designed to protect individual PC or smartphone users. However, corporations also have to take other things into account and some solutions aimed at private users are completely unsuitable for companies.
Recommendation for company-wide security regulations
It is important for all employees to demonstrate a high level of security awareness. This is particularly effective when it is put into practice across all hierarchy levels and departments of a business. There should not be any privileges in IT security.
Additionally, we recommend that you establish at least the following rules and that you require signatures from all employees demonstrating their compliance as an appendix to their employment contracts. This data then becomes part of personnel records; the more official the process, the more sustainable the effect.
Security policies:
- Passwords used for private accounts may not be used for company accounts.
- Private email accounts may not be used for business email correspondence.
- Employees may not use private cloud services for company data.
- With the exception of the IT department, no one is authorized to create data transfer accounts for the company.
What the company needs to do
“Shadow IT” can only be prevented when company-wide solutions exist for typical communication scenarios. Shadow IT includes company accounts for free cloud services which are registered by individual employees or departments for ease of transferring data. The company’s own IT department remains unaware of these and the firm’s security is compromised.
Security solutions for a secure exchange of emails and data must be chosen so that they are easy to use and create little or no additional effort. These include a central email encryption solution which works automatically in the background without any need for user control, and a secure transfer service for large files which employees can use without any training.
Encryption as standard
Companies’ IT strategies should not aim to encrypt individual sensitive emails. Every email is potentially security-related. It seems to be a little-known fact that the entire unencrypted email traffic of a company can be diverted without being noticed by those affected. Even if an individual email does not seem to be highly sensitive, full email history across a few days or weeks is a rewarding basis from which cyber criminals can draft a highly individual and convincing phishing attack. Encryption should therefore be the standard.
Read more blog posts from this series:
