It's OK to be paranoid about every last detail when it comes to security.
Tighten that cybersecurity belt
When you set up your network's security plan, quite often you have the big picture covered, but sometimes there are minute details that get shelved or forgotten. Here are a few items IT security officers should make sure they have covered.
Your own people are an APT - advanced persistent threat.
The weakest link in the security chain is always the end user. There is always someone who believes they know better or that a policy doesn't apply to them. To the extent that compliance with security policies can be automatically enforced, even for the professionals, it should be.
Have a clear escalation plan when trouble is suspected.
A major retailer had warnings there was trouble with a point of sale system, but the timing of the alerts coincided with critical shopping periods. The staff who were concerned did not have the authority to take the systems offline and investigate, nor could they locate anyone with the authority. A disaster ensued. The problem could have been contained had someone acted when they first suspected trouble. Be sure your staff knows who has the authority to make the hard call at the first sign of trouble, or give them the authority to do so themselves.
Consider building additional fail-safes into your processes.
The military is famous for redundancy when something irreversible is about to be set in motion. Two officers are required to activate a missile launch. If one officer isn’t certain, that officer does not enter their launch codes. Consider adding dual authentication to any updates being made to a critical system. A second “officer” must also authenticate and click on the install button.
Be cautious and control what can be downloaded.
Do not allow employees to install their own software. This can be accomplished by limiting admin rights on laptops, desktops and servers. There are plenty of commercial products out there that do this very well and still allow the machine to run properly in a work environment. Don’t be influenced by the company size or number of employees. The effort you spend helping manage company owned and connected devices is smaller than a breach recovery or the impact of a network infection.
Document and keep track of where any open source is used.
Everyone thinks of a white list, but also have a proper request and vetting process for newly requested software products or applications to be installed. Track the open source components. Many software pieces are partially or fully based on open source code. If you don’t know where those components are, you won’t be able to assess your risk if a vulnerability is discovered later.
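The inventory step above is what makes later risk assessment possible. As an added illustration that is not part of the original article, the Python below builds a component inventory from dependency manifests and answers the question "where do we use an affected version?" for a disclosed issue; the manifest paths, component names, versions and the advisory threshold are all constructed sample data, and versions are assumed to be simple dotted numbers.

```python
import json
import re
from collections import defaultdict

# Constructed sample manifests keyed by the repository path they would live at.
SAMPLE_MANIFESTS = {
    "billing/requirements.txt": "requests==2.25.1\nflask==2.0.3\n# legacy pin\npyyaml==5.3\n",
    "portal/package.json": json.dumps({"dependencies": {"lodash": "4.17.20", "express": "4.18.2"}}),
    "reports/requirements.txt": "pyyaml==5.4.1\nrequests==2.31.0\n",
}

def parse_requirements(text):
    """Yield (name, version) from pinned requirements.txt lines; skip comments and unpinned lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$", line)
        if m:
            yield m.group(1).lower(), m.group(2)

def parse_package_json(text):
    """Yield (name, version) from package.json dependency sections, dropping ^/~ range prefixes."""
    data = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            yield name.lower(), spec.lstrip("^~")

def build_inventory(manifests):
    """Map component -> {version: [manifest paths]} so every use site is recorded."""
    inventory = defaultdict(lambda: defaultdict(list))
    for path, text in manifests.items():
        parser = parse_package_json if path.endswith("package.json") else parse_requirements
        for name, version in parser(text):
            inventory[name][version].append(path)
    return inventory

def version_tuple(version):
    """Turn a dotted numeric version into a comparable tuple (assumes digits and dots only)."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())

def affected_locations(inventory, component, fixed_in):
    """Return manifest paths that use `component` at a version older than the fix."""
    hits = []
    for version, paths in inventory.get(component.lower(), {}).items():
        if version_tuple(version) < version_tuple(fixed_in):
            hits.extend(paths)
    return sorted(hits)

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_MANIFESTS)
    # Constructed advisory: suppose pyyaml releases before 5.4 need attention.
    print(affected_locations(inv, "pyyaml", "5.4"))  # → ['billing/requirements.txt']
```

Running the same inventory against a real source tree is a matter of replacing the sample dictionary with the manifests found on disk; the point is that the lookup is instant once the inventory exists.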
Control how company equipment is used, even when it goes home.
A corporation must control the Web browsing capabilities of its users inside and outside the premises when using company property. Web filters may not be popular with employees, but many compromised sites seem innocent enough. The only way to protect your network is to be strict about Web browsing, no exceptions. If someone wants to view the latest Internet fail they can do it on their own machine.
Lock down browsers on take home computers.
Perhaps 90% of enterprises have Web filters on their corporate networks. Far fewer have client side Web filtering to restrict computer use when a laptop or tablet travels home and is connected to a private network. It’s not popular with employees, but it is your equipment.