Q: We recently brought on a new customer who doesn’t have any security policies in place. What are the best ways to help them set up security policies for their network?
Ransomware and malware attacks are continually on the rise, so it’s important for every organization to implement security policies and procedures to keep their network and their data safe. Businesses of all sizes need to take the time to develop formal, documented IT security policies to govern their operations, and, more importantly, they need to revisit these policies and procedures on a yearly cadence to adjust to changes in their business environment.
Develop a security policy
With today’s sophisticated threat landscape and recent breaches making headlines, most customers understand that they need some sort of security protection, and policies are just a way to enforce the steps they want to take to stay secure. Before you implement any policies or procedures, assess the company for any current security risks. Are there any best practices they need to start following? For example, are employees regularly changing passwords? Do they have any policies around BYOD, system patching, or employee termination procedures? Ask your SMB customer what they’re doing now so you can get a better understanding of what policies need to go into effect to keep the network secure. To help set you up for success, Chris Crellin, the senior director of product management at Barracuda MSP, shared some best practices for developing a security policy with your customers. Here’s his advice:
1. Identify roles and responsibilities
Find out who currently has access to critical data, infrastructure, and applications. Note your findings and then assess whether each person needs the level of access they’ve been granted. To do this, you need to interview key stakeholders and management to fully understand each employee’s role relative to this data.
Once you have a better idea of individuals’ roles in the organization, you can begin to limit or reinstate permission to access sensitive information and assets. Often, companies give users more privileges than they need to perform their job function, which can leave the network or application open to vulnerabilities. Try to limit the number of users who have admin privileges so that you can control who can access and edit sensitive business information. For example, system administrators should have access to things that contractors should not. As an MSP, it is your mission to ensure that there will be no uncertainty about who has access to what.
2. Define data retention parameters
You’ll also need to help your SMB customer implement a document retention policy. These types of policies are especially important in certain regulated industries that require specific retention parameters. Defining a data retention policy is business-critical because there’s an increased risk of data being stolen or compromised when it’s kept beyond those defined dates.
3. Verify robust encryption technology is being utilized
Setting standards for encrypting your customer’s information is another important part of a security policy. You can implement encryption policies like military-grade 256-bit AES (Advanced Encryption Standard) encryption technology to secure customers’ data stored in the cloud and use SSL (Secure Sockets Layer) encryption technology for their data in transit. To make your security policy even stronger, look for a data protection solution that uses private key encryption (PKE) technology.
4. Adhere to compliance regulations
When developing a security policy for your customer, be sure to adhere to their industry’s compliance regulations. Certain industries are more regulated than others, but you should always inform your customers of any pertinent regulations and make sure their security policies address all issues to help them stay compliant. HIPAA, for example, requires all covered entities to encrypt all their storage technologies for data at rest. As their IT service provider, you’ll need to determine what they’re liable for and make sure they comply with all requirements.
By applying these four security measures, you’ll contribute significantly to preventing attacks and protecting your customers’ businesses. Keeping customers safe from sophisticated threats starts with implementing the right policies and procedures. A security policy shouldn’t be the only way your SMB customer defends their network, but it is a step in the right direction. Helping them implement new policies and procedures will also give you the opportunity to introduce robust products and services to further protect your customers from advanced threats.