Online data privacy and security is a particularly important topic when most of us work remotely. There are plenty of traces that we leave behind on the Internet, and we encounter cybercrime daily. We should, therefore, consider how we can protect ourselves against the loss of both personal data and key company information.
First of all, it is worth realizing that an ICT audit is one component of the overall security policy. It is most often carried out to prevent threats that may occur in the future.
Depending on the nature of the IT environment, we can distinguish two types of organizations:
In the former, it is worth carrying out an audit in response to a given change. In some situations, this may even happen more than once a year.
In the latter, where relatively little is changing, a cyclical approach, i.e. conducting an audit once a year, is good practice.
An audit can cover many aspects of infrastructure and cybersecurity. Penetration testing is an active form of searching for vulnerabilities in the network and in IT systems. The search is followed by proving that the identified vulnerabilities actually exist, i.e. that they are not so-called false positives.
Penetration testing consists of several stages.
The first element, and perhaps the most important, is the human factor, i.e. the employee. They should be vigilant in their daily work with data, e-mail messages, and the attachments they receive. They should be careful about which links they click on and where those links lead. User training and education, like testing and auditing of the infrastructure itself, should be cyclical. Users should be reminded to handle their data properly.
Another element is DLP (Data Loss Prevention) systems. Their task is to prevent data leaks, including leaks of sensitive data. A DLP system should analyze whether what a given employee wants to send contains confidential information. It should determine whether or not the transfer is legitimate and, if not, inform the security department that a breach is taking place.
The last aspect that should help with data protection is a whole set of good practices related to network configuration, filtering, and enabling the relevant application-layer mechanisms.
Wireless networks in the 802.11 standards, like the Wi-Fi you mentioned, are in fact relatively easy to penetrate due to their nature, i.e. they operate on freely available frequencies. These are not licensed frequencies, so any potential attacker or user who has a device with a Wi-Fi interface is able to check, for example, whether there are networks available in their vicinity.
We achieve security today through the use of 802.1X mechanisms, which allow users to be admitted to the network in a granular manner. This involves authentication by entering a login and domain password, or by presenting a user or machine certificate issued by the organization itself, which makes a given computer and user a trusted party for the network.
Secondly, a Wi-Fi network should rely on a central identity source, e.g. an Active Directory database, which can not only confirm the user's identity but also verify their permissions. Such a set of permissions may be assigned to a specific user or to the functional group they belong to, e.g. employees of the R&D department will have access to different systems than employees of the finance department.
The convenience of this approach lies in the fact that after the first connection to the network, a given end user's computer remembers the network and always uses the same login and password, or the user's certificate, in the background. The user does not have to enter a login and password or select a certificate each time they come to work and connect to the network. This happens transparently.
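As an added illustration (not from the article), the following wpa_supplicant configuration contrasts a shared-password network with an 802.1X / EAP-TLS network of the kind described above, in which the client presents a certificate issued by the organization and the authentication server must prove its own identity in return. The SSIDs, file paths, user identity and RADIUS server name are assumed placeholders.

```conf
# Constructed example for wpa_supplicant.conf; names, paths and the
# server domain are placeholders, not values from any real deployment.

# Weak setting: one pre-shared key known to everyone on the network.
# Nothing ties a connection to a specific user or machine, and anyone
# who has ever learned the key keeps access until it is rotated.
network={
    ssid="CORP-LEGACY"
    key_mgmt=WPA-PSK
    psk="shared-office-password"
}

# Corrected setting: 802.1X with EAP-TLS. The client authenticates with
# a certificate issued by the corporate CA, and the RADIUS server (backed
# by the central identity source) must present a certificate chaining to
# that same CA with the expected name.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    # Require management frame protection (802.11w).
    ieee80211w=2
    eap=TLS
    # Assumed user identity; mirrors the account in the directory.
    identity="jdoe@corp.example"
    # Server validation: without ca_cert and domain_suffix_match the
    # client would accept any server certificate during EAP-TLS.
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    # User (or machine) certificate and key issued by the corporate CA.
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
    private_key_passwd="KEY-PASSPHRASE-PLACEHOLDER"
}
```

The server-validation lines matter as much as the client certificate: a client that omits them cannot distinguish the corporate RADIUS server from an impostor, so they should be part of any centrally managed Wi-Fi profile.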
It is worth asking yourself a question at the very beginning: what do we want to secure? Different companies have different requirements. Some companies operate in the e-commerce segment, others run production processes, and so the focus of security may lie in a different place in each organization. However, if we are talking about the mechanisms and technologies that are worth choosing when securing the infrastructure, we must think about the access security we already mentioned.
Above all, we should constantly educate and remind users not to write passwords down and stick them on their desks or computers. Educational campaigns among the employees of a given company are very important. And if we are talking about the Internet and computer users in general, we should always be aware of where our data may go, who can obtain it, and for what purposes.
Any excessive publication of your actions, private data, activities, and photos should be minimized if we also want to avoid the risk of private data leaking. The media say more and more often that sharing your activities and vacation plans on social media such as Facebook, LinkedIn, and Instagram is information that can be easily used.
It is also important not to send sensitive data such as Personal Identification Numbers (PIN), ID card numbers, and address data in open forums and in chat rooms with consultants. It is worth verifying the information that consultants are trying to obtain from us, for example at a bank. There has been a long discussion about the fact that the bank verifies us by making a phone call. The question arises of how we can tell that the person calling and claiming to be a bank employee actually is one. This discussion will probably go on for a long time. If I can make a suggestion, we should simply use common sense.