Best Cybersecurity Practices
I knew almost nothing about cybersecurity when I finished university twelve years ago. However, I started working at Ariadnex, where I have worked on many projects since then. I have installed many security systems such as firewalls, IPS, antivirus, vulnerability scanners, antispam, etc. In addition, Ariadnex was certified in ISO 27001 and ISO 20000, and I worked on that certification. Therefore, I have spent the last few days working on a talk for the FAROTIC project, where a training on best cybersecurity practices has been carried out.
When I have to speak about best cybersecurity practices, I always like to talk about ISO 27001, because this international standard contains 114 security controls, which are really interesting. The first group covers information security policies. It’s really important; however, most companies don’t have any security policy. Organization of information security is another group which should be taken into account. For instance, companies should enforce segregation of duties to reduce the opportunities for unauthorised modification.
When we speak about best cybersecurity practices, human resource security is also a best practice, because companies should ensure that all employees are qualified for the job and that they understand their roles and responsibilities. Asset management and access control are also two best practices, but I think both are increasingly well known by most companies. Most of us have an asset inventory, and users have the minimum privileges.
Encryption is well known by most employees. They know it is a requirement for sending and receiving information over the net, but they forget to store their passwords securely with a password manager. Physical and environmental security is also well known by most companies. We are used to seeing guards at the doors and locked rooms. However, operations security is very important, and there are still companies that forget to schedule backups.
I don’t understand how there are companies that don’t have any VLANs on their network. There is no communications security. There are also lots of companies without a policy for system acquisition, development and maintenance. However, this is usual for companies that have almost no security controls. What’s more, supplier relationships is another group of security controls that few companies take into account.
All of these are some of the groups of security controls, to which we should also add incident management, business continuity and compliance, that companies should take into account for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Maybe 114 security controls seem too many, but it’s important to start small and, above all, to start.
Regards my friends! What kind of best cybersecurity practices are you applying?