A beginner's guide to business IT security
This beginner's guide explains the most critical security levers that should be addressed for your business to be compliant and safe.
IT security is critical to any organization, especially for companies with a remote or hybrid culture that relies heavily on SaaS solutions.
Business IT security balances cost, convenience, and protection. Many businesses avoid or delay implementing strong security, and while they often get away with it because data breaches are rare, security by obscurity is a faulty tactic.
For companies that are new to IT security, this beginner's guide explains the most critical security levers that should be addressed for your business to be compliant and safe.
Email security
For most organizations, email is the easiest way for employees to connect and the most vulnerable entrance to the company’s networks and data.
Is Gmail or Outlook more secure?
The two leading business email and productivity providers both provide world-class security. However, once you’ve selected one of these top providers, you still have some work to do to ensure secure usage.
The first step is to enforce strong, non-reused, changing passwords.
The second, more important step is to enable and implement multi-factor authentication.
How to implement secure passwords
Email-and-password authentication is ubiquitous. However, it is prone to many security issues.
Passwords are often weak, guessable from widely shared password lists, re-used by users, and susceptible to phishing attacks.
For your organization, you can implement some basic password policies to help reduce risk. Consider a secure password manager like Dashlane, 1Password, or LastPass.
These tools provide safe browser extensions that auto-fill passwords, and they offer team functionality for secure password sharing. If you already have a password manager and are interested in moving, see our guide on how to migrate from LastPass to 1Password.
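To make the three password rules above (strong, not re-used, changed on a schedule) concrete, here is an added example of a small policy checker. It is not code from the original article or from any of the password managers named; the length limit, history depth, rotation interval and the tiny breached-password set are all constructed values chosen for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

MIN_LENGTH = 12       # assumed policy value
HISTORY_DEPTH = 5     # assumed: the last five passwords may not be re-used
MAX_AGE_DAYS = 180    # assumed rotation interval

# Constructed sample of a breached-password list. A real deployment checks
# against a large corpus (for example HIBP's Pwned Passwords) instead.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; this is what gets stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def check_password(candidate: str, salt: bytes, history: list) -> list:
    """Return the policy rules the candidate violates (an empty list means it passes).

    `history` holds the user's previous password hashes, oldest first, all
    computed with the same per-user salt so they can be compared directly.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED:
        problems.append("appears in a breached-password list")
    digest = hash_password(candidate, salt)
    # Constant-time comparison against the most recent HISTORY_DEPTH hashes
    if any(hmac.compare_digest(digest, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def needs_rotation(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is older than MAX_AGE_DAYS (dates as YYYY-MM-DD)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def rotate_password(candidate: str, salt: bytes, history: list) -> list:
    """Apply the policy; on success return the history with the new hash appended."""
    problems = check_password(candidate, salt, history)
    if problems:
        raise ValueError("; ".join(problems))
    return history + [hash_password(candidate, salt)]


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    history = rotate_password("Correct-Horse-Battery-1", salt, [])
    print(check_password("password", salt, history))
    print(check_password("Correct-Horse-Battery-1", salt, history))
    print(needs_rotation("2023-01-01", "2023-12-31"))
```

The check runs on the server at password-change time, so a password manager on the client side still generates the value; the policy only refuses values that a manager would never produce anyway (short, breached or recycled ones).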
Employing multi-factor authentication
Using only email and password to log into an account is a poor business security practice. Instead, consider multi-factor authentication (MFA) for all software that contains sensitive information and important customer data.
Most top products support multi-factor authentication. Tools like Okta, 1Password and LastPass have integrated support, and there are many additional free tools like Authy and Google’s Authenticator app.
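The authenticator apps mentioned above generate time-based one-time passwords (TOTP, RFC 6238) from a shared secret, so the second factor never travels over the network. The following is an added example of both sides of that scheme (the code generator and the server-side verifier); it is not code from the original article or from any of the products named. The secret is the published test key from the RFC's test vectors, and the drift window and replay tracking are my own assumptions about how a verifier would be configured.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test key, used here only so the vectors can be checked.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, last_used=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the accepted counter, or None on failure.

    `window` allows one step of clock drift either way (an assumed tolerance);
    `last_used` is the counter of the last accepted code so a captured code
    cannot be replayed within the window. The caller stores the returned value.
    """
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_used is not None and candidate <= last_used:
            continue                              # already consumed: reject replay
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, which is what an enrolment QR code carries."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    print("current code:", totp(RFC_TEST_SECRET, time.time()))
    print("enrolment secret:", provisioning_secret(RFC_TEST_SECRET))
```

Because the code depends only on the secret and the current time, a phished password alone is not enough to log in; the attacker would also need a valid code within its 30-second window, and the `last_used` check stops a code that was captured from being submitted a second time.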
Employee onboarding and offboarding security
Efficient employee onboarding is vital for any organization.
In the desire for haste and ease of use, many services are set up and shared ad-hoc during onboarding.
Additionally, many companies share single accounts with shared passwords that are easy to remember – and easy to guess.
However, having an ill-defined off-boarding process is worse, leaving former employees with access to critical applications, information, and services.
Compromised onboarding and offboarding are critical business security risks.
One way to deal with this is to have a strictly defined onboarding and off-boarding checklist. An even better way to manage it is a unified identity and authentication management system.
Unified identity and authentication management
Implement simple business security measures with a unified identity and authentication management platform.
In the old days of IT, Windows Active Directory typically handled all software access. This legacy service created users, groups, and permissions. It granted easy and tightly controlled access behind the firewall on the company’s physical network and on-premises servers.
This controlled environment is no longer feasible with SaaS services, roaming laptops, and remote-first culture.
To help solve this issue, vendors offer cloud-based identity and authentication management.
Two of the leading identity and authentication management platforms are OneLogin and Okta. These solutions provide unified user and identity management through cloud platforms.
With these services, you can centrally set and enforce your business IT security policies. For instance, you can require all users in a given department to use multi-factor authentication for every login.
These platforms let you centrally view and manage which cloud-based applications employees use. They also offer employees a single place to access their company apps, and you can securely share authentication to shared services without sharing insecure passwords.
Unified identity and authentication management solutions also create a centralized place to efficiently onboard new employees and remove access from terminated employees. For more information on Okta, check out our guide to Okta's pricing and plans.
Hardware security and management
With employees no longer tethered to a desktop computer in an office, the risk of losing a company-owned device is significant.
The most important and easiest way to protect devices is to require password protection. This requirement is hard to enforce when the company does not own the devices but should be encouraged if not required.
The second step that will help further protect devices is to turn on device encryption, which will protect the information on the drives even if accessed directly.
Since iOS 8, Apple iPhones are encrypted by default. They also include a hardware failsafe on models after the 5S. Android phones and Mac and Windows computers can have encryption turned on.
With any hard drive encryption, you can choose to have a backup key stored with your provider. This gives you a failsafe in case you forget your password, but can also allow you to access employee data as needed.
You can also manage your remote employee hardware with a mobile device management tool, like Jamf Pro, Kandji, or JumpCloud.
Anti-virus, malware, and threat management solutions
In general, and especially on Windows machines, computers with sensitive information should include anti-virus and anti-malware software. Some of the leading solutions include CrowdStrike, Symantec and Norton.
Public Wi-Fi, proxy servers, and VPN
Employees using the web on public Wi-Fi can leave your company data exposed. Malware on another computer within an insecure public-access network can snoop on unencrypted traffic.
A simple way to eliminate this exposure is for employees to use a VPN to encrypt all traffic every time they’re on public Wi-Fi. Our recommended VPN is SurfEasy, backed by Opera.
Ongoing security monitoring, management, and responses
These recommendations are just a start. Business IT security is a continuing process that requires dedicated management and commitment from the entire organization, especially senior leadership.
A great way to continue building on security is by implementing a framework for the whole organization to manage and respond to security risks. Leading security models include SOC 2, NIST Cybersecurity Framework, and ISO 27001/27002.
How Vendr can help with SaaS security
Software is bought under the radar because it tends to be faster. With Vendr, you can buy SaaS fast AND compliantly while assessing purchases and risks from one platform.
Vendr can help your company with security and compliance management. Support your compliance program with a system of record for all your SaaS applications that always stays updated with the relevant compliance standards: SOC 2, GDPR, ISO 27001, and more.
Mistakes happen when people scramble. Move from reactive to proactive with better predictability and a centralized SaaS management platform.
Learn more about how Vendr helps you buy SaaS faster without sacrificing security.