Security Best Practices

Develop Security Strategies & Policies

Building a home is best achieved when following a blueprint. The written security policy of the organization serves as the organization’s blueprint for compliance and governance. When IT develops policy in a vacuum, enforcing that policy will be challenging. You should facilitate policy discussions amongst the various stakeholders. Using a template such as that defined by NIST (below) will improve the process.

  • Develop and Publish Baseline IT Security Policies.
  • Use executive and HR sponsors to get support for the policy. If you need their input, keep the questions you ask them short and simple.
  • Update existing policies for new technology and risk. Very few organizations have updated their security policies for SaaS or PaaS, even though these services increase the risk of loss.
  • Ensure employees are aware. Make review of the appropriate use policy, MDM, and password strength a part of new employee on-boarding material, and in your security awareness campaign.


Classify & Protect Data

A common void in information security is a business-driven definition of the data within the organization and how it should be handled. That definition is the foundation for many downstream decisions (e.g. who should have access, the retention period, what happens if the data is compromised), yet it is very rare for an organization to classify its data. Policies can be a great driver for getting the Data Classification process going.

  • Start with a Records Retention Policy and by defining data types.
  • Agree upon the language the organization will use for defining the data (e.g. restricted, private, public). While Data Loss Prevention tools like Azure Information Protection ship with additional default label definitions, they can be changed to match.
  • Determine data owners (“stewards”) and ideally make them the “ambassadors” for that department/document.
  • Get Leadership Support.
  • Set a timer on when a document or content type should be revisited, so as to change its classification as needed.


Changing the Culture

The C-Suite will understand the need for security initiatives due to compliance regulations and news about breaches, but it is rare for line workers to share that sense of responsibility. It is important to find the right blend of training and communications to get employees to understand their pivotal role. Mastering the softer side of security, the human, can be a struggle.

  • Create a plan, with preplanned messages about relevant topics.
  • Think like a marketer. The goal is to get engagement. Think about your brand and how the organization views IT. If you’re seen as the department of “No,” and you then make your program playful and humorous, it’ll be so far from expected culture that it’ll get more attention.
  • Make your messages timely, with lessons people can relate to their personal lives.
  • Be consistent. For instance, do lunch and learns at the same time each quarter (or month), and for the same length of time.
  • Mature programs are run by small teams of at least 1.9 employees, and have taken several years to make it through the phases defined by SANS (to the right).

Our Focus: Strategy (Identify), Policy (Protect), Awareness (Detect), Response (Respond), Compliance (Discover)

"Enabling really came in and spent time trying to understand what we had done well already and where the gaps were. They then walked through the process of how their managed service solution, PhishHunter, was going to be able to solve the problem for us."

Michael Gross, CIO at Cascade Environmental



Introductory Meeting

  • Your team meets with our engineers and project managers.
  • Discuss your current security strategies.
  • Discover current vulnerabilities.
  • Walk us through how you would like to see your employees take action.

Technical Review

  • Our engineers assess your current security tools.
  • We look at your infrastructure to see if it is ready for specific security transformations.
  • We discover how your team works together. Are they mobile? Do they work from home? What tools are they using?

Planning and Design

  • Our team provides recommendations based on insights we have gathered from your organization.
  • Work collaboratively to write and edit your IT security policies.
  • Develop a strategy to balance both productivity and security for all departments.
  • Create an incident response plan.

Implementation

Project Deployment

  • You are provided with a dedicated engineer from our team.
  • They follow our plan.
  • They track milestones and deadlines based on our deployment details.

Support

Managed Services

  • The solution is verified through a formal testing process by your dedicated engineer.
  • Training is provided to both administrators and end users to ensure adoption of new technologies as well as new security policies.
  • Our engineers work with you to ensure ongoing satisfaction with any applications or tools implemented.

Customer Security Journey


Company Profile

Industry: Education

Global Headquarters:  Deland, FL

Students: 63,000+

Employees: 3,700+

"We enabled PhishHunter at exactly the right time. Otherwise, we were going to have a potential catastrophe on our hands."

Alex Kennedy, Director of Infrastructure & Technical Services at Volusia County Schools

Volusia County Schools

A common scenario we encounter is a customer that has invested in securing their on-premises data and devices. As they move to the cloud they come to us for security guidance. After partnering with us, Volusia County Schools is using Microsoft Cloud App Security and Advanced Threat Protection to mitigate attempted attacks. Assisted by Enabling Technologies, Volusia is seeing immediate results of the customized PhishHunter configurations.


The Results

Labor per phishing incident: 7 hours before, 1 hour after.

Before

Four teams were involved in each phishing incident, totaling ~7 hours of labor.

After

One person alerts the user and helps reset their password, totaling just 1 hour. "Overall, by solving the phishing issue, the IT team members involved have ~15% of their time back," said Alex Kennedy.


Time to remediate a compromise: 24 hours before, 7 minutes after.

Before

"It would take up to 24 hours to remediate. In that time, the phish would be replicated around the organization."

After

"Within 7 minutes of a compromise, the account is automatically disabled. No human could detect or respond that fast."
