Security Best Practices

Develop Security Strategies & Policies

Building a home is best achieved when following a blueprint. The written security policy of the organization serves as the organization’s blueprint for compliance and governance. When IT develops policy in a vacuum, enforcing that policy will be challenging. You should facilitate policy discussions amongst the various stakeholders. Using a template such as that defined by NIST (below) will improve the process.

  • Develop and Publish Baseline IT Security Policies.
  • Use executive and HR sponsors to get support for the policy. If you need their input, keep the questions you ask them short and simple.
  • Update existing policies for new technology and risk. Very few organizations have updated their security policies for SaaS or PaaS, even though these services increase the risk of loss.
  • Ensure employees are aware. Make review of the appropriate use policy, MDM, and password strength a part of new-employee onboarding material and of your security awareness campaign.

Classify & Protect Data

A common gap in information security is the absence of a business-driven definition of the data within the organization and how it should be handled. That definition is the foundation for so many downstream decisions (e.g. who should have access, the retention rate, what happens if the data is compromised), yet it’s very rare that an organization classifies its data. Policies can be a great driver for getting the Data Classification process going.

  • Start with a Records Retention Policy and by defining data types.
  • Agree upon the language the organization will use for defining the data (e.g. restricted, private, public). While Data Loss Prevention tools like Azure Information Protection have additional default definitions, they can be changed to match.
  • Determine data owners (“stewards”) and ideally make them the “ambassadors” for that department/document.
  • Get Leadership Support.
  • Set a timer on when a document or content type should be revisited, so as to change its classification as needed.

Changing the Culture

The C-Suite will understand the need for security initiatives due to compliance regulations and news about breaches. But it’s rare when line workers share that sense of responsibility. It’s important to find the right blend of training and communications to get employees to understand their pivotal role. It can be a struggle to master the softer side of security: the human.

  • Create a plan, with preplanned messages about relevant topics.
  • Think like a marketer. The goal is to get engagement. Think about your brand and how the organization views IT. If you’re seen as the department of “No,” and you then make your program playful and humorous, it’ll be so far from the expected culture that it’ll get more attention.
  • Make your messages timely, with lessons people can relate to their personal lives.
  • Be consistent. For instance, do lunch and learns at the same time each quarter (or month), and for the same length of time.
  • Mature programs are run by small teams of at least 1.9 employees, and have taken several years to make it through the phases defined by SANS (to the right).

Our Focus

  • Strategy
  • Policy
  • Awareness
  • Response
  • Compliance


"Enabling really came in and spent time trying to understand what we had done well already and where the gaps were. They then walked through the process of how their managed service solution, PhishHunter, was going to be able to solve the problem for us."


John Michael Gross CIO at the Cascade Environmental


Introductory Meeting

  • Your team meets with our engineers and project managers. 
  • Discuss your current security strategies. 
  • Discover current vulnerabilities.
  • Walk us through how you would like to see your employees take action.

Technical Review

  • Our engineers assess your current security tools.   
  • We look at your infrastructure to see if it’s ready for specific security transformations. 
  • We discover how your team works together. Are they mobile? Do they work from home? What tools are they using? 

Planning and Design

  • Our team provides recommendations based on insights we’ve gathered from your organization.  
  • Work collaboratively to write and edit your IT security policies. 
  • Develop a strategy to balance both productivity and security for all departments. 
  • Create an incident response plan.

Project Deployment

  • You’re provided with a dedicated engineer from our team. 
  • They follow our plan. 
  • They track milestones and deadlines based on our deployment details.

Managed Services

  • The solution is verified through a formal testing process by your dedicated engineer.  
  • Training is provided to both administrators and end-users to ensure adoption of new technologies as well as new security policies. 
  • Our engineers work with you to ensure ongoing satisfaction with any applications or tools implemented.

Customer Security Journey


Company Profile

Industry: Education

Global Headquarters:  Deland, FL

Students: 63,000+

Employees: 3,700+

“We enabled PhishHunter at exactly the right time. Otherwise, we were going to have a potential catastrophe on our hands.”

Alex Kennedy Director of Infrastructure & Technical Services at Volusia County Schools

Volusia County Schools

A common scenario we encounter is a customer that has invested in securing their on-premises data and devices. As they move to the cloud, they come to us for security guidance. After partnering with us, Volusia County Schools is using Microsoft Cloud App Security and Advanced Threat Protection to mitigate attempted attacks. Assisted by Enabling Technologies, Volusia is seeing immediate results of the customized PhishHunter configurations.


The Results

  • 7 Hours: Four teams were involved in each phishing incident, totaling ~7 hours of labor.
  • 1 Hour: One person alerts the user and helps reset their password, totaling just 1 hour. “Overall, by solving the phishing issue, the IT team members involved have ~15% of their time back,” said Alex Kennedy.
  • 24 Hours: “It would take up to 24 hours to remediate. In that time, the phish would be replicated around the organization.”
  • 7 Minutes: “Within 7 minutes of a compromise, the account is automatically disabled. No human could detect or respond that fast.”

