Table of Contents

    Security Best Practices

    Develop Security Strategies & Policies

    Building a home is best achieved when following a blueprint. The written security policy of the organization serves as the organization’s blueprint for compliance and governance. When IT develops policy in a vacuum, enforcing that policy will be challenging. You should facilitate policy discussions amongst the various stakeholders. Using a template such as that defined by NIST (below) will improve the process.

    • Develop and Publish Baseline IT Security Policies.
    • Use executive and HR sponsors to get support for the policy. If you need their input, keep the questions you ask them short and simple.
    • Update existing policies for new technology and risk. Very few organizations have updated their security policies for SaaS or PaaS, even though these services increase the risk of loss.
    • Ensure employees are aware. Make review of the appropriate use policy, MDM, and password strength a part of new employee on-boarding material, and in your security awareness campaign.


    Classify & Protect Data

    A common void in information security is a definition, driven by the business, of the data
    within the organization and how it should be handled. Doing so is the foundation for
    so many downstream decisions (i.e. who should have access, the retention rate, what
    happens if the data is compromised), yet it’s very rare that an organization classifies its
    data. Policies can be a great driver for getting the Data Classification process going.

    • Start with a Records Retention Policy and by defining data types.
    • Agree upon the language the organization will use for defining the data (i.e. restricted, private, public). While Data Loss Prevention tools like Azure Information Protection have additional default definitions, they can be changed to match.
    • Determine data owners (“stewards”) and ideally make them the “ambassadors” for that department/document.
    • Get Leadership Support.
    • Set a timer on when a document or content type should be revisited, so as to change its classification as needed.


    Changing the Culture

    The C-Suite will understand the need for security initiatives due to compliance regulations and news about breaches. But it’s rare when line workers share that sense of responsibility. It’s important to find the right blend of training and communications to get employees to understand their pivotal role. It can be a struggle to master the softer side of security: the human.

    • Create a plan, with preplanned messages about relevant topics.
    • Think like a marketer. The goal is to get engagement. Think about your brand and how the organization views IT. If you’re seen as the department of “No,” and you then make your program playful and humorous, it’ll be so far from expected culture that it’ll get more attention.
    • Make your messages timely, with lessons people can relate to their personal lives.
      Be consistent. For instance, do lunch and learns at the same time each quarter (or month), and for the same length of time.
    • Mature programs are run by small teams of at least 1.9 employees, and have taken several years to make it through the phases defined by SANS (to the right).

    Schedule a Free Security Workshop

     

    Our Focus

    Our Focus Strategy

    Identify

    Our Focus Policy

    Protect

    Our Focus Awareness

    Detect

    Our Focus Response

    Respond

    Our Focus Compliance

    Discover

    "Enabling really came in and spent time trying to understand what we had done well already and where the gaps were. They then walked through the process of how their managed service solution, PhishHunter, was going to be able to solve the problem for us."

    John-Michael-Gross-Cascade-Environmental-square

    John Michael Gross CIO at the Cascade Environmental

    Process72_Introduction

    Introductory Meeting

    • Your team meets with our engineers and project managers. 
    • Discuss your current security strategies. 
    • Discover current vulnerabilities 
    • Walk us through how you would like to see your employees take-action.
    Process72_Technical Review

    Technical Review

    • Our engineers assess your current security tools.   
    • We look at your infrastructure to see if it’s ready for specific security transformations. 
    • We discover how your team works together. Are they mobile? Do they work from home? What tools are they using? 
    Process72_Planning and Design

    Planning and Design

    • Our team provides recommendations based on insights we’ve gathered from your organization.  
    • Work collaboratively to write and edit your IT security policies. 
    • Develop a strategy to balance both productivity and security for all departments. 
    • Create an incident response plan.
    Implementation

    Project Deployment

    • You’re provided with a dedicated engineer from our team. 
    • They follow our plan. 
    • They track milestones and deadlines based on our deployment details.
    Support

    Managed Services

    • The solution is verified through a formal testing process by your dedicated engineer.  
    • Training is provided to both administrators and end-users to ensure adoption of new technologies as well as new security policies. 
    • Our engineers work with you to ensure on-going satisfaction with any applications or tools implemented. 

    Customer Security Journey

    Volusia-2
    EnablingBlue72-01

    Company Profile

    Industry: Education

    Global Headquarters:  Deland, FL

    Students: 63,000+

    Employees: 3,700+

    Security Tools Implemented

    PhishHunter

    Advance Threat Protection

    Cloud App Security

    Azure Active Directory

    O365 Intune

    We enabled PhishHunter at exactly the right time. Otherwise, we were going to have a potential catastrophe on our hands.
    Alex Kennedy

    Alex Kennedy Director of Infrastructure & Technical Services at Volusia County Schools

    Volusia County Schools

    A common scenario we encounter is a customer that has invested in securing their on-premises data and devices. As they move to the cloud they come to us for security guidance. After partnering with us, Volusia County Schools is using Microsoft Cloud App Security and Advanced Threat Protection to mitigate attempted attacks. Assisted by Enabling Technologies, Volusia is seeing immediate results of the customized PhishHunter configurations.

     

    The Results

    7 Hours
    1 Hour

    Before

    Four teams were involved in each phishing incident, totaling ~7 hours of labor.

    After

    One person alerts the user and helps reset their password, totaling just 1 hour.  “Overall, by solving the phishing issue, the IT team members involved have ~15% of their time back” said Alex Kennedy.

    24 Hours
    7 Minutes

    Before

    “It would take up to 24 hours to remediate.” In that time, the phish would be replicated around the organization.”

    After

    “Within 7 minutes of a compromise, the account is automatically disabled. No human could detect or respond that fast."

    Resources

    October 10, 2022

    Compliance As Security Technology

    One of my favorite security analogies is that enterprise information security is like an onion. Each layer of the onion represents a different control that secures the data at the center. Common...

    October 10, 2022

    New Microsoft Defender security tools: MDEASM and MDTI

    Cybersecurity is ever-changing. New attacks and techniques are practically created every day. Organizations are getting more complex with multi-cloud environments. Data is exponentially growing. And...

    For our latest tools to help you stay up to date, click the button below to visit our tools page.

    More Tools and Resources

    Start Your Journey to a More Secure Environment

    ref:_00D80KtFf._5000y1WwWQD:ref