Be Prepared For Anything
13 Best Practices for Information Security
1. What Is Information Risk Management?
Three Areas Your Information Security Strategies Should Cover
Threats: Incidents or events that could compromise the security of your network, including natural threats, intentional threats and unintentional threats
Vulnerabilities: Weaknesses in your systems — whether physical or digital — that leave your company open to damage
Risk: The potential for damage you face when threats find vulnerabilities, including financial loss, operations disruption, reputational damage and more
Did You Know?
According to the FBI’s Internet Crime Report, over $3.5 billion was lost to cybercrime in 2019.
2. Performing an IT Risk Assessment
Unfortunately, compliance does not equal security. Cybersecurity threats are evolving as quickly as the technology itself and regulatory bodies are simply not agile enough to keep up with new threats.
So how do you determine what risks your organization is facing? Performing an IT risk assessment can help you get a clear picture of threats, vulnerabilities and risks in four easy steps.
Catalog Assets
Identify Threats and Vulnerabilities
Assess Impacts
Prioritize Risks
Did You Know?
Businesses that make information security a part of regular operations are 4.3 times better at preventing cybersecurity incidents.
The full version of “13 Best Practices for Information Security” is available to download here.
3. Remote Work Cybersecurity Risks
Unsecured Networks: Most home Wi-Fi networks have weaker security protocols than those in office environments
Unsecured Devices or Programs
Did You Know?
You can measure the maturity of your information security program by seeing how well you handle the 4 Ps: Protection, Prevention, Preparation, and Preemption.
4. Developing Your Information Security Program
Understanding the need for a cybersecurity strategy is one thing. Developing a comprehensive information security program is quite another.
Where do you even start? If the prospect seems unduly daunting, consider the cost of not having one. Some 445 million online cyber fraud and abuse claims were reported in the first quarter of 2020, and the average data breach costs $3.92 million.
Prediction: Use risk assessments and pen testing to identify threats and vulnerabilities.
Prevention: Close security gaps and implement policies to minimize risk.
Detection: Deploy monitoring systems to identify data breaches as soon as they occur.
Response: Create a clear action plan so that breaches are quickly contained and remediated.
Did You Know?
Juniper Research predicts that the total number of IoT connections will reach 83 billion by 2024. Having a comprehensive strategy will make it easier to adapt to new developments and technology.
5. The Importance of Cybersecurity Governance
As the complexity of your systems increases with the adoption of new technological solutions, so must the measures you take to keep those systems secure against intruders. But the most carefully designed information security program will fail without adequate leadership. Some two-thirds of organizations ignore more than 25% of security events.
Did You Know?
A survey conducted by Forrester Consulting found 77.4% of respondents report a poor relationship between IT and security departments.
6. Implementing Information Security Training
A good cybersecurity awareness training program can help improve compliance with information security policies that, if not clearly explained, may appear inconvenient and unnecessary to your team. Make sure your employees understand policies that govern:
Physical Access
Passwords
Identifying Threats
Reporting
Did You Know?
80% of organizations have experienced at least one successful cyberattack. Most cite worrisome employee behavior as their greatest challenge.
7. Maintaining Availability
Common causes of downtime: Hardware or System Failure, Employee Error, Theft, Natural Disaster or Power Outage, Malware
Fortunately, you can dramatically decrease your risk of downtime — and associated disruptions and losses — by developing an availability strategy and employing a disaster recovery strategy. Identify your current continuity capabilities and the impact of any potential disruption, and then develop a clearly outlined plan of action. You can’t necessarily prevent a downtime incident, but you can make sure you’re not one of the 43% of businesses that never reopen afterward.
Did You Know?
The Ponemon Institute reports that only 24% of cybersecurity pros actually focus on preventing incidents, rather than reacting to them.
8. Responding to an Information Security Incident
The odds are fairly high that at some point your organization will fall victim to an information security incident. There are more than one billion identified malware programs in existence and a cyberattack occurs once every 39 seconds. (And that’s assuming that your incident is the direct result of an attack, rather than a hardware failure or employee negligence!) Think of your systems being compromised as a “when” not an “if.”
Detection: Identify and document the details of the incident.
Containment: Contain the breach, quarantine affected systems and remove anyone involved.
Remediation: Remove any malware, repair damage and test systems and backups.
Recovery: Restore systems from backups and resume operations cautiously.
Assessment: Determine how, when and why the incident occurred and how to prevent it from recurring.
Did You Know?
The average data breach costs $3.92 million — $150 per record compromised.
9. Router and Network Firewall Security
Devices: Create use policies, establish controls and assign the task of enforcing standards to guard against intrusion via any of your physical devices.
Operating Systems: Regularly patch, update and test operating systems, control access privileges and log any changes to keep operating systems secure.
Traffic: Limit and monitor traffic that can enter and exit your network and regularly inspect for unguarded access points.
Don’t make the mistake of thinking your organization is too big or too small to be a target. More than 15 billion records were exposed by data breaches in 2019, and the targets were companies of all sizes.
Did You Know?
Each of the 15 largest recorded data breaches compromised the records of more than 100 million people.
10. Penetration Testing
Internal: Testing vulnerabilities from within your organization
External: Testing vulnerabilities that outside actors could access
White Box: The tester has some knowledge of the security you have in place
Black Box: The tester has no knowledge of the security you have in place
Covert: Your team is unaware of the test (and therefore can’t prepare for it)
Penetration testing under a variety of scenarios can help you identify holes in your security and provide a complete picture of the potential damage that would result if they were exploited. This is especially useful when prioritizing which vulnerabilities to address first.
Did You Know?
Experian’s Seventh Annual Data Breach Preparedness Study found that 57% of companies regularly conduct security assessments with the assistance of outside experts.
11. What Is a vCISO?
The information security risks your business faces are continually increasing as your organization grows and adopts new technology solutions. And experts estimate that more than 60% of businesses are operating with understaffed cybersecurity teams.
The best way to ensure that you’re prepared for existing and evolving threats to your expanding systems is to employ a Chief Information Security Officer, or CISO.
Did You Know?
The US cybersecurity workforce would need to increase by 62% to meet current demand levels.
But what if you simply don’t have the budget for a full-time cybersecurity executive? A vCISO — an expert who can head up your information security program while operating much like a consultant — might be the answer. What does a vCISO offer?
“Could Your Business Benefit From a vCISO?” Read our blog post for more on the benefits of working with a vCISO.
12. Cyber Forensics Consulting
When most people think of information security risks, they focus on financial losses, operational disruptions and reputational damage. But a data breach can also leave you vulnerable to legal action from clients or partners. Understanding your legal rights and responsibilities is vital to protecting your organization from harm.
If your cybersecurity attorney works with a cyber forensics consultant, they can help shape your information security program with an eye toward your legal obligations and shield you from lawsuits in the event of a breach.
Identify Issues: Pointing out legal strengths and weaknesses in your information security strategy
Oversee Operations: Ensuring security measures, policies and standards comply with legal obligations
Guide Security Leaders: Assisting with governance and incident response efforts with an eye towards legal issues
Did You Know?
A Gartner survey found that the recent move to remote working during the pandemic increased most cybersecurity leaders’ concerns about legal and compliance issues.
13. Avoiding Data Breaches
Common sources of data breaches: Employee Error, Social Engineering, Visitor Access, Hackers, Ransomware, Disgruntled Staff, Physical Theft
Did You Know?
The average cost of a data breach is $3.92 million. But breaches contained within 200 days cost $1.2 million less on average than longer incidents.
A Partner You Can Trust
At AISN, we don’t believe that “one size fits all” is the way to offer cloud solutions. Our business model is built on the belief that our clients deserve customized cloud platforms designed to meet their specific compliance, security and operational needs.
If you have questions about the cloud or cloud enablement services, we have answers. Our experts are always happy to discuss your needs, so get in touch with us today.