Labyrinth has a documented security baseline standard containing the minimum set of controls we believe every business should have in place. We review this standard regularly and update our security audit templates to reflect it. The standard is developed in line with Cyber Essentials (a government data security standard against which we are certified internally).
This page lists some of the key controls that every organisation should implement, along with some of the specific technologies we recommend.
Information Asset Register
Put together an information asset register detailing all the data your organisation processes. This is essential for GDPR (General Data Protection Regulation) compliance and will also help you assess the security of your data. The register should include:
- Where your information is stored
- Where your information came from
- Your legal grounds for processing it
- Your processing activities
- Who has access to your data
- How long your data will be retained for
Anti-Virus and Email Security
- Install business-grade anti-virus on all computer systems. We supply Bitdefender to our clients
- Ensure anti-virus is updated on all devices daily
- Carry out routine anti-virus functionality checks, ideally using a central management console
- Implement a dedicated email security solution such as Symantec Email Protection to filter all inbound email before it is delivered to your on-premises mail servers or to services such as Office 365. Symantec will detect threats such as malware and phishing attacks and prevent them from reaching your inbox
- Ensure staff know how to spot phishing emails
Firewall
It is crucial that all organisations have a dedicated hardware firewall in place with active security subscriptions (such as intrusion prevention, web filtering and updates). This acts as a strong first line of defence at your network perimeter.
We use WatchGuard for the majority of our clients, as WatchGuard has an excellent reputation and, in our experience, builds reliable products which are easy to manage.
Encryption
Encrypt all data at rest and in transit. For data at rest, use disk encryption tools such as BitLocker, FileVault or VeraCrypt, so that if your data falls into the wrong hands it cannot be read.
This also helps you prevent a GDPR breach if your computer systems are lost or stolen.
Mobile Device Management
Implement a mobile device management system, such as the free one built into Office 365. This allows you to:
- Enforce encryption of mobile devices
- Enforce password protection on mobile devices
- Remotely wipe devices if they are lost or stolen
Passwords and Authentication
- Implement password policies in Windows, Office 365 and other systems to enforce routine password updates and password complexity requirements
- Use multi-factor authentication where possible, particularly on cloud-based systems such as Office 365, Dropbox and Xero
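As an added example (not one of Labyrinth's own audit templates), the following read-only PowerShell check reports on three of the controls above on a single Windows endpoint: anti-virus installed and current, data at rest protected by BitLocker, and a password policy enforced. It assumes Windows 10/11 or Windows Server with the BitLocker module available, a domain-joined machine with the RSAT ActiveDirectory module for the password-policy check, and the commonly used decoding of the Security Center productState field; the PASS thresholds are this example's own choices.

```powershell
# Added example: baseline audit of anti-virus, BitLocker and password policy.
# Read-only; prints PASS/FAIL/WARN lines for a central console or a ticket.

function Get-BaselineAuditResult {
    $findings = @()

    # 1. Anti-virus: products registered with Windows Security Center.
    #    productState decoding is the commonly used interpretation (assumption):
    #    middle hex byte 10/11 = real-time protection on, low byte 00 = signatures current.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue
    if (-not $av) { $findings += 'FAIL  No anti-virus product registered with Security Center' }
    foreach ($p in $av) {
        $hex      = '{0:X6}' -f $p.productState
        $enabled  = $hex.Substring(2, 2) -in @('10', '11')
        $upToDate = $hex.Substring(4, 2) -eq '00'
        $status   = if ($enabled -and $upToDate) { 'PASS' } else { 'FAIL' }
        $findings += "$status  AV '$($p.displayName)' enabled=$enabled upToDate=$upToDate"
    }

    # 2. Encryption at rest: every BitLocker-capable volume should have protection on.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        foreach ($v in Get-BitLockerVolume) {
            $status = if ($v.ProtectionStatus -eq 'On') { 'PASS' } else { 'FAIL' }
            $findings += "$status  BitLocker $($v.MountPoint) protection=$($v.ProtectionStatus) encrypted=$($v.EncryptionPercentage)%"
        }
    } else {
        $findings += 'WARN  BitLocker module not available on this host'
    }

    # 3. Password policy: complexity on, a minimum length and lockout set in the
    #    default domain policy (thresholds below are this example's assumptions).
    if (Get-Command Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $ok = $policy.ComplexityEnabled -and $policy.MinPasswordLength -ge 12 -and $policy.LockoutThreshold -gt 0
        $status = if ($ok) { 'PASS' } else { 'FAIL' }
        $findings += "$status  Password policy complexity=$($policy.ComplexityEnabled) minLength=$($policy.MinPasswordLength) lockout=$($policy.LockoutThreshold)"
    } else {
        $findings += 'WARN  Domain password policy not readable (not domain-joined or AD module missing)'
    }

    return $findings
}

Get-BaselineAuditResult | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell session so the BitLocker and Security Center queries are permitted; any FAIL line maps directly to one of the controls listed above.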
Web Filtering
Implement network-based and/or host-based web filtering so that all web traffic on company devices is filtered whether employees are working inside or outside the office.
Web filtering is not just about increasing employee productivity or preventing access to inappropriate content; it is also essential for blocking access to harmful phishing websites.
Guest Wi-Fi Access
Do not allow guests onto your staff Wi-Fi network. Implement an isolated guest Wi-Fi network using a properly managed system such as Ubiquiti UniFi.
Need help implementing security controls? Get in touch with us.