IT security has been a hot topic for organizations for many years now. But, given that the corporate IT security team is often disconnected from the IT service management team(s), what should IT service and support professionals know about IT security? The question matters even more in light of the global pandemic, during which the number of IT security incidents increased dramatically: at the height of the pandemic’s first wave, for example, the World Health Organization (WHO) reported a five-fold increase in cyber-attacks against its personnel.
As an IT service and support professional, you need basic IT security knowledge for two reasons: to provide related advice and support to fellow employees, and to actively follow your own cyber-safety advice. Both matter more now that remote working arrangements remain in place for many IT service and support professionals and the colleagues they serve.
To help, here are eight IT security tips aimed at IT service and support professionals such as yourself.
1. Practice what you preach about IT security
It’s important for IT service and support professionals to realize that everyone is vulnerable when it comes to IT security; even the longest-serving IT service management (ITSM) professionals are not immune to a determined cyber-attacker.
There will always be a “bad actor” who is well prepared, well equipped, and experienced enough to circumvent basic IT security defenses, and there are many different IT security risks in play, from phishing and account takeover to DDoS attacks.
2. Get real-time insight into the security status of network-connected IT assets
Asset monitoring and tracking help to mitigate the risk of a cyber-attack by ensuring that IT assets are known in the first place, and that they run the most up-to-date versions of their operating systems and applications. An attacker’s easiest route in is often a known vulnerability in a forgotten or unpatched system, so it’s very much a case of proactively finding and fixing software vulnerabilities, ideally via automated patch management. Bear in mind that patching only addresses vulnerabilities that are already known; it’s a necessary control, not a complete one.
3. Make passwords a priority
If you read the IT media, you’ll likely have seen one of the many articles pointing out that the use of weak, default, and common passwords is still rampant in the corporate world. Having system-based controls in place to prevent this, such as minimum length rules, blocklists of common passwords, and the removal of default credentials from devices and applications, is just the start.
There’s also a need for employee education on corporate password security policies and the risks of non-compliance: for example, passwords written on post-it notes attached to a monitor, or the same password reused across numerous accounts, so that a single leaked credential unlocks several systems.
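The system-based controls mentioned above can be made concrete. The following is an added example written for this article, not code from the original; it rejects short, common, default and trivially patterned passwords and flags ones that appear in a breach corpus. The blocklist, the breach set, the `MIN_LENGTH` value and the sample candidates are all constructed for the example and are tiny compared with what a real deployment would load.

```python
"""Password policy checks: an added example, not code from the original article.

Mirrors the system-side controls the text refers to: reject short, common,
default and trivially patterned passwords before they are set, and flag
candidates that appear in a breach corpus. The blocklist and breach set are
constructed for the example and are tiny compared with real ones.
"""
import hashlib
import re

MIN_LENGTH = 12  # assumed policy value

# Constructed blocklist, stored in normalised form (lower case, leetspeak
# folded, trailing digits and punctuation stripped) so simple variants match.
COMMON_PASSWORDS = {
    "password", "qwerty", "letmein", "welcome", "admin", "changeme",
    "summer", "winter", "company",
}


def _sha1_upper(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus keyed the way k-anonymity range lookups work:
# 5-hex-char SHA-1 prefix -> set of suffixes. A real deployment would send only
# the prefix to a breach-corpus service and compare the suffixes locally.
BREACHED = {}
for _pw in ("Tr0ub4dor&3", "Winter2021!", "Monkey123"):
    _h = _sha1_upper(_pw)
    BREACHED.setdefault(_h[:5], set()).add(_h[5:])

_LEET = str.maketrans("@$0134", "asoiea")


def normalise(pw):
    """'P@ssw0rd2021!' -> 'password', so the blocklist catches the variant."""
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    return stripped.translate(_LEET)


def _is_patterned(pw):
    """All characters identical, or one straight ascending/descending run."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({0}, {1}, {-1})


def check_password(pw, blocklist=COMMON_PASSWORDS, breached=BREACHED):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(pw) in blocklist:
        problems.append("matches a common or default password")
    if _is_patterned(pw):
        problems.append("repeated or sequential characters")
    digest = _sha1_upper(pw)
    if digest[5:] in breached.get(digest[:5], ()):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2021!", "Tr0ub4dor&3", "aaaaaaaaaaaa",
                      "correct horse battery staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The normalisation step is what separates a useful blocklist from a cosmetic one: users routinely turn a banned word into `P@ssw0rd2021!` to satisfy complexity rules, and a check that compares raw strings lets that through.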
4. Employ multi-factor authentication
Multi-factor authentication, which requires more than one credential as proof of identity before access is granted, is not only a great way of preventing account compromise when a password alone has leaked, but also a way of detecting that password-based credentials have been compromised: a correct password followed by a failed or unexpected second-factor prompt is a strong signal that someone other than the account owner holds that password. Note that one-time codes from SMS or an authenticator app can still be relayed by a real-time phishing site, so phishing-resistant factors such as hardware security keys are preferable for high-risk accounts.
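To show what an app-based second factor actually checks, here is an added example (not code from the original article) implementing TOTP as specified in RFC 6238 on top of HOTP from RFC 4226, with a tolerance window for clock drift and replay protection so that a code which has already succeeded is never accepted twice. The seed is the RFC 6238 reference test seed, and the user names are placeholders.

```python
"""TOTP (RFC 6238) generation and verification: an added example, not code
from the original article.

Shows the mechanics behind an authenticator-app second factor, a tolerance
window for clock drift, and replay protection. SEED is the RFC 6238
Appendix B test seed for SHA-1; user names are placeholders.
"""
import hashlib
import hmac
import struct
import time

SEED = b"12345678901234567890"  # RFC 6238 reference seed (SHA-1 variant)
STEP = 30                       # seconds per time step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server side: accept a code for the current step or `window` steps
    either side of it, and never accept a step at or below the last one
    that succeeded for that user (blocks replay of an observed code)."""

    def __init__(self, secret, window=1, step=STEP, digits=DIGITS):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = {}  # user -> highest counter accepted so far

    def verify(self, user, code, at=None):
        at = time.time() if at is None else at
        now = int(at) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter.get(user, -1):
                continue  # already used, or older than an accepted code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(SEED)
    code = totp(SEED, at=59)
    print("code at t=59:", code)                        # RFC vector: 287082
    print("first use:", v.verify("alice", code, at=59))  # True
    print("replay:   ", v.verify("alice", code, at=59))  # False
```

The replay check is the part most home-grown implementations omit: without it, an attacker who phishes a still-valid code can use it again within the same time window, which is exactly the "password correct, second factor odd" situation the text describes as a signal worth detecting.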
5. Make VPN use mandatory on open networks
We’ve all done it: connecting our laptop to a coffee shop’s free Wi-Fi so we can work there, or using the free Wi-Fi that’s available in a mobile-network blackspot. But this is an unnecessary IT security risk; on an open network, anyone in range can observe unencrypted traffic or stand up a rogue access point using the same name.
So, ensure that everyone sharing corporate data (for instance, in emails) or accessing the corporate network and resources has a VPN installed, and that it’s used without fail whenever they connect to an open network. This applies not just to corporate assets but potentially also to personal devices used for work purposes.
Thankfully, corporate VPN software is more widely available after the mass employee migration to home working during the pandemic, but it’s only any good when it’s used!
6. Employ endpoint security for remote workers
Remote staff, whether they’re IT service and support personnel or the employees they serve, are particularly vulnerable to phishing scams and malicious websites. Endpoint security controls, such as anti-malware, web filtering, and device-level monitoring, help prevent them from becoming victims of these and other IT security risks.
7. Leverage device identity and application identity capabilities
Client-side certificates help to establish device identity, and server-side certificates help to establish application identity. It’s not a one-time thing, though: certificates expire, and an expired certificate either breaks access or, worse, trains users to click past warnings, so you’ll also need mechanisms to alert people to, or automatically renew, expiring certificates. Plus, mechanisms to identify and educate end users who repeatedly click past certificate warnings, since that habit is exactly what an attacker presenting a forged certificate relies on.
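As an added example of the expiry-alerting mechanism described above (written for this article, not code from the original), the following triages a certificate inventory into renewal alerts. It works on records shaped like the dictionary that Python’s `ssl.SSLSocket.getpeercert()` returns, whose `notBefore`/`notAfter` strings use the OpenSSL “Mon DD HH:MM:SS YYYY GMT” layout that the standard-library function `ssl.cert_time_to_seconds()` parses. The inventory, host names, fixed clock and alert thresholds are constructed or assumed for the example.

```python
"""Certificate expiry triage: an added example, not code from the original
article.

Consumes records shaped like ssl.SSLSocket.getpeercert() output and returns
renewal alerts, most urgent first. Inventory, host names, the fixed NOW and
the thresholds are constructed/assumed for the example.
"""
import ssl

# Assumed alert thresholds in days remaining, checked in order.
THRESHOLDS = ((0, "EXPIRED"), (7, "CRITICAL"), (30, "WARNING"))
_URGENCY = {"EXPIRED": 0, "NOT_YET_VALID": 1, "CRITICAL": 2, "WARNING": 3, "OK": 4}

# Constructed inventory; in practice collected via getpeercert() or a scanner.
INVENTORY = [
    {"name": "vpn.example.internal",
     "notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "Mar  1 00:00:00 2021 GMT"},
    {"name": "helpdesk.example.internal",
     "notBefore": "Feb 10 00:00:00 2020 GMT", "notAfter": "Feb 10 00:00:00 2021 GMT"},
    {"name": "mdm.example.internal",
     "notBefore": "Feb 20 00:00:00 2020 GMT", "notAfter": "Feb 20 00:00:00 2021 GMT"},
    {"name": "sso.example.internal",
     "notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Dec 31 00:00:00 2021 GMT"},
    {"name": "new-device-ca.example.internal",
     "notBefore": "Mar  1 00:00:00 2021 GMT", "notAfter": "Mar  1 00:00:00 2022 GMT"},
]

# Fixed clock so the example is reproducible; use time.time() in a real job.
NOW = ssl.cert_time_to_seconds("Feb 15 12:00:00 2021 GMT")


def days_remaining(cert, now=NOW):
    """Days until notAfter; negative once the certificate has expired."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def classify(cert, now=NOW):
    """Map one certificate to a severity label."""
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        return "NOT_YET_VALID"  # device clock skew, or a cert deployed early
    remaining = days_remaining(cert, now)
    for limit, severity in THRESHOLDS:
        if remaining <= limit:
            return severity
    return "OK"


def renewal_report(inventory=INVENTORY, now=NOW):
    """(severity, name, days_remaining) tuples, most urgent first."""
    rows = [(classify(c, now), c["name"], round(days_remaining(c, now), 1))
            for c in inventory]
    return sorted(rows, key=lambda r: (_URGENCY[r[0]], r[2]))


if __name__ == "__main__":
    for severity, name, days in renewal_report():
        print(f"{severity:<14} {name:<32} {days:>7.1f} days")
```

A job like this, run daily against the inventory from tip 2 and wired to the alerting channel the team already watches, is the "mechanism to alert people" the text calls for; the `NOT_YET_VALID` case is included because a freshly deployed certificate that a device's skewed clock rejects produces exactly the same user-facing warning as an expired one.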
8. Never assume that you and your organization are fully protected
IT security issues will never go away, nor will they remain static, so there’s a constant need to stay up to date on the latest cyber scams and other hacking techniques, and on the protection available against them. It’s why your organization invests in its IT security professionals, who can, given effective communication channels, provide IT service and support personnel such as yourself with the right knowledge and tools to keep everyone safe from the unwanted results of IT security breaches.
Effective IT security means educating everyone on what’s needed and validating compliance with corporate policies across all employees, including IT service and support personnel. And we need to practice what we preach, from using a VPN to ensuring that accounts have multi-factor authentication enabled by default. If you have any IT security questions or would like to add to this tips list, then please use the comments section below.