With a staff awareness program in place, companies should turn to how the network and systems are operated. For example, no one other than trained IT administrators should hold administrative privileges, and that applies not just to servers but to every company PC, laptop and tablet.
Administrators should have two accounts: one for system administration and one for day-to-day use, so that routine work such as reading email is never done with administrative rights. No person should have access to all files in a company's system, not even the chief executive or IT director.
People should only be able to access and act on the files absolutely necessary for their job function. For example, if only read access is required, then read access alone should be granted.
Office products should be configured not to run macros automatically. Internet-facing mail systems, in addition to running antivirus scanning, should be configured to allow only regular office files as email attachments (such as .rtf and .doc) and to block executables and double-zipped files (an archive nested inside another archive, a common way of hiding an executable from a simple filter).
Disarming emails by stripping scripting and other active content from them is also recommended, though this may not be acceptable to some companies, so an informed decision based on risk needs to be taken. Similar protection is needed for internet browsing.
Additional protection for servers should include a local (host-based) firewall on each server. Application whitelisting is also strongly recommended, so that only known, approved applications can run.
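The attachment filter described above, written out as an added example (this is illustrative code, not the article's own or any product's). The allowlist and blocklist of extensions are assumptions chosen for the example; a real gateway would carry its own lists. The point the code makes that the prose does not is the ordering of checks: executable content is recognised by its header bytes regardless of the file name, Office Open XML documents (.docx and friends) are themselves zip containers and so must not be opened as archives, and a zip is only accepted when it is one level deep and every member passes the same test.

```python
import io
import posixpath
import zipfile

# Illustrative policy for this example (an assumption, not a list from the article):
# only plain office document types are accepted as attachments.
ALLOWED_EXTENSIONS = {".rtf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".msi", ".bat", ".cmd",
                         ".ps1", ".vbs", ".js", ".jar", ".hta"}
MAX_ARCHIVE_DEPTH = 1                 # one level of zip is tolerated; a zip inside a zip is not
MAX_ENTRY_BYTES = 20 * 1024 * 1024    # refuse to inflate oversized entries (zip-bomb guard)


def _extension(name):
    """Lower-cased extension of the final path component, '' if there is none."""
    base = posixpath.basename(name.replace("\\", "/")).lower()
    return base[base.rfind("."):] if "." in base else ""


def looks_executable(data):
    """Content-based check: PE (MZ), ELF and Mach-O headers, whatever the file is called."""
    return (data[:2] == b"MZ"
            or data[:4] == b"\x7fELF"
            or data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                            b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"))


def check_attachment(name, data, depth=0):
    """Return (allowed, reason) for one attachment; recurses into plain zip archives."""
    ext = _extension(name)
    if ext in EXECUTABLE_EXTENSIONS or looks_executable(data):
        return False, f"executable blocked: {name}"
    # Office Open XML files (.docx etc.) are zip containers too, so decide by
    # extension: only a file actually named .zip is opened as an archive.
    if ext == ".zip":
        if depth >= MAX_ARCHIVE_DEPTH:
            return False, f"nested archive blocked: {name}"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_ENTRY_BYTES:
                        return False, f"oversized entry blocked: {info.filename}"
                    ok, reason = check_attachment(info.filename, zf.read(info), depth + 1)
                    if not ok:
                        return False, reason
        except zipfile.BadZipFile:
            return False, f"corrupt archive blocked: {name}"
        return True, f"archive contents allowed: {name}"
    if ext in ALLOWED_EXTENSIONS:
        return True, f"allowed: {name}"
    return False, f"type not on allowlist: {name}"


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, not real mail data.
    samples = {
        "minutes.rtf": b"{\\rtf1\\ansi Hello}",
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,                       # PE disguised as a PDF
        "report.zip": make_zip({"report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 32}),
        "double.zip": make_zip({"inner.zip": make_zip({"report.doc": b"x"})}),
        "tools.zip": make_zip({"setup.exe": b"MZ" + b"\x00" * 16}),
    }
    for name, data in samples.items():
        print(name, check_attachment(name, data))
```

The filter deliberately does not try to verify that a file named .doc really is a Word document; that deeper content inspection is left to the antivirus stage the article mentions, and the two controls complement rather than replace each other.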
Keep up to date with data protection legislation and other applicable laws, and keep evidence of the protective measures taken, so that the company can demonstrate due diligence and minimise its liability should it be hit by stealthy malware.
Roles need to be formally defined, specifying which files and database fields each role can access and what actions can be taken on those files and fields. File and database systems then need to be configured so that they enforce only those roles.
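The role definitions called for here, and the least-privilege rules earlier on the page (read-only where read is all that is needed; nobody with access to everything), as an added example in Python. This is illustrative code, not the article's own or any product's; the roles, resources and paths are constructed for the example. It shows the three pieces a practitioner would want from such a scheme: a deny-by-default check, path-prefix matching that survives `..` tricks, and field-level projection of database rows, plus a check that no combination of roles amounts to blanket access.

```python
import posixpath

READ, WRITE = "read", "write"

# Illustrative role definitions, an assumption for this example rather than a
# scheme taken from the article. "file:" entries are path prefixes, "field:"
# entries are table.column. Anything not listed here is denied.
ROLE_POLICY = {
    "payroll_clerk": {
        "field:employees.name":   {READ},
        "field:employees.salary": {READ, WRITE},
        "file:/finance/payroll/": {READ, WRITE},
    },
    "helpdesk": {
        "field:employees.name":      {READ},
        "field:employees.extension": {READ, WRITE},
    },
    "auditor": {
        "field:employees.name":   {READ},
        "field:employees.salary": {READ},
        "file:/finance/":         {READ},
    },
}


def _normalise_path(path):
    """Collapse '..' and repeated slashes so '/finance/payroll/../hr' is judged as '/finance/hr'."""
    return posixpath.normpath("/" + path.replace("\\", "/").lstrip("/"))


def is_allowed(roles, resource, action, policy=ROLE_POLICY):
    """Deny by default: allow only if some role grants `action` on `resource`."""
    kind, _, target = resource.partition(":")
    if kind == "file":
        target = _normalise_path(target)
    for role in roles:
        for granted, actions in policy.get(role, {}).items():
            g_kind, _, g_target = granted.partition(":")
            if g_kind != kind or action not in actions:
                continue
            if kind == "file":
                prefix = _normalise_path(g_target)
                if target == prefix or target.startswith(prefix.rstrip("/") + "/"):
                    return True
            elif g_target == target:
                return True
    return False


def readable_fields(roles, table, row, policy=ROLE_POLICY):
    """Project a database row down to the columns the given roles may read."""
    return {col: val for col, val in row.items()
            if is_allowed(roles, f"field:{table}.{col}", READ, policy)}


def has_blanket_access(roles, all_resources, policy=ROLE_POLICY):
    """True if this role set can read and write every listed resource; no one should."""
    return all(is_allowed(roles, r, a, policy)
               for r in all_resources for a in (READ, WRITE))


if __name__ == "__main__":
    # Constructed sample row, not real data.
    row = {"name": "A. Person", "salary": 50000, "extension": "4421"}
    print(readable_fields(["helpdesk"], "employees", row))
    print(is_allowed(["payroll_clerk"], "file:/finance/payroll/../hr/review.doc", READ))
    everything = ["field:employees.name", "field:employees.salary",
                  "field:employees.extension", "file:/finance/payroll/"]
    print(has_blanket_access(["payroll_clerk", "helpdesk", "auditor"], everything))
```

Enforcement belongs in the file system and database (ACLs, views or column grants), as the text says; a check like this one is the reference model the configuration is written from and tested against, not a substitute for it.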
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.