Believe it or not, there are IT Security improvements you can introduce to your network that are seamless, low-cost, don't present a new burden to your users, and/or are easy to implement. So, in between your major IT Security projects that may or may not happen, why not improve your security posture and lower your overall risk?
Warning: These suggestions may cause your IT staff to work a little harder.
Implement email TLS encryption between business partners and others
Enabling opportunistic TLS on your email servers is really just a matter of turning on a switch. Hit the "ON" radio button and set it to opportunistic mode so that TLS is negotiated whenever the other host supports it. It's really that simple, and no one even notices, except you.
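One way to confirm the switch actually took effect, as an added example that is not part of the original post: this Python 3 script (standard library only) checks whether a mail server advertises STARTTLS in its EHLO reply and, if so, which TLS version and cipher it negotiates. The host name in it is a placeholder for one of your own or a partner's MX hosts.

```python
"""Verify that a mail server offers STARTTLS, i.e. that opportunistic TLS is on.

Added example, not from the original post. Standard library only; the host
name used under __main__ is a placeholder for one of your own MX hosts.
"""
import smtplib
import ssl


def offers_starttls(ehlo_message: str) -> bool:
    """Return True if an EHLO reply lists the STARTTLS extension.

    The first reply line is the server greeting; each following line names
    one ESMTP extension (RFC 5321), optionally followed by parameters.
    """
    extension_lines = ehlo_message.splitlines()[1:]
    return any(line.split()[0].upper() == "STARTTLS"
               for line in extension_lines if line.strip())


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an SMTP server and report whether TLS can be negotiated.

    Uses a certificate-verifying context, so an ssl.SSLError here means the
    peer offers STARTTLS but presents a certificate strict clients would reject.
    """
    result = {"host": host, "starttls": False, "tls_version": None, "cipher": None}
    server = smtplib.SMTP(host, port, timeout=timeout)
    try:
        code, reply = server.ehlo()
        if code != 250 or not offers_starttls(reply.decode("utf-8", "replace")):
            return result
        result["starttls"] = True
        server.starttls(context=ssl.create_default_context())
        server.ehlo()  # RFC 3207: re-issue EHLO once the channel is encrypted
        result["tls_version"] = server.sock.version()
        result["cipher"] = server.sock.cipher()[0]
    finally:
        server.close()  # close without QUIT so a failed handshake cannot mask the error
    return result


if __name__ == "__main__":
    # Constructed EHLO replies, one with and one without STARTTLS.
    with_tls = "mx.example.com Hello\nSIZE 10240000\nSTARTTLS\n8BITMIME"
    without_tls = "mx.example.com Hello\nSIZE 10240000\n8BITMIME"
    print(offers_starttls(with_tls), offers_starttls(without_tls))  # True False
    # Live check against a placeholder host (replace with your own MX):
    # print(check_starttls("mx.example.com"))
```

Run the live check from a host that can reach port 25 of the server in question; a result with `starttls` False means the "switch" is not actually on for that server.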
If you have a large enough network, implement VLANs within your network
Help contain the spread of broadcast-based viruses. The key here is to decrease the size of your broadcast domains. Look, implementing VLANs on an existing flat network is not a big deal, and you can always move things gradually to their own assigned VLANs. All you need are switches/routers that support VLANs and VLAN routing/trunking. Follow these simple ITSEC segmentation guidelines for your internal network:
- Workstations in their own VLAN (could also be divided, depending on your size)
- File Servers in their own VLAN
- Internal Web Servers in their own VLAN
- Database Servers in their own VLAN
- SOX, PCI, HIPAA and/or other servers containing sensitive information in their own VLAN (this makes it much easier to implement additional security controls and logging, AND it makes it easier for everyone to identify those "kid gloves" resources)
- You know, VLANs are free, so use them.
Prevent rogue wireless access points and other rogue LAN devices/computers
Implement port security, or at least turn off the ports that are not in use. You only want your company devices on your network, not personal devices, personal hubs or switches, or wireless access points. This significantly lessens your risk of malware infection, or even of malicious intent. No one should be able to walk into your business and plug something in without your permission. Likewise, no one should be able to connect to your private wireless.
Put at least ONE Intrusion Prevention/Anti-Malware appliance in-line
Put an IPS on your Internet edge, and put it in blocking mode! I installed IPS appliances ten years ago and turned on blocking right at the start. I never had any serious issues. But WOW! the things that were blocked... This adds a significant security layer to your network and lowers your overall risk score, and IPS appliances are not very expensive. Just remember it won't be very effective against internal malware attacking internal targets, but it helps mitigate the risk of malware reaching the internal network in the first place.
Develop a patching process/procedure that works for all machines, all operating systems, and all services. The more you stay patched, the fewer chances there are of being exploited. Again, this just takes time and effort, and not really a whole lot of money.
Not a really high risk, but just as a best practice, no one should be running telnet, ftp, or anything else involving clear-text logins, even on the internal network. Use the encrypted alternatives.
Do not make your users local admins of their workstation.
And if users are already admins, plan to move them out.
This is probably the most annoying, ugly, and/or nasty recommendation I would make. It can be highly burdensome on the users, but sometimes that is necessary. If you value your company's data and your customers' data, you will heed this advice. You can save your company a lot of money and heartache by taking this simple, necessary step, if it's feasible (and usually it is). You can easily take your time and migrate the users gradually.
Get checked out
And finally, you wouldn't believe how many things I find wrong with customers' websites, and even internal networks, that have allowed me to just waltz right in... You can never know how easy or difficult it is to get into your network unless you hire reliable people to occasionally scan you, internally and externally. And it's not very expensive at all. Hire a reliable, third-party penetration testing organization (such as the company I work for, Redspin.com, or make your own choice) that will put your controls to the test. With the results, you can prioritize and concentrate on the areas that need the most work.