Approaching enterprise technology with cyber security in mind

Most cyber attacks faced by organizations become significantly less effective when enterprise technology is strategically deployed, managed, and maintained with security in mind. This guidance outlines how organizations should handle enterprise technology to minimize vulnerabilities to cyber threats.

The term ‘enterprise technology’ encompasses the IT infrastructure that supports organizational operations. This includes:

  • Devices used by employees
  • Systems and services for processing and holding data
  • Networks that connect these components
  • The operational processes behind this technology

The recommendations provided are applicable to most information types. Although additional security measures can be implemented, they may incur higher costs with minimal added benefits.

We advise small businesses to consult the Information Commissioner’s Office’s guide to information security, along with adopting the Cyber Essentials framework.


Core Principles of Cyber Secure Enterprise Technology

This guidance is based on the following key principles:

  • The security solutions instituted should be practical and reasonable, facilitating a seamless experience for technology users. Security that disrupts user interactions is not effective.
  • Decisions regarding the security of enterprise technology should involve risk management, validated by appropriate governance frameworks.
  • Recommendations should be adapted to align with specific circumstances and should be viewed as a foundational guideline rather than a strict checklist.
  • Devices are likely to be mislaid or stolen; appropriate access control measures should prevent unauthorized users from accessing sensitive information or systems connected to the device.
  • Vulnerabilities are to be expected over the technology lifecycle; an effective security approach should mitigate the risk that a single vulnerability could compromise overall security.
  • While perfect protection against zero-day attacks is unattainable, measures should be in place to limit damage from such threats, with prompt mitigation of identified vulnerabilities.
  • Many malicious websites and applications may intentionally mislead users or impact their devices. Expecting users to inherently recognize threats is often unrealistic. Strategies should focus on minimizing both the occurrence and potential damage from such risks.
  • As the reliance on untrusted networks grows, protecting sensitive information during transmission becomes crucial. Approaches must secure data as it moves between different services and devices while warding off network-based threats.
  • Security measures, while essential, may not be fail-proof. Establishing detection mechanisms for cyber attacks and effective recovery strategies will prove beneficial in the long term.


User Endpoint Security

Securing enterprise technology begins with the careful selection and configuration of devices used daily by staff.

Different operating systems (e.g., Microsoft Windows, Apple iOS) have varying security features, and configurations can significantly influence the level of security. Our End User Device guidance provides insights into the security characteristics of numerous devices and offers configuration recommendations for initial deployments.

In addition to organization-provided devices, employees might want to utilize their own devices for accessing enterprise services, commonly referred to as ‘Bring Your Own Device’ (BYOD). Considerations regarding BYOD implementations are discussed in our BYOD guidance.


Networking Solutions

The primary function of networking is to connect devices with available services. In general, networks should not be trusted; treat them as an untrusted bearer.

To safeguard sensitive data, encryption must be implemented between devices, their applications, and the services accessed. There are scenarios where trusting a network may be necessary, such as integrating legacy services within a data center; in those cases physical and personnel security are crucial.

  • If comprehensive protection is needed for all data traversing between network points (for instance, between remote devices and the corporate network), we suggest implementing IPsec by following our guidance on Network Encryption.
  • To secure individual data streams (e.g., from an application to a service), using Transport Layer Security (TLS) is more suitable. Please refer to our TLS configuration guidance for further details.
  • While peer-to-peer enterprise applications may utilize TLS, certain applications, such as Voice over IP (VoIP), often require purpose-built solutions such as MIKEY-SAKKE for secure real-time media encryption.

Over-reliance on any specific network service or provider increases the risk of service interruptions, some of which may stem from cybersecurity issues.


Enterprise Services Overview

Enterprise services act as the backbone of your organization’s IT; these include the locations where data is stored and accessed by users for various processes. The term covers common services such as email, document storage, file storage, and communication tools, alongside customized services tailored to your organization’s requirements (such as internal web applications, databases, and workflow management systems).

When deciding on hosting approaches, options include in-house (on-premises) solutions, commercial cloud environments, or a hybrid model that combines elements of both. Security concerns play a significant role in determining the best hosting strategy.

Managing services internally offers the advantage of direct responsibility over security protocols but requires appropriate resources and expertise. On the other hand, leveraging a proficient cloud service provider may furnish valuable security capabilities and scale. When selecting cloud services, we recommend assessing them against our cloud security principles to better grasp how they will help safeguard your data.


Security Operations Management

Investing in securing your devices, networks, and services is futile if ongoing maintenance and enhancement of security measures are neglected during the deployment period.

Security should not be perceived as a one-time initiative; it demands continuous investment. Security operations pertain to the actions essential for safeguarding an organization’s enterprise technology against current threats, including the continual monitoring and management of security incidents as they arise.

The foremost measure to thwart common cyber attacks is to keep enterprise technology updated and promptly apply the latest security patches. Our guidance on patching provides insight into the importance of staying current and how to prioritize patching efforts.

Security operations can be managed internally or outsourced to a third-party provider. Our security operations guidance offers recommendations for making this decision and outlines the key tasks an effective operations team should undertake.

Based on an article from www.ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/approaching-enterprise-technology-cyber-security-mind
