Approaching enterprise technology with cyber security in mind

Most cyber threats that an organization encounters can be mitigated effectively when enterprise technology is thoughtfully designed, implemented, and maintained with cybersecurity considerations at the forefront. This document offers guidance on how organizations should effectively approach enterprise technology to prevent cyber threats.

When we refer to ‘enterprise technology,’ we are discussing the IT systems utilized by your organization. This encompasses:

  • The devices used by your staff
  • The systems and services that manage and process data
  • The networks that interconnect these systems
  • The operational procedures associated with these technologies

The recommendations provided are appropriate for most information types. While additional security measures can be implemented, they may increase costs without significantly enhancing security benefits.

We suggest that small businesses consult the Information Commissioner’s Office’s excellent guide on information security and consider implementing Cyber Essentials.


Fundamentals of Cyber Secure Enterprise Technology

The development of this guidance is based on several key principles:

  • Enterprise technology demands practical security that supports the users and their interactions. Security that disrupts user experience is considered poor security.
  • Security choices for enterprise technology should stem from risk management strategies validated through appropriate governance structures.
  • Any recommendations should be adapted to meet specific needs and serve as a reasonable starting reference rather than a strict checklist.
  • A percentage of devices will inevitably be lost or stolen; proper measures must be in place to ensure unauthorized access does not result in data breaches.
  • Vulnerabilities will be uncovered in products and services during their operational lifecycle; ensure that security strategies minimize the impact of any single vulnerability.
  • Though perfect protection against new (zero-day) threats is unattainable, a robust strategy will mitigate the damage caused by such threats as quickly as possible.
  • Some websites and applications are designed to deceive users or compromise their devices. It is unrealistic to expect users to always identify unsafe content. Measures should be taken to reduce occurrences and their consequences.
  • As reliance on various networks increases, it is essential to regard these networks as untrusted mediums. The strategy must safeguard sensitive information as it travels and protect connected devices and services from network-related threats.
  • Cybersecurity solutions are not foolproof; occasionally, attackers will succeed. Establishing detection mechanisms and a quick recovery protocol is vital for long-term resilience.


End User Computing

The primary step in securing enterprise technology is the careful selection, configuration, and management of the devices employed by staff daily.

Various platforms, such as Microsoft Windows or Apple iOS, offer different security features, and their configurations can significantly impact security. Our End User Device guidance assists you in understanding the security characteristics of numerous devices, guiding informed decision-making regarding your device deployment.

Aside from organization-provided devices, you may consider allowing staff to use their personal devices for accessing certain enterprise services, a concept known as ‘Bring Your Own Device’ (BYOD). Our BYOD guidance addresses additional considerations pertinent to this practice.


Networking

The primary role of networking is to link devices with services. A fundamental principle is that networks should be treated as untrusted conduits.

To protect sensitive information, it is crucial to implement encryption between devices, their applications, and the services accessed. Where a network must be trusted (for example, to connect legacy services within a data center), compensate with physical and personnel security controls.

  • To safeguard all data traversing a network (e.g., between a remote working device and your enterprise network, or between two locations), we recommend IPsec (see our guidance on Network Encryption).
  • For securing individual data streams, such as communications from an application to a service, Transport Layer Security (TLS) is preferable (for more information, refer to our TLS configuration guidance).
  • Peer-to-peer enterprise applications may leverage TLS; however, specialized solutions such as MIKEY SAKKE are frequently better suited for real-time media encryption needs.

Relying exclusively on a single network service or provider increases your exposure to disruption, including disruption caused by cyber security incidents.


Enterprise Services

Enterprise services are integral to your IT framework; these are the locations where your data is stored and made accessible for processing and action. This term encompasses common services such as email, document storage, file repositories, communication services, as well as custom business solutions tailored to your organizational requirements (e.g., internal web applications, databases, and workflow systems).

Organizations can choose between hosting these services internally (on-premises), using commercial cloud services, or adopting a hybrid model. Security considerations represent just one aspect of deciding on the implementation approach for these services.

Hosting services internally grants you total oversight of security measures, which is advantageous when the necessary skills and resources are present. Opting for a reputable cloud service provider may allow you to leverage their extensive capabilities and security expertise. When engaging cloud services, we recommend evaluating them against our cloud security principles to understand how they will aid in safeguarding your information.


Security Operations

Investing in the security of your devices, networks, and services is futile without ongoing maintenance and enhancement of cybersecurity practices.

It is crucial to perceive security as an ongoing commitment rather than a one-time action. Security operations are the continuous activities required to safeguard an organization’s enterprise technology against emerging threats and to manage security incidents effectively.

The most effective preventive measure against prevalent cyber attacks is to keep your enterprise technology updated and to apply the latest security patches promptly. Our guidance on vulnerability management explains why this practice matters and how to prioritize patching activities.

Security operations can be executed internally or outsourced to third-party providers. Our guide on security operations can assist in making this choice and outlines the key activities an effective security operations team should undertake.


Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/approaching-enterprise-technology-cyber-security-mind