Endpoint security best practices and policies to mitigate risks

Endpoint security is a broad subset of IT security that covers the protection and security-related monitoring of end-user devices. The devices include not just consumer gadgets such as desktop PCs, laptops, smartphones, and PoS equipment, but also network access paths like website logins and open ports. While antivirus apps are a critical component of any endpoint security strategy, there’s a wide range of tools that can be used to mitigate endpoint risks. The tools will usually have several mechanisms for intrusion detection such as behavior analysis and multiple logins from the same IP. Overall, the goal of endpoint security is to protect confidential business data by sealing the loopholes attackers may exploit to gain unauthorized access.

Endpoint security has always been a big deal, but it has taken on much greater enterprise significance following several spectacular, large-scale cyberattacks in recent years. Business leaders have realized that failure to adequately secure endpoints can have catastrophic results. There are perhaps dozens of endpoint security best practices, but we’ll cover the ones that are the most important.

Define and disseminate endpoint security policy

Endpoint security begins with the definition of policy. Take time to think about what applications and devices you’d want to allow on your network and which ones you’d like to keep away. Prevent the installation and use of high-risk systems such as torrents, file sharing apps, IP anonymizing software, and social media applications.

Develop an overarching policy that sets up the parameters needed to consistently enforce these controls. Disseminate the endpoint security policy to all employees and detail what comprises acceptable use of the organization’s digital assets. Monitor for policy violations and firm up controls each time to limit recurrence.

Password complexity

Passwords are what stand between an unauthorized individual and your confidential business data. The weaker your passwords are, the greater the possibility of an attacker getting through. Develop and implement a robust password policy that sets out a minimum set of rules that define what qualifies as an acceptable password.

From the get-go, prohibit dictionary words and common passwords such as 123456789, password1, and abc123. Hackers and brute force tools will start with these when they are trying to crack a password. Set length (at least eight characters but preferably 10 or more), character diversity (numbers, lower case, upper case, and symbols), and password reuse rules.
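
The rules above can be enforced at password-change time. The following is an added example, not code from the article: a Python check covering the denylist, length, character diversity, and reuse rules. The word lists, the 10-character threshold, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed lists; a real deployment loads a large breached-password corpus.
COMMON_PASSWORDS = {"123456789", "password1", "abc123"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "sunshine"}
MIN_LENGTH = 10  # the article's preferred minimum (its floor is eight)
EDGE_PADDING = "0123456789!@#$%^&*()-_=+.?"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored history cannot be read back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_history(old_passwords):
    """Build (salt, hash) pairs for previously used passwords."""
    history = []
    for old in old_passwords:
        salt = os.urandom(16)
        history.append((salt, hash_password(old, salt)))
    return history


def check_password(password: str, history) -> list:
    """Return the policy rules the candidate breaks (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    # "Welcome2024!" is still the dictionary word "welcome" with padding.
    if lowered.strip(EDGE_PADDING) in DICTIONARY_WORDS:
        problems.append("dictionary word")
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if not all(any(test(c) for c in password) for test in classes):
        problems.append("missing character class")
    # Reuse check: re-hash the candidate under each stored salt.
    for salt, old_hash in history:
        if hmac.compare_digest(hash_password(password, salt), old_hash):
            problems.append("reused password")
            break
    return problems
```

Note that a password such as Welcome2024! satisfies the length and character-diversity rules and is rejected only by the dictionary check, which is why the denylist rules are applied alongside the complexity rules rather than instead of them.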

Two-factor authentication

Password complexity raises the barrier for entry substantially. Nevertheless, even a complex password can fall into the wrong hands (for example, if an employee writes it down). To make it much harder for an attacker to access your systems, deploy two-factor authentication.

This would mean that a user would not only need a valid username and password to sign in but an additional element such as a fingerprint, face ID, retina scan, or a one-time password sent via text. Even if a cybercriminal knows the password, it would be much harder for them to have access to the one-time password and impossible to replicate the biometric aspects (fingerprint, retina, or face).

Secure all entrances

Your endpoint security plan is only as effective as your weakest link. If you leave one open door in your security infrastructure, all other efforts in securing the rest of your network will be futile. You’d only consider your home secure if you have locked the front door, back door, garage door, and all windows. An endpoint security best practices plan operates much the same way.

Think about all the possible ways an intruder could penetrate your network and set up controls that ensure only authorized individuals get through. That means strong login passwords for desktop computers, laptops, tablets, smartphones, and WiFi access points. Use firewalls, anti-malware, anti-spam, and anti-phishing tools. Block USB flash drives.

Patch systems promptly

When a technology vendor releases a security update for their application, chances are that the vulnerability it seeks to fix is already public knowledge (or at the very least, is known in underground hacker forums). Attackers prefer to focus their time, resources, and energies on targets where they have the highest chances of success and where they will run into the least resistance. Targets bedeviled by a known vulnerability will, therefore, be low-hanging fruit.

You can considerably limit the chances of a successful cyberattack by promptly applying security updates when they become available. Updates should be applied to all systems including network systems, central software systems, and end device firmware. Since the average enterprise runs at least dozens of systems and hundreds of devices, manually checking for and updating all systems is impractical. Security updates are most effective when the process of checking for and running them is automated.
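
An automated check of this kind can be as simple as comparing an asset inventory against a feed of fixed versions. The following is an added example, not code from the article: the inventory, the vendor feed, the product names, and the 14-day deadline are all constructed assumptions.

```python
from datetime import date

# Constructed inventory covering the three layers the article names.
INVENTORY = [
    {"asset": "core-sw-01", "layer": "network", "product": "switch-os", "version": "9.3"},
    {"asset": "erp-app-01", "layer": "central software", "product": "erp-suite", "version": "12.1.4"},
    {"asset": "pos-till-07", "layer": "device firmware", "product": "till-fw", "version": "3.0.9"},
    {"asset": "lap-0142", "layer": "device firmware", "product": "uefi-fw", "version": "1.18.0"},
]
# Constructed vendor feed: product -> (first fixed version, date the update shipped).
FIXES = {
    "switch-os": ("9.3.2", date(2024, 3, 1)),
    "erp-suite": ("12.1.4", date(2024, 2, 10)),
    "till-fw": ("3.1.0", date(2024, 3, 20)),
}
MAX_DAYS_UNPATCHED = 14  # assumed deadline; the article only says "promptly"


def version_key(version: str, width: int = 4) -> tuple:
    """Pad '9.3' to (9, 3, 0, 0) so it compares equal to '9.3.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def patch_report(inventory, fixes, today):
    """Classify every asset as current, pending, overdue or untracked."""
    report = {}
    for item in inventory:
        fix = fixes.get(item["product"])
        if fix is None:
            # No feed entry: nobody is checking this product for updates.
            report[item["asset"]] = "untracked"
            continue
        fixed_version, released = fix
        if version_key(item["version"]) >= version_key(fixed_version):
            report[item["asset"]] = "current"
        elif (today - released).days > MAX_DAYS_UNPATCHED:
            report[item["asset"]] = "overdue"
        else:
            report[item["asset"]] = "pending"
    return report


if __name__ == "__main__":
    for asset, status in patch_report(INVENTORY, FIXES, date(2024, 3, 25)).items():
        print(f"{asset}: {status}")
```

The "untracked" result matters as much as "overdue": a device whose product has no entry in the update feed is one that the automated process is not covering at all.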

Social media-conscious

A glance at the most popular mobile apps on the planet would show how pervasive social media use is. Social media has certainly played an enormous part in connecting businesses and people around the world.

However, social networking sites have inadvertently become an information gold mine for cybercriminals seeking confidential personal data on a target individual or organization. Such information can be used for identity theft or provide valuable hints when guessing passwords. Social engineering attacks such as phishing heavily rely on knowing some personal information about the target such as their supervisor’s name, area of residence, pet name, or car make.

You could counter social media risks by adopting the nuclear option — blocking access to all social media sites. But that will only prevent employees from sharing sensitive information using the company’s network. It’s more effective to combine this with employee education advising on security-conscious social media use in and outside the workplace.

Train staff on configuring privacy settings in a way that makes it harder for a malicious third party to see any sensitive personal information they share on their private social media accounts.

An endpoint security best practices starting point

With employees relying on a diverse range of hardware and software tools to execute everyday tasks, the need for endpoint security is greater than it has ever been. These best practices do not cover all there is to know about endpoint security but provide a useful starting point for organizations looking to move their IT security strategy in the right direction.

Stephen M.W.

Stephen regularly writes about technology, business continuity, compliance and project management. He's worked with companies such as Canva.com, EnergyCentral.com, and Citibank.
