I'm new to my role and juggling quite a few responsibilities. I've been tasked with enhancing our security practices and convincing users who are resistant to change—sticking to the old 'that's how we've always done it' mindset—to modernize. What are some foundational security policies or best practices we can adopt? Currently, the only rule I'm aware of is prohibiting personal devices on the network, but it seems like there's a more extensive starting point or reference I could use to build from.
6 Answers
For a comprehensive list of best practices and technical controls, you should look into the CIS 18. It outlines essential actions categorized into implementation groups, with Group 1 being the highest priority.
Remember, the key to implementing changes is to take it one step at a time. Rushing everything at once will lead to chaos, especially from those who aren’t tech-savvy—they'll come to you every day with questions until the end of the year! Also, document everything in straightforward language to avoid confusion. Simple instructions reduce the number of small queries you’ll receive.
Here are a few best practices to kick things off: Implement multi-factor authentication everywhere, designate a monthly patch day, and stick with your established "no personal devices" rule. Consider creating a simple one-page cheat sheet for staff with reminders like 'Lock your screen,' 'Report phishing attempts,' and 'Test your backups.' Roll this out in a short all-hands meeting branded as 'Security Basics'—people hate changes but tend to accept checklists. This can cover a large portion of security issues without overwhelming anyone.
I agree with everything that's been suggested. It’s tough to give tailored advice without knowing what equipment you have. Generally, focusing on password policies, MFA enforcement, patching, and email security will yield the best results. It sounds like you have support from your leadership, which really helps. The main challenge will be rolling everything out smoothly. Make sure to inform everyone of any user-impacting changes. It’s best to have your new policies documented and approved by management to minimize pushback. Using recognized standards like NIST and CIS will help legitimize your changes as well.
You can find a ton of valuable resources at nist.gov. For example, check out their publication at https://csrc.nist.gov/pubs/sp/1308/2pd.
This looks useful! I’ll dive into these resources and the associated videos this week. Thanks a lot!
If you’re primarily using Microsoft products, their secure score guidelines at https://learn.microsoft.com/microsoft-365/security/defender/microsoft-secure-score are a solid starting point.

Great idea calling it 'Security Basics.' We have some older staff who might resist change otherwise.