The 10 Essential Cybersecurity Controls
Have you established a cybersecurity plan that you believe to be robust? “Expect a breach anyway, and always assume that a malicious action can occur.” This is how our IT security expert, Francis Venne, approaches each project in order to prevent the worst and anticipate even the slightest event. To help you strengthen your response plan, here are his 10 recommendations to actively combat cyberthreats.
These validation points will allow you to establish a solid foundation on which to build all your other cybersecurity measures. This is just a starting point, a checklist to ensure that your foundations are well protected.
This is a rigorous and continuous process that our team in charge of IT security, headed by Francis Venne, strengthens and accentuates in a preventive and reactive way on a daily basis. Our meticulous procedures protect both nventive and our clients in order to develop secure digital solutions together that are resistant to cyberattacks.
- Have an incident management plan
Although you may feel safe from attacks, it is essential to know how to anticipate them. Establishing an incident response plan that allows your team to identify a wide range of potential cyberthreats ahead of time, and to understand how to properly take the lead if they occur, is therefore essential.
You will then be better equipped to establish a Business Continuity Plan to remain operational during the incident, including a Disaster Recovery Plan to better defend the affected infrastructure and react faster.
Taking a complete inventory of the IT system and the measures in place is essential, as is keeping an up-to-date log of past incidents with information on how they were resolved.
- Establish a risk management policy
By knowing what the risks are, it is much simpler to minimize them. Establishing a risk management policy guarantees you not only greater vigilance, but also a manual of best practices to consult in the event of a breach, doubt, or question.
This document must then become a living document: when a missing element is noticed or an update is carried out, they must be recorded, then communicated to the whole team.
- Train the employees
Most of the time, cyberattacks occur through negligent internal actions that compromise the security of the systems, such as phishing or unintentional data leaks.
“A chain is only as strong as its weakest link. If you have armoured doors but your employees leave them wide open, you can’t be protected.”
Francis Venne, head of IT security
With the implementation of regular training, the staff will be even more aware and alert to malicious threats, allowing your organization to avoid careless mistakes.
- Conduct the right checks upon hiring
Beyond the internal measures during the onboarding of a new employee, it is essential to put controls in place during recruitment. This is why a criminal record check is one of the necessary steps in the hiring process in the technology field.
The company must also ensure that the measures in place are not disclosed to malicious sources. It is therefore strongly recommended to have all your staff sign a non-disclosure agreement to ensure that any confidential information remains confidential.
- Control access to the building, devices, and network
It goes without saying that the security of your company goes beyond IT security. It should start with the physical security of the building and the devices that operate your system.
Limiting access to the office using cards, keys, or turnstiles helps ensure that only the right people are allowed to enter. Once inside, it is essential to control who can have access to the secure WiFi and the software shared with clients.
In the era of hybrid work mode, remote access must also be secured by protecting the company with robust remote work policies. Only controlled devices can be used in development.
- Apply the principle of least privilege
Identity and access management (IAM) must be a fundamental pillar of your cybersecurity plan. This is a process that makes it possible to properly designate which roles require certain levels of access and which can do without them.
This is the idea of role-based access control (RBAC), which greatly reduces the probability of an accident. It is therefore essential to properly define the roles and regularly re-evaluate them if there is turnover in the team.
Limiting the downloading of software and restricting the use of work machines to work purposes become essential elements to avoid serious errors. In addition, if strong password, multi-factor authentication, and encryption policies are introduced at the same time, solid bricks are added to our fortress.
- Secure the software development cycle
Any IT company must also make sure to have a secure development process that is respected internally, so that every change is deliberate and flaws cannot creep into the supply chain.
By following an Agile methodology, the code can be peer reviewed to identify design flaws, while optimizing it so that it is up to date and secure. Then, the applications are deployed through pipelines to minimize the risk of human error during production. Thanks to static application security testing (SAST) with reputable tools such as Snyk, it is possible to automatically identify vulnerabilities that may have escaped the vigilant eyes of the developers. This type of tool also allows you to scan project dependencies and infrastructure as code (IaC).
Before even writing a line of code or embarking on data collection, our team considers the most secure and efficient way to proceed. During the development of digital solutions, access to the code repositories is limited and assigned to authorized experts. If a transition occurs within the team, the employee should no longer have the ability to modify the source code of a project if their role no longer requires it. The IT and security teams should conduct an internal audit every six months to clean up access.
A developer therefore cannot choose to make a modification without it being documented, reviewed by their peers, and approved by the client. The same goes for the online release: a digital solution will never be deployed without being validated and properly evaluated by the client beforehand.
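The two controls above (least privilege through role-based access, and a periodic audit that removes repository access a role no longer needs) can be expressed as a small access model. The following is an added illustration, not nventive's own code or tooling: the roles, permissions, users and the six-month review interval are constructed assumptions. It denies everything by default, drops a user's old permissions when their role changes, and flags accounts whose review is overdue or that hold grants outside any defined role.

```python
"""Role-based access control with a periodic access review.

Added example, not the page's or nventive's code. Roles, permissions,
users and the review interval are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Role -> permissions. Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "pipeline:run"},
    "reviewer": {"repo:read", "repo:approve"},
    "project_manager": {"repo:read", "ticket:write"},
}


@dataclass
class User:
    name: str
    roles: set
    last_reviewed: date
    # Permissions granted ad hoc, outside any role. Least privilege says
    # these should be rare and should be caught by the periodic review.
    direct_grants: set = field(default_factory=set)


def is_allowed(user: User, permission: str) -> bool:
    """Allow only if a role or a direct grant carries the permission."""
    from_roles = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    return permission in from_roles or permission in user.direct_grants


def change_role(user: User, old_role: str, new_role: str) -> None:
    """Team transition: removing the old role removes its permissions too,
    so a former developer can no longer push to the source code."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


def access_review(users, today: date, max_age=timedelta(days=182)):
    """Periodic clean-up (about every six months in the article).

    Returns (user, finding) pairs for accounts that need attention:
    review overdue, grants outside any role, or roles that no longer exist.
    """
    findings = []
    for u in users:
        if today - u.last_reviewed > max_age:
            findings.append((u.name, "review overdue"))
        for p in sorted(u.direct_grants):
            findings.append((u.name, f"direct grant outside any role: {p}"))
        for r in sorted(u.roles):
            if r not in ROLE_PERMISSIONS:
                findings.append((u.name, f"unknown role: {r}"))
    return findings


if __name__ == "__main__":
    # Constructed sample users (assumed data, not real accounts).
    today = date(2024, 6, 1)
    alice = User("alice", {"developer"}, date(2024, 5, 1))
    bob = User("bob", {"reviewer"}, date(2023, 10, 1), {"repo:write"})
    print("alice repo:write ->", is_allowed(alice, "repo:write"))
    change_role(alice, "developer", "project_manager")
    print("alice repo:write after transition ->", is_allowed(alice, "repo:write"))
    for name, finding in access_review([alice, bob], today):
        print(f"{name}: {finding}")
```

The review output is what the six-monthly audit would act on: an overdue account gets re-certified or disabled, and a direct grant is either folded into a role that genuinely needs it or removed.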
- Keep your antivirus, firewall, and computer equipment up to date
For Francis Venne, updating the systems is stating the obvious. “Having good IT hygiene is essential. Updates exist due to vulnerabilities discovered by researchers.” The fortress is only as strong as the defence of its perimeter.
In addition, these measures are often paid third-party products. Properly configuring your tools ensures you are not paying for a feature that only half works.
- Create backups (and don’t forget to test them!)
Establishing backups is good, but ensuring that they work and are accessible in case of an emergency is better! How long does it take to download it? And for critical data, how long can you live without it? Can the company operate while it is being recovered?
Once the backup has been created, it is obviously necessary to ensure that it is properly secured and encrypted. It is also helpful to provide an estimate of the system’s value by detailing the purchase of new hardware, the time it takes to operate it, and the value of the data that it contains. That way, you will be in a better position to determine which system to prioritize in the event of an outage or attack.
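The point of the passage above is that a backup only counts once a restore has been rehearsed and timed. The following is an added example, not nventive's procedure: it creates a backup of a directory, records its SHA-256 digest, refuses to restore an archive whose digest no longer matches, restores into a fresh location, checks file-by-file that the restored data equals the source, and compares the elapsed time against a recovery time objective. The sample files and the 60-second objective are constructed assumptions.

```python
"""Backup creation, integrity check and timed restore test.

Added example, not the page's or nventive's code. Sample data and the
recovery time objective (RTO) are constructed assumptions.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path) -> str:
    """Archive source_dir and return the digest to store alongside the backup."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return sha256_of(archive_path)


def restore_backup(archive_path, expected_digest: str, target_dir) -> None:
    """Verify integrity first; a corrupted or tampered archive is never extracted."""
    if sha256_of(archive_path) != expected_digest:
        raise ValueError("backup checksum mismatch: refusing to restore")
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(target_dir, filter="data")  # safe extraction filter
        except TypeError:  # Python without the extraction-filter argument
            tar.extractall(target_dir)


def snapshot(directory) -> dict:
    """Map of relative path -> digest, used to compare source and restore."""
    directory = Path(directory)
    return {str(p.relative_to(directory)): sha256_of(p)
            for p in directory.rglob("*") if p.is_file()}


def run_restore_test(source_dir, rto_seconds: float) -> dict:
    """Full rehearsal: back up, restore elsewhere, compare, time it."""
    with tempfile.TemporaryDirectory() as work:
        archive = Path(work) / "backup.tar.gz"
        digest = create_backup(source_dir, archive)
        restore_dir = Path(work) / "restore"
        restore_dir.mkdir()
        start = time.monotonic()
        restore_backup(archive, digest, restore_dir)
        elapsed = time.monotonic() - start
        return {
            "archive_sha256": digest,
            "restored_matches_source": snapshot(source_dir) == snapshot(restore_dir),
            "restore_seconds": elapsed,
            "within_rto": elapsed <= rto_seconds,
        }


def make_sample_data(directory) -> None:
    """Constructed sample files standing in for a real system."""
    d = Path(directory)
    (d / "config").mkdir()
    (d / "config" / "app.ini").write_text("[db]\nhost=example.invalid\n")
    (d / "records.csv").write_text("id,value\n1,alpha\n2,beta\n")


def self_check(rto_seconds: float = 60) -> dict:
    """Run the rehearsal on sample data and confirm a tampered archive is rejected."""
    with tempfile.TemporaryDirectory() as src:
        make_sample_data(src)
        result = run_restore_test(src, rto_seconds)
        with tempfile.TemporaryDirectory() as work:
            archive = Path(work) / "backup.tar.gz"
            digest = create_backup(src, archive)
            with open(archive, "ab") as f:
                f.write(b"corrupted")  # simulate bit rot or tampering
            try:
                restore_backup(archive, digest, Path(work) / "restore")
                result["tamper_detected"] = False
            except ValueError:
                result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    for key, value in self_check().items():
        print(f"{key}: {value}")
```

Run this on a schedule against a copy of real data and record the measured restore time: that number, together with how long the business can operate without the system, is what lets you rank which systems to recover first.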
- Manage the end of life of devices
To ensure an effective digital solution, it is essential to properly equip our experts and to be able to test it on state-of-the-art devices. It then becomes necessary to acquire new devices and get rid of obsolete machines.
Before depositing them at the collection point, it is imperative to ensure that they are empty and that no client data remains stored on them. Once you are sure of this, you can do business with a certified supplier and obtain a certificate of destruction.
It goes without saying that the same principle must be applied to paper documents! It is essential to have a shredder to properly dispose of confidential documents.
Cybersecurity procedures cannot be an afterthought. This is a continuous process where they must be constantly improved, optimized, and updated. What was secure yesterday may no longer be secure today. Our daily internal validations are based on these main principles, so our clients can work with us to create their digital solutions in total confidence.