The Three Pillars of Web Security

May 9, 2012

This is the age of information, and providing your users with Internet access enables them to reach the information they need to help the company remain competitive, aware, and responsive to customer needs. That same access can also present significant risks to the security of your IT systems, the safety of your critical data, the privacy of your customers, and the productivity of your coworkers. Maintaining a strong web security posture is therefore imperative and a key component of your information security program. Web security is more than just software or hardware. There are three pillars of web security, and all three must be equally strong to support your company’s safe and secure access to the Internet.

The first pillar of any web security program must be a well-thought-out, written, and promoted policy. Whether you incorporate the company’s wishes into the Acceptable Use Policy or create a separate Internet Access Policy, you must have a written document that provides a clear and authoritative statement of what is, and is not, considered acceptable by the company. While this document does not list by name every website an employee can or cannot access, it should lay out in clear, easy-to-understand language what is considered acceptable and unacceptable use of the Internet. It must be supported by management, vetted by HR, and reviewed with all new hires and with every employee annually.

The weakest link in any security program will be the human element, and this holds true for web security as much as for any other aspect of security. To have a successful web security program, it is not enough to have users read the Acceptable Use Policy and sign a piece of paper saying that they understand it. Don’t get me wrong; that is very important, but it is not enough. No matter what security solutions you implement, there is always the chance that something will get through your defenses, and that is where user education comes into play. When users assume that nothing bad can happen because there’s a firewall in the datacenter, they are much more likely to click suspect links, open suspicious attachments, and visit questionable sites, because they think the firewall will protect them. You must educate your users on a continuous basis about the risks Internet access presents, how to recognize phishing messages and spam, and why unexpected attachments can be so dangerous. When your end users understand web security, even if only at a superficial level, they become an active part of your web security program and contribute to the overall safety of your network.

While your users are the last line of defense, they are not the best line of defense, and they definitely should not be considered the only line of defense. Your web security program must be anchored by good web security software. The software is the technical implementation of the policy, and it should be backed up by the knowledge users gain through education. Good web security software will include anti-malware protection that scans not only file downloads but also web pages for malicious code and scripts; that blocks access to phishing sites; that allows or denies access to websites based on category, reputation, and explicit permit and deny lists; and that offers robust logging and reporting.

A successful web security program will rest on three pillars: policy, education, and technology. Each of these is equally important, and each complements the other two. By having a well-written policy supported by management, you have the baseline for determining what is and is not acceptable. By educating your users, you are much better protected against threats that might get past your other defenses. By implementing good web security software, you can protect your users while also enforcing and supporting what is spelled out in policy. One goal, three pillars – good web security is as easy as that.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security, and messaging needs.

All product and company names herein may be trademarks of their respective owners.