Everyone wishes his or her organization could be more secure. With the number of hackers and other threats to your cybersecurity out there, there’s always a new security practice to enact. This can be incredibly overwhelming, especially for smaller organizations that lack resources or security focused staff. Often, the most effective strategy for keeping organizations, users, and customers safe is to focus on the fundamentals. Here are OATI’s Top Seven Security Best Practices for entities in the energy industry. 

1. Minimize the surface area for attacks

• Disable unused protocols and services
• Only open necessary components through firewalls
• Isolate public facing systems through the use of DMZ networks

2. Create a comprehensive access control system to ensure the confidentiality of your data

• Use centralized authentication systems such as RADIUS/TACACS or Active Directory/LDAP
• Enforce a strong password policy including password length, types of characters, age, and history requirements
• Consider the use of dual factor authentication using certificates, tokens, or biometrics
• Use role-based access controls and practice the principle of least privilege 
• Use logging, auditing, and accounting to gain visibility and have a record of the actions taken on information systems

3. Practice defense in-depth

• Multiple layers of security stop unwanted traffic at multiple points
• Firewalls, intrusion detection systems, server hardening, and endpoint security software all play a role in stopping attacks
• End user systems are often the weak link – secure them with antivirus and antispyware tools and don’t allow sensitive information to be stored on mobile devices

4. Develop a plan for ensuring your operating systems and applications are secure

• Routinely patch operating systems and applications using automated mechanisms with reporting capabilities
• Perform firmware upgrades
• Consider performing vulnerability scans and penetration tests

5. Ensure the availability of your critical systems

• Right sizing hardware and network capacity
• Employ redundancy in network, servers, and storage 
• Perform backups and test recoveries 
• Incorporate this into your business continuity plan 

6. Don’t forget about physical security

• Servers should be in a secure location with physical access controls 
• PCs should be shut down or locked when not in use
• Laptops, smartphones, and portable hard drives should be physically secured and also password protected or encrypted 
• Data backups or replicas should be stored off-site

7. Keep your employees informed about cybersecurity best practices

• Train them to understand phishing tactics and avoid clicking on unsolicited links or attachments 
• Teach them to be equally cautious on the phone and avoid giving out personal information, corporate information, or passwords over the phone
• Develop acceptable use policies and incorporate them into the company’s employee handbook

By staying current on these best practices, you can be confident that you are laying a strong foundation to protect your organization from security threats. To learn more about OATI and our commitment to security, visit oati.com/about/security.