Since internal websites usually keep sensitive employee and client information, intranet security is a high priority, especially for regulated industries like banking or healthcare that may get hefty fines because of security vulnerabilities.
We’ve been developing secure intranets based on SharePoint for 12 years and we’d like to share with you the most common threats and best practices to handle them in this article.
Intranet security risks and ways to handle them
Intranet security risks are divided into two groups: internal vulnerabilities and external threats.
To internal vulnerabilities belong:
- Weak passwords. 80% of hacking-related breaches are tied to weak, compromised or reused passwords.
Your IT team should introduce the policy of creating strong passwords and the necessity to reset them regularly, for example, after every 60 days of use. Also, admins should enable automatic logoff after a certain period of user inactivity and prevent logins from saving on computers and mobile devices.
- Non-restricted access. If any user is able to view any information on the intranet, including sensitive data, it can often lead to information leaks.
Your IT specialists need to configure role-based permissions that determine who can view, edit, or share certain files. Also, they can enable two-factor authentication. What’s more, an audit trail can be used to track all content-related user activities like uploading and modification.
- Unprotected data. While not encrypted, intranet data may be susceptible to security breaches.
Your admin should encrypt intranet data at rest and in transit. For example, in SharePoint intranets, BitLocker offers two-level encryption of data at rest: it encrypts all data on a disk and provides a unique key for each file. And data in transit is protected due to SSL/TLS connection.
- Unsecured remote access. Employees can enter cloud intranets remotely via their mobile devices. These devices usually don’t have reliable antiviruses or firewalls capable of protecting corporate information within public 3G, 4G or Wi-Fi networks.
Your IT professionals should arrange employee training on the importance of securing their mobile devices, especially if they use them to reach the corporate intranet. What’s more, the IT team should have remote access to work-related data on these devices. It will help them to monitor users’ activities, collect log info and implement remote wipe of sensitive data in case the devices are lost or stolen. As a result, a device is restored to default configuration with all intranet-related data, apps and settings removed.
To external threats belong:
- Malware. Viruses, ransomware, and spyware can attack an intranet and seriously affect its performance, for example, cause slow operating and technical errors.
The IT team should regularly conduct intranet event monitoring, which helps to detect such issues as an unusual activity or an uncommonly large data inflow. Since the malware threat is constantly changing, it’s crucial to timely update anti-malware tools.
- Social engineering (phishing). Phishing attacks using tools integrated with an intranet (e.g. email, chat) can lure employees to disclose sensitive information like customers’ contacts or account numbers, which can damage the reputation of the company concerned.
Your IT team needs to install anti-phishing software. Also, the team should encourage users to be hyper-aware of emails asking for personal and financial information, inspect URLs and links for odd characters or misspelled words, and more.
- Distributed Denial of Service (DDoS) attacks. These attacks are aimed at overwhelming an intranet with data requests, which makes it inoperable.
To protect against DDoS attacks, your IT professionals should utilize such tools as firewalls, and load balancers to control the volume of traffic reaching your intranet.
Protect your intranet
Using a variety of technical tools and preventive measures like security analytics taken by your IT team is half of the battle for a secure internal website. The other half rests with intranet users who should undergo security and compliance training and follow corporate security policies.