An intranet, which is an internal online environment that houses company resources, can be highly useful for employees. An intranet may have areas to download important documents, perform research, access HR resources, communicate and collaborate with other employees, and more. The following video highlights the difference between intranets and the internet.
Intranets face many of the same security challenges as other online environments, as well as some unique ones. So, what is intranet security? Why is intranet security important? And how do you protect an intranet?
What Is Intranet Security?
A common myth is that an intranet is safe because its data never leaves the company network. In practice, threats come not only from outside but also from within: employees who cause harm deliberately, and employees who cause it by mistake. The sections below cover intranet security best practices for protecting against insider risk, network attacks, data breaches, and malware.
Use Intranet Security Best Practices
While much of intranet security depends on behind-the-scenes processes that users never see, some controls require user participation. Operators can put in place controls like those listed here to add another layer of protection.
Passwords. Despite repeated warnings from the IT community, weak passwords are still common. Ensure your intranet enforces strong ones: at least 12 characters long, screened against lists of known-breached passwords, and not containing the user's name or the company name. Length matters more than mixing character classes, and current NIST guidance (SP 800-63B) recommends against forcing upper-case, digit, and symbol rules; pair passwords with multi-factor authentication wherever the platform supports it.
Centralized authentication. Rather than letting each intranet application keep its own password store, authenticate against one central identity provider. Single Sign-on (SSO, usually via SAML or OpenID Connect) lets users log in once and reach every application, and the identity provider can be backed by an existing directory such as Active Directory (AD) or any LDAP server. Keeping accounts in one place means a departing employee's access is revoked everywhere at once, and adding multi-factor authentication or secure mobile access becomes a single change rather than one per application.
Digital signatures/certificates. A digital signature lets a recipient verify that a document or message came from the claimed sender and has not been altered since it was signed: the sender signs with a private key only they hold, and anyone with the matching public key, typically distributed in a certificate, can check the signature. No shared password is involved, and a signature does not by itself encrypt the document; if the content must also stay confidential, encrypt it separately (for example, serve it only over TLS).
Transaction confirmation. For actions that matter, such as changing direct-deposit details or approving a purchase, send a confirmation through a second channel (an email or a paper notice) so the account owner learns of any transaction they did not initiate and can report it promptly.
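The password rules in the Passwords item above, as an added example that is not part of the original article: a Go policy check that enforces minimum length, rejects passwords found in a breached-password list, and rejects passwords containing the user name or company name. The breached list, the company name "acme", and the sample passwords are constructed for this example; a real deployment would use a large breach corpus or a k-anonymity lookup service.

```go
package main

import (
	"fmt"
	"strings"
)

// breachedPasswords is a constructed stand-in for a breached-password list.
// Entries are stored lower-case and compared case-insensitively.
var breachedPasswords = map[string]struct{}{
	"password1234": {},
	"welcome2024!": {},
	"intranet2024": {},
}

const (
	minLength   = 12
	companyName = "acme" // constructed for this example
)

// CheckPassword returns the reasons a candidate is rejected. An empty slice
// means the candidate passes policy. Note that no character-class rule is
// applied: length and breach screening do the work.
func CheckPassword(username, candidate string) []string {
	var problems []string
	lower := strings.ToLower(candidate)

	if len([]rune(candidate)) < minLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minLength))
	}
	if _, hit := breachedPasswords[lower]; hit {
		problems = append(problems, "appears in breached-password list")
	}
	if u := strings.ToLower(username); u != "" && strings.Contains(lower, u) {
		problems = append(problems, "contains the user name")
	}
	if strings.Contains(lower, companyName) {
		problems = append(problems, "contains the company name")
	}
	if repeatedRun(candidate, 4) {
		problems = append(problems, "contains a run of four or more identical characters")
	}
	return problems
}

// repeatedRun reports whether s contains n or more identical consecutive runes.
func repeatedRun(s string, n int) bool {
	run := 0
	var prev rune = -1
	for _, r := range s {
		if r == prev {
			run++
		} else {
			run = 1
			prev = r
		}
		if run >= n {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs.
	samples := []struct{ user, pw string }{
		{"jsmith", "Welcome2024!"},                 // breached, despite mixed classes
		{"jsmith", "jsmith-rocks-2024"},            // contains the user name
		{"jsmith", "acmeacme1111"},                 // company name and repeated run
		{"jsmith", "correct horse battery staple"}, // passes
	}
	for _, s := range samples {
		fmt.Printf("%-30q -> %v\n", s.pw, CheckPassword(s.user, s.pw))
	}
}
```

The check deliberately reports every failing rule rather than stopping at the first, so the user gets one complete message instead of a series of rejections.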
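The sign-and-verify behaviour described in the Digital signatures/certificates item above, as an added example that is not part of the original article: signing an intranet policy document with an Ed25519 private key and checking it with the public key, using only Go's standard library. The document text is constructed; the example shows that the signature verifies on the original, fails on a tampered copy, and fails under a different signer's public key, with no shared password anywhere.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignDocument produces a detached signature over doc with the signer's
// private key. Only the holder of the private key can produce it.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyDocument checks sig against doc with the signer's public key. Anyone
// holding the public key (for example, from a certificate) can verify.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Demo returns three results: whether the untouched document verifies, whether
// a tampered copy verifies, and whether the original verifies under an
// unrelated signer's key.
func Demo() (original, tampered, wrongKey bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample document.
	doc := []byte("Policy v3: VPN is required for remote intranet access.")
	sig := SignDocument(priv, doc)

	// One-word change to the content; the signature no longer matches.
	altered := bytes.Replace(doc, []byte("required"), []byte("optional"), 1)

	// A second, unrelated key pair stands in for an impostor's certificate.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	return VerifyDocument(pub, doc, sig),
		VerifyDocument(pub, altered, sig),
		VerifyDocument(otherPub, doc, sig)
}

func main() {
	o, t, w := Demo()
	fmt.Printf("original verifies: %v\ntampered verifies: %v\nwrong key verifies: %v\n", o, t, w)
}
```

In a real deployment the public key is pinned to an identity by a certificate issued by an authority the intranet trusts; the signing step and the verification step are otherwise exactly these two calls.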
Limit What Data Is Allowed
Intranet operators should know what data is on their intranet, and employees should be limited in what they can post. Some intranets accumulate classified or regulated information that should not be there, opinions and statements not endorsed by the company, and games or other unauthorized programs. These present liability and security risks and should be weeded out.
Use Access Control
Access control means limiting who in your organization can reach which information. Employees should be able to access only the data they need to do their jobs (the principle of least privilege). To enforce this, make sure your intranet platform supports roles and permissions.
That is, assign each team member one or more roles based on their function, and attach permissions to the roles rather than to individuals. Besides limiting exposure, this keeps each worker's view free of irrelevant data, and it turns joiner, mover, and leaver changes into a change of role assignment rather than an audit of individual grants.
Managers should also be limited in what information about their employees they can see. In worst-case scenarios, access to medical, compensation, or similar records can be used to act on bias against certain employees, or create the appearance of it. Either way, it is a liability for the organization.
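The role-based model from the three paragraphs above, as an added example that is not part of the original article: a Go authorization check in which permissions attach to roles, a user holds roles, and anything not explicitly granted is denied. The roles, permission names, and users are constructed; note that the team-medical permission exists but is granted to no role, which is how the manager restriction in the last paragraph is expressed.

```go
package main

import "fmt"

// Permission names are constructed for this example.
type Permission string

const (
	ReadHandbook    Permission = "handbook:read"
	ReadOwnPayStub  Permission = "paystub:read:own"
	ReadTeamRoster  Permission = "roster:read:team"
	ReadTeamMedical Permission = "medical:read:team" // defined, but granted to no role
	PublishPolicy   Permission = "policy:publish"
)

// rolePermissions maps each role to the permissions it grants. There is no
// wildcard and no fallback: anything not listed is denied.
var rolePermissions = map[string]map[Permission]bool{
	"employee": {ReadHandbook: true, ReadOwnPayStub: true},
	"manager":  {ReadHandbook: true, ReadOwnPayStub: true, ReadTeamRoster: true},
	"hr":       {ReadHandbook: true, ReadOwnPayStub: true, ReadTeamRoster: true, PublishPolicy: true},
}

// User holds roles; permissions are never attached to a user directly.
type User struct {
	Name  string
	Roles []string
}

// Allowed is the single check every intranet handler calls before serving a
// resource. It returns true only if some role of the user explicitly grants p.
// Looking up an unknown role yields a nil map, and indexing a nil map in Go
// safely returns false, so unmapped roles are denied everything.
func Allowed(u User, p Permission) bool {
	for _, r := range u.Roles {
		if rolePermissions[r][p] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample users.
	users := []User{
		{"alice", []string{"employee"}},
		{"bob", []string{"manager"}},
		{"carol", []string{"employee", "hr"}},
		{"dave", []string{"contractor"}}, // no mapping defined: denied everything
	}
	checks := []Permission{ReadHandbook, ReadTeamRoster, ReadTeamMedical, PublishPolicy}
	for _, u := range users {
		for _, p := range checks {
			fmt.Printf("%-6s %-20s %v\n", u.Name, p, Allowed(u, p))
		}
	}
}
```

Because the decision is made from one table, reviewing who can see what is a matter of reading that table, and removing a capability from every manager at once is a one-line change.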
To further limit exposure of sensitive information, serve it only over HTTPS so it is encrypted between the server and the browser. This is essential when employees view 401(k) statements, pay stubs, or medical information from their company-provided insurance. The server should also mark such responses as not cacheable (Cache-Control: no-store) so that a shared, lost, or later-compromised machine does not keep a copy of the page on disk.
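The cache control just described, as an added example that is not part of the original article: a Go net/http middleware that stamps no-store headers on any handler serving personal data, together with a check that inspects a response in-process. The pay-stub handler, its path, and its body are constructed for the example; TLS termination is assumed to happen in front of this server.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sensitiveHeaders are set on any response that renders personal data so that
// neither the browser nor an intermediate proxy keeps a copy.
var sensitiveHeaders = map[string]string{
	"Cache-Control": "no-store, max-age=0",
	"Pragma":        "no-cache", // honoured by some legacy HTTP/1.0 caches
	"Expires":       "0",
}

// NoStore wraps a handler and sets the headers before the body is written.
// Headers must be set before the first Write, which is why this happens in a
// wrapper rather than being left to each handler.
func NoStore(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range sensitiveHeaders {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// CacheSafe reports whether a response carries a no-store directive.
func CacheSafe(h http.Header) bool {
	return strings.Contains(strings.ToLower(h.Get("Cache-Control")), "no-store")
}

// ServeAndInspect runs one request through h in-process and returns the
// response headers, so the policy can be checked without a network listener.
func ServeAndInspect(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/paystubs/2024-05", nil))
	return rec.Result().Header
}

// payStub is a constructed stand-in for a handler that renders personal data.
var payStub = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "Pay stub for May 2024 (constructed sample)")
})

func main() {
	fmt.Println("unwrapped handler cache-safe:", CacheSafe(ServeAndInspect(payStub)))
	fmt.Println("wrapped handler cache-safe:  ", CacheSafe(ServeAndInspect(NoStore(payStub))))
}
```

The same CacheSafe check can be run against a live intranet URL with a plain HTTP client as a quick audit of which pages would survive in a browser cache.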
Protect the Physical Hardware
While it’s easy to think of cyber attacks as happening only in the digital world, those digital assets live on physical hardware, and that hardware must be protected against intrusion and theft just as much. If criminals get hold of unencrypted hard drives or thumb drives, they can read the data and credentials on them; full-disk encryption on servers and laptops and encrypted removable media blunt this. If they can reach routers or servers, they can reach the network. Access control systems and video surveillance help keep unauthorized people away from physical equipment.
Train Employees
No matter what processes or procedures are in place, they won’t help if team members don’t know how to use them. Employers should therefore make intranet security part of their overall cyber security training. Employees should understand why certain processes are in place and how to make the best use of them. For example, they should be trained on choosing strong passwords, logging on and off properly, and using digital certificates.
Remember that much of the common advice for general cyber security also applies to intranet security, including not sharing login credentials, not clicking links or opening attachments from unknown sources, and double-checking unusual instructions from anyone claiming to be a company executive or other authority figure, a common pretext in business email compromise. In addition to holding courses and seminars, assign an IT liaison to answer team member questions and check their progress on an ongoing basis.
Unfortunately, employees often find education about cyber security, including intranet security, uninteresting. If possible, find ways to pass along this information in an engaging way, such as through gamification or quizzes. You can even create employee teams to see which ones can get the highest scores over time. The best education is interactive and ongoing.
Document Intranet Policies
To be most effective, these strategies should be documented in a comprehensive guide that states who is responsible for each control and how it is carried out. The guide should cover remote workers who access the company intranet and any mobile devices connected to it. It should also include the steps to take in the event of a breach and a schedule for revisiting the controls as threats change.