Many people ask our engineers for Information Security advice, so we decided to put together a list. Started at 5, grew to over 20 so thought we would limit to 10 to give some focus. We will share the other 10 with you next month!
You are a Target
Never say “it won’t happen to me” – everyone is a target. We are all at risk and the stakes are high for your personal and financial well-being and that of your company or organisation.
Beware of any “official looking” suspicious emails looking to trick you into divulging personal information or asking you to transfer or make payments.
Maintain strong unique passwords; your password policy should enforce this based on the complexity and change cycle. Choose a good password at least 12 characters long, mixture of numbers, special characters, small and capital letters to create a mental image or an acronym that is easy for you to remember.
Multi Factor Authentication
Multifactor authentication is the most proactive way for securing online information. Passwords can be compromised, so once they are, it is easy for criminals to gain access to your account. Multifactor authentication requires an extra step to authenticate your identity; be it an App or text message on your phone. It is important to have Multifactor factor authentication on all web-based applications e.g. Office 365, Salesforce, Xero, Dynamics 365, SharePoint – Examine which of your applications are web based and implement Multifactor on all. Two-factor authentication is recommended by ENISA.
Protect Your Data
Make sure your data is encrypted on laptops, desktops and servers. Not only is it a good thing, GDPR rules state that all data containing personal information needs to be encrypted. See how Microsoft 365 can simplify GDPR.
Use of Mobile Devices
Make sure pin codes are enforced, mobile phones are enrolled on your network if receiving email or company data so that you can control the security settings and wipe the phone or your organisations data if phone is lost or stolen.
All information should be saved to Fileserver drives or Cloud storage (SharePoint) which in turn should be backed up. No important data should be stored on local devices.
If your company or organisation has a data breach, or data is accidentally exposed on a phishing scam, what do you do? Put a plan in place; examine your information security policy. Is it up to date? Do you have one?
The human factor in Information Security is something you cannot ignore. Add IT cyber security awareness to you onboarding process. Carry our regular IT security awareness training to include; Anti Phishing, Ransomware Prevention, Security Training for mobile computing and Data Protection training for all staff.
Limit Employee Access
Ensure that only those employees that need access to sensitive data, files, and documents have access. When every employee has access to every resource, you run a higher risk of exploitation.
You might recall last month we posted 10 security tips. Hopefully these are all in hand and you have shared them with your colleagues and implemented the best practice advice. Following up; here is the next 10!
Security Starts at the Top
Information Security starts at the top, organisations should work towards proactive risk management rather than reactive compliance. So, include Information Security Risk Management into your business planning and staff induction.
Tell your users to read emails carefully, hover over the links to fully read URLs exchanged on email. Spelling errors, suspicious redirects and implied urgency are tell-tale signs that the email is from a suspicious source. Carry out simulated Phishing attack training. Read our guide on how to spot phishing emails for more information.
Use Multiple Lines of Communication
If you are sent a request for sensitive information via email, contact the sender to verify by telephone; never just email back as the sender’s email may be compromised.
Browsers and Other Software
Use Google Chrome as a browser. This browser receives the most frequent automatic security updates. An insecure web browser can lead to spyware being installed on your computer without your knowledge, attackers taking control of your computer, stealing your information, or even using your computer to attack other computers. Also make sure browser plug-ins such as Flash and Java are up to date.
Avoid using non business websites and don’t download software from untrusted sources. These sites often host malware that will automatically and silently compromise your computer.
Disposal of Media
It is important to make sure data is erased and electronic equipment is disposed of correctly in order to protect confidential and sensitive data from accidental disclosure.
Check regularly if your email account has been breached. If you have been caught up in a breach, changing your password and not using the password for anything else should resolve the issue. We can help with this.
Also check if rules have been set up to run in your mailbox.
Turn on ad blocking to reduce the number of ads that show when browsing. Ads can contain malicious code which may compromise your computer.
Don’t leave your PC or Laptop unlocked, it is an unnecessary security risk. Set up screen locks on all devices.
Beware of what you plug into your computer, Malware can spread though infected USB keys and external hard-drives and even smart phones.