IT security isn’t just important, it’s essential! Often it isn’t a case of if you will be infected or the target of nasty cybercrimes, but when. Let’s not be defeatist though, there are certainly things you can do to weather a cyber-storm.
Mark James, IT security specialist at ESET UK, helps guide us through some essential security tips for the office.
Educate your staff
“In current threats, good password practice, do’s and don’ts when on the internet.”
Your staff are your first and last line of defence against the perils of the internet: even the most advanced and secure Internet security can’t defend against someone unwittingly entering company banking details into a compromised website.
What’s the solution? Education, education, education. If your staff don’t know what a phishing email looks like, how to create a strong password, or how to install updates then how can they be that first line of defence?
Review your user access rights
“Correct physical and virtual access will help lock down the areas that are vulnerable.”
Not everyone needs to be running their terminal with admin rights and not everyone needs access to your most confidential and important files. Reducing the number of people who know the password to something instantly reduces the chance of a leak.
“Make sure your desktops and mobiles are using the most up to date OS and regular updates are being performed.”
If there is a zero-day vulnerability in an OS or another piece of software you can do very little about it. All you can really do is ensure that you update and get it patched ASAP. This means every machine which uses that software or OS: from the terminals your staff use every day to the lesser used systems for printing or presentations etc. If a zero-day can be exploited on one machine on your network, chances are it could let something else in. Every machine is important!
Also update your Internet security
“Ensure your internet security is updating regularly and capable of dealing with today’s threats.”
Malware is constantly evolving and changing, it’s a fact that the IT security industry deals with on a daily basis with small signature updates frequently as opposed to large updates on a weekly or monthly basis. It’s essential that these updates are installed and on every machine that’s connected to your network: it’s only ever as strong as its weakest link.
Avoid Java like the plague
“Remove Java on all machines except those that need it, to be honest these days that should not be many.”
Java and Adobe Flash are constantly in the press and more often than not for all the wrong reasons. At times it seems as if there is a new zero-day for one or the other week on week. Java or Java Script is used to serve up content on some websites and can be disabled extremely easily on all widely available browsers. Flash you can certainly disable and is pretty much only used to serve up video, like YouTube for example, and there are alternatives that seem to be much more secure, for example HTML5 or Silverlight.
Installing programs: Who and What?
“Have policies for not only who can install software on machines but also WHAT can be installed on machines.”
This also makes sense from a licencing point of view. If you only have a limited number of licences for, say, a piece of accounting software then you want to make sure the people who need them have them. You have to ask yourself: I know everyone loves solitaire, but does everyone need solitaire?
Who gets remote access?
“Only allow remote access to those that absolutely have to use it, always use a VPN as the means to get that access.”
Everything and everyone that can access your network from outside is a potential security problem. Keep this number to the absolute minimum and for those that do have it make sure that they can tunnel in securely and use multi-layered authentication (see “Two Factor Authentication”).
Firewalls will help protect your sensitive data
“Make sure they are configured correctly and lock them down, less is definitely more.”
Firewalls go hand-in-hand with web control. Who in your company needs access to which websites? Obviously your social media guy or gal needs access to Facebook and Twitter, but does everyone? Unlikely.
“Can help secure remote access if granted.”
Use this on everything you can! Particularly for accessing your network remotely but many websites offer one, two or even more multi factor options. These could take the form of an app which produces a one-time password (OTP) or you might be sent a code via SMS or email to enter when you want to login.
“Will protect your data if or when you lose it.”
Although certainly not as widely used as other forms of IT security, encryption is growing quickly and becoming an essential part of doing business. You can encrypt files, emails, texts, even your clipboard. If it can be read you can encrypt it and turn it into gibberish for anyone except the desired recipient.