10 Fundamental IT Security Best Practices for Your Staff

In 2014 you will see a dramatic increase in media reporting of IT security-related breaches and more business data being held to ransom with variants of ransomware malware.

Just have a look at the latest headlines in the first 2 weeks of January!

Hackers Steal Card Data from Neiman Marcus

Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen

Theft of business data has always been a money winner for criminals, but now that the technology used to hack into systems and create all kinds of nasty malware is basically free and easy enough for a non-technical person to use, any business is a target, including small businesses.

As we have seen with ransomware, all it takes is one staff member clicking on an infected email attachment to risk the encryption of all your business data, not just on that staff member's machine but throughout your business network, including online backups. The encryption is unbreakable and an antivirus tool cannot do anything to help get your data back. The only way to “unlock” the data is with a “key” that the hacker holds.

Imagine all your business data – billing accounts, client records, documents, spreadsheets, images, videos – unusable until you pay the ransom asked by the hackers. Does that make you sweat?

Applying the 10 fundamental security practices below will help to reduce your business's vulnerability to attack substantially. I am not saying this is the end-all list that will guarantee your business IT systems will not get hacked, but it will knock out the most common attack vectors that make up 95% of the successful hacks.

1. Acceptable Use of the Internet

Your staff should use the Internet for business purposes only. The websites they frequent should be directly related to the tasks they must perform. Now that sounds like a great idea, but I have yet to see a business that does not allow staff some downtime to check their social media profiles or read the news online. What staff need to be aware of is that some websites are bad and, when visited, will attempt to attack their computer. Educate your staff to only visit websites that are well known and trusted, such as the major social media sites and news sites. A good way to help them behave is to tell them in writing that all Internet usage is monitored and that appropriate alerts have been set for misuse.

2. Email Attachments

Never-ever EVER click on an attachment within an email that you did not expect from the sender. If your staff stick to this rule alone, you will dramatically reduce your vulnerability to a successful attack! Even if the sender is known but the attachment is unexpected, contact the sender and ask if they sent it. The risk to your business is massive if your staff click on attachments without checking first. Of course you should virus check every attachment before opening it as well. Just note, though, that skipping the check with the sender and relying on the antivirus scan alone will not be 100% foolproof, as most antivirus software cannot keep up to date with the latest viruses and malware, of which hundreds of new variants are being created every hour.

3. Links within Emails

Just like attachments, do not click on any links within emails unless you can see the “real link” and it looks legitimate. By “real link” I mean the URL that will be visited if the link is clicked, which is sometimes hidden in HTML emails behind different display text. The easiest way to see the “real link” is to hover your mouse over the link in the email; either a pop-up window or the status bar will show the “real link”. Again, if the staff member is unsure about the link, check with the sender before clicking.
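The two checks from rules 2 and 3 (an unexpected or executable attachment, and a link whose visible text does not match the address it really points to) can be made mechanical. The Python script below is an added example written for this post, not code from the original article: it parses a message with the standard `email` library, lists every attachment and flags extensions that run code when opened, and extracts each HTML anchor's visible text and `href` so that a displayed URL pointing at a different host is reported. The sample message, the domain names and the `RISKY_EXTENSIONS` list are all constructed for the example and are assumptions, not a definitive catalogue.

```python
"""Flag the red flags rules 2 and 3 describe: risky attachments and links
whose visible text disagrees with their real destination."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that execute when opened. This list is an assumption of the
# example; a real deployment would maintain its own.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".jar", ".docm", ".xlsm"}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Return the host the visible text claims to be, or None if the text is
    not URL-like (e.g. 'click here')."""
    if " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def find_mismatched_links(html):
    """Return (visible text, real href) pairs where the text looks like a URL
    or domain but the link actually goes to a different host."""
    collector = LinkCollector()
    collector.feed(html)
    mismatches = []
    for text, href in collector.links:
        shown, real = host_of(text), urlparse(href).hostname
        if shown and real and shown != real.lower():
            mismatches.append((text, href))
    return mismatches


def list_attachments(msg):
    """Return (filename, content type, risky) for every attachment."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
        found.append((name, part.get_content_type(), ext in RISKY_EXTENSIONS))
    return found


def inspect_email(raw):
    """Parse raw message bytes and report attachments and disguised links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    return {"from": msg["From"],
            "attachments": list_attachments(msg),
            "mismatched_links": find_mismatched_links(html)}


def sample_message():
    """Constructed sample, not a real email: a fake 'invoice' carrying a
    disguised link and a double-extension attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "staff@yourbusiness.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>View it online at '
        '<a href="http://secure-login.example.net/inv">https://portal.supplier.example</a>'
        ' or read the <a href="https://portal.supplier.example/help">help</a> page.</p>',
        subtype="html")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    report = inspect_email(sample_message())
    for name, ctype, risky in report["attachments"]:
        print(("RISKY  " if risky else "       ") + f"{name} ({ctype})")
    for text, href in report["mismatched_links"]:
        print(f"LINK MISMATCH: shows '{text}' but goes to {href}")
```

The hover check the post recommends is exactly what `find_mismatched_links` automates: the anchor text is what the staff member sees, the `href` is the “real link”. Plain words such as “help” are not treated as a claim about the destination, so only text that looks like an address is compared.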

4. Password strength and reuse of passwords

Make sure that your staff members, or the applications which generate passwords for them, create strong passwords. A strong password contains lowercase and uppercase characters, numbers and symbols and should be at least 8 characters long. Also never re-use a password in another application or website. For example, suppose a staff member has a favourite password that they use everywhere and registers on a website using their business email address. If that website's database is stolen, the hacker knows that 85% or more of people reuse the same password, so they now hold the password and, via the email address, a reference to the person's place of work. The hacker will next try to locate any of your business systems online and use the stolen credentials to access them.
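Both halves of this rule, strength and no reuse, can be enforced at the point where a password is set. The Python code below is an added example for this post, not code from the original article: `strength_failures` checks the exact rules stated above (lowercase, uppercase, number, symbol, at least 8 characters), and `PasswordVault` keeps one salted PBKDF2 hash per system so that a new password can be tested against the ones already in use for other systems without any password being stored in clear text. The system names, sample passwords and the `ITERATIONS` work factor are assumptions made for the example.

```python
"""Enforce the password rules above: strength, and no reuse across systems."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8
ITERATIONS = 100_000   # PBKDF2 work factor; chosen for the example


def strength_failures(password):
    """Return the rules the password breaks; an empty list means it passes."""
    checks = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (any(c.islower() for c in password), "a lowercase letter"),
        (any(c.isupper() for c in password), "an uppercase letter"),
        (any(c.isdigit() for c in password), "a number"),
        (any(c in string.punctuation for c in password), "a symbol"),
    ]
    return [rule for ok, rule in checks if not ok]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per stored password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordVault:
    """One salted hash per system, so reuse can be detected without keeping
    any password in clear text."""

    def __init__(self):
        self._entries = {}   # system name -> (salt, digest)

    def register(self, system, password):
        """Return the list of problems; the password is stored only if the
        list is empty."""
        problems = strength_failures(password)
        for other, (salt, digest) in self._entries.items():
            if other != system and matches(password, salt, digest):
                problems.append(f"already used for {other}")
        if not problems:
            self._entries[system] = hash_password(password)
        return problems

    def systems(self):
        return sorted(self._entries)


if __name__ == "__main__":
    vault = PasswordVault()
    # Constructed sample passwords; do not use them anywhere.
    for system, pw in [("crm", "Tr0ub4dor&3"), ("webmail", "Tr0ub4dor&3"),
                       ("webmail", "password"), ("webmail", "K7!sunset-Bay")]:
        problems = vault.register(system, pw)
        print(f"{system:8} {'accepted' if not problems else 'rejected: ' + ', '.join(problems)}")
```

Each reuse check costs one PBKDF2 computation per other system, which is the right trade: the slow hash is what keeps a stolen vault from being cracked quickly, and the handful of extra computations at password-change time are invisible to the user.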

5. Report breaches ASAP

Make sure that the staff member feels that they can report any breach in the security policy ASAP to management. This includes accidentally clicking on an email attachment or visiting a dodgy website. The quicker the breach is known to IT staff the more the threat can be contained. Some malware and viruses can go into hiding or stealth mode and create havoc before alerting the victim to their presence so reporting breaches ASAP is vital.

6. Screen Saver Activated with Password Prompt

The screen saver on the staff member's computer needs to be activated and include a password prompt when access is attempted. The screen saver should activate after a maximum of 10 minutes of inactivity. It is not well known, but more crimes such as theft are committed by employees than by strangers. It makes sense when you consider that employees have more ability to bypass security and already have passwords/keys at hand. A screen saver helps block illegal access to a computer.

7. Foreign Devices must never be connected to Business Computers

By foreign devices I mean USB sticks and other removable storage devices. A common tactic by hackers is to leave infected USB sticks around the target business's common areas or, if possible, within the private area of the business, on a desk or in the mailroom. Many people are curious and want to know what is on the USB stick, or attempt to locate information on the owner. A virus or malware can enter a computer as soon as the device is plugged in. Another trick is to add infected devices to “goodies bags” at events and seminars; most people would not think twice about connecting a USB stick to their computer if it came in an official “goodies bag”. If unsure of the origin of a device such as a USB stick, don't connect it to a business computer; hand it over to management.

8. Never Access Internal Systems using non-business Computers

It's a classic mistake I hear about all the time. A staff member is overseas on holiday and the boss contacts him for something urgent. The staff member needs to log into his business account, locates the nearest Internet cafe and logs into the system. Bang!! It will be no surprise by now that doing this is a sure way to expose your systems. Either the staff member will forget to clear the cookies and history of the web browser when done, or there could be a key logger or other nasty recording the details of the login on the Internet cafe computer. Never-ever use public or non-business devices to access sensitive business systems.

9. Unknown Callers seeking Action

I would be surprised if you have not read about the Microsoft support scams that have been running for years now. This is where they ring a person up on the phone and state they are from Microsoft and that their machine is infected. Of course “Microsoft support” will help out and direct the person to a website to download a “patch”, which is in fact malware or a virus. You need to educate your staff on “social engineering”, which is basically very slick, professional con artists making out that they're someone in the business or a supplier and getting the staff member to do a task such as installing a “patch”, resetting their password, or providing sensitive information. A good security policy rule to have is that all changes to systems are done by the IT administrator and he/she will never get you to do it yourself, or that all changes must be supplied in written form with your manager's signature on it, etc…

10. Never use Public Wifi

This topic is so important to your business that I have written a separate post on it: Using Public WiFi Risks Your Clients' Data. Please read it and make sure no one in your business uses public wifi on any device, be it personal or business.
