We have all been thrust into this new way of working with no warning and not a huge amount of planning.
The same basic rules apply with regards to using technology. I’m hoping the following will give clarity on what is needed and will be useful to you.
Here is a list of the things you really MUST have in place to keep you safe against data or financial loss.
Video text for those who prefer reading…
1 – Patching and updating machines
All operating systems and all software. This is one of the most important things you can do and is imperative.
Microsoft, Apple and all the other software manufactures are constantly fixing security weaknesses in their products. This should be done as soon as they come out – every day to be sure.
BUT – your IT company will (should!) be doing this for all your work machines. What about your home machines if they are now accessing your corporate data? Check your operating system’s settings and turn it on right now if you need to.
Don’t forget to update third-party applications such as Adobe products etc. This includes tablets and mobile devices too by the way
2 – Endpoint Protection
This is antivirus and a lot more. Viruses are almost a thing of the past.
Good products (and that usually means not free I’m afraid) provide real-time cloud based protection for a whole raft of elements including identity theft protection, a certain amount of ransomware protection, plus protection against malware embedded in websites, phishing, spyware, keystroke logging, clipboard grabbing and more.
Whatever you use it MUST be up to date and from a reputable recognised brand.
Do NOT think Apple Macs are exempt from this – they are not.
Don’t forget all your mobile devices and tablets too. They are just as important.
3 – Email Security
Email is one of the main routes of data into your organisation. Trusting in Microsoft, Google or any other companies’ very basic background scanning for viruses, malware or spam is not enough really.
Ransomware, CEO or MD fraud, a thing called Whaling (going after the Big Fish) and other phishing attempts are ramping up and relentless.
You really need to invest 2-3 quid in a full email security filtering product that will catch most of this nonsense. Endpoint Protection (antivirus) does not do a good enough job of catching or filtering it out.
4 – Backups
You do have backups of your data don’t you?
All of it?
Even Microsoft 365 or G-Suite data?
This goes without saying really. Ransomware is a real success for the criminals out there if you don’t. I don’t mean to scaremonger but this could be a matter of when and not if it will happen.
5 – Web Content Filtering and Security
Also known as DNS filtering. This is beautifully simple. Its stops your machine from pulling in anything dodgy from the Internet via an email link or from you visiting numerous web sites or other services out there that are hiding malware or ransomware.
When we rolled this out to all our clients 7 or more years ago it cut virus and malware interceptions by 95% – yes 95%.
This is one of the most effective protection elements. What Endpoint Protection simply cannot catch is some of the more sneaky things that you may pull into your systems. This is how most ransomware works.
6 – Strong/Complex Passwords
And not the same one everywhere! This is really really, really important. Use a well known password manager secured with a very strong password and/or biometrics if you can’t remember them all.
Change them regularly as well.
7 – MFA
This stands for multi-factor authentication. More than one way of authenticating. Usually an app such as Microsoft or Google Authenticator, Authy, Duo and more.
This adds another layer to secure your access to online services as well as your machines. You use your password and then yourself to unlock a smartphone (PIN or fingerprint) to retrieve a code to put in as well as the password. Several levels and hence the ‘multi’.
You can also use token devices like Yubikey and biometrics such as fingerprint scanners on PCs and Macs
8 – No Local Admin Rights
This gives you the ability to install software unwittingly on your machine. And if this can be done with no input from you so can the hackers.
You should not have local administrative privileges on any machine you use.
Enough Surely? – Not Really
So that is a long list isn’t it! I’m afraid a have a few more that we consider a bare minimum too. But we are a little bit finicky when it comes to security…
9 – User Security Awareness training
…and Phishing simulations. This is a system that sends out light-hearted videos and training content that teaches you how to watch out for all the scams and trickery you are exposed to on a daily basis.
It also sends out very compelling emails to test your ability to spot the bad ones and educate you on what went wrong.
This sort or learning is hugely important.
10 – Dark Web Scanning
I’m sure you have heard it on the news several times – such and such company has been hacked and personal information stolen. This is not just the larger companies out there – this is you too.
Simple tricks such as a convincing link asking you to log into something that then doesn’t work, so you shrug it off. You have just had your credentials stolen.
The hacker will then go off and sell this information on the Dark Web – a place where all sorts of bad behaviour is taking place.
Dark Web scanning for PII (personally identifiable information) and user credential alerts you to any data out there that you may need to worry about or passwords you may need to change immediately.
11- Remote Access to your Office
How is this restricted? Is it a VPN? If so can any old device connect in? If so what stops malware from entering your business via a back door? This needs to be secured as well.
There is more I’m afraid but I will cover this in another video as this is probably a little too much for one sitting!
As always please contact me directly for any more information or advice on any of the above topics.
Happy to help with no strings attached.