I started working in the I.T. industry 20 years ago, and in that time things have moved at a fast pace; the technology changes are hard to believe. In most cases it has been a positive improvement, but there is always another side to the coin.
We didn't get the volume of threats then that we do now, and the rate at which new threats appear has increased. Life has certainly become more complicated when it comes to securing our systems.
There is a lot at risk; consider a few of the following:
- Loss of business and downtime whilst your systems are recovered.
- Loss of company assets and company data.
- Your reputation may be affected.
- Litigation around lost customer data (up to 5% of turnover).
- Additional unexpected costs improving security and systems.
This isn't an all-encompassing document on cyber security, merely an observation of some common problems and best practices. So if you are interested in maintaining a secure system and avoiding some pitfalls, read on.
Consider a good anti-spam solution or vendor. This is one of your security layers, and it's good to have it in place outside of your network, so that as many e-mail threats and junk e-mails as possible are filtered before they reach you. We see spam detection rates of 90%+ in many cases, and a lot of threats will be removed at this stage.
Office 365, for example, has many layers in its detection system, including 3 antivirus engines.
Watch out for impersonated e-mails: these are e-mails that appear to come from one source but actually come from someone else.
We see fraudsters trying to manipulate employees by sending e-mails that appear to come from senior managers and directors about an important transfer that needs to be made immediately. These are often made to look very realistic. We have seen accounts departments receive e-mails from the "Financial Director" requesting an emergency payment to ensure a supplier doesn't withhold goods, and we have seen e-mails from suppliers with fake invoices. So take care, check the e-mail addresses, and agree on some form of security process that gives you time to check and identify whether the request is real.
Have a good antivirus product, and please don't just accept that if something says it is free it will do. Be aware that many free products are licensed for home use only; if you intend to use one in a business, a licence is nearly always required. You will find in some cases that your anti-virus product comes with an anti-malware product. Anti-virus software is aimed at protecting against threats that replicate between systems (the aim of a virus is to spread itself; it is one form of malware). Anti-malware is aimed at stopping threats that are there to cause problems, such as adware, ransomware and nagware. Vendors often mix the two terms, so don't assume that what you have is going to cover you against everything.
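The address checks described above can be automated on the mail gateway or in a mailbox rule. The Python below is an added example, not code from the original article: it takes a constructed message in the style of the "Financial Director" payment request and flags the tell-tale signs (a known executive's display name on a different address, a look-alike domain, a Reply-To that steers replies elsewhere, and urgent payment wording). The domain, executive list and sample e-mail are assumed values for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values for illustration: your own domain and the senior staff
# whose names fraudsters like to borrow, with their real addresses.
TRUSTED_DOMAIN = "example.co.uk"
EXECUTIVES = {"Jane Smith": "jane.smith@example.co.uk"}

# Constructed sample message in the style described above (not a real e-mail).
SUSPECT_MAIL = """\
From: "Jane Smith" <jane.smith@example-co.uk.payments-now.com>
Reply-To: jsmith.fd@gmail.com
To: accounts@example.co.uk
Subject: Urgent supplier payment

Please transfer the balance today so the supplier does not withhold goods.
"""
URGENCY_WORDS = ("urgent", "immediately", "transfer", "payment", "invoice")


def _squash(domain: str) -> str:
    # Strip dots and hyphens so "example-co.uk.evil.com" still matches "example.co.uk".
    return domain.replace(".", "").replace("-", "")


def impersonation_flags(raw: str) -> list[str]:
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. Display name belongs to a known executive, but the address is not theirs.
    known = EXECUTIVES.get(name)
    if known and addr != known:
        flags.append(f"display name '{name}' used with address {addr}")

    # 2. Sender domain is a look-alike of our own (contains it, but is not it).
    if domain != TRUSTED_DOMAIN and _squash(TRUSTED_DOMAIN) in _squash(domain):
        flags.append(f"look-alike domain {domain}")

    # 3. Replies are steered to a different address than the one in From.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        flags.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Urgent payment language in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(word in text for word in URGENCY_WORDS):
        flags.append("urgent payment language")
    return flags
```

A message that raises any flag should be held for a second person to verify with the supposed sender by phone, which is the "time to check" the security process above is meant to give you.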
Make sure your antivirus is set to automatically update and check that it does so.
Ransomware is probably one of the calls we hate the most, especially the Cryptolocker-style threats. You turn on your PC and are suddenly prompted with a warning that if you want your data back you need to follow the instructions and pay $500. These crypto-style threats start to encrypt your data, and can do so at a dramatic rate on a modern PC: thousands of files can be encrypted in a few minutes, and they are designed to target data areas first.
Don't pay to get your data back; wipe the PC and restore the data. Paying just perpetuates the problem.
Take note of your bank's security requirements. If they want you to install a security product such as Rapport, it's for a reason, and if you decide not to you could find yourself without much support from them on a financial or legal basis. Many banks suggest that you install Rapport; it stops malware from taking screenshots and stealing confidential data as you log on to your bank.
If you do get compromised you will need a good backup, so don't scrimp on this, and make sure it's tested regularly. I suggest monthly as a good start for testing.
Make sure you back up your key data and applications. Protecting the data is great, but you also need to get the systems running again as soon as possible; otherwise you could be waiting for days to figure out how to get your reporting system back online or how to get your end users connected and working at full speed.
Consider taking application backups as well as whole-system backups, especially for business systems such as Sage accounts. In the event of reloading the application, we want to get your data, reports and layouts back as quickly as possible.
Consider a Disaster Recovery and Business Continuity Plan. If all your data is lost to a security threat, this is just as damaging as a major system failure or disaster; the end effect is the same.
Please don't use the same password for everything, and make sure passwords are complex and contain a mixture of alphanumeric characters and special characters such as #@!"£. I always suggest to customers that they consider using phrases, as these can easily be remembered but are often quite long and difficult for a person or a system to crack.
Change your passwords frequently. This is painful, but for key systems change the passwords every 90 days. Don't share passwords, and don't stick them on post-its left on your desk for all to see.
Ensure you have a good firewall, and don't leave devices with default setups and passwords; these are easy for outside attackers to compromise.
Have a security scan of your firewall completed and repeat it; we suggest these are done at least annually, so ask if you are unsure.
If you have any customer data stored on an external service, please make sure you meet all regulatory compliance requirements. Get the web server or service scanned for security flaws and holes.
If you maintain wireless services, lock these down where possible to specific devices, and change passwords and keys regularly.
Don't let untrusted people plug or connect devices into your network.
It's important that systems are kept up to date; many threats can be stopped by removing the flaws and vulnerabilities in your system.
Train your employees to look for threats. It seems the biggest security risk in most systems is us: we get an e-mail offering us something for free and we open the attachment. We weren't expecting a tax rebate, so why open the attachment or click on the link? Think twice, and if you are unsure ask for a second opinion.
Remember that phishing attacks come in many forms, and not all of them are electronic. If someone calls you and asks for your details, make sure you know who they are and that they can verify it to you. Your I.T. company may ring and tell you they have detected a problem on your system, but Microsoft won't. We have seen on several occasions customers receive phone calls from "Windows" or "Microsoft" asking them to check their system, look for errors or download a support tool.
Be suspicious: don't just let someone you don't know access your systems, and don't give out security information.
Test your systems and monitor them. We monitor customer systems for unusual login activity, for example.
Remove old software and decommission old equipment; this will reduce the number of possible areas that can be attacked.
Have a process for reviewing employees' security access, and don't give more access than required. Have a process for disabling user accounts when employees leave.
Review any compromises or failures and understand the nature and cause of the issue.
Contact the police via the Action Fraud website if you are subject to an online fraud. You may need to notify your customers and suppliers if their data has been compromised or lost.