Picture this… you’re about to leave the house ready for your holiday and you check that all of the doors and windows are locked, and perhaps even set a burglar alarm. Why? Well, that’s obvious. Our homes contain personal and costly belongings that we don’t want other people to get access to, therefore we implement security measures to keep people out and insurance to restore our worldly belongings should the worst happen.
The same applies with your backup and security solution. If protecting your home is such a natural and common concept – then why wouldn’t you protect your business too?
Securing your home and purchasing home insurance is a daunting challenge. However, backup and security needn’t be. Following our five quick steps under each category below could save time, money and even your business reputation.
Step 1 - Backing up your data
Take regular backups of your important data and test they can be restored. This will reduce the inconvenience of any data loss from theft, fire, other physical damage or ransomware.
Normally this will be comprised of documents, photos, emails, contacts and calendars, kept in a few common folders. Make backing up part of your everyday business.
Ensure the device containing your backup is not permanently connected to the device holding the original copy, neither physically nor over a local network.
Consider backing up to the cloud. This means your data is stored in a separate location (away from your offices/devices), and you’ll also be able to access it quickly, from anywhere.
Not all service providers are the same, but the market is reasonably mature and most providers have good security practices built-in. By handing over significant parts of your IT services to a service provider (like us!) you won’t have anything to worry about.
We know that backing up is not a very interesting thing to do (and there will always be more important tasks that you feel should take priority), but the majority of network or cloud storage solutions now allow you to make backups automatically, so don’t ignore your responsibility.
Step 2 - Protecting your organisation from malware
You can protect your organisation from the damage caused by ‘malware’ (malicious software, including viruses) by adopting some simple and low-cost techniques.
Use antivirus software on all computers and laptops. Only install approved software on tablets and smartphones, and prevent users from downloading third party apps from unknown sources.
Download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). You should prevent staff from downloading third party apps from unknown vendors/sources, as these will not have been checked.
Staff accounts should only have the access required to perform their role; extra permissions (e.g. administrator rights) should be granted only to the few people who need them.
Patch all software and firmware by promptly applying the latest software updates provided by manufacturers and vendors. Use the ‘automatically update’ option where available.
Control access to removable media such as SD cards and USB sticks. Consider disabling ports or limiting access to sanctioned media. Encourage staff to transfer files via email or cloud storage instead.
Switch on your firewall (included with most operating systems) to create a buffer zone between your network and the Internet.
Step 3 - Keeping your smartphones (and tablets) safe
Smartphones and tablets (which are used outside the safety of the office and home) need even more protection than ‘desktop’ equipment.
Switch on PIN/password protection/fingerprint recognition for mobile devices.
Configure devices so that when lost or stolen they can be tracked, remotely wiped or remotely locked.
Replace devices that are no longer supported by manufacturers with up-to-date alternatives.
Keep your device software (and all installed apps) up to date, using the ‘automatically update’ option if available.
When sending sensitive data, don’t connect to public Wi-Fi hotspots – use 3G or 4G connections (including tethering and wireless dongles) or use VPNs.
Step 4 - Using passwords to protect your data
Passwords – when implemented correctly – are a free, easy and effective way to prevent unauthorised people from accessing your devices and data.
Set a screenlock password, PIN or other authentication method (such as fingerprint or face unlock).
Make sure that your office equipment (laptops and PCs) all use an encryption product (such as BitLocker for Windows) using a Trusted Platform Module (TPM) with a PIN, or FileVault (on macOS) in order to start up.
Use two factor authentication (2FA) for important websites like banking and email, if you’re given the option then use it!
Avoid using predictable passwords, such as family and pet names. Avoid the most common passwords that criminals can guess (like ‘password’).
Consider using a password manager to avoid ‘password overload’. If you do use one, make sure that the ‘master’ password (that provides access to all your other passwords) is a strong one.
Change the manufacturers’ default passwords that devices are issued with, before they are distributed to staff.
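The BitLocker-with-TPM-and-PIN recommendation above is easy to state but hard to confirm across a fleet of laptops. The script below is an added example (not from the original guide) that reports, for each volume, whether BitLocker is on, which key protectors are present, and whether the system drive requires a pre-boot PIN rather than unlocking silently from the TPM. It assumes Windows 10/11 Pro or Enterprise with the built-in BitLocker PowerShell module, run from an elevated prompt.

```powershell
# Added example: audit BitLocker state and TPM+PIN use on a Windows machine.
# Assumes the BitLocker module (Get-BitLockerVolume) is available and the
# prompt is elevated. Not part of the original guide.

function Test-BitLockerTpmPin {
    $os = $env:SystemDrive   # e.g. "C:"
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            Drive       = $vol.MountPoint
            Encrypted   = ($vol.ProtectionStatus -eq 'On')
            Protectors  = ($types -join ', ')
            # 'TpmPin' / 'TpmPinStartupKey' require a PIN before boot.
            # A bare 'Tpm' protector unlocks without any user secret, which
            # is weaker against an attacker who has the powered-off laptop.
            TpmWithPin  = ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
            RecoveryKey = ($types -contains 'RecoveryPassword')
            IsSystem    = ($vol.MountPoint -eq $os)
        }
    }
}

$report = Test-BitLockerTpmPin
$report | Format-Table Drive, Encrypted, TpmWithPin, RecoveryKey, Protectors -AutoSize

# Flag the findings a small business should act on.
$report | Where-Object { -not $_.Encrypted } |
    ForEach-Object { Write-Warning "$($_.Drive) is not protected by BitLocker." }
$report | Where-Object { $_.IsSystem -and -not $_.TpmWithPin } |
    ForEach-Object { Write-Warning "$($_.Drive) boots without a pre-boot PIN; add a TpmPin protector." }
$report | Where-Object { $_.Encrypted -and -not $_.RecoveryKey } |
    ForEach-Object { Write-Warning "$($_.Drive) has no recovery password; escrow one before adding a PIN." }
```

Run it on each office laptop (or push it via your management tooling) and treat any warning as an action item; the recovery-password check matters because a forgotten PIN on a drive with no escrowed recovery key is a data-loss event, not just a lockout.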
Step 5 - Avoiding phishing attacks
In phishing attacks, scammers send fake emails asking for sensitive information (such as bank details) or containing links to malicious websites.
Ensure staff don’t browse the web or check emails from an account with administrator privileges. This will reduce the impact of successful phishing attacks.
Consider how someone might target your organisation and make sure your staff understand normal ways of working (especially regarding interaction with other organisations) so that they’re better equipped to spot requests that are out of the ordinary.
Common tricks include sending an invoice for a service that you haven’t used, so that when the attachment is opened, malware is installed automatically (without your knowledge).
Another is to trick staff into transferring money or information by sending emails that look authentic.
Make sure that your staff are encouraged to ask for help if they think that they might have been a victim of phishing, especially if they’ve not raised it before. It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.
Do not punish staff if they get caught out. It discourages people from reporting in future, and can make them so fearful that they spend excessive time and energy scrutinising every single email they receive.
Attackers use publicly available information about your organisation and staff to make their phishing messages more convincing. This is often gleaned from your website and social media accounts (information known as a ‘digital footprint’).
CPNI’s Digital Footprint Campaign contains a range of useful materials (including posters and booklets) to help organisations work with employees to minimise online security risks.