We have a whole separate post planned to discuss secure email, as it’s a big topic in its own right, but here is a quick preview of some of what we’ll be covering:
- Your users are your first line of defence – train them in using email appropriately
- Be alert to suspicious emails – unknown senders, unusual formatting, poor spelling, etc.
- Never give out passwords via email, and don’t enter details into a website you’ve accessed via a link in an email (type the correct address into your browser instead, just to be sure)
- Don’t open attachments from unknown senders
- Check with the apparent sender if in any doubt – call your bank, or the customer, or whoever sent the email, if you’re not sure whether it’s legitimate or not
- Use secure email, such as through Office 365 or via an Outlook plugin
You should also consider email filtering, to prevent infected content and spam from reaching employee inboxes in the first place. If you have on-premises servers, your filtering platform can also provide business continuity in the event of server or internet outages.
Linked to email, but important in its own right, a robust password policy is an essential part of your IT security. All devices should be password protected, without exception – this includes mobile devices, tablets, PCs, laptops, and any personal devices that employees use for work purposes.
Your password policy should include:
- A requirement for strong passwords – strong passwords tend to include both upper and lowercase letters, numbers, and sometimes special characters too
- A requirement for regular password changes – not the most popular step with employees, but enforcing regular password changes is security best practice. Aim for every 3-4 months for the most protection
- A requirement that new passwords are genuinely new, not a repeat of a previously-used password
- No acceptance of the most commonly used passwords – in 2015, these included 12345, password, qwerty, and abc123
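The password policy above, as an added example of how it could be enforced (this is illustrative code, not from the original post): strength rules, a blocklist seeded with the common passwords the post names, and a history check that compares against salted hashes so previous passwords are never stored in clear. The 12-character minimum and the blocklist contents are assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed blocklist seeded with the commonly used passwords named in the post.
# Assumption: a real deployment loads a much larger list (e.g. from a breach corpus).
COMMON_PASSWORDS = {"12345", "password", "qwerty", "abc123"}


def hash_for_history(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 hash; only these hashes are kept in the user's history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_password(candidate: str, history: list[tuple[bytes, bytes]],
                   min_length: int = 12, require_special: bool = False) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    history holds (salt, hash) pairs for the user's previous passwords.
    min_length=12 is an assumption; the post does not state a length."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if require_special and not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    # Constant-time comparison against every stored hash: a repeat of any
    # previously used password is rejected, so "genuinely new" is enforced.
    for salt, old_hash in history:
        if hmac.compare_digest(hash_for_history(candidate, salt), old_hash):
            problems.append("reuses a previous password")
            break
    return problems


def record_password(password: str, history: list[tuple[bytes, bytes]]) -> None:
    """Add an accepted password to the history as a fresh salt plus its hash."""
    salt = os.urandom(16)
    history.append((salt, hash_for_history(password, salt)))


if __name__ == "__main__":
    hist: list[tuple[bytes, bytes]] = []
    record_password("Winter2015!Pass", hist)
    print(check_password("Winter2015!Pass", hist))   # reuses a previous password
    print(check_password("password", hist))          # several violations
    print(check_password("Correct-Horse-42", hist))  # []
```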
Do you have a user/desktop policy in place? Can your users make local or system changes? Can they install new software?
The more locked-down your systems, the less opportunity there is for user error to cause a widescale security problem. Ideally, the local desktop should be locked down against user changes, preventing malicious software from being installed. There is always a balance when it comes to restricting functionality; in some cases users may need to be able to do certain things in order to perform their job effectively. If this is the case, ensure those users have received enough training to avoid security issues.
You should have an up-to-date anti-virus and anti-malware solution installed across your network at an absolute minimum. This software should be regularly updated, as security threats evolve frequently and an out-of-date AV system won’t protect you from new or evolved threats.
Look for a solution that includes:
- The usual definition (signature) database
- Heuristic scanning
- Behaviour/process scanning – the software scans system processes (e.g. opening a document or file) and blocks that action if the process has been altered in some way
You should consider using a web monitoring and filtering solution for additional protection. Many businesses filter web browsing from the perspective that there is plenty of content online that’s not suitable for a working environment, but blocking malicious and potentially malicious sites is another effective feature. You can usually decide how stringent you want your blocking parameters to be, and white-list sites that you know are safe and your staff may need.
Monitoring and reporting allows you to keep an eye on how the internet is being used on your network, which can help identify usage that does not conform to company policies and may invite a security risk.
Network and Wireless Security
Make sure your switches, routers, and APs are running the latest firmware. Check that all of your devices are locked down as far as possible/practicable. Ensure you regularly change your wireless access passwords.
Not updating firmware, or not installing security patches, is asking for trouble, and keeping the same passwords for long periods of time makes it much easier for security threats to occur. You need to give yourself every advantage – by taking these simple steps, you do a lot to protect your business.
Backup and Disaster Recovery
Sometimes it doesn’t matter how hard you try, or what measures you put in place: something happens that you couldn’t foresee. In such cases, having effective backup and disaster recovery plans can make a massive difference to how your business recovers.
- Ensure your backup strategy is effective, and test it regularly for recovery – don’t wait until you need it to find out it hasn’t been working
- Backup to local and online/remote storage for extra protection
- Consider the time period you need to have backed up in order to recover lost data – how far back do you need to go?
When creating your disaster recovery plan, ask yourself whether, in the event of any system breach or failure, the plan meets your business needs and expectations – can you recover without lengthy or costly delays?
If you haven’t got a plan yet, or you would like some support in formulating your IT security policies and managing their implementation, why not get in touch with us? We work with small businesses across a huge variety of sectors, so we understand that different companies have very different needs when it comes to security and recovery.