IT security guidelines for employees
The objective of this article is to raise awareness of IT security among London-based employees and to provide advice that will help small businesses achieve a secure digital environment.
Most companies rely on their security appliances (firewalls, centralised anti-virus/vulnerability management systems, Intrusion Detection Systems (IDS) and other software/hardware). However, employees are targeted more often, either by phishing or by malware downloaded through web browsers. Staff need to be made aware of the common risks so that the network remains secure and its data protected.
Below we cover the main sources of compromise of business IT security:
1. Phishing
Targeted phishing is one of the most common threats. An email is sent to users which may contain a link that downloads malware, or use some other lure to get the user's attention and make them act. Although some of these are blocked, it is not always possible to block all “known” malicious emails; as such, users should not reply, click on links in emails, or open zipped attachments from unknown or known senders without first verifying with the source.
Emails which appear to be from a bank or any financial institution are also commonly used to gather data. Pay special attention to these, and always confirm with the source that the links are legitimate. Ask the totality services helpdesk to analyse the email if required.
2. Passwords
IT user authentication is evolving, with some devices based on fingerprints, optics and facial recognition; however, the most common method is still passwords or PINs. These should be private and, where possible, unfamiliar and unrelated personally to the user.
Most passwords are easily guessed (names, birthdates, pets' names, simple combinations of these, the username or login, friends' or family names, a password used previously, or a simple keyboard pattern like “qwerty”). As such, users are advised to keep their passwords secret and relatively complex: any simple mixture of letters, symbols and numbers will increase password strength dramatically (e.g. “n0t3p4d!!$”).
Strong passwords are a common defence against the frequently used brute force attack. The password should be changed every 90 days (3 months), even if only by a small change.
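The rules above can be turned into an automated check that a small business could run when staff set a new password. The script below is an added example and is not from the original article; the minimum length, the keyboard-pattern list and the leetspeak substitutions are assumptions of this example, since the article gives none of them.

```python
"""Password-guideline checker (added example; not part of the original article).

Encodes the rules the article lists: no names, birthdates or other personal
words, not the username, not a previously used password, no keyboard
pattern, a mixture of letters, digits and symbols, and rotation after 90 days.
"""
from datetime import date
import string

# Assumption: common keyboard walks; extend for your own keyboard layouts.
KEYBOARD_PATTERNS = ("qwerty", "qwertz", "azerty", "asdfgh", "zxcvbn")
MIN_LENGTH = 10  # assumption; the article gives no minimum length

# Undo common digit/symbol substitutions so "R3x" is still caught as "Rex".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(text: str) -> str:
    """Lower-case and undo leetspeak substitutions."""
    return text.lower().translate(LEET)


def _has_sequential_run(text: str, length: int) -> bool:
    """True if `text` contains `length` consecutive characters ascending by one code point
    (catches 1234, abcd and similar runs)."""
    for i in range(len(text) - length + 1):
        chunk = text[i:i + length]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(length - 1)):
            return True
    return False


def check_password(password, username="", personal_words=(), previous_passwords=()):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    norm = normalise(password)
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and normalise(username) in norm:
        problems.append("contains the username")
    for word in personal_words:  # names, birth years, pets, family ...
        if len(word) >= 3 and normalise(word) in norm:
            problems.append(f"contains personal word {word!r}")
    if password in previous_passwords:
        problems.append("reuses a previous password")
    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            problems.append(f"contains keyboard pattern {pattern!r}")
    if _has_sequential_run(lowered, 4):
        problems.append("contains a sequential run such as 1234 or abcd")

    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_symbol):
        problems.append("needs a mixture of letters, digits and symbols")
    return problems


def needs_rotation(last_changed: date, today: date, max_age_days: int = 90) -> bool:
    """Apply the article's 90-day rotation rule."""
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    # Constructed sample user: login "jsmith", dog called Rex, born 1985.
    for candidate in ("qwerty123", "R3x-M4ster!2020", "Tr4in-Garden#99"):
        print(candidate, "->", check_password(candidate, "jsmith", ["Rex", "1985"]) or "OK")
    print("rotation due:", needs_rotation(date(2024, 1, 1), date(2024, 4, 1)))
```

The leetspeak normalisation is what makes the personal-word rule useful in practice: without it, a user who writes their dog's name as “R3x” would sail past a plain substring check.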
3. System Updates / Anti-Virus Updates
Some malware is written to take advantage of a specific known vulnerability, so it is vital that the operating system and anti-virus software are kept up to date in order to keep up with the latest malware signatures. This simple task mitigates known vulnerabilities and malware attacks. Other software installed on your computer should also be updated as frequently as possible.
4. Security while surfing on the web
- Here there are two major roles, the browser and the user. While some services and browsers automatically block known malicious websites (Google, Microsoft SmartScreen Filter, etc.), the browser needs to be kept updated (with anti-virus installed and running in real time), and the user needs some awareness.
- Some of the actions here are common sense, but common sense differs slightly from person to person, so the basic security guidelines for browsing the web are:
- Don’t open any downloaded files unless they were meant for you and you are sure what they are.
- Check any downloaded files for viruses (this should happen automatically if AV is enabled and running).
- If in doubt, you can use the website www.virustotal.com to scan the file with a variety of anti-virus engines. If the file is malicious and detected, it will show up. Do not run the file if any engine reports it as malicious. Note that files uploaded to VirusTotal are shared with the wider security community, so do not upload confidential documents. If in doubt, contact totality services.
- Avoid visiting websites that seem suspicious by any standard; some websites disguise themselves as other services and ask for a “username and password”. Unless you know what you are doing, don’t enter them. Keep in mind there are many ways to build a simple website that deceives users into handing over their details.
- Do not fill in any forms on pop-ups, banners or websites unless you are familiar with them or know what you are doing.
- Malicious content is mostly used on websites with illegal or adult content.
5. Physical Security
- Everything above goes out the window if an attacker gains physical access to a machine. There are some things that can be done to make this difficult, and to make data retrieval nearly impossible.
- Do not save any sensitive data or documents locally on your machine. Save data on your server or cloud storage platform (e.g. Dropbox or SharePoint).
- Lock or shut down your workstation every time you leave your desk or leave your laptop/mobile device unattended.
- Delete sensitive information.
- You should always report incidents and suspicious behaviour to your manager.
- More and more companies are starting to use encryption for their devices and hard drives; this ensures the data remains protected if the device is stolen. Contact totality services for more information about this service.
Other basic security measures to look out for include:
- Scammers trying to get user information through a phone call, posing as an agency, bank or another institution. No institution asks for private information over the phone, whether personal details, bank account details or workplace details.
- As well as phishing, also be wary of email spoofing. This is the forgery of an email address so that the message appears to have originated from someone you know, for example your boss. In recent times there have been many such incidents requesting that money be transferred or payments be made. These emails can look very real, so be careful!
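A spoofed “message from the boss” usually betrays itself in the headers rather than the text: the reply goes elsewhere, the bounce address belongs to another domain, or the sender’s domain is a one-character lookalike of the real one. The script below is an added example, not part of the original article; it parses a message and lists such indicators for the phishing and spoofing cases described above. The company domain, the lure-word list and both sample messages are constructed for this example.

```python
"""Spoofing indicators in e-mail headers (added example; not from the article).

Flags header inconsistencies that commonly accompany a message forged to
look like it came from a colleague. Intended as a triage aid for a helpdesk,
not as a replacement for SPF/DKIM/DMARC checks done by the mail gateway.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"  # assumption; replace with your own domain

# Assumption: words that often appear in payment-diversion lures; tune to your business.
LURE_WORDS = ("urgent", "transfer", "payment", "wire", "invoice")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoofing_indicators(raw: str, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return a list of human-readable warnings; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    indicators = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display name that itself carries an address from a different domain.
    if "@" in from_name:
        _, name_addr = parseaddr(from_name)
        if name_addr and domain_of(name_addr) != from_dom:
            indicators.append(f"display name shows {name_addr} but the real sender is {from_addr}")

    # 2. Replies silently redirected to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        indicators.append(f"Reply-To {reply_addr} does not match From domain {from_dom}")

    # 3. Bounce address (Return-Path) from another domain.
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    if return_addr and domain_of(return_addr) != from_dom:
        indicators.append(f"Return-Path {return_addr} does not match From domain {from_dom}")

    # 4. Sender domain is a near-lookalike of the company domain, but not the real one.
    if from_dom != company_domain and 0 < edit_distance(from_dom, company_domain) <= 2:
        indicators.append(f"sender domain {from_dom} looks like {company_domain}")

    # 5. Payment-related lure in the subject, the pattern the article warns about.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        indicators.append("subject contains payment lure words: " + ", ".join(hits))
    return indicators


# Constructed sample: a forged "boss" message asking for a payment.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Jane Boss <jane.boss@example.co.uk>" <jane.boss@examp1e.co.uk>
Reply-To: <payments.desk@freemail.example.net>
To: accounts@example.co.uk
Subject: URGENT: supplier payment needed today

Please process the attached invoice before 3pm. I am in meetings all day.
"""

# Constructed sample: a genuine internal message with consistent headers.
SAMPLE_GENUINE = """\
Return-Path: <jane.boss@example.co.uk>
From: Jane Boss <jane.boss@example.co.uk>
To: accounts@example.co.uk
Subject: Minutes from this morning

Attached are the minutes; no action required.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)):
        print(label, "->", spoofing_indicators(sample) or "no indicators")
```

None of these indicators is proof on its own (legitimate mailing systems also rewrite Return-Path), which is why the function reports all of them and leaves the decision to the person verifying the request with the sender by another channel, as the article advises.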
If you need any help with implementing solid IT security at your London based business, simply contact us and we’ll be happy to help.