10 tips for cyber security at your business
Ready for international Computer Awareness Day on Monday, London based IT company WFH IT Support has released its list of the ten most common cybersecurity mistakes made by businesses.
“2020 has presented challenges across the board to businesses big and small and to make things worse, cybercriminal tactics have become more sophisticated than ever. The National Crime Agency has identified a surge in coronavirus-themed malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information,” according to the company. “The Chartered Trading Standards Institute has even estimated that the UK has been the most heavily targeted country for Covid-19 related phishing emails.”
To further complicate business cybersecurity, it added, data from the Office for National Statistics showed that the number of people working exclusively from home in the UK has risen to 24%, with 23% using unauthorised devices to conduct professional tasks.
Here is the list – Caveat emptor, Electronics Weekly has no way to verify this list.
- No Staff Security Awareness Training
The threat landscape changes every day and no security product can guarantee to stop every attack, so staff who can recognise a phishing email or a suspicious request are the backstop for every other control. The training has to be repeated, not done once at induction.
- Staff with local admin rights
Staff should not be able to download and install software on company machines: an account that can install programs can also install malware, and that is how many virus and ransomware infections start. Limit admin rights to one or two expert staff and your IT support provider, and have even those people do their day-to-day work from a standard, non-admin account.
- The use of ‘non-business grade’ network hardware
Consumer-grade routers and switches typically receive few firmware updates, ship with default admin credentials and offer no segmentation or central logging, and a compromised router sits in the path of every byte the business sends. Buy business-grade hardware that receives security updates, change the default credentials and manage its configuration centrally; the company recommends that this security management be cloud based.
- No hard disk encryption
If a laptop is stolen and its disk is not encrypted, the thief can simply remove the drive and read everything on it: mailboxes, cached files and saved credentials. Windows 10 Pro (BitLocker) and macOS (FileVault) include full-disk encryption at no extra cost, but, according to WFH IT Support: "We would recommend businesses use a separate encryption management application to manage all staff members' devices centrally. This is useful as all encryption details should be stored in a secure environment that offers proof-of-compliance [useful for GDPR] and it allows encryption PINs to be re-set remotely." Whatever tool is used, the recovery keys must be escrowed somewhere the business controls; an encrypted disk whose recovery key has been lost is as good as wiped.
- No DNS protection
DNS protection, a filtering resolver installed on laptops, PCs and Macs, blocks lookups of domains known to host phishing pages or malware, so a staff member who clicks a link to a fake G Suite, Microsoft 365 or banking login page never reaches it. It matters most when working from a network run by someone else, in a business centre or coffee shop for example, where the network operator's own DNS could be pointed at a fraudulent site; a filtering resolver that the device talks to over an encrypted channel takes that control back. It is a blocklist, though, not a guarantee that a site is legitimate: a freshly registered phishing domain may not be on it yet, which is why 2-step authentication on the same accounts still matters.
- 2-Step Authentication not enabled
Whenever you enter login credentials for a business application (G Suite, Microsoft 365, CRM systems or accountancy software, for example), you should always be prompted for a second step: a numerical code from an authenticator app on your mobile phone, or a prompt in that app to confirm that it is you. Only once that second step is complete are you granted access. "This is a very basic, but very effective way to stop hacking of business data and mailboxes because no one else will have your phone," according to the company. "We continue to be contacted by prospective clients who have been hacked in this way, usually mailboxes, and there are some real horror stories we've heard." An authenticator app or hardware security key is preferable to codes sent by SMS, which can be diverted by SIM-swap fraud, and a one-time code typed into a convincing fake login page can be relayed by the attacker within its validity window, so 2-step authentication reduces, rather than removes, the need for the other controls on this list.
- No Email filtering
The company's advice: "We always recommend a 3rd-party email filtering solution is deployed alongside mailboxes so that every incoming email is scanned for fraudulent links, content and attachments."
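Two of the checks such a filter performs are easy to show in code: does the visible text of a link claim one site while the href points at another, and does an attachment carry an executable extension hidden behind a document-looking name. The script below is an added illustration, not the article's or WFH IT Support's code; the sample message and the blocked-extension list are constructed for the example, and a real filter would add sender authentication (SPF/DKIM/DMARC), reputation lookups and sandboxing on top.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the link text shows a genuine
# Microsoft login URL but the href goes elsewhere, and the attachment is an
# executable disguised with a double extension.
SAMPLE_EML = """\
From: "Accounts" <accounts@example-invoices.test>
To: finance@example.test
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review at <a href="http://login.microsoft365-secure.test/x">https://login.microsoftonline.com</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign message for comparison.
CLEAN_EML = """\
From: colleague@example.test
To: finance@example.test
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Sandwiches at 1?
"""

# Example policy: extensions that should never arrive by email (an assumption, tune to taste).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso"}


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com' text is treated as an http URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def scan_message(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    findings = []
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            lower = filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"blocked attachment type: {filename}")
        elif part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, errors="replace")
            parser = _LinkParser()
            parser.feed(html)
            for href, text in parser.links:
                target = _host(href)
                # Only compare when the visible text itself looks like a URL.
                if re.match(r"^(https?://|www\.)", text, re.IGNORECASE):
                    shown = _host(text)
                    if shown != target:
                        findings.append(f"link text {shown} but target {target}")
                if href.lower().startswith("http://"):
                    findings.append(f"plain-http link to {target}")
    return findings


if __name__ == "__main__":
    for line in scan_message(SAMPLE_EML):
        print("FLAG:", line)
    print("clean message findings:", scan_message(CLEAN_EML))
```

The text-versus-href comparison is deliberately host-based rather than string-based: `https://login.microsoftonline.com/` and `https://login.microsoftonline.com` are the same site, while `login.microsoftonline.com` and `login.microsoft365-secure.test` are not, however similar they look to the person reading the email.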
- Mobile device management and conditional access not rolled out
If a company lets a staff member access company mailboxes from a personal phone and that person then leaves, a copy of the mailbox data can still sit on the phone even after the password has been changed so that they can no longer sync it. Mobile device management (or, on a personal phone, a managed 'work' profile) keeps the mailbox, files, telephony app, Teams, Meet and so on in a container whose contents can be wiped remotely when the staff member leaves, without touching their personal data. Conditional access is the other half: the cloud service refuses sign-ins from devices that are not enrolled or not compliant, so company data cannot be pulled down to an unmanaged device in the first place.
- No Data Backup in place
It is critical that a business can recover its email and data at any point, not just for as long as a cloud provider happens to retain deleted items. A proper backup is separate from the live system, kept offline or in immutable storage so that ransomware that encrypts the file server cannot also encrypt the backup, retained long enough that a malicious deletion noticed weeks later can still be undone, and restored regularly as a test; a backup that has never been restored is an assumption, not a backup.
- No Central management of security policies deployed
Staff should ideally have one login for all business platforms (single sign-on), protected by 2-step authentication. The company recommends changing that password at a frequency that depends on the nature of the business; note, though, that current NCSC guidance is not to force regular expiry, which pushes users towards weak and predictable passwords, but to use a long, unique password and change it when there is reason to think it has been compromised. Central security policy management gives control over password rules and resets, and adds features such as printer management and automated operating system updates for company computers.