04 Dec Business IT Security for Non-Geeks, Part 4
Welcome back. In the second post about the elements in a workable, thorough IT security checklist, we’re looking at checklist items four to seven.
IT security checklist item 4 – Internal staff
It’s most important that everyone in your organisation is on the same page, which comes down to training and communication. After all, you can’t make people responsible for something they don’t understand or that hasn’t been explained to them properly.
Your first step is to make IT security part of your new staff induction pack and/or training. New staff might think they know how to work securely, but it’s your job to make sure they understand your business’ specific risks and the unique protocols put in place to deal with them. Make sure new people know not to open attachments or emails from unknown sources, download software, visit potentially harmful websites, hand personal or commercial information to unknown parties or fall for one of the latest scams. You might also want to specify exactly what employees are and aren’t allowed to do on their work machines.
Passwords are very important. Make sure staff are fully aware of the risks associated with weak/guessable passwords and know how to set strong passwords. The best passwords use upper case and lower case letters, numbers and symbols. It’s best not to use real words such as place names or words found in a dictionary, but to make words up instead. Staff should never, ever need to share their passwords with each other or anyone else.
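One way to turn the password advice above into a check that can be run before a password is accepted. This is an added example and not Forensic Control’s own tool; the twelve-character minimum and the small word list are assumptions (the post does not specify a length, and a real check would load a full dictionary and place-name list).

```python
import string

# Constructed stand-in for a real dictionary / place-name list.
COMMON_WORDS = {"password", "london", "welcome", "summer", "qwerty", "office"}

# Assumed minimum length; the post gives no figure, so adjust to your own policy.
MIN_LENGTH = 12


def check_password(password, wordlist=COMMON_WORDS, min_length=MIN_LENGTH):
    """Return the list of policy rules the password breaks (empty list = accepted)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    # Dictionary rule: a real word padded with digits and symbols
    # (e.g. "London2024!") is still built around a guessable word.
    lowered = password.lower()
    hits = sorted(w for w in wordlist if len(w) >= 4 and w in lowered)
    if hits:
        failures.append("contains dictionary/place-name word: " + ", ".join(hits))
    return failures


def is_acceptable(password):
    """True only when every rule passes."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ["London2024!", "Tr0ub&dorZq!x", "welcome1"]:
        problems = check_password(candidate)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

The substring match is deliberately strict: it rejects a word that is merely embedded in a longer password, which is the "make words up instead" rule applied mechanically.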
Good security doesn’t mean setting up a blame culture. Because you want to know about breaches and mistakes straight away, a no-blame culture is the way to go. It means people learn from mistakes rather than hiding them. When mistakes are covered up and start to fester, terrible things can happen.
Staff IT security training should include awareness of social engineering attacks, so your employees aren’t conned into circumventing your security system on an attacker’s behalf. Cons can include getting people to hand over confidential information, providing access to systems or giving out passwords.
Compartmentalising data on your network limits the amount of harm any one employee can cause. Each employee should only have permission to access the data they need, not the entire system. You can give someone temporary access for the lifetime of a project or task, then remove it. Sometimes employees have access to both secured and unsecured sections of the network. They’ll need to know how to stay secure under this special circumstance. And when someone leaves the company, you need to delete their access privileges straight away – Forensic Control has a termination checklist which lists many other additional procedures you should enact when a member of staff is about to leave.
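The compartmentalising, temporary-access and leaver rules above, modelled as a small access register. This is an added illustration rather than code from Forensic Control or its termination checklist; the dataset names, users and dates are constructed for the example, and a real system would drive its file-share or application permissions from a register like this.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str              # a compartment, e.g. "payroll" or "project-x"
    expires: Optional[date]   # None = standing access; a date = temporary


class AccessRegister:
    """Per-user, per-dataset grants instead of blanket access to the whole system."""

    def __init__(self):
        self._grants = set()

    def grant(self, user, dataset, start=None, days=None):
        """Standing grant by default; pass days= for a grant that lapses by itself."""
        start = start or date.today()
        expires = start + timedelta(days=days) if days is not None else None
        self._grants.add(Grant(user, dataset, expires))

    def can_access(self, user, dataset, today=None):
        today = today or date.today()
        return any(
            g.user == user and g.dataset == dataset
            and (g.expires is None or today <= g.expires)
            for g in self._grants
        )

    def expire_stale(self, today=None):
        """Remove grants whose project lifetime has passed; return what was removed."""
        today = today or date.today()
        stale = {g for g in self._grants if g.expires is not None and today > g.expires}
        self._grants -= stale
        return sorted(stale, key=lambda g: (g.user, g.dataset))

    def offboard(self, user):
        """Leaver step: drop every grant the person holds, standing or temporary."""
        gone = {g for g in self._grants if g.user == user}
        self._grants -= gone
        return sorted(gone, key=lambda g: g.dataset)

    def holders(self, dataset, today=None):
        """Who can currently reach a compartment; useful for a periodic access review."""
        today = today or date.today()
        return sorted({
            g.user for g in self._grants
            if g.dataset == dataset and (g.expires is None or today <= g.expires)
        })


def demo_scenario():
    """Constructed walk-through: a standing grant, a 30-day project grant, then a leaver."""
    reg = AccessRegister()
    reg.grant("alice", "payroll")                                  # standing, role-based
    reg.grant("bob", "project-x", start=date(2024, 1, 1), days=30)  # lapses 31 Jan 2024
    during = reg.can_access("bob", "project-x", today=date(2024, 1, 15))
    after = reg.can_access("bob", "project-x", today=date(2024, 2, 5))
    removed = reg.expire_stale(today=date(2024, 2, 5))
    left = reg.offboard("alice")
    return {
        "bob_during_project": during,
        "bob_after_project": after,
        "bob_sees_payroll": reg.can_access("bob", "payroll", today=date(2024, 1, 15)),
        "expired_grants": len(removed),
        "alice_grants_removed": [g.dataset for g in left],
        "alice_after_leaving": reg.can_access("alice", "payroll", today=date(2024, 2, 5)),
    }


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```

Note that `offboard` returns the list of what it removed: that list is the evidence a leaver checklist wants filed, and it also catches temporary grants that were never tidied up.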
Commercial IT security checklist number 5 – Protecting remote workers
Can staff connect to the office network remotely? If so, this comes with unique security challenges, including making remote tech just as secure as internal systems. Smartphones come with their own inherent security risks, giving thieves access to sensitive information if a phone is stolen and its contents accessed.
Common sense helps. People should never leave a laptop or smartphone lying around. Laptop locks and secure briefcases help, as does switching on the BIOS password on a laptop or tablet and the SIM password on a smartphone, both usually a simple matter. Use whole-disk encryption if available. At the most basic level, it’s vital to set strong passwords on portable machines of every kind.
Some freelancers like to work in their local coffee shop or cafe via the public Wi-Fi network: do this via a Virtual Private Network (VPN) to stop easy snooping of your passwords and data. Additionally, be aware of “shoulder surfing” – someone looking over your shoulder at your PIN, passwords or that sensitive document you’re working on.
More sophisticated thieves can forensically analyse your hard drive. Whole-disk encryption prevents this even if someone has physical access to your machine. Some versions of Windows include a built-in drive encryption service (BitLocker) designed to protect data.
Checklist item 6 – Encrypting wireless networks
As we mentioned above, Wi-Fi can be dangerous. If your data is particularly sensitive or you want a belt-and-braces approach, a Virtual Private Network (VPN) should be set up. Don’t let your employees set up their own wireless networks via personal Wi-Fi routers – it’s a sure-fire way to create a back door for intruders to sneak through.
Business IT checklist item 7 – Using cloud computing safely
Cloud computing is mainstream. Unlike conventional software, which runs on your own PC, cloud computing means running applications like web-based email, customer relationship management and web conferencing over the internet. But it raises new security challenges, making it vital to choose a cloud service that’s secure by design, and to use it in a secure way.
Do your research before picking your cloud provider: is the company reputable, and does it provide exactly what you require? Read the supplier’s user agreement to find out exactly how the storage works. Make sure they take security seriously by reading all the literature, including the Ts & Cs. And be serious about setting secure passwords and training your staff in good password protocol.
Buy paid-for encryption software rather than using free tools, which are not always reliable and may include spyware or adware or worse. And remember, always back up your data in several places.
Next time – Your sample security plan
Next time we’ll provide a sample security plan for you to use as a template. In the meantime stay secure, and keep your data safe!