IT SECURITY POLICY 101: PUT THESE SAFEGUARDS IN PLACE TODAY!
If you have online subscriptions, it’s likely that one or more of the services you’ve used has suffered a data breach. You’ve probably received an apologetic email urging you to change your password. To you, it may just be a minor bother, but to the company that suffers the breach it’s critical. Heads roll, millions of dollars can be lost, partnerships are broken, brands are tarnished. All of this, simply because a basic IT security policy wasn’t put in place.
Any business can suffer a serious security incident, from compromised email accounts to having your website blacklisted by Google. While some of these might seem slightly paranoid, it’s better to be safe than sorry.
So what should I do to keep my business secure?
- Do control who has your important login information.
Logins for your domain name, web hosting account, website CMS, etc. should be considered critical information. These should be held only by those who absolutely require them. Right now, if you’re wondering who controls your accounts, the only thing between you and digital catastrophe may be luck. Better get your IT security policy in place pronto.
- Do ensure two people hold the keys to any critical systems.
If the worst happens and your IT guy gets hit by a bus, make sure someone else has your domain name registration logins – otherwise you could have major trouble getting access back. You don’t want to be locked out of anything. Remember this is harder with two-factor authentication because most 2FA implementations give you a set of access codes to be used in an emergency such as if your device is lost.
- Do ensure your users use complex passwords for all services.
Every user must use a password that can’t easily be guessed – “yourname2018” or your phone number is not okay and can lead to your accounts getting compromised. If it’s your email, then your account could suddenly start sending spam, and the first you’ll know about it is when your hosting provider complains and locks your account.
- Do change your passwords regularly.
It’s good practice to ensure that any old passwords have not been leaked over time, but the best policy is to change them at set intervals.
- Do educate your team about spam and phishing emails.
Inexperienced users can easily get fooled by emails tricking them into opening malicious attachments or visiting a “phishing” website that wants to steal their logins. Make sure your team are educated against these threats.
- Do take basic website security seriously.
Ensure that your website is properly built and not easily hacked. If it does get hacked, then take action immediately (we can help!).
- Do use anti-virus software on all company computers.
Make sure to regularly update and scan all computers. AVG and Windows Defender are great free anti-virus options for Windows. Remember that no anti-virus will completely protect you. Your users also need to use common sense. That can often be the biggest challenge.
- Do ensure computers and mobile devices are password protected.
If your device is lost or stolen then don’t make it easy for a malicious attacker, simply set a password on login.
- Do use a password manager.
A password manager is a secure, encrypted vault that stores your passwords and is accessed with one master key or master password. KeePass is a great option but might intimidate less technical users.
- Do use a trusted provider for your website and email hosting.
A good web host will help you secure your website and email, and warn you against potential problems. We recommend our partners at HostAsean.com.
- Do use a spam filter on your email server.
You can configure this yourself or ask your web host. This will filter out most malicious emails before they reach your users.
- Do report any unusual activity to your IT administrator.
Something strange? Computer behaving oddly? Ask an expert.
What not to do?
- Don’t re-use passwords.
This is basic password security policy. If you are setting passwords for users then never use predictable patterns that a malicious attacker could guess, e.g. “yourname2018” and phone numbers are particularly common. Use a random generator instead.
- Don’t share logins.
A breach is made even more painful if you can’t tell who broke your IT security policy. Always set up individual accounts for each person wherever possible. This makes it easier to track any logins, updates, and lock old accounts as needed.
- Don’t use personal email accounts (e.g. Gmail or Hotmail)
Make sure all your staff have and use a company email that you can control. It may be an easy option, but don’t forward mail to your staff’s personal accounts or they’ll still have a copy of your company data even if they leave your company.
- Don’t use copied software.
Seems obvious but we often see cases where large companies are not buying the proper licences for their software. Pirated software often has security holes in it. Every computer needs a fully licenced copy of software like Windows, Office and any other software your team needs. If you want free software then go open source, don’t pirate.
- Don’t let users write their passwords on post-it notes.
It sounds funny but this is common, especially when you start enforcing complex passwords. You go to the trouble of setting a secure, complex password only for your user to write it down and stick it on the device it is supposed to protect.
- Don’t let users save passwords or allow automatic log in.
You never know who might sit at your computer while you are gone. Don’t make it easy for an attacker. Over the years we’ve even seen seemingly harmless pranks resulting in terrible embarrassment and damage. Every individual should be completely accountable for their workstation.
- Don’t give out critical passwords in chat or email unless necessary.
As a service provider, clients are often giving us passwords, but you only need to give us a login once. We’ll save it to our secure vault. Once you’ve given us the password then immediately delete it from the chat/email history. An even better way to transmit passwords is to send half by one method and half by another, e.g. by SMS and by email, or written on physical paper which is quickly destroyed.
- Don’t log into any website that does not use a SSL certificate.
The URL will always show as “https” when a SSL certificate is used – this encrypts the connection and any data. If there is no SSL certificate it means your data is being transmitted in plain text – and can be easily intercepted. This goes beyond the general IT security policy to become a part of customer experience, and SEOs have long debated how harshly Google penalises sites without this level of security. Logic says the current ‘minor’ penalty will increase over time, especially if personal details are being submitted on the site.
- Don’t allow company email or system logins from unauthorised locations or devices.
Critical systems should be accessible only over trusted networks – not from your local coffee shop Wi-Fi. You never know who is snooping around the network while enjoying their latte.
- Don’t trust email attachments from unknown sources.
Suspicious file types (particularly executable files) are often stripped by your mail server, but you still need to use caution.
- Don’t trust flash drives / USB sticks without first scanning them.
If you often receive files from customers then ensure you scan these drives before opening, or even better use an isolated “sandbox” computer for copying files and scanning them.
The saddest thing about breaches is that they are, on most occasions, the result of ignorance and/or laziness. Neither are acceptable reasons to put a company’s data at risk or temporarily disrupt its business. Some of the security breaches we’ve seen are shocking, and simply not acceptable for a modern business.
Sadly, few businesses introduce policies until they’ve been burned, but prevention is better (and certainly less expensive) than cure. If any of our dos and don’ts aren’t currently part of your IT security policy, now is the time to make your business breach-proof.