Cyber Security Guide
The Flex IT Cyber Security Guide
Here is our simple guide, with advice and guidance for businesses, covering five core areas that will significantly increase your protection. The areas covered are:
- Backing Up your Information
- Protecting the Business from Malware
- Making sure your Mobile Devices are Safe
- Having Strong Passwords and Using MFA
- Being Aware of Phishing
This is by no means an exhaustive list; consider it a starting point. While it may seem daunting, there are systems and processes that can be implemented to ensure your business is getting on top of keeping safe.
Backing up your Information
In a worst-case situation, the best route to recovery will be restoring data/information from backups and rebuilding systems. So, make sure you have good backups:
- Your first step is to identify your essential data.
- Restrict access to data backups so that they are only accessible by approved users and are not permanently connected (either physically or over a local network) to the device holding the original copy.
- Using cloud backup means your data is physically separate from your location, and it is fully encrypted before it leaves your file store. However, before choosing a provider, make sure their services are secure and reliable.
- Using automated backups not only saves time but also ensures that you have the latest version of your files should you need them.
- Back up frequently.
- Back up different data sets appropriately, based on their importance and the required retention policies.
- Test the backups by restoring selected data routinely.
- Check backup progress and quality by looking at the reports and logs.
Check out this NCSC video to learn more about backing up your data – https://youtu.be/Ik08M7Xo0fQ
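The two bullets on restoring selected data and checking the logs can be combined into a routine restore test. The script below is an added illustration, not part of the Flex IT guide: it backs up a constructed sample directory to a tar archive, records a SHA-256 manifest of the originals, restores the archive into a separate scratch directory, verifies every restored file against the manifest, and writes an OK/FAILED line to a log. The directory layout, file names and log format are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: automated restore test for a tar backup with checksum verification.
# All paths are constructed in a temporary working directory.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/src"; BACKUP="$WORK/backup.tar"
RESTORE="$WORK/restore"; MANIFEST="$WORK/manifest.sha256"; LOG="$WORK/restore-test.log"

# Constructed sample data standing in for the business's essential data.
make_sample_data() {
  mkdir -p "$SRC/finance"
  printf 'invoice 1001 paid\n' > "$SRC/finance/inv-1001.txt"
  printf 'id,name\n1,Example Ltd\n' > "$SRC/customers.csv"
}

# Take the backup and record a SHA-256 manifest of the originals at the same time.
take_backup() {
  (cd "$SRC" && find . -type f | sort | xargs sha256sum) > "$MANIFEST"
  tar -cf "$BACKUP" -C "$SRC" .
}

# Restore into a separate directory (never over the live data) and check every
# file against the manifest. Returns 0 only if all checksums match, and appends
# one log line either way so the result shows up in routine log review.
restore_and_verify() {
  rm -rf "$RESTORE"; mkdir -p "$RESTORE"
  tar -xf "$BACKUP" -C "$RESTORE"
  if (cd "$RESTORE" && sha256sum -c --quiet "$MANIFEST") >/dev/null 2>&1; then
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) RESTORE-TEST OK $BACKUP" >> "$LOG"
    return 0
  fi
  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) RESTORE-TEST FAILED $BACKUP" >> "$LOG"
  return 1
}

# Simulate a backup whose content silently differs from what was recorded:
# the backup job reports success, but the data in it is not what you expect.
simulate_bad_backup() {
  printf 'invoice 1001 CORRUPTED\n' > "$SRC/finance/inv-1001.txt"
  tar -cf "$BACKUP" -C "$SRC" .
}

make_sample_data
take_backup
restore_and_verify && echo "restore test passed, see $LOG"
```

The point is that a "backup completed" message from the backup job is not the same as proof the data can be restored; only the checksum comparison after a real restore shows that.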
Protect the business from Malware
Malicious software will damage your data by infecting systems with viruses or other malware, or even encrypt the data so it can’t be accessed unless a ransom is paid (ransomware).
- Set up external email filtering and scanning, or Microsoft’s Advanced Threat Protection, to intercept malicious emails before they reach users’ mailboxes.
- Install Gateway protection with a good quality firewall.
- Train users about the risks of Malware and how to identify suspicious emails.
- Make sure you have installed good quality Anti-Virus as well as Anti-Malware to all your systems and that they are automatically updated.
- Ensure that no Local Administration rights are assigned to users.
- Only install applications on systems and mobile devices from approved sources.
- Switch on all local firewalls and ensure they are always on.
- Install all software and Operating Systems updates to all systems and mobile devices.
- Never use outdated software.
- Don’t use USB memory sticks to transfer data.
Check out this NCSC video to learn more about protecting your organisation from malware – https://youtu.be/9zNa3T_OGsk
Making sure your Mobile Devices are Safe
Mobile computing is now a vital part of business life because we want information wherever we are. This presents an ever-widening landscape for cybercriminals to attack your systems, damage your data and potentially harm the business.
- Make sure complex PINs and passwords are used and, if possible, use biometric access.
- Make sure the device tracking service is enabled so that lost or stolen devices can be located.
- Remote lock and wipe facilities are available and should be used where possible.
- Mobile Device Backups should be taken to recover locally stored information.
- Keep devices up to date, but if the device is too old to accommodate updates it should be replaced.
- Make sure all the apps on devices are up to date.
- Don’t connect to Wi-Fi networks or hotspots unless users are absolutely sure who the provider is; use the mobile network provider’s service instead.
- If you need to connect a laptop to the internet, tether it to a mobile device and use the network provider’s network.
- Don’t connect to a VPN service unless you know who the provider is.
Check out this NCSC video to learn more about how to keep your devices safe – https://youtu.be/mtSsKkXp-Eo
Having Strong Passwords, Using MFA & Encryption
Make it a rule never to share passwords, and always change the default passwords on devices. Make sure all users know what is required of them, create policies that cover all aspects of security, and reference them in your HR documents.
- Use BitLocker/FileVault to encrypt PCs and Macs.
- Make sure Data Protection is enabled on your mobile devices.
- Set a screen-lock password or biometric method to secure devices.
- Old Hardware may not have a Trusted Platform Module (TPM) and should be replaced.
- Use Touch/Face ID on Mobile Devices.
- Set the Erase Data option on mobile devices to wipe the device after a set number of failed logons.
- Passwords must be considered carefully, not all need to be changed regularly and users should be able to reset them themselves.
- Use a secure password manager that has an individual master password for access.
- Use longer and more complex passwords that can’t be easily guessed for highly critical services such as banking and email.
- Administrator passwords must be very strong and only given to selected users who understand the implications of the responsibility that is afforded to these types of accounts.
Check out this NCSC video to learn more about the types of passwords to use to protect your data – https://youtu.be/lUze3iXlPtw
Being Aware of Phishing
Malicious emails will still get through regularly, and when that happens, the only thing preventing your organisation from a breach is your employees’ ability to detect their fraudulent nature and respond appropriately.
- Assume you will receive fake emails/phishing attacks at some point from scammers.
- Think about ways that a hacker might try to trick a user into doing something that could cause harm.
- Make sure all staff are involved, aware and provided with information to help them identify a scam. Encourage staff to seek help if they are not sure about an email.
- Show staff example scam emails that contain the typical “flags” of poor spelling, odd-looking web links, poor graphics and generic language.
- Give staff the confidence to question a request to act on financial or other important matters.
- Always use the principle of “Least Privilege” which means that users are only allowed to access the information and services they need to do their work.
- Administrative work on systems must be done with a separate logon, which may itself be restricted (for example, with no email or web browsing).
- Use Multi-Factor Authentication (MFA / 2FA) for all of the web services you use, including Microsoft and any VPNs you have set up.
- Consider signing up to a scamming alert service.
Check out this NCSC video to learn more about how to avoid phishing attacks – https://youtu.be/KBOaBC26ojE