October 2015 is European Cyber Security Month #CyberSecMonth – tips to improve security

Cyber Security Month 2015

In the EU it is Cyber Security Month. In the USA it is National Cyber Security Awareness Month. It is good to see the promotion of good practices; anything that reduces risks to businesses and individuals is welcome. Personally, I am waiting for Information Security Month; maybe I will have to start that myself.

This blog will be updated during October with tips on how to get into the ‘Information Security’ mindset, where doing things securely becomes second nature.

Number 1 – Use strong passwords

Use a combination of letters, numbers and special characters. Some sites don’t allow special characters, but most do.

Don’t use the same password for every site. Most people cannot remember multiple passwords, so consider using a password manager rather than storing them in another format. It isn’t possible to guarantee 100% security for password managers, but the extra security they provide is worth it for most people.

Number 2 – Use Multi-factor authentication

This provides an extra layer of protection when you log in. After entering your username and password, an SMS message is sent to your mobile with a validation code. There are other methods to issue the validation code, but SMS is the usual default. You need to enter the code to complete the login. This is a great way to protect yourself in case someone finds out your password. Use the Help or Support option to find out how to enable it for your accounts.

Number 3 – Keep up to date with security patches

If you don’t apply security patches when they become available, you increase the risk of being attacked. Patches can be made available at any time, so do regular checks to see if any need to be applied.

Number 4 – Anti-virus isn’t just for PCs

Macs and mobile devices can be infected by viruses and malware. Several vendors have anti-virus products for these platforms, some of which are free. Use your favourite search engine to see what is available for your platform and which ones get the best reviews.

Number 5 – Disabling network access when someone leaves your company

When someone leaves a company, disable their logins straight away: to the network, the VPN and cloud services. You don’t want to give them the opportunity to continue accessing confidential information. Have this as part of the Leavers Checklist, which will also include the collection of any door access fobs and company IT equipment they have.

Number 6 – Make your staff part of the solution, not the problem

The problem – around 35% of security incidents are caused by staff not following guidelines or accidentally passing on information in public places.

The solution – remind staff on a regular basis of your key security principles. Not just the IT ones, but the ones around building security, disposing of confidential waste and being careful about what is said and shown to others in public places. How you do this is down to the company culture – ‘carrot’ vs ‘stick’ – and the policies that are in place to define what is acceptable and the disciplinary procedures to deal with offenders. If there is an incident, tell staff what was learnt and what changes are to be made. Provide opportunities for staff to submit ideas on improving security. You may be surprised at the number of simple-but-effective ones they come up with.

Number 7 – Testing your Business Continuity plan

Every business should have a Business Continuity plan to keep working if the main business premises are not available, there is a major IT failure, etc. To check that the plan will work, it needs testing on an annual basis. This could be a full test, a desktop test or a discussion with the key stakeholders. More details are in our blog on this subject.

Number 8 – Backing up your information

Every business will say they have backed up their information, but the majority never check the integrity of the backups or the process to restore files. Make sure you have primary and secondary backups. One could be in the cloud and the other a physical device. You may want to consider having multiple generations of backups. Encrypt and/or password protect the data. Every 2-3 months do a quick check to confirm that a) recently added folders and servers are being backed up and b) you can restore a few files. If you have a third party that looks after your IT, get them to confirm that the checks have been done.

Number 8 – Keeping track of installed software

If you have an accurate software inventory, you will know where software patches need to be applied. There are several software packages that can automatically maintain your inventory, some of which are free.

Number 9 – Disposal of old equipment

When equipment is no longer useful, make sure that all data is securely wiped before disposing of it. This applies to hard disks, SSDs, mobile devices, SIMs and SD cards. If you get a third party to do this for you, get a certificate to confirm it has been done correctly. If they cannot issue confirmation, then find a company that will.

Number 10 – Showing potential clients that you care about information security

You may not need formal certification such as ISO27001:2013 or Cyber Essentials, but you do need a way to show your commitment. This can be done by having documents such as an Information Security Management System (ISMS) policy, an Acceptable Use Policy, a Bring Your Own Device (BYOD) policy and a Business Continuity Plan. Make sure they are reviewed on an annual basis to reflect current business requirements.

Other resources

The Stop, Think, Connect site has lots of good advice.