IT security guidelines for employees
IT security is a serious matter when it comes to a business’ safety and growth. Employees must be made aware of possible threats to their computers as a breach could affect company data. In this article we will clarify the common threats posed to business IT systems and suggest preventative security measures for London based employees. We believe IT security guidelines are key to helping small businesses achieve a secure digital environment.
Most companies rely on their security related appliances to protect their IT systems. These can include firewalls, centralised anti-virus/vulnerability management systems, Intrusion Detection Systems (IDS) and other software/hardware. However, employees are more often the targets, either by phishing or malware downloaded through internet browsers. These tactics can deceive employees, making it much easier for cybercriminals to successfully extract and exploit business data. Therefore, as new scams and threats arise, it is more important than ever for staff to be made aware of common threats and how they operate. This ensures the network remains secure and its data is protected.
Below are the main sources which can compromise your business’ IT security:
Targeted phishing is one of the most used threats against employees. An email is sent to the users prompting them to take some sort of action. This is often done by clicking on a link, opening an attachment, or other methods. This kind of threat is secretly malicious, as it leads employees to accidentally download malware which can attack computers and steal sensitive data. Attackers may also use details about your business, employees, or workplace to appear convincing and mask their true intentions. Although some emails are blocked, it is not always possible to block all “known” malicious emails. This kind of phishing can target many users at once, hiding in busy inboxes. As such, the user should not reply, click on links from emails, or open zipped attachments from unknown or known sources without first verifying with the source.
Emails which appear to be from a bank or other financial institutions are also commonly used to extract and gather data. Pay special attention to these and always confirm with the source as to whether the links are legitimate. Where employees fail to identify phishing, it may be helpful to utilise anti-spoofing controls to separate real sources from false ones. For example, Domain-based Message Authentication, Reporting and Conformance (DMARC) is recommended for the protection of company domains from hackers.
If you require support with analysing suspicious emails, feel free to ask the totality services team.
User authentication in IT security is innovating, with some devices based on fingerprints, optics, and facial recognition, helping elevate user protection to a new degree. However, the most common method of authentication is still passwords or PINs. These should remain private to the user, and if possible be unfamiliar and personally unrelated to them.
Choosing a familiar password can risk sensitive and private data being exposed to anyone who has basic information collected about an employee. Most passwords are easily guessed as they contain names, birthdays, pets’ names, and simple combinations of such. Furthermore, recycling your username or login, friends’ or family’s names, previous passwords, or a simple keyboard pattern like “qwerty” provides very weak protection from hackers. Instead, users are advised to have their passwords secret and relatively complex to improve their IT security during authentication. Any simple mixture of alphabet, symbols and numbers can increase password strength dramatically, eg: “n0t3p4d!!$”.
Ensuring you have a strong password is the most common practice in defending against malicious attacks. It is recommended that your passwords are changed every 90 days (3 months), even if a small change. And remember that a breach to your passwords can become a data breach of your workplace, and indeed pose a significant security risk to the business itself.
System Updates / Anti-Virus Updates
Some malware is written in order to take advantage of a specific known vulnerability. As such, it is vital that your operating system and anti-virus software are kept up to date. These new solutions are equipped to protect vulnerabilities and strengthen IT security, so ensure immediate updates are scheduled to the day. Your anti-virus software should be kept aware of the latest malware signatures, as without it may not be able to react against new malware and will be rendered obsolete. It is also just as important that other software installed on your computer are updated as frequently as possible.
Simply put, updating your systems and anti-virus software mitigates any known vulnerability and malware attack.
Security while surfing on the web
Surfing on the web comprises two major roles: the browser and the user. Some services and browsers automatically block known phishing and malware sites. For example, Google and Microsoft Smart-Screen Filter help scan for malicious activity by analysing webpages and downloaded files. While the anti-virus software is installed and running in real time, the browser needs to be updated. However, to ensure the best security practices while surfing the web, the user must be aware of what to do.
Generally, the user’s security measures are common sense, but this can differ slightly from person to person. So, we have compiled most of the basic security guidelines to follow whilst browsing the web:
- Don’t open any downloaded files unless they’re meant for you and you’re sure of what they are.
- Check any files downloaded for viruses. This should be done automatically if your anti-virus software is enabled and running.
- If in doubt, you can use www.virustotal.com to scan any files with a diverse range of anti-virus engines. If the file is discovered as malicious, it will show. If this happens not run the file. If in doubt, contact us at totality services.
- Avoid visiting websites that seem suspicious by any standard. Some websites disguise themselves as other services, asking for a username and password. Unless you know what are doing, do not continue. Keep in mind that there are many ways to create a simple website with the goal of deceiving the user into giving their details.
- Do not fill out any forms on popups, banners or websites, unless you are familiar with them or know what you are doing.
- Remember that malicious content is mostly used on websites with illegal or adult content.
Everything we have pointed out above goes out the window if an attacker gains physical access to a machine. There are some things that can be done to make this kind of access difficult, and in data retrieval – nearly impossible.
- Do not save any sensitive data or documents locally on your machine. Save data on your server or cloud storage platform (e.g. Dropbox or SharePoint).
- Lock or shut down your workstation every time you leave your desk or leave your laptop/mobile device unattended.
- Delete sensitive information.
- You should always report incidents and suspicious behaviour to your manager.
- Encryption is being used more and more in companies to protect devices and hard drives. It can ensure that data remains protected in case a device gets stolen. Contact our team at totality services for more information about this service.
Other threats and basic security measures to look out for include:
- Scammers trying to get user information through a phone call, often masking as an agency, bank or another institution. No institution will ask for private information over the phone, whether it be person, bank account or workplace related.
- As well as phishing, also be wary of email spoofing. This is the forgery of an email address so that the message appears to have originated from someone you know, for example your boss. In recent times there have been many such incidents requesting money to be transferred or payments made. These emails can look very real, so be careful!
totality services is a leading London IT Support company providing specialist IT security services. If you need any help with implementing solid IT security at your London based business, simply contact us. For our clients the helpdesk team are available around the clock to offer guidance and solutions to your business’ cybersecurity needs.