1 – Poor Password Practice
The most common, easy-to-fix (for free) and high-risk element I see at most new clients is very poor password practice. It is easy to underestimate just how risky this is. Very common issues include:
- Using the same password as somewhere else
- using the same password for a long time
- Using a password that is short or predictable (a single word, a name, a date)
- Sending passwords over email
- Don’t build passwords from a recipe such as a word with a capital letter at the start, two digits and a symbol on the end (Cherry94!, Porsche38#, Sunscreen05*). They are easy to remember, but they are not hard to guess: password-cracking tools take a dictionary of common words and apply exactly those rules (capitalise, append two digits, append a symbol), so a password like this falls very quickly once an attacker has the hash. Use a passphrase of four or more unrelated words that is at least 14 characters long, or let a password manager generate a long random password for you.
- Change a password straight away whenever you have reason to think it has been exposed – a breach notification, a phishing email you acted on, a colleague who knew it has left. Forced rotation every few months was the old advice, but it mostly produces predictable variants (Cherry94! becomes Cherry95!), and current NIST guidance (SP 800-63B) no longer recommends it. What matters is that an old password known to a third party is never still valid.
- Use a different password for every business application, never share a password between business units, and never reuse a work password anywhere else. For your personal passwords, have 3 tiers – Don’t Care (trivial sites where a hack wouldn’t matter), Important (sites where important data is kept) and Critical (banks, government, identity, critical data). A Critical-tier password must be unique to one site; with a password manager it is just as easy to give every site its own.
- Use ‘2 step Authentication’ or ‘Multi-Factor Authentication’ for everything – this means that as well as the password you enter a code from your phone to log in. A code from an authenticator app or a hardware security key is stronger than a code sent by text message, because text messages can be redirected by a SIM-swap attack, but even text codes stop the bulk of account takeovers, which rely on a stolen password alone. It costs another 10 seconds per login.
- Never send passwords over email. Ever. Send the username over email and text the password to the recipient – an attacker then needs access to both systems to steal the credentials. Make it a temporary password that must be changed at first login, so the copy sitting in the text message stops being useful.
- If you don’t have a safe, reliable method for remembering or retrieving passwords, use a password manager such as LastPass. Protect it with a long master passphrase and MFA, and remember and/or write down the Master Password – and keep that note somewhere physically secure!
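To see why the word-plus-digits recipe is weak, here is an added example (it is not from the original article) that measures the search space of that recipe against a random passphrase, converts both into a time-to-exhaust at an assumed guessing rate, and flags passwords that follow the recipe. The short word list is constructed so the script runs offline; the 10,000-noun vocabulary, the 7,776-word list size, the 24 symbols and the 10 billion guesses per second rate are assumptions, marked as such in the code.

```python
import math
import re
import secrets

# Constructed word list so the example runs offline. A real passphrase generator
# should draw from a published list such as the EFF long list (7,776 words).
WORDS = ["cherry", "porsche", "sunscreen", "ladder", "violet", "anchor",
         "pepper", "tunnel", "walrus", "marble", "copper", "saddle"]
EFF_LIST_SIZE = 7776        # assumed size of the list a real generator would use
COMMON_NOUNS = 10_000       # assumed size of the everyday-word vocabulary a cracker tries
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed: the 24 symbols people actually append
GUESSES_PER_SECOND = 1e10   # assumed offline GPU rate against a fast hash such as NTLM

# "Word + two digits + one symbol": Cherry94!, Porsche38#, Sunscreen05*
RECIPE = re.compile(r"^[A-Z][a-z]{2,}\d{2}[^\w\s]$")


def recipe_entropy_bits() -> float:
    """Bits of search space in the recipe: one noun x 100 digit pairs x one symbol."""
    return math.log2(COMMON_NOUNS * 100 * len(SYMBOLS))


def passphrase_entropy_bits(n_words: int, list_size: int = EFF_LIST_SIZE) -> float:
    """Bits of search space for n words picked uniformly from a list of list_size."""
    return n_words * math.log2(list_size)


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole search space at the assumed guessing rate."""
    return 2 ** bits / rate


def generate_passphrase(n_words: int = 4, words=WORDS) -> str:
    """Pick words with the CSPRNG; the list size, not the word choice, sets the strength."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def check_password(pw: str) -> list:
    """Return the reasons a password is weak; an empty list means no rule fired."""
    problems = []
    if len(pw) < 14:
        problems.append("shorter than 14 characters")
    if RECIPE.match(pw):
        problems.append("follows the word+2digits+symbol recipe that cracking rules target")
    if pw.lower() in WORDS:
        problems.append("is a single dictionary word")
    return problems


if __name__ == "__main__":
    for name, bits in [("Cherry94! recipe", recipe_entropy_bits()),
                       ("4-word passphrase", passphrase_entropy_bits(4))]:
        print(f"{name}: {bits:.1f} bits, exhausted in {crack_seconds(bits):.0f} s")
    for pw in ("Cherry94!", "cherry", generate_passphrase()):
        print(pw, "->", check_password(pw) or "ok")
```

The recipe comes out at roughly 24.5 bits, which the assumed rate exhausts in a few milliseconds; four words from a 7,776-word list give about 51.7 bits (days at the same rate), and six words give about 77.5 bits. The constructed 12-word list in the script is only there to make it run; a passphrase drawn from it would be far weaker than those figures.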
2 – Clicking on malware emails
I have lost count of the number of times I’ve had someone ring me in a panic because they clicked on a link on an email, landed on a site, took further action, and now they’re in a real pickle, having given a third party their username and password. This is often the start of identity theft, malware hacks and ransomware.
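The ‘hover over the link and read the domain’ check described by the rules in this section can also be done in code, which is useful for a mail gateway or a help-desk triage tool. The example below is added here and is not from the original article: it pulls every link out of a constructed sample email, compares the real host of each link with the domain the sender claims to be, and flags the tricks phishing links rely on (a look-alike subdomain on an unrelated domain, a username before an @ that hides the real host, a bare IP address, and link text that shows a different address from the one it goes to). The sample HTML and the sender domain example-bank.com are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email: the visible text of the first link says one thing,
# its href another; the second hides an IP address behind a fake "domain@".
SAMPLE_HTML = """
<p>Dear customer, your account will be suspended unless you confirm your details.</p>
<a href="https://accounts.example-bank.com.verify-now.net/login">https://accounts.example-bank.com/login</a>
<a href="http://example-bank.com@203.0.113.5/">Update details</a>
<a href="https://support.example-bank.com/help">Help centre</a>
"""
SENDER_DOMAIN = "example-bank.com"   # assumed: the domain the From: address claims


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Naive on purpose: production code should
    use the Public Suffix List (e.g. the tldextract package) so that co.uk works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href: str, text: str, sender_domain: str) -> list:
    """Return the warnings a link earns; an empty list means it looks consistent."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:
        warnings.append("userinfo before @ hides the real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("bare IP address instead of a domain")
    if registrable_domain(host) != sender_domain:
        warnings.append(f"host {host} is not under {sender_domain}")
    shown = urlsplit(text).hostname if text.startswith(("http://", "https://")) else None
    if shown and shown != host:
        warnings.append(f"link text shows {shown} but goes to {host}")
    return warnings


def scan_email(html: str, sender_domain: str) -> dict:
    """Map every href in the body to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: classify_link(href, text, sender_domain) for href, text in parser.links}


if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_HTML, SENDER_DOMAIN).items():
        print(href, "->", warnings or "consistent with sender")
```

Reading the domain from the right-hand end is the whole trick: accounts.example-bank.com.verify-now.net belongs to verify-now.net, whatever the left-hand labels say, and that is exactly what `registrable_domain` compares. The `@` case matters because `urlsplit` (like a browser) treats everything before the `@` as a username, so the site actually visited is 203.0.113.5.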
Methods of Prevention
There are some very simple rules to follow to avoid this disaster:
- Unless you are 100% sure of an email’s sender, intent and connection to you, hover over any link before clicking and read the web address – is it the sender’s real domain or some strange, unrelated one? Read the domain from the right-hand end: the part directly before the first single ‘/’ is the site you will actually land on, whatever familiar names appear to the left of it. Never click a link if the full domain doesn’t look legitimate.
- Check whether the email uses your proper name or other real details about you (not your email address – they obviously have that). If it doesn’t, treat it with suspicion.
- Check whether the logos, date, colours and other design details match what the sender usually uses.
- If an email warns that something is about to be suspended, deleted, or needs re-activation or confirmation, treat it with suspicion – urgency is the standard trick. If you think it might be genuine, don’t use the link: go to the service by typing its address or using your existing bookmark.
- Pause, breathe, use your common sense and call your IT provider if there’s any suspicion.
3 – Insufficient Backup Processes
Most IT disasters can be recovered from with solid backup (and restore) practices. However, many businesses think they have a backup plan but never monitor it, never test a restore and keep only one copy. What happens if your backup device fails? What happens if your office burns down? What happens if a restore job doesn’t work? What if ransomware encrypts the server and the backup drive plugged into it at the same time? What if you need to retrieve something that was deleted months or years ago? All of these are solved with a proper strategy in place.
For best backup practice, do the following:
- Have three backup copies – two locally, and one online. At least one copy must be unreachable from the office network (an online service with its own credentials, or a drive that is disconnected between backups), so malware that encrypts the server can’t encrypt the backup too.
- Make sure your data transfer speed for backup and restore is fast enough – if a full restore would take 8 hours or more, you need a faster solution, because that is how long the business is down.
- Have someone check the backup reports every day, and treat a missing report the same as a failure report.
- Do a test restore of your data at least twice a year, to a separate location, and confirm the files open and match the originals.
- Get clarity on the business’ retention needs – how far back would you ever need to retrieve a deleted file or email? Then talk with your IT provider to ensure that retention is in place.
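A test restore can be scripted so that it happens on a schedule rather than when someone remembers. The example below is added here and is not from the original article: it backs up a constructed sample folder, records a manifest of file hashes at backup time, restores the archive into a scratch directory, and reports every file that is missing, changed or unexpected, which is the check a daily report should be making. It also tests the archive’s age against the expectation that a backup ran in the last 24 hours. The sample files, paths and the 24-hour limit are assumptions.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map of relative file path -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source and return the manifest taken at backup time."""
    manifest = make_manifest(source)
    with tarfile.open(archive, "w:gz") as tf:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tf.add(p, arcname=p.relative_to(source).as_posix())
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare against the manifest.

    Returns a list of problems; an empty list means every file came back intact.
    """
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tf:
            try:
                tf.extractall(dest, filter="data")  # refuses '..' and absolute members
            except TypeError:                        # Python without extraction filters
                tf.extractall(dest)
        restored = make_manifest(dest)
    problems = [f"missing: {p}" for p in sorted(set(manifest) - set(restored))]
    problems += [f"changed: {p}" for p in sorted(manifest)
                 if p in restored and restored[p] != manifest[p]]
    problems += [f"unexpected: {p}" for p in sorted(set(restored) - set(manifest))]
    return problems


def is_fresh(archive: Path, max_age_hours: float = 24) -> bool:
    """True if the archive was written within the expected backup window (assumed 24h)."""
    return (time.time() - archive.stat().st_mtime) <= max_age_hours * 3600


def demo():
    """Constructed end-to-end run: a clean restore, then a manifest that no longer matches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "shared"                      # constructed sample data
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-05,120.00\n")
        (source / "contracts.txt").write_text("Constructed sample document.\n")
        archive = root / "shared-backup.tar.gz"

        manifest = backup(source, archive)
        clean = verify_restore(archive, manifest)
        fresh = is_fresh(archive)

        # Simulate silent corruption: the stored hash for one file no longer matches
        manifest["accounts/ledger.csv"] = "0" * 64
        damaged = verify_restore(archive, manifest)
        return clean, damaged, fresh


if __name__ == "__main__":
    clean, damaged, fresh = demo()
    print("clean restore:", clean or "all files intact")
    print("damaged manifest:", damaged)
    print("backup fresh:", fresh)
```

Keep the manifest somewhere other than next to the archive (the online copy is the obvious place); if both are on the same drive and that drive fails or is encrypted, the verification has nothing to compare against.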
4 – Consumer-grade Network Hardware
It can be very tempting to buy consumer / home grade network equipment (firewalls, routers and switches) when fitting out your office – there is a large cost difference between consumer grade and enterprise grade. So why bother? There are lots of reasons – Enterprise network hardware:
- Is better defended against attack, wired and wireless: it receives firmware security updates for years rather than being abandoned after a year or two, and it supports separate networks (VLANs) so guest Wi-Fi and staff devices can’t reach the servers, plus logging of what happens on the network
- Can be managed and monitored centrally to track and fix issues on the network
- Supports advanced networking features that maximise throughput and minimise errors in network traffic
- Has warranty and support from the vendor.
- Can run at 10Gb, 25Gb or 40Gb, while home/consumer grade is typically limited to 1Gb. With today’s data needs increasing, speed can become a limiting factor
5 – No Disaster Recovery (DR) / Business Continuity (BC)
Nobody likes talking about it, but there are cases where an office becomes unusable due to theft, flood, fire, power outage, lift failure, a crime scene or an earthquake. While rare, without Disaster Recovery (DR) processes in place your business has no Business Continuity, which can not only cripple the business, it can also mean larger businesses won’t deal with you – it’s too risky. So what to do?
How to set up DR / BC
- Ensure all your business-critical servers (and workstations if applicable) are backed up in a form that can be ‘virtualised’ – that is, converted into Virtual Machines (VMs)
- Purchase an online backup plan that includes the ability to ‘spin up’ the backed-up servers as Virtual Machines – Microsoft’s Azure is the obvious choice for most businesses
- Once Azure is active and has backup VMs in place, get your IT provider to test activating them as online VMs, log in and check that you can perform normal business functions – then turn them off again to save money. Repeat the test at least yearly, and write down who does what in a real outage, including how staff connect to the recovered servers from outside the office.
6 – Physical / operational security
Physical security is another major issue at organisations: most breaches and hacks are made possible by human error, not by a technical failure, and physical access is the easiest way to exploit it.
How to physically secure your business
- Ensure everyone locks or logs off their computer when leaving their desk. Have IT set PCs to lock automatically after a short idle period as a safety net – users often find 5 minutes annoying, but even 10–15 minutes is far better than none.
- Ensure all office keys and swipe cards are accounted for; when someone leaves, disable their card and change any locks they had keys to
- File away and lock up all confidential documents and equipment
- Install security cameras and alarms with immediate back-to-base monitoring and text message alerts
- Ensure access to your floor via lifts and stairs is secure
7 – Data security
Lastly, for organisations with highly sensitive and/or valuable information, often the relevant security requirements are not adhered to. Data theft in these sorts of organisations is reasonably common, and I personally have assisted on a number of legal cases to bring data thieves to justice. Here’s a list of things to do.
How to secure your sensitive data
- As always, ensure you have a strict password policy (see ‘1’ above)
- Don’t email sensitive data without encryption. Office 365 can encrypt your emails – get your IT provider to set it up. Otherwise, send sensitive data via more secure channels such as encrypted messaging systems or online portals.
- Document security on your server is critical. Security groups and the right permissions, especially inside a Document Management System (DMS), are what stop a malicious user finding or exporting documents they have no business seeing. Give each group the minimum access its job needs, review who is in each group regularly, and turn on audit logging of who opened or exported what. Talk to your IT provider and/or DMS provider about this.
- Encrypt your workstation and laptop hard drives (BitLocker on Windows, FileVault on Mac). It costs nothing and means a lost or stolen machine is not also a data breach; it matters most where sensitive data is stored on the device itself
- Lock down which devices (mobiles, tablets, workstations, etc.) can access your data, and have the ability to remotely wipe data from those devices if they are lost or the user leaves