
The Dos and Don’ts of IT security

To mark Computer Awareness Day on November 30, Luis Navarro and Pedro Martins, co-founders of WFH IT Support, compiled a list of the nation’s ten most common cybersecurity mistakes and how to avoid them.

1 No security awareness training

Luis Navarro

The cyber security threat landscape changes every day, and no security software or solution vendor can guarantee protection against cyber-attacks. However, using best-of-breed software and solutions together with continued security training for staff puts your business in a good position to avoid breaches.

2 Admin rights enabled for everyone
This is bread and butter stuff: your staff should not be able to download and install software, as doing so can lead to serious virus infections and ransomware attacks. Always limit admin rights to your IT support provider and one or two staff members who know what they’re doing.

3 Use of non-business-grade network hardware
Basic networking equipment can be a source of data breaches in office environments, so we recommend purchasing decent hardware. The management side of things, where devices (e.g. firewalls and wireless access points) are set up and configured with specific security settings, should be cloud-based.

4 No hard disk encryption
If a laptop is stolen, it’s easy for the thief to access data on the hard disk. While Windows 10 Pro and Mac OS include free encryption tools, we recommend that businesses use a separate encryption management application and manage all staff members’ devices centrally. All encryption details should be stored in a secure environment that offers proof of compliance (useful for GDPR) and allows PINs to be reset remotely.

5 No DNS protection
DNS protection installed on laptops, PCs and Macs makes sure that the websites staff access are the legitimate ones (e.g. online banking, G Suite, Microsoft 365 etc.). If your staff work from a shared network (common practice in business centres) or remotely (e.g. from a coffee shop or home), you don’t control the network and its associated security settings, making network-level threats more likely. DNS protection helps stop criminals from capturing information that staff enter into a website, such as login credentials, which could enable them to steal data or money from your business.

6 2-step authentication not enabled
Whenever you enter login credentials online for a business application (e.g. G Suite, Microsoft 365, CRM systems, accountancy software etc.), you should be prompted to enter a numerical code, or approve a confirmation from an authenticator app on your mobile phone, before gaining access to the software. This is a very basic but very effective way to stop hacking of business data and mailboxes, because no one else will have your phone (for the code or confirmation). We continue to be contacted by prospective clients whose mailboxes have been hacked – a common scam involves compromising the MD’s mailbox and emailing illegitimate requests for payment to accounts payable.

7 No email filtering
Do you receive junk or phishing emails? We always recommend deploying a third-party email filtering solution alongside mailboxes so that every incoming email is scanned for fraudulent links, content and attachments. This minimises the risk of a staff member clicking a link and entering login details on a fraudulent website that mimics a platform you already use.
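To make concrete what "scanned for fraudulent links" involves, here is an added example (not code from the article or from any filtering product) that applies three simple checks to the links in an HTML email body: the visible link text names a different host than the real target, the target host contains a well-known brand name but is not one of that brand's real domains, or the target is a bare IP address. The `BRANDS` table, the sample email and the hostnames in it are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> domains that legitimately carry it.
# A real filter would use a much larger, maintained list.
BRANDS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com"),
    "google": ("google.com",),
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; empty string if none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_address(text: str) -> bool:
    """Display text such as 'https://login.microsoftonline.com' or 'bank.example'."""
    return "." in text and " " not in text


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html: str):
    """Return [(href, [reason, ...])] for every link that trips a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if looks_like_address(text) and host_of(text) != host:
            reasons.append(f"display text names {host_of(text)} but link goes to {host}")
        for keyword, allowed in BRANDS.items():
            if keyword in host and not any(host == a or host.endswith("." + a) for a in allowed):
                reasons.append(f"host {host} imitates brand '{keyword}'")
        if is_ip_literal(host):
            reasons.append("link target is a bare IP address")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message body; the hostnames are invented for the demo.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Sign in to keep receiving mail.</p>
<a href="http://login-microsoft0nline.example.net/verify">https://login.microsoftonline.com</a>
<br><a href="https://accounts.google.com/">Sign in to Google</a>
<br><a href="http://203.0.113.9/invoice.pdf">Invoice attached</a>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Only the first and third links are reported; the genuine Google sign-in link passes all three checks. The first link is the pattern the article warns about: the text shows the real Microsoft login address while the target is a lookalike host, which is exactly what a user reading the email cannot see without hovering over the link.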

8 Mobile Device Management & Conditional Access not rolled out
Many companies let staff access their mailboxes on their personal phones, but what happens when they leave the business? Unless Mobile Device Management is in place, the mailbox data will more than likely remain on the staff member’s device (even if they can’t access it because you have changed the password). Best practice is to deploy Mobile Device Management, which essentially gives staff a ‘Work’ folder on their mobile phones (containing mailbox, data, telephony app, Teams, Meet etc.), over which you have control. When a staff member leaves the business, you can remove the data residing in that folder and make sure no business data remains on the device.

9 No data backups
This is very often overlooked, yet it’s critical that businesses are able to recover emails and data in case of ransomware or deletion by staff.

10 No central management of security policies
Your staff should ideally have one login for all business software and platforms, and the password for that login should be changed frequently. Central security policy management lets you do this, whilst also offering many other benefits, such as printer management or automated operating system updates for laptops, PCs and Macs.

WFH IT Support is a new IT support service for home workers launched by London-based Totality Services. Any business with 10 or more Mac or Windows machines can sign up to WFH IT Support, with price plans starting at £14.99 per device per month and rising to £39.99 per machine per month.