We live in perilous times.
Security incidents and data breaches are more widespread than ever, and digitally savvy businesses are often the victims. Companies are constantly at risk: ransomware, cyberattacks, social engineering and corporate espionage can all bring them down within minutes. Yet the most common way a company is compromised is through the actions of individual people within the organization itself.
With this in mind, it is critical for businesses to have strong internet security rules and standards in place. The cybersecurity policy of any business should be precise and complete. It should require specific actions and procedures, not merely common-sense basics such as:
- Lock your workstation when leaving your device unattended.
- Use a screen protector when traveling.
- Avoid leaving crucial documents on the desk.
- Don’t give anyone else access to your devices.
It also shouldn’t read like this: “don’t capture screenshots because of the security policy” or “security policy forbids usage of cameras”. It should explain the why, not just the what.
In this post, we will discuss some of the most significant aspects of your company’s internet security policy, how to implement the changes, and why adopting these measures is a smart idea.
Policy on Passwords
Each employee should use a unique password for every service they use within the company (and for personal services, for that matter), one that has NEVER been used anywhere before. The following services can help your staff create, secure and organize passwords:
- HaveIBeenPwned: By subscribing to HaveIBeenPwned, employees are notified if one of their accounts turns up in a data breach at a company they use.
- Password managers: A password manager lets employees securely store, and readily access, many strong (hard-to-remember) passwords. Most can also generate extremely strong passwords for them.
- 2FA: In addition to strong passwords, 2FA (two-factor authentication) must be enabled on every service that supports it.
Software Policy
Employees must use up-to-date software. This covers not only the operating system but also every other program installed on staff devices. Company laptops commonly carry all sorts of software, from personal applications to cloud storage clients or even logo creation tools, much of which may not have been used in months. Unnecessary software should be removed, and security updates should be installed as soon as possible.
Some software is more likely than the rest to be attacked remotely, so updates for the following should be prioritized:
- Operating system (desktop and mobile)
- PDF viewer
- Microsoft Office
- Java
- Browsers
- Email clients
Need-to-know Access
Some employees have access to the company’s privileged accounts and services, but not all of them need it. Sensitive accounts should be shared with as few people inside the company as possible.
Beyond limiting access, the responsible manager should keep access lists up to date so they always know who has access to which account at any given time.
In addition, all grants of access to service accounts should go through the authorized manager. When an employee who had access to certain services leaves the organization, management must reset the passwords and notify all parties involved.
To avoid mishaps, passwords for workplace accounts and services should be changed on a regular basis.
Tips for Browsing
There are many browsers out there, but we recommend Firefox, Brave or Tor (some services may not work as expected in Tor) to protect your employees’ devices while they browse. They must, however, keep all plugins up to date, particularly Flash and other Adobe plugins, which are regularly found to be vulnerable.
How do you keep your browser secure?
Make sure the HTTPS Everywhere and uBlock Origin add-ons are installed.
- HTTPS Everywhere rewrites requests to use HTTPS on sites that support it but do not default to it, closing the gap left by incorrectly set-up HTTPS. Brave has HTTPS Everywhere built in.
- uBlock Origin is not a security extension as such, but it blocks unwanted content, and there have been reports of advertising being used to distribute malware.
Additionally, make sure that WebRTC, Flash and Java are turned off in your workplace browser to reduce the attack surface, which is a fancy way of saying there are fewer ways for malware to get into the browser. Again, these are only recommendations. For most internet users, if your company uses the latest tools and browsers and educates its employees on what to do and not to do when browsing and downloading online content, then generally speaking things should be okay.
Email Security
Check whether your internet security policy contains a section on email security. One rule that belongs there: employees should never open attachments from unknown sources, especially .zip or .exe files. The same standard applies to your own outgoing mail: if you integrate video in email marketing, for example, make sure your messages do not look suspicious to recipients and do not undermine these security goals.
Image files are generally safe as long as they are not SVG. Employees should be wary if a Word or PDF document they have downloaded asks them to approve something or grant it permissions when opened. If that happens, they must stop immediately and alert the IT department or security team.
Businesses must also urge staff never to click links in unsolicited emails. Seems too obvious, doesn’t it? Yet according to Verizon’s 2021 DBIR, around 25% of all data breaches involve email phishing, and 85% involve some form of human interaction.
Additionally, if an email looks suspect (it demands immediate action, asks for sensitive data, has poor grammar and spelling, etc.), personnel should check the headers to verify that the email actually originates from where it claims to come from. If it does not, they should report the email as phishing and delete it from their inbox.
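As an added illustration of the header check described above (example code, not part of the original post), the function below parses a constructed phishing-style message and compares the visible From domain with the envelope sender, the Reply-To address, and the receiving server's SPF, DKIM and DMARC verdicts. All addresses, hostnames and header values are made up for this example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real email): From claims the company helpdesk, but the
# envelope sender, Reply-To and the receiving server's verdicts point elsewhere.
SUSPECT_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=example-corp.com
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: helpdesk-support@example-mail.net
Subject: URGENT: verify your account within 24 hours

Please confirm your password at the link below.
"""
# Constructed legitimate message from the same sender, for comparison.
CLEAN_MESSAGE = """\
Return-Path: <helpdesk@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com;
 dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
From: "IT Helpdesk" <helpdesk@example-corp.com>
Subject: Scheduled maintenance on Saturday

The VPN will be unavailable from 02:00 to 04:00.
"""

def _domain(header_value):
    """Lower-cased domain of the first address in a header, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def check_headers(raw_message):
    """Return findings on why the message may not come from where it claims (empty if OK)."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = _domain(msg["From"])
    # The sender controls From; Return-Path and Reply-To show where bounces and replies go.
    for name in ("Return-Path", "Reply-To"):
        domain = _domain(msg[name])
        if domain and from_domain and domain != from_domain:
            findings.append(f"{name} domain {domain} differs from From domain {from_domain}")
    # Authentication-Results is stamped by the receiving server, not the sender: trust it more.
    auth = msg["Authentication-Results"] or ""
    for mechanism in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mechanism}=(\w+)", auth)
        if match and match.group(1).lower() != "pass":
            findings.append(f"{mechanism} result is {match.group(1)}")
    return findings
```

Run `check_headers(SUSPECT_MESSAGE)` to see five findings for the forged message and `check_headers(CLEAN_MESSAGE)` to see none.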
Document Security
Document security is concerned with protecting all vital documents at every stage: storage, filing, backup, processing, distribution and deletion. Because sensitive documents are exposed to serious security risks, it is critical to design a document backup and storage strategy.
Utilizing Google Drive, Dropbox, or other risky services will only increase your company’s vulnerability. Instead, make sure to provide your employees with the most secure tools possible.
Needless to say, end-to-end encrypted storage services should be high on your priority list. Another helpful practice is to have staff scan their files before transferring them to the drive, which they can easily do with a free online file virus scanner.
Employees should also avoid opening Microsoft Word files from unknown sources, since they can be harmful. For PDFs, they should use Acrobat Reader DC on Windows with Protected View enabled: a sandboxed mode that stops a malicious PDF from launching executables. Don’t forget to keep Acrobat Reader DC up to date.
Another thing to remember is that file extensions are easy to overlook, and Windows hides known extensions by default, so staff should configure Windows Explorer (and Finder on macOS) to always display file extensions:
- Windows: Control Panel -> Appearance and Personalization -> Folder Options -> Advanced Settings
- Mac: Finder -> Preferences -> Show all filename extensions
Why do file extensions matter? If a file is named Scam Document.doc.exe, an employee who can see the .exe will recognize it as an executable rather than a document. With extensions hidden, the same file appears as Scam Document.doc and the problem is easy to miss.
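To make the double-extension trap concrete, here is an added example (not from the original post) that flags attachment names the way the policy describes: executable and archive types, SVG images, and document-looking names that really end in an executable extension. The extension groups and sample filenames are this example's own assumptions, not a definitive list.

```python
import os

# Extension groups assumed by this example: the post names .exe and .zip; the
# others are common Windows executable and archive types that deserve the same caution.
EXECUTABLE = {".exe", ".scr", ".bat", ".cmd", ".msi", ".js", ".vbs", ".ps1"}
ARCHIVES = {".zip", ".7z", ".rar"}
DOCUMENTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"}

def split_extensions(filename):
    """Return (true extension, extension hidden beneath it), both lower-cased.
    'Scam Document.doc.exe' -> ('.exe', '.doc'); 'report.pdf' -> ('.pdf', '')."""
    root, ext = os.path.splitext(filename)
    return ext.lower(), os.path.splitext(root)[1].lower()

def shown_name(filename):
    """What a user sees when the OS hides known extensions: the last extension
    disappears, so 'Scam Document.doc.exe' is displayed as 'Scam Document.doc'."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename

def triage(filename):
    """Return the reasons an attachment name deserves a second look (empty if none)."""
    ext, inner = split_extensions(filename)
    reasons = []
    if ext in EXECUTABLE:
        reasons.append(f"{ext} is an executable type")
    elif ext in ARCHIVES:
        reasons.append(f"{ext} archive can hide executables")
    elif ext == ".svg":
        reasons.append("SVG is an image format that can embed scripts")
    # A document extension buried under a non-document one is the classic disguise.
    if inner in DOCUMENTS and ext not in DOCUMENTS:
        reasons.append(f"double extension: shows as {inner} when extensions are hidden, is really {ext}")
    return reasons

def triage_report(filenames):
    """Map each name to its reasons, keeping only the names that need attention."""
    return {name: reasons for name in filenames if (reasons := triage(name))}

# Constructed sample attachment names for a run of the checks.
SAMPLE_ATTACHMENTS = [
    "Q3 report.pdf", "Scam Document.doc.exe", "invoice.zip", "logo.svg",
    "photo.jpg", "Agenda.docx", "Minutes.pdf.scr",
]
```

`triage_report(SAMPLE_ATTACHMENTS)` keeps four of the seven names, including both double-extension files.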
Device Security
Although the effectiveness of antivirus software is hit-or-miss, your company’s security strategy should nevertheless require reputable antivirus software (free or commercial) on all computers.
Second, keep in mind that computers can and do get stolen. All devices used to access corporate infrastructure should therefore have full disk encryption enabled.
VeraCrypt and BitLocker are available for Windows, LUKS for Linux, and FileVault for macOS. This should be mandatory for employees who hold sensitive credentials or company documents. iOS and Android devices can and should be secured as well.
Several effective mobile device management systems offer a kiosk lockdown mode, which ensures that workers cannot access anything other than work-related apps on their corporate phones.
Lastly, staff should not connect unauthorized USB devices to company computers, nor plug their own USB devices into untrusted USB sockets. Employees should never transfer data via USB devices.
It is now time to develop your company’s security policy.
Keeping a company secure online is a duty shared by individuals and the organization as a whole. Without adequate internet security habits it is far easier to fall prey to cybercrime, which can cost your firm millions of euros in damages. Do not focus solely on building and advertising a nice logo or brand; your company also needs a sound security strategy.
A solid security policy takes time, investment and effort to implement. The benefits far outweigh the costs.
Think again if you believe your organization cannot afford digital safety and security measures. In reality, the one thing your firm cannot afford is to ignore internet security. If you want to know more, then feel free to reach out to us for a free consultation on your current infrastructure.