A Quick Guide to Information Security
Information security - or 'infosec' - is about protecting information by addressing the risks posed to it.
Information security is often also referred to as cyber security.
These are twelve key steps you can take (or just check, if you’ve done them in the past) to get some information security fundamentals in place:
1. Back Up Your Data
Back up your data regularly (at least daily, ideally); keep a recent copy off-site (i.e. in a different physical location) and off-line (i.e. not connected ‘live’ to the network); and test your backups from time to time to make sure they work (which lots of people forget to do, until it’s too late).
If you can restore your data easily and quickly, the impact of a security incident will be lessened.
Data replication is different to data backup. Whilst replication can be useful for retrieving files under normal circumstances, certain types of malware can infect the replicated data location too. A true backup is a copy of the data at a point in time which (assuming it is working correctly) can be restored to the source at a later time.
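As an added illustration (not part of the original guide) of the difference between a replica and a point-in-time backup, and of actually testing a backup: a small Python script that archives a directory with a SHA-256 manifest and then verifies that every file can be read back intact. The file names and contents in `demo()` are constructed for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile
import time

def make_backup(src_dir, dest_dir):
    """Point-in-time backup: timestamped tar.gz plus a manifest of SHA-256 hashes."""
    archive = os.path.join(dest_dir, time.strftime("backup-%Y%m%dT%H%M%S.tar.gz"))
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                with open(full, "rb") as f:
                    manifest[rel] = hashlib.sha256(f.read()).hexdigest()
                tar.add(full, arcname=rel)
    return archive, manifest

def verify_backup(archive, manifest):
    """Test the backup: read every file back and re-hash it. Empty list means it restores."""
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        for rel, expected in manifest.items():
            try:
                data = tar.extractfile(tar.getmember(rel)).read()
            except KeyError:
                problems.append("missing: " + rel)
                continue
            if hashlib.sha256(data).hexdigest() != expected:
                problems.append("corrupt: " + rel)
    return problems

def demo():
    """Constructed scenario: back up a file, then simulate malware overwriting
    the live copy. A replica would mirror the damage; the backup does not."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        os.makedirs(src)
        live_file = os.path.join(src, "notes.txt")
        with open(live_file, "w") as f:
            f.write("quarterly figures\n")
        archive, manifest = make_backup(src, work)
        with open(live_file, "w") as f:
            f.write("corrupted\n")  # live data damaged after the backup was taken
        with open(live_file, "rb") as f:
            live_ok = hashlib.sha256(f.read()).hexdigest() == manifest["notes.txt"]
        return {"backup_restores": verify_backup(archive, manifest) == [], "live_copy_intact": live_ok}
```

A scheduled job that runs `verify_backup` against the latest archive and alerts on a non-empty result is the "test your backups" step made routine.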
2. Update and up to date
Keep operating systems and applications up to date with the latest updates (often called patches or hotfixes).
Vendors like Microsoft release patches frequently, so make sure they are downloaded and installed without delay. Also, make sure you are only running versions of software that are supported by the vendors.
Various attacks seek to exploit vulnerabilities in popular software, applications and plug-ins (e.g. Microsoft Windows, Microsoft Office, browsers, Flash Player etc.) so it’s important to keep yours up to date with the latest version.
In some cases it’s also important that you uninstall older versions when you install the new ones, so that the vulnerabilities are closed (e.g. Java).
It is also advisable to consider the configuration of software. Some malware is deployed via features in operating systems and applications that many users do not require, so disabling or removing them (or not installing them in the first place) can improve security.
3. Update security products too
Having security software in place is essential, but so too is keeping it up to date and well configured. Software (e.g. anti-virus) needs to be updated with the latest definitions, and things like firewalls need to be configured and managed by specialists to be fully effective.
It’s also advisable to consider specific anti-exploit software to provide protection against ‘zero-day vulnerabilities’, which traditional anti-virus software might not protect against.
It is also advisable to check regularly the extent to which your security software is deployed (i.e. the number of devices it’s installed on) and whether any issues have been detected (e.g. malware detections). Certain anti-malware solutions provide a ‘console’ allowing these checks to take place easily.
4. Be Cautious
Almost every piece of email guidance says this. The reason why is that it’s still relevant.
Email is one of the major attack methods, so don’t click on links that you are not certain are genuine and trustworthy; and do not open unsolicited email attachments or attachments to emails that don’t look right (e.g. emails purporting to be official but that are incorrectly formatted, or contain poor spelling or grammar).
Microsoft Office viewers allow the viewing of attachments without opening them (https://support.microsoft.com/en-us/help/979860/supported-versions-of-the-office-viewers).
Check whether your email platform is using good spam filtering, and that the settings are correct. This can prevent phishing emails and malicious attachments from reaching users.
For more information about phishing and how to protect yourself and your systems, take a look at our Guide to Phishing.
5. Manage accounts carefully
Do not set up accounts to give more ‘power’ than is necessary, as these accounts allow malicious code to run more easily. A security software company, Avecto, found a couple of years ago that a huge percentage of vulnerabilities are based on use of ‘local admin’ rights.
It’s common for malware to need elevated permissions to do real damage to a device, which it gets through ‘administrator’ level accounts. Take these rights away, and the malware cannot run.
Don’t give yourself more permission than you need. Don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other 'regular work' activities while you are logged in with administrator rights.
6. Look After Passwords
The basics: don’t ever reveal your full password; don’t write it down (unless you’re storing it securely); and use sufficiently long and complex passwords to avoid easy routes in.
A lot of malware still spreads as a result of user action (or inaction). A common cause is the use of poor passwords (e.g. very short passwords or the use of the same password by the same user across numerous different services).
7. Check Out Those Files
If you receive an attachment by email, or download an app to install, it’s important to know where it came from, and also what type of file it actually is.
Enable visible file extensions so you can see what a file actually is from the extension (e.g. “.exe”). If you’re using mobile tech, particularly Android, it’s also worth making sure devices only use Google Play Store (as alternative sources may lack any attempts to screen apps for malware).
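To show why the extension matters, and why hiding extensions is risky, here is an added Python example (not from the original guide) that compares what a file claims to be with what its leading bytes say it is. The signature table is a small constructed subset of well-known magic bytes, and the sample file names and headers are constructed for the demonstration.

```python
# Constructed subset of well-known file signatures (leading bytes -> plausible extensions).
SIGNATURES = {
    b"MZ": {"exe", "dll", "scr"},            # Windows executables
    b"%PDF": {"pdf"},
    b"\x89PNG": {"png"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},  # ZIP-based formats
}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "bat", "cmd", "js", "vbs", "ps1", "jar", "msi"}

def shown_with_extensions_hidden(name):
    """What a file manager that hides known extensions would display for this name."""
    stem, _, _ = name.rpartition(".")
    return stem or name

def inspect_file(name, header):
    """Compare the declared type (extension) with the actual type (leading bytes).
    Returns a list of warnings; an empty list means nothing looked odd."""
    warnings = []
    exts = name.lower().split(".")[1:]
    declared = exts[-1] if exts else ""
    if declared in EXECUTABLE_EXTS:
        warnings.append("executable file type: ." + declared)
        if len(exts) > 1:  # e.g. "invoice.pdf.exe" displays as "invoice.pdf"
            warnings.append("double extension hides an executable: " + name)
    actual = None
    for magic, types in SIGNATURES.items():
        if header.startswith(magic):
            actual = types
            break
    if actual is not None and declared not in actual:
        kinds = "/".join(sorted(actual))
        warnings.append(f"content is {kinds} but extension is .{declared or '(none)'}")
    return warnings

def inspect_path(path):
    """Convenience wrapper for a real file: read its first 8 bytes and inspect them."""
    with open(path, "rb") as f:
        header = f.read(8)
    return inspect_file(path.rsplit("/", 1)[-1], header)
```

The same check is worth running on downloads before they are opened, since a document icon and a hidden extension together say nothing about the bytes inside.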
8. Prevent Code From Running
While some malware can infect a device without you doing anything, most still requires user action.
9. Don’t Do As You’re Told
Many scams rely on tricking you into doing something by creating a sense of urgency or peril if you don’t.
If an email or document tells you to turn off security features (e.g. enable macros), don’t (and definitely don’t without checking out the validity first). Most items can be viewed with the security features in place.
10. Network Security and Segmentation
Consider network design and network access carefully.
Where wireless local area networks (WLANs) are used to transmit sensitive or personal data, appropriate security protocols should be in place. Wi-Fi Protected Access II (WPA2) is the recommended standard - WEP and WPA are both vulnerable to attack.
Where it is necessary to support remote working, consider the security implications. Remote Desktop Protocol (RDP) can be easy to set up, but can also (if not sufficiently hardened) open up the network to a range of attacks. For more information on securing RDP, have a look at our guide.
It's good practice to separate different nodes on the local network (e.g. servers and workstations), and generally wired and wireless traffic too. This will help to limit further movement across the network if unauthorised access is gained.
11. Train Staff
People are often referred to as the weakest link in the security chain, but they can be the strongest. It's vital to raise awareness amongst staff and users of the importance of information security.
Keep staff and users up to date with training, and what your organisation is doing. Even advising users on what to look out for in a phishing email can prevent a problem from occurring.
A lot of malware requires an action from a user in order to deploy (e.g. clicking to open an email attachment), so if users know what to look for, there's more chance of them avoiding it.
12. Plan Ahead
Plan and document measures to take if anything goes wrong; when something does happen, organisations that have clear plans are able to recover more quickly and effectively, and as a consequence, usually with less pain (i.e. reduced data loss and cost).
This could include:
- Developing a clear and workable business continuity and data recovery (BCDR) plan, which will help everyone understand what needs to be done in the event of an issue.
- Building a clear data protection policy will help to make sure that the right data is kept safe.
- Establishing a breach management process with a clear protocol for informing the ICO if any personal data has been compromised.
- Setting out a clear communications plan to keep all users and stakeholders informed.
- Considering whether any of the cyber-risks can be covered by insurance.
This is not a complete list of information security tasks, but a guide to certain fundamental steps that can be taken (or checked) to help ensure a base level of control is in place.
For more information, please visit the information security pages on our website: swgfl.org.uk/security.