Information security is the process of ensuring that only authorised users have access to accurate and complete information, when access is required.
Information security is often also called cyber security.
These are twelve key steps you can take (or just check, if you’ve done them in the past) to get some information security fundamentals in place:
1. Back up your data:
Back up your data regularly (ideally daily); keep a recent copy off-site and off-line (i.e. not connected ‘live’ to the network); and test your backups (which lots of people forget to do, until it’s too late).
If you can restore your data easily and quickly, the impact of a security incident will be lessened.
Data replication is different from data backup. Whilst replication can be useful for retrieving files under normal circumstances, it’s possible that certain types of malware would infect the replicated data location too. A true backup is a copy of the data at a point in time, which (on the assumption it is working correctly) can be restored to the source at a later time.
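The difference between a live replica and a point-in-time backup, and the “test your backups” step, can be seen in a few lines of Python. This is an added example, not code from the original article: the directory layout, file contents and archive name are constructed for the demonstration, and the archive is a plain tar.gz with a SHA-256 manifest taken at the moment of backup.

```python
"""Point-in-time backup with a verified restore, compared with a live replica.

Added example, not from the original article: the directory layout, file
contents and archive path are constructed for the demonstration.
"""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, archive: Path) -> dict:
    """Write a point-in-time tar.gz of source; return the manifest taken at that moment."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return manifest(source)


def replicate(source: Path, replica: Path) -> None:
    """Mirror source to replica, replacing whatever was there (a live copy, not a backup)."""
    if replica.exists():
        shutil.rmtree(replica)
    shutil.copytree(source, replica)


def restore_and_verify(archive: Path, target: Path, expected: dict) -> bool:
    """Restore the archive into target and compare every file with the manifest.

    This is the 'test your backups' step: an archive that has never been
    restored and checked against known-good hashes is a hope, not a backup.
    """
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Use the 'data' extraction filter where this Python version offers it;
        # it refuses members that would write outside the target directory.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, **extra)
    return manifest(target) == expected


def demo() -> dict:
    """Run the scenario in a temporary directory and report the two outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source = work / "data"
        (source / "sub").mkdir(parents=True)
        (source / "a.txt").write_text("original contents of a\n")
        (source / "sub" / "b.txt").write_text("original contents of b\n")

        archive = work / "backup.tar.gz"
        expected = take_backup(source, archive)   # snapshot at time T0
        replicate(source, work / "replica")       # live mirror, also at T0

        # Later the source is damaged (an overwrite, deletion or encryption of
        # a file would all look the same to the replica).
        (source / "a.txt").write_text("damaged\n")
        replicate(source, work / "replica")       # the mirror now carries the damage

        return {
            "replica_matches_original": manifest(work / "replica") == expected,
            "backup_restored_ok": restore_and_verify(archive, work / "restore", expected),
        }


if __name__ == "__main__":
    print(demo())   # {'replica_matches_original': False, 'backup_restored_ok': True}
```

Running the script shows the replica faithfully copying the damage while the archive still restores the original files and matches the manifest. The manifest is what makes the restore test meaningful: a restore that “completes” but yields different bytes is a failed backup, and only a comparison against hashes recorded at backup time will tell you so.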
2. Update and stay up to date:
Vendors like Microsoft release patches frequently, so make sure they are downloaded and installed without delay. Also, make sure you are only running versions of software that are supported by the vendors.
Various attacks seek to exploit vulnerabilities in popular software, applications and plug-ins (e.g. Microsoft Windows, Microsoft Office, browsers, Flash Player etc.) so it’s important to keep yours up to date with the latest version.
In some cases it’s also important that you uninstall older versions when you install the new ones, so that the vulnerabilities are closed (e.g. Java).
It is also advisable to consider the configuration of software. Some malware is deployed via features in operating systems and applications that many users do not require, so disabling or removing them (or not installing them in the first place) can improve security.
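A simple inventory audit turns the three points of this step (below the vendor’s minimum supported version, an older version left installed alongside the new one, and software with no support baseline on record) into a repeatable check. This is an added example, not code from the original article; the inventory, product names and version numbers are constructed, and a real audit would read them from an asset register and the vendors’ support lifecycle pages.

```python
"""Patch-level audit of a software inventory.

Added example, not from the original article. The inventory and the
minimum-supported table are constructed for the demonstration (generic
product names, made-up version numbers).
"""
import re
from collections import defaultdict

# Constructed sample inventory: (product, installed version) pairs, one per install.
INVENTORY = [
    ("Runtime", "8.0.202"),
    ("Runtime", "17.0.9"),
    ("Browser", "9.0.1"),
    ("Browser", "10.2.0"),
    ("OfficeSuite", "16.0.1"),
    ("LegacyTool", "2.1"),
]

# Constructed: the oldest version of each product the vendor still supports.
MINIMUM_SUPPORTED = {"Runtime": "17.0.0", "Browser": "10.0.0", "OfficeSuite": "16.0.0"}


def parse_version(text: str) -> tuple:
    """Turn a version string into a tuple of ints so it compares numerically.

    '1.2.3-beta' -> (1, 2, 3); '1.2' -> (1, 2, 0). Padding to three places
    stops '1.2' ranking below '1.2.0'.
    """
    parts = tuple(int(n) for n in re.findall(r"\d+", text))
    return parts + (0,) * max(0, 3 - len(parts))


def naive_string_compare(installed: str, minimum: str) -> bool:
    """The wrong way: lexical comparison says '9.0.1' >= '10.0.0' because '9' > '1'."""
    return installed >= minimum


def audit_inventory(inventory, minimum_supported) -> list:
    """Return sorted (product, version, finding) tuples for everything needing action."""
    findings = []
    by_product = defaultdict(list)
    for product, version in inventory:
        by_product[product].append(version)

    for product, versions in by_product.items():
        if product not in minimum_supported:
            findings += [(product, v, "no supported baseline on record") for v in versions]
            continue
        floor = parse_version(minimum_supported[product])
        newest = max(versions, key=parse_version)
        for v in versions:
            if parse_version(v) < floor:
                findings.append((product, v, "below minimum supported version"))
            if v != newest:
                # An old version left beside the new one keeps its vulnerabilities open.
                findings.append((product, v, f"superseded by {newest}; uninstall"))
    return sorted(findings)


if __name__ == "__main__":
    for product, version, finding in audit_inventory(INVENTORY, MINIMUM_SUPPORTED):
        print(f"{product:12} {version:10} {finding}")
```

The `naive_string_compare` function is included because comparing version strings lexically is a common mistake in home-grown scripts: it reports “9.0.1” as newer than “10.0.0”, which silently hides out-of-date installs. Parsing into integer tuples before comparing avoids it.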
3. Update security products too:
Having security software in place is essential, but so too is keeping it up to date and well configured. Software (e.g. anti-virus) needs to receive the latest updates, and things like firewalls need to be configured and managed by specialists to be fully effective.
It’s also advisable to consider specific anti-exploit software to provide additional protection against ‘zero-day vulnerabilities’.
It is also advisable to check regularly the extent to which your security software is deployed (i.e. the number of devices covered) and whether any issues have been detected (e.g. malware detections). Certain anti-malware solutions provide a ‘console’ that makes these checks easy.
4. Be cautious:
Email is still one of the major attack methods, so don’t click on links that you are not certain are genuine and trustworthy; and do not open unsolicited email attachments or attachments to emails that don’t look right (e.g. emails purporting to be official but that are incorrectly formatted, or contain poor spelling or grammar).
Microsoft Office viewers allow the viewing of attachments without opening them (https://support.microsoft.com/en-us/help/979860/supported-versions-of-the-office-viewers).
Check whether your email platform is using good spam filtering, and that the settings are correct. This can prevent phishing emails and malicious attachments from reaching users.
5. Manage accounts carefully:
Do not set up accounts to give more ‘power’ than is necessary, as these accounts allow malicious code to run more easily. A security software company, Avecto, found a couple of years ago that a huge percentage of vulnerabilities are based on use of ‘local admin’ rights.
It’s common for malware to need elevated permissions to do real damage to a device, and it gets these through ‘administrator’ level accounts.
Don’t give yourself more permission than you need. Don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you are logged in with administrator rights.
6. Look after passwords:
The basics: don’t ever reveal your full password; don’t write it down (unless you’re storing it securely); and use sufficiently long and complex passwords to avoid easy routes in.
A lot of malware still spreads as a result of user action (or inaction). A common cause is the use of poor passwords (e.g. very short passwords or the use of the same password by the same user across numerous different services).
7. Check out those files:
Enable visible file extensions so you can see what a file actually is from the extension (e.g. “.exe”). If you’re using mobile tech, particularly Android, it’s also worth making sure devices only use Google Play Store (as alternative sources may lack any attempts to screen apps for malware).
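What hidden extensions conceal can be shown with a short check of the kind a mail gateway or file-share scan would run. This is an added example, not code from the original article: the extension sets are a small, constructed approximation of what Windows treats as “known” types, `displayed_name` only approximates the file browser’s behaviour, and the sample attachment names are constructed.

```python
"""Spotting executables that hide behind a document-looking name.

Added example, not from the original article. The extension sets are a
short, constructed approximation of what Windows treats as 'known' types,
and the sample filenames are constructed.
"""

# Constructed (deliberately small) sets; extend them from your own environment.
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png", "zip"}
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi", "ps1", "jar", "hta", "lnk"}
KNOWN_EXT = DOCUMENT_EXT | EXECUTABLE_EXT


def displayed_name(filename: str) -> str:
    """Approximate what a file browser shows when known extensions are hidden."""
    stem, dot, ext = filename.rpartition(".")
    if dot and stem and ext.lower() in KNOWN_EXT:
        return stem
    return filename


def classify(filename: str) -> tuple:
    """Return (name as displayed, real extension, verdict)."""
    shown = displayed_name(filename)
    real_ext = filename.rpartition(".")[2].lower() if "." in filename else ""
    if real_ext not in EXECUTABLE_EXT:
        return (shown, real_ext, "data file")
    shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
    if shown_ext in DOCUMENT_EXT:
        # With extensions hidden, 'invoice.pdf.exe' is shown as 'invoice.pdf'.
        return (shown, real_ext, "disguised executable")
    return (shown, real_ext, "executable")


def find_disguised(filenames) -> list:
    """Names from the list whose displayed form hides that they are executables."""
    return [f for f in filenames if classify(f)[2] == "disguised executable"]


# Constructed sample of attachment names as they might arrive at a mail gateway.
SAMPLE_FILENAMES = [
    "report.docx",
    "invoice.pdf.exe",
    "setup.exe",
    "README",
    "notes.txt.scr",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        shown, _, verdict = classify(name)
        print(f"{name:18} shown as {shown:16} -> {verdict}")
```

The point the output makes is that with extensions hidden, “invoice.pdf.exe” and “notes.txt.scr” look identical to ordinary documents to the user; showing extensions (and filtering such names at the gateway) removes the disguise.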
8. Prevent code from running:
9. Don’t do as you’re told:
If an email or document tells you to turn off security features (e.g. enable macros), don’t (and definitely don’t without checking out the validity first). Most items can be viewed with the security features in place.
10. Network security and segmentation:
Consider network design and network access carefully.
Where wireless local area networks (WLANs) are used to transmit sensitive or personal data, appropriate security protocols should be in place. Wi-Fi Protected Access II (WPA2) is recommended.
Where it is necessary to support remote working, consider the security implications. Remote Desktop Protocol (RDP) can be easy to set up, but can also (if not sufficiently hardened) open up the network to a range of attacks.
Separate different nodes on the local network (e.g. servers and workstations), and generally wired and wireless traffic too. This will help to limit further movement across the network if unauthorised access is gained.
11. Raise awareness:
Raise awareness amongst staff and users of the importance of information security.
Keep staff and users up to date with security training, and what your organisation is doing. Even advising users on what to look out for in a phishing email can prevent a problem from occurring.
A lot of malware requires an action from a user in order to deploy (e.g. clicking to open an email attachment).
12. Plan for when things go wrong:
Plan and document measures to take if anything goes wrong; when something does happen, organisations that have clear plans are able to recover more quickly and effectively, and as a consequence usually with less pain (i.e. reduced data loss and cost).
This could include:
- Developing a clear and workable business continuity and data recovery (BCDR) plan, which will help everyone understand what needs to be done in the event of an issue.
- Building a clear data protection policy will help to make sure that the right data is kept safe.
- Establishing a breach management process with a clear protocol for informing the ICO (Information Commissioner’s Office) if any personal data has been compromised.
- Setting out a clear communications plan to keep all users and stakeholders informed.
- Considering whether any of the cyber-risks can be covered by insurance.
This is not a complete list of information security tasks, but a guide to certain fundamental steps that can be taken (or checked) to help ensure a base level of control is in place.
For more information, please visit the information security pages on our website: swgfl.org.uk/security.