Do not set up accounts to give more ‘power’ than is necessary, as these accounts allow malicious code to run more easily. A security software company, Avecto, found a couple of years ago that a huge percentage of vulnerabilities are based on use of ‘local admin’ rights.
It’s common for malware to need elevated permissions to do real damage to a device, and gets this through ‘administrator’ level accounts. Take these rights away, and the malware cannot run.
Don’t give yourself more permission than you need. Don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other 'regular work' activities while you are logged in with administrator rights.
The basics: don’t ever reveal your full password; don’t write it down (unless you’re storing it securely); and use sufficiently long and complex passwords to avoid easy routes in.
A lot of malware still spreads as a result of user action (or inaction). A common cause is the use of poor passwords (e.g. very short passwords or the use of the same password by the same user across numerous different services).
If you receive an attachment by email, or download an app to install, its important to know where it came from, and also what type of file it actually is.
Enable visible file extensions so you can see what a file actually is from the extension (e.g. “.exe”). If you’re using mobile tech, particularly Android, it’s also worth making sure devices only use Google Play Store (as alternative sources may lack any attempts to screen apps for malware).
While some malware can infect a device without you doing anything, most still requires user action.
Many scams rely on tricking you in to doing something by creating a sense of urgency or peril if you dont.
If an email or document tells you to turn off security features (e.g. enable macros), don’t (and definitely don’t without checking out the validity first). Most items can be viewed with the security features in place.
Consider network design and network access carefully.
Where wireless local area networks (WLANs) are used to transmit sensitive or personal data, appropriate security protocols should be in place. Wi-Fi Protected Access II (WPA2) is the recommended standard - WEP and WPA are both vulnerable to attack.
Where it is necessary to support remote working, consider the security implications. Remote Desktop Protocol (RDP) can be easy to set up, but can also (if not sufficiently hardened) open up the network to a range of attacks. For more information on securing RDP, have a look at our guide.
It's good practice to separate different nodes on the local network (e.g. servers and workstations), and generally wired and wireless traffic too. This will help to limit further movement across the network if unauthorised access is gained.
People are often referred to as the weakest link in the security chain, but they can be the strongest. It's vital to raise awareness amongst staff and users of the importance of information security.
Keep staff and users up to date with training, and what your organisation is doing. Even advising users on what to look out for in a phishing email can prevent a problem from occurring.
A lot of malware requires an action from a user in order to deploy (e.g. clicking to open an email attachment), so if users know what to look for, there's more chance of them avoiding it.
Plan and document measures to take if anything goes wrong; when something does happen, organisations that have clear plans are able to recover more quickly and effectively, and as a consequence, usually with less pain (i.e. reduced data loss and cost).
This could include:
This is not a complete list of information security tasks, but a guide to certain fundamental steps that can be taken (or checked) to help ensure a base level of control is in place.
For more information, please visit the information security pages on our website: swgfl.org.uk/security.