We recently had some issues with some malware on a few computers here at work. After spending a couple of days finding, removing, and double-checking everything, I thought that this might be a good time to discuss with everyone some security practices that we should be using in our daily electronic lives.
Unauthorized access, cyber-attacks, and information breaches are ubiquitous in today’s world. While many only think of a hacker as someone who is sitting at their computer trying to breach security at your company, there are many other variations. Merely leaving a terminal unlocked, using weak passwords, letting someone without a badge enter a facility, and even taking company data out of the workplace, are all methods where a company can be taken advantage of.
Although many IT teams do an excellent job with security, several suggestions can enable it to perform better. First, keeping your system, network, firewall, and intrusion/antivirus/antimalware protection up to date is the primary defensive barrier. Since many have issues with an employee starting a Windows update during regular working hours, thus causing downtime, this action should only be performed by IT team members, at a specified time. Granting and removing system and network access to individuals who are assigned to specific security tiers can lessen the number of individuals who have access to sensitive material as well as increase accountability. For example, a janitor does not need to be able to view a company’s banking information.
Additionally, using and saving system logs can let the IT team know when people log in, log out, what they access, and what they try to change. For the rest of the employees of a company apart from the IT team, there are several things you can do to increase the security of a company’s network. By requiring that all passwords be at least nine characters long, consist of three special characters, and ensuring that these passwords will be renewed every 90 days, login security is greatly increased.
It is the job of every IT professional to secure and protect their business and its employees from outside threats. While I can and have double/triple secured everything attached to our network, the one thing that I cannot protect is the human aspect of security; what this means is that our electronic hardware (phones, computers, laptops, etc.) is 99.99% secure by itself until we add ourselves into the mix; then, that security drops to as low as 70%. Only by everyone using safe digital practices can we keep that number close to 99.99%, and confidently protect one another.
The first and most vital thing I want to cover is email handling. Most viruses/malware are acquired through email. While most internal emails (within the company) are safe, every external email (outside the company) should be treated as suspicious. Even emails from regular customers/business partners could be harmful depending on their contents and how they are handled. Opening an email is not dangerous, but if the email contains links or attachments, then that is the hazardous part. One should never download an attachment or click on a link in an email from someone you don’t know; even if it is from someone you trust, but happens to be at an odd time, odd format, have an odd filename, or include anything that looks peculiar, then you should treat it as suspicious.
We once had a someone with a suspicious email address send an email with a link that was supposed to go to what was a screenshot of what they were having a problem with. Screenshots can be placed in the email itself, so there is no need to have a suspicious link to it. I instructed the CSR to email them back and ask them to place the picture in the email, not in a link or attachment, due to our security policies preventing us from following the link. What do you do with something you think is suspicious? If you ever have any doubts, then forward the email to your IT team to check it and let you know if it’s safe, or what actions to take. If it’s a regular customer/business partner, then you can always call and ask if they sent the email with that particular link/attachment.
The second thing I want to cover is internet browsing. Most browsing is safe unless you are visiting risky sites to begin with; just avoid those sites altogether. Do not download anything from those type of pages. If you get suspicious pop-ups of any kind, always try to close that page without clicking on anything on the page itself (use the closing ‘X’ in the corner of the page). Another safe way to do this is Alt+F4. The most significant area of concern is when you’re entering personal/financial information; ensuring you are on a secure page is critical. The web address should be “https://” and not just “http://” for that type of page. Also, be on the lookout for improperly spelled words, copyright information, and secure connection icons, such as the ‘lock’ image in Google Chrome; this displays whether the connection is secure, any certificates that are present, as well as cookies, depending on which internet browser you are using.
Every employee within a business is responsible for security, in all forms. Only through the use of proper communication, education, and teamwork can a company truly be a step ahead of the always rising number of viruses, malware, and other potential threats.