Here, IT experts at WFH IT Support share the most common cybersecurity mistakes made by businesses of all sizes.
2020 has presented challenges across the board to businesses big and small, and to make things worse, cybercriminal tactics have become more sophisticated than ever. The National Crime Agency (NCA) has identified a surge in ‘coronavirus-themed’ malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information. The Chartered Trading Standards Institute has even estimated that the UK has been the most heavily targeted country for Covid-19 related phishing emails.
To further complicate business cybersecurity, data from the Office for National Statistics showed that the number of people working exclusively from home in the UK has risen to 24%, with almost a quarter (23%) using unauthorized devices to conduct professional tasks.
Business data is at huge risk but in an attempt to help stay secure, WFH IT Support – a support service launched by UK IT business Totality Services to service millions of displaced office workers across the UK – has shared the nation’s most common mistakes and how to avoid them.
Staff security awareness training
The cyber security threat landscape changes every day, and no security software or solution vendor can guarantee protection against cyber-attacks. However, by combining best-of-breed software and solutions with continued staff training on the threats to look out for (phishing emails, fake login pages, unexpected attachments and requests to change payment details), your business will be well placed to avoid breaches. The technical controls below reduce how often staff see an attack; training decides what happens when one gets through.
Admin rights enabled for all staff members
This is bread and butter stuff: your staff should not be able to download and install software on their own machines. Anything a user opens, including a malicious attachment or a booby-trapped installer, runs with that user's rights, so on an account with local admin rights it can install persistent malware, switch off protection and encrypt every file the machine can reach, which is how many virus and ransomware incidents start. Limit admin rights to one or two staff members (who know what they are doing, of course!) and your IT support provider, and have even those people use a separate admin account for administration and a standard account for day-to-day email and browsing.
The use of ‘non-business grade’ network hardware
Consumer-grade networking equipment is one of the causes of data breaches in office environments, so we recommend decent business-grade hardware that receives regular firmware and security updates. The management side, however, should be cloud based: this is where the devices (e.g. firewalls and wireless access points) are set up and configured from one console with consistent security settings, so every device is configured the same way and a misconfigured or out-of-date device is easy to spot.
No hard disk encryption
If a laptop is stolen and its disk is not encrypted, the person who stole the machine can read all the data on the hard disk simply by booting from another device or moving the disk into another computer: mailboxes, files, client data etc. The risk here is obvious. Windows 10 Pro (BitLocker) and macOS (FileVault) include free encryption tools, but we recommend businesses use a separate encryption management application to manage all staff members' devices centrally. This stores the recovery keys in a secure environment, gives proof that each device was encrypted (useful for GDPR) and allows encryption PINs to be reset remotely when a user forgets one. Note that encryption protects data only while the machine is powered off or locked, so it should go hand in hand with a screen lock and a reasonably short timeout.
No DNS protection
DNS protection (DNS filtering) is a small agent installed on laptops, PCs and Macs. In a nutshell, every time a device looks up a website name, the lookup is checked against constantly updated lists of known malicious, phishing and lookalike domains and is blocked if it matches, so staff only end up on the legitimate versions of the sites they use (e.g. online banking, G Suite, Microsoft 365 etc.). Because the check runs on the device, it follows the laptop wherever it goes. If your staff work from a shared network in the office (common in business centres) or remotely (e.g. from a coffee shop or home), you do not control the network or its security settings, so network-level threats are more likely there. DNS protection does not hide the credentials your staff type in (that is what HTTPS does); what it prevents is the connection to a fraudulent site ever being made, so there is nowhere for the login details, and the data or money behind them, to be stolen from in the first place.
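Below is a worked example of the decision a DNS filter makes for each lookup, added here as illustration; it is not the article's code or any vendor's product. The block list, allow list and brand table are made-up samples, and the lookalike check (folding confusable characters such as '0' for 'o' and 'rn' for 'm', then matching against protected brand names) is one common heuristic, assumed here rather than taken from any particular product.

```python
"""How a DNS filter decides whether to answer a lookup.

Added example, not the article's or any vendor's code. The lists below are
constructed for illustration; real products use large, live feeds.
"""
from typing import Tuple

# Constructed lists: an entry covers the domain and everything beneath it.
BLOCKLIST = {"evil-example.test", "phish-kit.test"}
ALLOWLIST = {"microsoft.com", "microsoftonline.com", "google.com",
             "safe.evil-example.test"}
# Brand names that attackers imitate in lookalike hostnames (assumed table).
PROTECTED_BRANDS = ("microsoft", "google", "paypal")
# Characters and pairs that look like others in a browser address bar.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def suffixes(name: str):
    """Yield the name and each parent domain, most specific first."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def looks_like_brand(label: str) -> str:
    """Return the brand a label imitates after folding confusables, or ''."""
    folded = label.translate(CONFUSABLE)
    for pair, real in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, real)
    for brand in PROTECTED_BRANDS:
        if brand in folded:
            return brand
    return ""


def dns_policy(qname: str) -> Tuple[str, str]:
    """Return ("ALLOW" | "BLOCK", reason) for one lookup.

    The most specific list entry wins, so an allowlisted subdomain of a
    blocked domain stays reachable, and an allowlisted vendor domain is not
    tripped up by the lookalike heuristic that runs afterwards.
    """
    name = normalize(qname)
    for suffix in suffixes(name):
        if suffix in ALLOWLIST:
            return "ALLOW", f"allowlisted via {suffix}"
        if suffix in BLOCKLIST:
            return "BLOCK", f"blocklisted via {suffix}"
    for label in name.split("."):
        brand = looks_like_brand(label)
        if brand:
            return "BLOCK", f"lookalike of {brand} in label {label!r}"
    return "ALLOW", "no match"


if __name__ == "__main__":
    for query in ("login.evil-example.test", "x.safe.evil-example.test",
                  "login.microsoftonline.com", "rnicrosoft-login.test.",
                  "g00gle.test", "example.org"):
        print(f"{query:30} {dns_policy(query)}")
```

The order of the checks is the point: without the allowlist entry for microsoftonline.com the lookalike heuristic would block a legitimate Microsoft 365 sign-in, which is exactly the false-positive trade-off whoever administers the filter has to manage.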
2-Step Authentication not enabled
Whenever you enter login credentials for a business application (e.g. G Suite, Microsoft 365, CRM systems, accountancy software etc.), you should always be prompted for a second step: a numerical code, or a confirmation that it is you, from an authenticator app on your mobile phone. Only once that second step is complete are you granted access. This is a very basic but very effective way to stop hacking of business data and mailboxes, because a stolen or guessed password is no longer enough on its own: the attacker also needs your phone. Prefer an authenticator app over codes sent by text message, and bear in mind that a user who is tricked into typing the code into a fake login page can still hand it to an attacker, which is why this control sits alongside the DNS protection and email filtering described here rather than replacing them. We continue to be contacted by prospective clients who have been hacked in this way (usually mailboxes), and we have heard some real horror stories; a common one is where an MD's mailbox has been compromised and illegitimate email requests for invoice payments are sent to accounts payable.
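For readers who want to see what the authenticator app is actually computing, the following is an added example (not from the article) implementing the HOTP and TOTP algorithms from RFC 4226 and RFC 6238 in Python, together with the server-side check that accepts a code from the neighbouring 30-second steps to absorb clock drift. The secret in the usage lines is the RFC 6238 test-vector secret, so the output can be checked against the RFC; a real secret is generated per user and shared with the app once, usually as a QR code.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, as used by authenticator apps.

Added example, not from the original article. The secret used below is the
RFC 6238 test-vector secret, not a real one.
"""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    # The counter is the HMAC message, as an 8-byte big-endian integer.
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window,
    # whose top bit is cleared so the result is the same on every platform.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the step count."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side to absorb clock drift between phone and server. The comparison is
    constant-time so the check itself does not leak which digits matched."""
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits, algorithm), code)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the secret as base32 (QR code / otpauth URI),
    often without the '=' padding that Python's decoder insists on."""
    padded = encoded.strip().upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret: ASCII "12345678901234567890".
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, 59, digits=8))            # 94287082, as in RFC 6238
    print(totp(secret, 59))                      # 287082, the usual 6-digit form
    print(verify_totp(secret, hotp(secret, 0), 59, window=1))   # True: previous step
    print(verify_totp(secret, hotp(secret, 0), 59, window=0))   # False: too strict
```

Two details matter operationally: the verification window should stay small (one step either side is typical), because every extra step widens the set of codes an attacker could guess or replay, and a code should be accepted at most once per step, which the snippet leaves to the caller.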
No email filtering
Do you receive junk or phishing emails? The answer is usually yes. We always recommend a third-party email filtering solution is deployed alongside your mailboxes so that every incoming email is scanned for fraudulent links, content and attachments before it reaches a user. Typical checks are whether a link's visible text points to a different address from its real destination, whether the Reply-To address belongs to a different domain from the sender, and whether an attachment is an executable dressed up as a document. Like all the security solutions we are covering here, this one gives you peace of mind, knowing there is far less chance a staff member will click on a link and enter login details on a fraudulent website that mimics a platform you already use. No filter catches everything, so it works best combined with the 2-step authentication and the staff training above.
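The following added example (not the article's or any filter vendor's code) runs three of the checks described above over a constructed phishing-style message: a link whose visible text and real destination disagree, a Reply-To on a different domain from the sender, and an executable attachment hidden behind a .pdf extension. The sample message, the company name and every domain in it are made up; the list of dangerous extensions is an assumption, not a vendor's list.

```python
"""Three checks an email filter runs on an inbound message.

Added example, not the article's or any vendor's code. RAW_EMAIL is a
constructed sample; the domains and company in it are made up.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_EMAIL = b"""From: "Accounts" <accounts@yourcompany.example>
Reply-To: payments@mail-relay.test
To: ap@yourcompany.example
Subject: Invoice 4471 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please sign in to review the invoice:
<a href="http://login.m365-secure.test/auth">https://login.microsoftonline.com</a></p>
--b1
Content-Type: application/octet-stream; name="invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Assumed list of extensions that run code when opened on a Windows desktop.
DANGEROUS_EXT = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname from a URL or bare domain; '' for ordinary link text."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).netloc.lower()
    return host if "." in host and " " not in host else ""


def domain_of(header_value) -> str:
    """Domain part of an address header such as From or Reply-To."""
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()


def scan_message(raw: bytes) -> list:
    """Return (indicator, detail) findings for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Replies silently go somewhere other than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != domain_of(msg["From"]):
        findings.append(("reply-to-mismatch", domain_of(reply_to)))

    # 2. Link text shows one site, the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = host_of(text), host_of(href)
            if shown and actual and shown != actual:
                findings.append(("link-text-mismatch", f"{shown} -> {actual}"))

    # 3. Executable attachments, including ones hiding behind a document extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, dot, ext = name.rpartition(".")
        if dot and "." + ext in DANGEROUS_EXT:
            kind = "double-extension" if "." in stem else "dangerous-attachment"
            findings.append((kind, name))
    return findings


if __name__ == "__main__":
    for indicator, detail in scan_message(RAW_EMAIL):
        print(f"{indicator:20} {detail}")
```

A real filter scores many more signals than these (sender reputation, authentication results, URL reputation, attachment sandboxing), but these three are cheap, explainable to the user who receives the quarantine notice, and cover the invoice-fraud pattern the article describes.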
Mobile device management and conditional access not rolled out
Many companies let staff access their mailboxes on their personal phones, but what happens when staff members leave the business or are terminated? Unless Mobile Device Management (MDM) is in place, the mailbox data will more than likely still be stored on the phone, even if the former employee can no longer sync it because you have changed the password. Best practice is to deploy MDM, which essentially gives staff a managed ‘Work’ container on their phones whose content you control (mailbox, files, telephony app, Teams, Meet etc.), and to pair it with conditional access, so that business mailboxes and data can only be opened from a device that is enrolled and meets your policies (encrypted, screen lock set, operating system up to date). When a staff member leaves the business, you remotely wipe the work container, and no business data remains on the phone while their personal photos and apps are untouched.
No data backup in place
This is very often overlooked: it is critical that all businesses are able to recover emails and data, however long ago they were created or deleted. Backups cover ransomware scenarios and any malicious or accidental deletion of data by staff, provided the backup copy is kept separate from the live systems (so that malware which encrypts the file server cannot also encrypt the backup) and restores are tested regularly rather than assumed to work. We have helped many clients over the years who needed to recover deleted and important client emails sent many years earlier, or for court cases etc.
No central management of security policies deployed
Your staff should ideally have one login for all business software and platforms (single sign-on), and the password policy for that login should be set and enforced centrally: minimum length, no reuse across sites, a change frequency appropriate to your sector (e.g. FCA regulated vs a marketing agency) and an immediate reset whenever a compromise is suspected. Central security policy management allows for this, and brings many other features such as printer management and automated operating system updates for laptops, PCs and Macs.