As COVID-19 challenges South Australian business practices, the move towards remote working and flexibility in workplaces provides the tantalising prospect of reduced office rents, internet costs and more as staff set up home offices.
But for all these opportunities, the same risks to business integrity remain: cyber-attack, viruses, and low ‘security culture’ within workforces, along with potential consequences like loss of finances, intellectual property and, perhaps most critically, reputational damage.
Following our Cybersecurity Masterclass with Loftus, and recent cases of security breaches among South Australian and national businesses during COVID-19, we spoke to Showcase SA Platinum Member Blackbird IT to seek their views and top tips on simple ways for businesses and sole traders to protect themselves.
“Businesses think they need to go to the most advanced technical solutions to improve their security, when they’re not even undertaking the basics, which really undermines any significant investment,” explains Blackbird IT’s Business Development Director Ben Corbett.
“What’s the culture in your organisation? People need to have the right mindset to digital security, rather than simply an attitude of, ‘the more I spend, the more secure I’ll be.’”
Blackbird IT’s Top Tips for a digitally secure culture at work
1. Multi-factor authentication (MFA)
Fact: Microsoft says 44 million of its users reused passwords in Q1 2019.
It feels like a big company falls victim to a massive data breach all the time – just look at the breaches on this interactive graphic!
Recent examples are consumer product companies Garmin and MyFitnessPal. You can protect yourself from falling victim to one of these events (where usernames and emails are often published online) by using MFA, which follows up a password submission by sending you a code, token or similar prompt to approve access. You’ll come across this system when doing online banking, but even Gmail and Facebook offer two-factor authentication as a login option. MFA is recommended for anything to do with email, file transfer, sharing intellectual property or other sensitive information.
Blackbird IT’s MFA top tips:
- Enforce MFA to reduce this common point of security failure.
- Educate your team about why MFA is important to business and personal security.
- Use a secure password manager (free options include LastPass) to generate and save strong passwords for each website you use. Make sure you turn on MFA and configure your recovery options. A password manager will take the pain out of managing multiple complex passwords and can reduce time lost to being locked out of a system and password-recovery calls to IT.
- This guide shows how you can enable MFA in your Microsoft environment.
2. Security Policies – Create and Enforce
What permissions do your staff actually need? How many administrators do you need on your corporate social media or website administration? Who needs access to your most sensitive areas of business? Prevent hacks and reduce risk by reducing the attack surface of your systems: create and enforce only the permissions staff actually require. In doing so, you’ll significantly reduce the points of attack and your chances of falling victim to a devastating breach.
Blackbird IT’s Security Policy top tips:
- Undertake critical processes (such as changing bank details) face-to-face or over phone channels where the identity of the person serving you can be confirmed – NEVER over email or chat!
- Don’t accept email attachments from third parties. HR departments are often susceptible to this when they allow applicants to email their resumes. Many recruitment websites (like Seek and LinkedIn) offer secure services that prevent this from happening.
- Configure critical systems like email, HR, marketing and CRM systems to enforce your policies. For example, configure them to prompt for MFA.
3. Only use corporate managed devices to access corporate networks
Imagine this: You buy the world’s safest home security system… but leave the code under the mat every time you leave the house.
It’s the equivalent of running a secure corporate network and then letting your staff access it using personal devices that do not have a basic level of security enabled.
That same personal device could be used to visit dangerous websites, open risky attachments and, worst of all, compromise your corporate network and introduce any number of issues into the system. BYO devices are popular with a mobile workforce, but BYOD mustn’t be implemented without an appropriate strategy to mitigate risk.
Companies should ensure the corporate network is not exposed by unmanaged or potentially compromised devices. For example, a mobile device management (MDM) tool should be considered to control access to corporate resources and ensure appropriate patching and security measures such as secure passwords, MFA and antivirus are still being implemented.
Blackbird IT’s Corporate Device top tips:
- Provide your employees with devices (phones, computers, laptops) for accessing your systems.
- Do not allow a home or personal device that is uncontrolled to access the corporate network.
- If you do allow home devices, make sure they obey your corporate security policies.
4. Keep your systems up to date
It was just a computer for the work experience kid to use once a month. Over time it fell so far out of date it stopped receiving update support – but hey, it still did the job!
Does this seldom-used computer scenario sound familiar? Here’s the risk: this out-of-date system remains connected to your network, with no update support, and all the vulnerabilities of an out-of-date system remain. It could provide a hacker easy access to your business network.
Blackbird IT’s Update top tips:
- Be aware of your products, operating systems and update cycles.
- Update your software, patch your systems and back them up.
- Enforce your security policies
5. Education is key
Whether you’re running a large, medium or small business, or work for yourself, awareness of digital risk is the first step towards being more secure. There are free online resources available to educate yourself and your team about best-practice digital hygiene and security. If you have an internal IT team or external provider, work with them through ways to make your business as secure as possible.
Blackbird IT’s Education tips:
- Building a security-minded culture begins with cyber security awareness and training at induction, and this education is ongoing with regular refreshers.
- Online resources provide a great template for educating employees about phishing scams, how to spot suspicious emails, safe internet habits, clean desk policy, password re-use risks and many more.
- Email is not a secure form of communication and should not be used to convey sensitive information such as passwords.
- Websites like ‘have i been pwned?’ provide a way to check if you have an account that has been compromised in a data breach, and you can also subscribe to notifications for any future breaches.
- Staff should be trained on how to spot a phishing email using free resources like the Sophos Anti Phishing Toolkit.
Blackbird IT is a Showcase SA Platinum Member providing local specialist cloud computing consultation and solutions. Find out more at Blackbird IT.
The information contained on this web site is general in nature and does not constitute personal or professional advice, or take into account your personal or business situation. You should consider whether the information presented is appropriate to your needs, and where appropriate, seek professional advice.