IT Security Check List
Check you have Anti-Virus
Most businesses will have some form of anti-virus installed in their network, however, if I had a pound for every time we carry out an audit on a new customer’s IT environment and found trial versions, differing versions of AV or unpatched (or worst still expired AV), I would be, maybe not very rich, but never short of change!
Ask yourself these questions, do you have the same application deployed or an array of different providers? A uniform AV suite is more desirable. Are your AV full copies or are few devices running evaluation versions? How are your AV’s managed? Do you use a central server to deploy and manage your AVs which automatically tracks the health of your machines, as well as push out any required updates, or is this critical work left to Tim in accounts to do…when he gets the time…to research how-to on Google (if I had a pound for every time we have heard this…well you know the rest)
Are Wi-Fi networks encrypted?
The good news is that businesses are much better with this one, the bad news is the passwords used can sometimes leave a lot to be desired. Guest 123, Pegasus!! (when the company name is Pegasus) and Qwerty are not good passwords. They are easy to guess. Use a password standard to create more secure passwords.
A possible password generated from this standard could be FordItaly&27! — very random but secure.
What Versions of Software Are You using and Are Provisions Made for Software Patching?
We found a Windows 95 computer a few weeks back (I know the horror!) but whilst a concern, the computer in question was not connected to the internet and was used to access some legacy software every few months.
Many businesses still run software that is no longer supported by the vendor. This means that critical updates (or patches) necessary to plug any security gaps will no longer be released by them. It is easy to ensure you are running the latest (or at the very least a supported) version of your application by checking out their website. Microsoft’s is here but a quick google search will also provide details for other vendors (try typing support cycle for, then add software name. For Adobe you would type “support cycle for adobe”). If you are still running legacy unsupported software, then chances are your systems will not be secure and hackers will have taken advantage of this.
Making sure you apply the patches for supported software is equally important. Vendors such as Microsoft, will release patches to “close” security gaps once they find them. Microsoft has its monthly Patch Tuesdays when it releases new patches, while Adobe has committed to a quarterly patch schedule for its software. Do you pay attention to the various patch schedules and make provisions for software patching, especially for large or critical updates?
Encrypt Your Mobile Devices
I have seen very few businesses do this, but considering how easy it is to do, I would have thought more businesses would encrypt mobile devices. Microsoft Windows includes the BitLocker drive encryption system which automatically encrypts any files saved to the hard drive. USB thumb drives and other external devices can also be encrypted. IT staff can set everything up using a management console and store the recovery keys. As more of us work remotely this is a vital security layer to ensure that if you do lose your laptop for example, your business files are safe from prying eyes.
Backup and Disaster Recovery Provision
If all fails, then having a good backup to restore to is essential. There are different types of backups that you can have. You can choose to have just your data backed up or have a bare metal backup. This is where you don’t just backup your data but also any applications required to run the data. Our preferred option is the latter because chances are, if your systems are compromised you may have to rebuild the entire thing. This can take days when you factor in install and config time for your applications. With a bare metal provision, you can literally be back up and running in hours rather than days.
Equally important is having well documented and regularly tested backup and disaster recovery procedures. What do you do if there was a major security breach? Just like having a fire evacuation process you also need to have procedures that tells your users what they should do if they believe their systems have been breached.
One advice we give our customers and is the number one action in our “Stop and Think” prep guide is for the user to disconnect their device from the network. This simple action could help stem the spread of a virus for example.
Do You Regularly Train Your Users?
Here at Supreme we are huge advocates of security training for all employees. We provide this free of charge to our customers because we know how important such training is for users as they are far more likely to ignore good security practices or fall prey to social-engineering attempts.
There are many free resources on the internet to help you create your own training program — covering the basics is all that is needed. The Government’s National Cyber Security Centre is a good place to start.
Want more advice? If you would like advice on IT for your small business or start-up, get in touch.