Security Updates
Microsoft, Apple, Google, Firefox and numerous other reputable software products release updates regularly to patch identified vulnerabilities and performance issues. Some software installs updates automatically, but if programs aren’t allowed to close and relaunch, or if devices aren’t rebooted, the updates don’t finish installing. Furthermore, updates that are partially installed and only waiting on an application reload or system reboot can, over time, cause instability and performance issues, and can even corrupt files the applications need to run. Remember those Living off the Land threats we mentioned? Think about all the old video conferencing software on your systems. It already has access to mics and cameras, so how hard would it be to commandeer unpatched and vulnerable software to access those devices?
Malware no longer affects only the software layers of systems. CPUs and other hardware can be compromised, and vendors now release firmware and driver updates not only to address performance issues, but to address identified vulnerabilities as well. Vendors like Dell, HP, Brother and Epson provide utilities to check for and install these updates. In many cases the utilities install updates in the correct order and only install tested updates. If ever in doubt, go to the vendor’s website to see what the update is. A word of caution: be careful about going directly to a component manufacturer, such as the maker of a video or sound card, to get drivers and firmware unless you know what you’re doing. Instead, rely on the computer manufacturer to provide the necessary updates, which they test to work with the other components in a given system. Installing the wrong driver or firmware can cause problems ranging from minor annoyances to serious malfunctions.
Have you gotten some great tool or utility to accomplish a task? Those need updates too. When downloading software, vet the source to be sure it’s safe. Even if it typically is, use caution and be sure to download to a protected device, where the download has to pass through a good firewall, get scanned by malware detection tools and so on. Never download software to a corporate system without approval from your IT department. Open source software provides solutions for just about every need there might be, and the open source community at large is about making something that works well and sharing it with others. GitHub has long been a repository for loads of such software and does a great job of making it easy to find and use. Criminals have taken notice and purposely compromised offerings. Because open source software is open so others can customize the code, using it means the end user should have a good knowledge of how and where to use it safely and how to protect sensitive information.
Establish Protocols and Procedures
Most companies have an employee handbook addressing typical expectations of conduct and job function, paths of communication and so on. Now that companies rarely operate without tech, there should be protocols around setting up new employees, what they have access to, keeping track of assigned hardware and software licenses. On the flip side, there also need to be protocols around job changes and employee departures. As noted earlier, employees should only be given access to resources they need and only for as long as they need them. Having an open network makes more room for mistakes and malicious action. The malicious intent may not be your employees’, but if they release malware, that malware has access to everything they do. When an employee departs a company under any condition, their access should be immediately revoked by at least changing credentials or disabling the account. Others can be given access to the former employee’s data for review before archival or deletion.
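One way to check that departures really do end in revoked access, as an added example that is not part of the original article: reconcile an HR departure list against a directory account export. The CSV column names and all sample rows are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR departure list and a directory account export.
HR_DEPARTURES = """username,departure_date
jdoe,2024-03-01
asmith,2024-03-15
bwong,2024-04-02
"""

ACCOUNT_EXPORT = """username,enabled,password_last_set
jdoe,false,2023-11-20
asmith,true,2024-03-15
bwong,true,2024-01-10
mlee,true,2024-02-01
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_unrevoked(departures_csv, accounts_csv):
    """Return usernames of departed employees whose access was not revoked.

    Access counts as revoked when the account is disabled or deleted, or when
    its password was changed on or after the departure date. Dates have day
    granularity, so a same-day change is accepted as the revocation.
    """
    accounts = {row["username"]: row for row in load(accounts_csv)}
    findings = []
    for row in load(departures_csv):
        acct = accounts.get(row["username"])
        if acct is None:
            continue  # account no longer exists
        if acct["enabled"].strip().lower() != "true":
            continue  # account is disabled
        left = date.fromisoformat(row["departure_date"])
        changed = date.fromisoformat(acct["password_last_set"])
        if changed < left:
            findings.append(row["username"])  # enabled, old credentials still valid
    return findings

if __name__ == "__main__":
    for user in find_unrevoked(HR_DEPARTURES, ACCOUNT_EXPORT):
        print(f"REVOKE NOW: {user} has left but the account is still usable")
```

Run on a schedule, a non-empty result means someone who has left can still sign in.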
Most modern employee handbooks have a section of security policies addressing use of digital tools, access to data, handling of sensitive information and protocols when things are suspect or a downright security issue. Having clear security policies and proof that every employee (CEOs, CFOs, directors and all management included!) has read, understood and acknowledged the policies is very important if there is even a hint of a data breach. Not sure where to start? There are templates for everything and we have some great ones for security policies.
Limit Devices on Your Private Network
Many small offices utilize consumer-grade wifi solutions in their offices. While such systems have improved over the years, they still do not offer the security of business-class solutions. In a business-class solution, your wifi should be behind a business-class firewall. Then the wifi should be separated into two different networks (SSIDs) which are not allowed to communicate with each other: one is for corporately managed devices and lets them communicate with resources on your private network such as servers and printers. Allowing unmanaged devices on this SSID or connecting them with a cable to the same network is risky business. Tablets and phones typically are not updated as they should be, may be jail-broken and usually have questionable apps installed. Someone else’s laptop has who-knows-what on it.
Most corporate devices offer at least two, if not more, SSIDs. Consider offering one to your employees for their phones and tablets. If there’s an option for another, you could offer a guest network and limit the bandwidth it can consume. Create separate SSIDs for distinct purposes: have cameras? Put them on an SSID of their own. Thermostats, door and light controls? Separate them. In many cases, devices on the same SSID can even be prevented from “seeing” each other. All of this separation offers incremental security to connected devices.
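A way to test that the separation described above actually holds, as an added example that is not part of the original article: evaluate a firewall rule list, first match wins, for every pair of segments and report any pair that can talk when it should not. The subnets, segment names and rule format are constructed and do not follow any vendor's syntax; each rule is assumed to cover whole segments.

```python
import ipaddress

# Constructed example: one subnet per SSID or wired segment (addresses made up).
SEGMENTS = {
    "corporate": "10.10.0.0/24",
    "servers":   "10.20.0.0/24",
    "byod":      "10.30.0.0/24",
    "guest":     "10.40.0.0/24",
    "cameras":   "10.50.0.0/24",
}

# Constructed rules as (action, source, destination), evaluated top-down.
RULES = [
    ("allow", "10.10.0.0/24", "10.20.0.0/24"),  # managed devices -> servers, printers
    ("allow", "10.50.0.0/24", "10.20.0.0/24"),  # cameras -> whole server subnet
    ("deny",  "10.0.0.0/8",   "10.0.0.0/8"),    # all other traffic between segments
    ("allow", "0.0.0.0/0",    "0.0.0.0/0"),     # everything else, i.e. internet
]

# Policy from the text: only corporately managed devices reach private resources.
ALLOWED = {("corporate", "servers")}

def action_for(src_net, dst_net, rules):
    """Return the action of the first rule covering both subnets."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    for action, rule_src, rule_dst in rules:
        if (src.subnet_of(ipaddress.ip_network(rule_src))
                and dst.subnet_of(ipaddress.ip_network(rule_dst))):
            return action
    return "deny"  # nothing matched: implicit deny

def segmentation_violations(segments, rules, allowed):
    """List (source, destination) segment pairs that are open but not in policy."""
    violations = []
    for a, a_net in segments.items():
        for b, b_net in segments.items():
            if a == b or (a, b) in allowed:
                continue
            if action_for(a_net, b_net, rules) == "allow":
                violations.append((a, b))
    return violations

if __name__ == "__main__":
    for src, dst in segmentation_violations(SEGMENTS, RULES, ALLOWED):
        print(f"VIOLATION: {src} can reach {dst}")
```

With the sample rules it reports that the camera segment can reach the server subnet, the kind of convenience rule that quietly undoes the separation.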
A note on data jacks in walls: don’t make them inviting. If they are accessible and not in use, don’t have them live. Then if anyone plugs in a device, it won’t connect to anything. Keep track of who’s connecting to which network and only give out credentials as needed. When employees who know those credentials leave, change them!
Security Training
Do you have a formal security training process? It used to be that occasional training in an extended session was sufficient to apprise users. Most just assume that people know what they need to. But do you know that new threats are introduced constantly? There are segments of the tech sector dedicated to security from many different angles and it’s only growing. Educators will confirm that cramming for an exam really doesn’t produce long-term recall and knowledge. Rather, consistent bits of information that apply to a specific situation will be more memorable over time and help people retain information that helps them think logically in a stressful situation. Modern security training delivers short, contemporary lessons on a frequent basis to teach people, but also to keep risks at the front of users’ thoughts as they move throughout their days. Users trained in this way more readily identify a phish, or check a link before clicking. They’re more cautious about what information they divulge to an unknown caller and confirm information before taking action that could put your business in a world of hurt. Test your skill at detecting phishing emails. There’s more to it than you might think.
These practices go a long way toward the due diligence mentioned earlier. Hopefully, you’ve got some food for thought. If you have questions, let us know.