1. Change default passwords

Your network is at risk if the default usernames and passwords that ship with a multitude of devices are never changed. Inspect your firewalls, routers, servers, workstations, tablets etc. to ensure that all default credentials have been removed.

2. Adopt Pass-phrases

User passwords are a perpetual source of risk, not least because of outdated guidance. Users should be required to use passwords of a minimum of eight characters but, since such a password can be cracked in as little as 14 minutes, ten or twelve characters are preferred. Consider the use of ‘pass-phrases’.

3. Don’t abuse administrative accounts

Users with administrative accounts must be required to use those accounts only for the tasks that need them. For example, the IT team should use ‘ordinary’ privileges for office tasks.

4. Control anti-virus protection

Confirm that every computer has appropriately configured anti-spyware, anti-malware and anti-virus software installed, and that it receives automatic updates through a current subscription. Check that users cannot disable or modify its settings.

5. Adopt a software whitelist approach

Create a list of approved applications (a so-called ‘whitelist’), and block the installation or opening of any application not on this list.

6. Disable legacy and unsupported software

Disable any software for which no license can be identified, or which is not supported by its author. All legacy applications should be removed or isolated from the network.

7. Use two-factor authentication

Enable two-factor authentication wherever possible, especially for mobile devices.

8. Address IT physical security

Ensure the core IT infrastructure (servers, routers etc.) is located in a secure room with strict access controls. Access should be logged.

9. Close network ports

Disable applications which rely upon open ‘ports’ to provide remote access. Such applications are often used for remote access in support scenarios and include names such as ‘LogMeIn’ and ‘TeamViewer’. These applications can pose significant security risks if left running and unmonitored.

10. Terminate consumer-grade file sharing

Terminate the use of consumer-grade cloud file-sharing services such as Google Docs, Dropbox, iCloud and so forth. Primarily, such services open the door to corporate data being synchronised onto users’ personal devices. Further risks lie in the routine data corruption or loss caused by such services.

11. Test your backups

Test your backups! Ransomware attacks are hugely under-reported, and their true cost can only be speculated upon. Even if you pay the criminals, your data is unlikely to be returned, so your backups are your only true defence. Sadly, too many organisations fail to test their ability to restore a backup, and so may be devastated.
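As an added example (not part of the original article), the following shell script performs the kind of restore test this step calls for: it backs up a constructed sample directory, restores the archive into a scratch location, and compares per-file SHA-256 checksums, so a backup job that silently skipped a folder is caught before the backup is ever needed. All paths and sample files are constructed placeholders.

```shell
#!/bin/sh
# Backup restore test: archive a directory, restore it into a scratch location
# and compare per-file SHA-256 checksums. Exits 0 only when every file comes
# back byte-for-byte. Paths and sample data are constructed for this example.
set -eu

# Constructed sample data so the script runs stand-alone (not real records).
make_sample_data() {
  mkdir -p "$1/finance" "$1/hr"
  printf 'invoice 001: 1200.00\n' > "$1/finance/invoices.txt"
  printf 'alice,consulting\nbob,support\n' > "$1/hr/staff.csv"
}

# make_backup SOURCE_DIR ARCHIVE: the backup job under test (plain tar+gzip).
make_backup() {
  tar -czf "$2" -C "$1" .
}

# Sorted "checksum  path" lines for every regular file under $1, relative to
# $1, so two trees can be compared regardless of filesystem ordering.
checksums() {
  (cd "$1" && find . -type f | sort | xargs sha256sum)
}

# restore_test SOURCE_DIR ARCHIVE SCRATCH_DIR
# Restores ARCHIVE into SCRATCH_DIR and returns 0 only if the restored tree
# matches SOURCE_DIR file for file; any missing or altered file fails the test.
restore_test() {
  rm -rf "$3" && mkdir -p "$3"
  tar -xzf "$2" -C "$3"
  checksums "$1" > "$3.expected"
  checksums "$3" > "$3.actual"
  if cmp -s "$3.expected" "$3.actual"; then
    echo "PASS: $(grep -c . "$3.actual") files restored and verified from $2"
  else
    echo "FAIL: restored tree differs from source for $2" >&2
    diff "$3.expected" "$3.actual" >&2 || true
    return 1
  fi
}

# Demonstration: a complete backup passes; a job that silently skipped the
# 'hr' folder (simulated here with --exclude) is caught by the restore test.
WORK="${TMPDIR:-/tmp}/restore-test.$$"
make_sample_data "$WORK/data"
make_backup "$WORK/data" "$WORK/full.tgz"
restore_test "$WORK/data" "$WORK/full.tgz" "$WORK/restore-full"
tar -czf "$WORK/partial.tgz" --exclude=hr -C "$WORK/data" .
restore_test "$WORK/data" "$WORK/partial.tgz" "$WORK/restore-partial" || echo "(expected failure detected)"
```

Schedule a run like this against a real restore of each production backup set, and treat a FAIL as an incident rather than a nuisance.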

12. Cyber security training

Invest in a cyber security training course for all staff. Even one hour of training can pay dividends.

Summary

Part of our Cyber Security Series

12 easy steps to improve cyber security in any organisation, and to prepare for the Cyber Essentials certification

Humperdinck Jackman, Author

Director of Consulting Services

Humperdinck has a 30-year career spanning Document Management Systems (DMS), data protection, Artificial Intelligence and Robotic Process Automation. With many articles published in print internationally, he believes the advances in office technology are such that we're entering the 4th Industrial Revolution. Now Director of Marketing and Consulting Services at Advanced UK, he's as active with clients as he is in endeavouring to write original blog articles.