General Security Advice
General security advice from Weald.
Please note that this does not cover every possible security risk and solution – it is a set of prompts based on our experience.
Use unique and complex passwords – i.e. do not reuse the same password across multiple online providers, because if one provider is compromised you don’t want that password being used to log into another.
Use MFA/2FA – this means a text or an app which asks for confirmation when someone tries to access your account. An authenticator app is preferable to a text message, because text messages can be intercepted or redirected by a SIM swap.
Do NOT open attachments from unknown sources. If in doubt, send it to IT to check first.
If unsure, just don’t open it. If it looks wrong, it probably is wrong.
Know your suppliers and expect invoices only from them – do not accept invoices from anyone else.
Know your own voicemail system – don’t open emailed voicemail notifications that do not come from it.
Middle man (payment diversion) attacks:
Do NOT act on “internal emails” asking you to transfer money to unknown sort codes and account numbers.
Issue statements to clients and suppliers along the lines of:
“We will never ask you to move your money or ask you to transfer funds to a new sort code and account number that we provide.”
Use an old fashioned procedure: verify any change of bank details by phone, using a number you already hold on file, never one given in the email that asks for the change.
If someone asks you something unusual involving a bank transaction, stop and query it.
Examine the sender domain: a lookalike domain often differs by a single character, e.g. wealdcomputer.com instead of wealdcomputers.com.
Be aware your internal emails can be compromised and may appear to come from your manager.
If the language of the email looks wrong for the person who sent it, it is probably spoofed.
Strongly consider using 2FA – 2 factor authentication. This is where you have to say yes on an app or enter a code from your mobile phone.
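The sender checks above (lookalike domain, supplier you don’t recognise, display name or Reply-To that does not match the address, request to change bank details) can be written down as a small script that a finance team or mail gateway could run before an invoice is paid. This is an added example written for this page, not Weald’s own tooling: the trusted domain list, the keyword list and the sample messages are all constructed for illustration, and the edit-distance threshold is an assumption you would tune for your own supplier names.

```python
"""Flag sender domains and headers that match the payment-diversion patterns above.

Added example, not Weald's code. TRUSTED_DOMAINS, PAYMENT_PATTERNS and the
SAMPLES below are constructed assumptions for illustration only.
"""
import re
from email.utils import parseaddr

# Constructed: domains this business genuinely expects invoices/mail from.
TRUSTED_DOMAINS = {"wealdcomputers.com", "bigsupplier.co.uk"}

# Character swaps that look alike in many fonts (rn vs m, 1 vs l, 0 vs o ...).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed phrases that usually accompany a bank-detail change request.
PAYMENT_PATTERNS = re.compile(
    r"sort code|account number|bank details|new account|transfer (the )?funds|urgent payment",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(label: str) -> str:
    """Collapse confusable characters so wea1d and weald compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def first_label(domain: str) -> str:
    return domain.split(".", 1)[0]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    dom = domain.lower().rstrip(".")
    if not dom:
        return "unknown"
    for t in trusted:
        if dom == t or dom.endswith("." + t):
            return "trusted"  # the domain itself or a genuine subdomain of it
    if any(label.startswith("xn--") for label in dom.split(".")):
        return "lookalike"  # punycode/IDN label: can hide non-Latin confusables
    for t in trusted:
        if (t + ".") in dom:  # trusted name buried in a longer one: bigsupplier.co.uk.evil.net
            return "lookalike"
        a, b = fold(first_label(dom)), fold(first_label(t))
        if a == b:  # same name, different TLD: wealdcomputers.net
            return "lookalike"
        if edit_distance(a, b) <= (2 if len(b) >= 8 else 1):  # assumed threshold
            return "lookalike"
    return "unknown"


def assess_message(headers: dict, body: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of warnings for one message; an empty list means nothing flagged."""
    warnings = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    verdict = classify_domain(domain, trusted)
    if verdict != "trusted":
        warnings.append(f"{verdict} sender domain: {domain or '<none>'}")
    # Display name written as an address at one domain while the real address is elsewhere.
    if "@" in name and name.rpartition("@")[2].strip().lower().rstrip(".") != domain:
        warnings.append(f"display name claims {name!r} but address is {addr}")
    # Replies silently diverted to a mailbox the attacker controls.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != domain:
        warnings.append(f"Reply-To goes to a different domain: {reply_domain}")
    if PAYMENT_PATTERNS.search(body):
        warnings.append("asks about bank details or a payment: verify by phone on a number you already hold")
    return warnings


# Constructed sample messages for a stand-alone run.
SAMPLES = [
    ({"From": "Accounts <accounts@bigsupplier.co.uk>"}, "Invoice 1042 attached, terms as usual."),
    ({"From": "Accounts <accounts@bigsupplier.co.uk.evil.net>"}, "Our bank details have changed, see attached."),
    ({"From": '"boss@wealdcomputers.com" <boss.weald@gmail.com>', "Reply-To": "boss@outlook.com"},
     "Please transfer the funds to the new account today, I am in a meeting."),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(headers["From"], "->", assess_message(headers, body) or ["ok"])
```

The domain classifier deliberately treats a genuine subdomain (mail.wealdcomputers.com) as trusted but anything that merely contains or nearly matches a trusted name as a lookalike; a result of “unknown” is not safe either, it just means the sender is not a supplier you know.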
General and ransomware type:
Encrypt your data or device. This does not stop ransomware, but it protects your data if the device is lost or stolen.
Backups are your way to recover from ransomware. Make sure you are backing up, keep at least one copy offline or otherwise out of reach of the machines being backed up (ransomware will encrypt any backup it can see), and ask us to test it.
If you click something dodgy, TURN THE COMPUTER OFF – press the power button until it goes off.
Get someone to check it – do not turn it back on, take it to an expert to examine and deal with.
Don’t browse to dodgy web sites, or if you must, do it at home and use a tablet, not your Windows PC.
Do NOT connect to work with your home computer that has been used for ‘leisure’.
Do NOT let your kids use your WORK laptop for playing games and internet browsing.
Be aware that Word and Excel documents are not automatically safe; they can run macros.
Do not assume your AV or anti-malware package will stop modern viruses; we are now in the age of the “file-less” virus. These use exploits or code already present on the system, such as built-in scripting tools, rather than dropping a program that the scanner can catch.
Do NOT set up personal email accounts on work computers.
Do some PHISHING TESTS – spear phishing is now probably the most common route to a security compromise.
Management and those working in Finance:
Backup and DR testing are the way to recover: make sure they work and have a daily checking procedure.
Do NOT use banks that do not use a hardware device (card reader or token) to authorise payments.
Do NOT release payment batches that have not been checked by a second person.
Do back IT in enforcing a password policy, and possibly 2FA too.
Where possible, do NOT habitually use “Faster Payments”. These are not reversible.
HMRC (PAYE etc.) does NOT send you emails about refunds. Don’t click to get a refund.
Your BANK will probably not email you, or if it does it will come from a known account manager.
Do worry about ‘leavers’ and have a leavers procedure. Having lots of Active Directory users present increases risk, even if you have changed the passwords. Don’t have generic AD accounts with easy passwords. These may be web accessible via Outlook Web Access, which is a way in.
When out of the office, be aware of “SHOULDER SURFERS” – they exist on trains!
IT People: Consider blocking all attachments except PDF – it might be hassle but the returns are great! Bear in mind that PDFs can still carry malicious links or scripts, so keep scanning them.
IT People: Do not allow PPTP pass-through (TCP port 1723) – use an SSL VPN instead.
IT People: Use account lockout on failed password attempts – 3 or more? Set the threshold low enough to stop password guessing but not so low that a mistyped password locks people out all day.
IT People: Do have a 90 day change policy on passwords. Note that current NCSC guidance favours long, unique passwords plus 2FA over forced periodic changes, so if you adopt 2FA you may choose to relax this.
IT People: Look at implementing 2FA on 365 – it works well.
IT People: Set up user education and testing.
IT People: Look at device encryption for your mobile workers.
IT People: Look at MDM – mobile device management.
Do not expose RDS/RDP (port 3389) to the internet for remote access.
Do disable accounts on the server that you do not recognise. Disable first, ask later.
Do consider two factor authentication for any web accessible systems.