Heather Anson, director of Anson Evaluate and co-author of the new edition of the Cyber Security Toolkit, provides some seasonal tips on avoiding cyber breaches during the festive period

At the end of a tumultuous couple of years, December brings again the familiar Christmas treadmill of office parties, secret Santas and looking forward to the workplace shutdown for the festive break. It’s important to check where you and your firm are with best cyber practice – are you on cyber Santa’s naughty or nice list?

The naughty list – 5 things to avoid

1. Personal use of business devices

Allowing your staff to use their business devices (mobiles, laptops, tablets) for personal use covers everything from browsing and social media to sharing the device with family (for example watching films on a tablet or laptop, or letting a child play games on it). Personal use greatly increases the risk of compromise, including the inadvertent downloading of malware through installing apps and visiting untrusted sites. A blanket policy against personal use is far easier to enforce and safer for your firm.

2. Using free wifi

Logging onto free public wifi with a business device (unless the device has a secure virtual private network (VPN) or equivalent) should be banned. Unless your firm’s IT department can ensure that a VPN is active on all wifi-enabled devices, it is best never to connect to free wifi. Not only are such networks regularly used to attack other devices logged into the same network, but hackers can also spoof what looks like the free wifi service of a restaurant, café or hotel to trick people into handing over full access to their devices.

3. Using the same passwords

Using the same password on multiple accounts and platforms is called ‘daisy chaining’. Whilst daisy chaining in nature may be a fun way to make a floral tiara, it doesn’t have the same meaning in the cyber world. All a hacker has to do is breach one of the many platforms on which you use the password to gain access to every platform and device where you use the same one. So, by using the same password for everything, you are entrusting the security of that password to the weakest of all those platforms.

4. Donating or selling used devices

Although it may seem like a charitable thing to do, donating or selling devices after use without removing hard drives and memory cards and, at a minimum, performing a factory reset is not safe practice. It’s very difficult to ensure that all data, including logins and password information, is removed from a device once you have finished using it. This is particularly the case with devices that are designed to protect their owners from accidentally deleting important data, which makes a thorough wipe harder to achieve. The safest, and the most charitable, thing to do is to destroy the devices.

5. Using WhatsApp for business communications

The National Cyber Security Centre (NCSC), the UK Information Commissioner’s Office (ICO) and MI5 all recommend that WhatsApp is not used for business communications. Designed primarily for personal use and widely adopted, WhatsApp has been heavily criticised for its failure to protect its users’ data privacy. If your employees are using WhatsApp for business communication on their personal mobile devices, they are exposing your firm to serious data breaches and security risks.

The nice list – 5 things you should do

1. Use multi-factor authentication

Using multi-factor authentication (MFA) on all platforms and software where it is available is now considered the minimum recommended by the NCSC and the ICO. If you don’t already have it, it’s strongly recommended to help protect your online accounts.

2. Update and protect all devices

Ensure you keep antivirus and firewall protection up to date on all devices, including mobile phones and tablets. Our phones and tablets are just as connected to the internet as our computers, and have been for years. You need to give them the same protection.

3. Update your software regularly

Updating software regularly to ensure that security patches are in place is crucial. This is a must to keep your systems safe – Tuckers LLP were fined £98,000 by the ICO for failing to keep their systems safe.

4. Use strong passwords

It’s very important to have strong passwords that follow the latest advice on password security. Current standards state that length is more important than complexity, so adding random numbers, symbols or exclamation marks is no longer necessary. Longer passwords that are easier to remember, such as phrases or a list of common words, are therefore recommended over the previous ‘complex’ password guidance. The NCSC recommends using three random words to create a single password that’s difficult to crack.
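As an added worked example (not from the original article), the ‘length over complexity’ point can be seen from the guessing entropy of a password chosen uniformly at random, where $L$ is the length in symbols and $N$ is the number of symbols each position is drawn from:

$$
H = L \log_2 N \text{ bits}
$$

An 8-character password drawn from the 95 printable ASCII characters gives

$$
H = 8 \log_2 95 \approx 8 \times 6.57 \approx 52.6 \text{ bits,}
$$

whereas a 16-character password using only lowercase letters gives

$$
H = 16 \log_2 26 \approx 16 \times 4.70 \approx 75.2 \text{ bits.}
$$

The longer, simpler password is harder to guess by more than twenty bits, i.e. by a factor of over a million. For a password built from $k$ random words drawn from a vocabulary of $N_w$ words the same formula applies with words as the symbols, $H = k \log_2 N_w$; with three words from an assumed list of 7,776 words this is about 38.8 bits, and it rises with the size of the vocabulary. These figures assume the symbols or words are genuinely chosen at random; a human-chosen ‘complex’ password such as a dictionary word with a digit and a symbol appended has far less entropy than the formula suggests, which is why length and randomness matter more than character classes.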

5. Have secure communications

Use secure methods of communication such as Signal. Although this seems like straightforward advice, it can be difficult when you have clients that prefer to use messaging platforms such as WhatsApp or even SMS messaging. However, if you explain the risks to them clearly and give them an easy alternative, they are much more willing to use it, and are even grateful for the advice.

The new edition of the Cyber Security Toolkit (2nd) is available to purchase here