Safer Internet Day takes place each February (this year on Tuesday 9 February) and is being celebrated with the theme ‘An internet we trust – exploring reliability in the online world’. Safer Internet Day inspires a national conversation about using technology responsibly, respectfully, critically and creatively.
Coordinated by the UK Safer Internet Centre, the celebration sees thousands of organisations get involved to promote the safe, responsible and positive use of digital technology for children and young people.
We have put together our top 3 things that organisations, and then individuals, can do to help them stay safe.
1. Patch your devices and applications and ensure endpoint protection is sufficient
With the huge increase in remote working, the days of the office network acting as a perimeter are gone, replaced by home networks full of unknown, likely unpatched and insecure devices.
Wherever possible, staff should connect their devices to a VPN endpoint controlled by the organisation so that your existing network controls still apply. If this is not in place or achievable, you should double down on endpoint security, making sure OS-level and application updates are installed without delay. Don’t assume it is happening; verify it. If you use Microsoft Azure Active Directory, look at Intune; for on-premises Active Directory, use WSUS. Note that both are primarily concerned with Windows and other Microsoft product updates rather than third-party applications, so use a third-party patching tool for those or, as a minimum, make sure staff understand they must keep their applications updated too.
Finally, now is the time to review your endpoint protection. Is your anti-malware solution able to update when the device is remote, or does it point to an on-premises update server that is no longer reachable? Check that host firewalls are enabled: many businesses disabled them because the office network firewall was assumed to be enough. Home router firewalls are far simpler and often expose a remote administration port so the internet service provider can support customers, so do not rely on them.
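As an added example (not from the original article), the PowerShell below is the kind of check an administrator can push to remote Windows 10 devices, or a technically minded user can run in an elevated session, to verify rather than assume the points above: OS version, the date of the last installed update, Defender signature age and real-time protection, and whether each Windows Firewall profile is enabled. The 30-day patch and 3-day signature thresholds are assumptions chosen for illustration; adjust them to your own policy. If you use a third-party anti-malware product, Get-MpComputerStatus will not report on it.

```powershell
# Added example, not from the original article: endpoint posture check for a
# remote Windows 10 device. Run in an elevated PowerShell session.
# The two thresholds below are assumptions for illustration.
$MaxPatchAgeDays     = 30
$MaxSignatureAgeDays = 3

$findings = @()

# 1. OS version: anything older than Windows 10 no longer receives security updates.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'10.0') {
    $findings += "Unsupported OS: $($os.Caption) ($($os.Version))"
}

# 2. Patching: Get-HotFix lists installed Windows updates; look at the newest InstalledOn.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch) {
    $findings += "No installed updates reported by Get-HotFix"
} elseif (((Get-Date) - $lastPatch.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
    $findings += "Last update $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days"
}

# 3. Anti-malware: Defender signature age and real-time protection (Defender only).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += "Defender real-time protection is off"
    }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
    }
} else {
    $findings += "Get-MpComputerStatus unavailable: check your third-party anti-malware product instead"
}

# 4. Host firewall: all profiles should be enabled, especially Public (home Wi-Fi).
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True') {
        $findings += "Windows Firewall profile '$($_.Name)' is disabled"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: patched within $MaxPatchAgeDays days, anti-malware current, firewall enabled"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as a scheduled or remotely pushed script and collect the FINDING lines centrally; each one is a device that needs follow-up rather than a box you have ticked.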
Useful resources: Secure home working on personal IT – NCSC.GOV.UK
2. Authenticate with appropriate security
Passwords may be chosen by individuals, but as an organisation you can make sure they understand good password security. Recommended password policy has changed in recent years (away from forced regular expiry and complexity rules, towards length and screening against known-breached passwords), so make sure yours reflects this (Password policy: updating your approach – NCSC.GOV.UK).
Provide your staff with a password manager. They are human and will reuse passwords because it is the easy option, so give them an easier one: a password manager that generates a unique random password for each service and fills it in when they log in.
Password reuse is a major concern. The days when only a handful of application passwords needed changing after a breach are gone; most people now have tens if not hundreds of work-related applications that need a password, and one reused password exposed in a breach elsewhere gives an attacker a key to all of them.
Finally, passwords alone have an inherent flaw: they are a single point of failure. The most effective improvement is Multi-Factor Authentication (MFA). This requires the application to support it, but most that hold personal or sensitive data now do and it simply needs to be enabled. Mandate its use on, at a minimum, the critical applications whose compromise would cost you financially or reputationally.
3. Review your IT estate and monitor it
We all have that one drawer full of random things we keep because one day we might need them. IT has an equivalent: the network storage device you bought back in 2015 that nobody uses. It is probably still sat there, connected to your network and unpatched for years.
Manage your devices and services and keep an accurate inventory. If it is connected to your network you should know about it, include it in your patching schedule and, where appropriate, test it. The same principle applies to websites and web applications you host or manage that are reachable from the internet: make sure they are patched and scanned for security issues. i3Secure will be offering a free service in the future to help you with this, so watch this space.
Finally, you would not go on holiday and leave all your windows and doors wide open for an intruder. Over-exposing ports is the digital equivalent. Make sure any device you expose to the internet exposes only the ports needed for its service (for example, port 443 is generally used for HTTPS web traffic), and confirm this from outside your network rather than trusting the configuration. Similarly, you would not leave a front door hanging off its hinges with no lock. Don’t expose services that were never designed to face the internet; Remote Desktop is a prime example. It was not designed to be exposed to the internet without additional controls, so do not open it through your firewall unless you mitigate the risk: restrict which IP addresses can reach it, mandate strong authentication (MFA) and keep an excellent patching process so that known vulnerabilities are closed quickly. Better still, keep it behind the VPN.
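As an added example (not the article’s own or any vendor’s code), the PowerShell below shows the two checks just described on a Windows host: it inventories what the machine is listening on and compares that with the ports you intended to expose (here only 443, an assumption for illustration), then narrows the built-in Remote Desktop firewall rules from “Any” to an allowlist of source addresses and turns on Network Level Authentication. The 203.0.113.0/24 range is a documentation address standing in for your office or VPN egress. Review it before running in an elevated session, because the second half changes firewall rules. This is an inside view only; confirm from outside your network that nothing else is reachable.

```powershell
# Added example, not from the original article: listening-port inventory and
# Remote Desktop exposure hardening on a Windows host. Run elevated.
# IntendedPorts and AllowedRdpSources are assumptions for illustration.
$IntendedPorts     = @(443)
$AllowedRdpSources = @('203.0.113.0/24')

# --- 1. What is this host actually listening on? ---------------------------
# Loopback-only listeners are not reachable from the network, so skip them.
# Wildcard binds (0.0.0.0 / ::) are kept because they are reachable on every interface.
$unexpected = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Where-Object { $_.LocalPort -notin $IntendedPorts } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
        }
    } | Sort-Object LocalPort -Unique

if ($unexpected) {
    Write-Output "Listening ports not on the intended list (close them or firewall them):"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "Only intended ports ($($IntendedPorts -join ', ')) are listening on non-loopback addresses"
}

# --- 2. Remote Desktop: restrict source addresses and require NLA ----------
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOff = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

if ($rdpOff -eq 1) {
    Write-Output "Remote Desktop is disabled on this host; nothing to restrict"
} else {
    # The built-in inbound rules live in the 'Remote Desktop' display group and
    # default to RemoteAddress 'Any'. Scope each one to the allowlist instead.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            Write-Output "Rule '$($_.DisplayName)' accepts RDP from Any; scoping to $($AllowedRdpSources -join ', ')"
            $_ | Set-NetFirewallRule -RemoteAddress $AllowedRdpSources
        }
    }

    # Network Level Authentication (UserAuthentication = 1) checks credentials
    # before a desktop session is created, reducing the unauthenticated attack surface.
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    Write-Output "Network Level Authentication enforced for RDP-Tcp"
}
```

Scoping the rule to known source addresses and requiring NLA are the mitigations the paragraph above asks for; they reduce the risk of an exposed RDP service but do not make it safe to leave open indefinitely, so pair them with MFA on the accounts that can log in and with prompt patching.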
Useful resources: NCSC – NCSC.GOV.UK
For individuals, our top 3 are:
1. Passwords
People are always told to improve their passwords, and yet every year research still shows that a large proportion continue to use weak passwords and reuse the same password on multiple sites.
Almost all users will benefit from a password manager. They generally work the same way: one strong master password protects all the others, so you only have to remember one strong password instead of dozens, or, worse, one password used for multiple services.
There are some great free and low-cost products available. The most popular free one, LastPass (https://lastpass.com), at the time of writing allows multiple devices to sync so you can access your passwords on all your computers, mobiles and tablets (check what the free tier currently includes, as these offerings change). It also integrates with most browsers and will automatically generate a random password for each account, providing great usability.
If you are an Apple user, you can use iCloud Keychain for free; again, syncing across your other Apple devices is included and a Windows version is expected to be released shortly.
The browser’s built-in password store is a step up from reusing passwords, but it is not always strongly encrypted and, where it is, the key is usually tied to your device login rather than a separate master password. Anyone who can access your unlocked session, including malware running as you, can read every saved password, so given the choice prefer a dedicated password manager.
Useful resources: https://www.ncsc.gov.uk/section/information-for/individuals-families
2. Scams and Phishing
Phishing (via email, phone or SMS) and scams are everywhere. There is no avoiding them and, although tech companies are getting better at blocking them, they will always exist in some form. With that in mind, stay alert and work on the principle that every unexpected message is suspicious until you have proved otherwise.
Check the sender by hovering over or selecting the email address and make sure the domain belongs to the company the message claims to be from. For example, an email from Amazon would come from an address at one of Amazon’s own domains, not from a random or look-alike domain. Bear in mind that the sender address can itself be forged, so this check can rule a message out but never fully confirm it is genuine. Next check the content: does it make sense? If it references a bank, do you even have an account with them? Scammers almost always use fear or excitement to override your rational thinking and get you to enter details or click a link before you realise it is a scam, so take your time.
Finally, almost all scams and phishing messages are trying either to get your account details for a service or to get you to send money, directly or indirectly. If you are ever in doubt, contact the organisation the message claims to come from using a known safe route, such as the phone number or email address on its official website or the number on the back of your bank card, rather than replying to the message or clicking the link.
3. Keep your devices up to date
If you are using a Windows laptop or computer, make sure it is not running Windows 7 or Windows 8. Neither has received security updates for over a year (Windows 7 support ended in January 2020 and Windows 8 in January 2016; Windows 8.1 is still supported), meaning you are not protected from a wide range of threats. The good news is that an upgrade to Windows 10 will not cost you: search for “upgrade to Windows 10” to see if your device can run it (most can), as your Windows 7 or 8 licence is valid for the upgrade.
Windows 10 generally updates itself, but check: open the Start menu, search for “update” and select Check for updates. It will tell you when it last checked and whether you are up to date; if it has not checked for over a month, choose Check for updates and restart when asked.
For macOS, search for Software Update and tick “Automatically keep my Mac up to date”. Around once a year Apple releases a major version; this year it is “Big Sur”. Apple does not publish a formal policy, but in practice the two previous major versions also receive security updates, currently Catalina and Mojave. This can vary, so for the complete list see https://support.apple.com/en-us/HT201222.
For Apple mobile devices the cut-off also moves every year. If you have an iPhone 6 or older, your phone cannot run the current iOS and only receives occasional security fixes for the old version; the 6s and 6s Plus will reach the same point in due course. If your device cannot install the latest major iOS release, treat it as nearing end of support.
For Android it is more complicated because of the various vendors, but if your device is running Android Nougat (version 7.x) or older you will not be receiving security updates. Whatever the version, check the Android security patch level shown under Settings > About phone (the exact menu varies by vendor): if the date shown is more than a few months old, treat the device as unsupported.
If you have a device that can no longer receive updates, consider replacing it. If that is not possible, avoid using it for anything financial such as banking and online shopping; a device with no updates almost certainly has known security holes that would let an attacker access your data.
We hope this article has been informative and proves useful in helping you and your organisation stay safe against cyber threats.
If you would like to find out more about how we can support your organisation or how our services can support you, please reach out at info@i3Secure.co.uk or contact us.