Perspective: Why it’s the Perfect Time for a Security Intervention

The following article is taken from Dan Kaplan's excellent post at Trustwave.

2014 was a year of reckoning for IT and security professionals globally. Like never before, the crushing consequences of risky business behaviour, combined with continued hacker acumen, were hung on full display, for the world to see. And evidence of the fallout was everywhere: from high-profile vulnerabilities like Heartbleed and Shellshock, to innovative malware attacks such as Backoff, to devastating data breaches that brought household brands (and countless others that you'll never read about) to their knees.

At the rate things are going, 2015 is setting up to be even direr. No doubt, awareness of the threats has catapulted security onto the boardroom agenda, but the fact remains that most organisations are operating at some level of denial - somewhere between "It won't happen to me" and "We checked the compliance boxes, so we're good to go." At a point, however, businesses that have been making - and paying for - the same mistakes for the past five years must arrive at a collective awakening.

It can - and likely will - happen to you: Experts have been claiming for some time that data breaches are a when, not if, prospect. Yet they continue to happen, and responses remain poor - 71 percent of compromise victims don't even detect the breach themselves. Incident response and readiness, therefore, must become a priority. Invest, test the plans regularly and get everybody on board with them.

Your perimeter is dead: Mobility and BYOD are king, and the whole notion of the "internet of things" is just as real for the business environment as it is for the home consumer. Increasingly, devices are internet-connected, and it's critical to understand which systems are trying to connect to your network. Also, mind your outsourced suppliers. Vendor risk management is more important than ever.

How safe are your staff devices? At present 60 per cent of New Zealanders own a smartphone and/or tablet, and this percentage is expected to keep climbing. However, many people don't apply the same safety standards to smart devices that they would to their PC at home or at work, even though these devices store a huge amount of personal and work data. Here are some key precautions:

  • Use a complex PIN lock and treat it like your EFTPOS PIN, i.e. keep it to yourself so no one else can access your information
  • Use an antivirus app and make sure it's up to date
  • Install a "locate and lock" app so you can find, lock and remotely wipe your smartphone if it is lost or stolen
  • Back up your important information such as contacts, photos and documents - there are plenty of cloud storage options that allow you to do this
  • Use approved apps - not all apps are safe! Install apps only from the official Google, Microsoft and Apple stores

Only store information and files on your phone that you can afford to lose, otherwise store it somewhere else.

Advice from Daniel:


The world's gone mobile. Staying connected is cheap and it's everywhere and more people than ever want to - need to - work across a number of platforms and devices. Yet despite its benefits, working in this way can be a major security issue for employers if adequate device management isn't in place. Vertech now offers a Mobile Device Management service to take care of these issues so you can rest easy.

Additional advice from Jay:

BYOD or guest devices should not be able to access any internal network resources, because they can carry a virus and spread it to the office network. The WiFi for BYOD devices should be on a segregated VLAN that can reach the internet only and cannot see any of the internal network, so that the BYOD devices are isolated.
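The segregation Jay describes, worked through as an added example (this is not Jay's or Vertech's configuration). It models the guest VLAN's egress policy and renders the matching nftables ruleset. The interface name `vlan20`, the guest subnet and the gateway address `192.168.20.1` are assumptions for illustration; the only local services the policy lets guests reach are DHCP and DNS on the gateway itself, and everything else destined for a private, link-local or loopback range is dropped.

```python
"""Guest / BYOD VLAN egress policy: internet only, nothing internal.

Added example, not part of the original article. Interface, subnet and gateway
are hypothetical. IPv4 only; an IPv6 deployment needs equivalent ip6 rules.
"""
import ipaddress

# Assumed layout: guest WiFi on VLAN 20, router/firewall at 192.168.20.1
# doing DHCP and DNS for guests. Office VLANs live elsewhere in RFC 1918 space.
GUEST_IFACE = "vlan20"
GUEST_GATEWAY = ipaddress.ip_address("192.168.20.1")

# Block every private, link-local and loopback range, not just the office subnet,
# so a VLAN added to the LAN later is covered without touching the guest policy.
BLOCKED_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# The only services guests may use on the gateway: DNS. DHCP is handled
# separately because the initial request is broadcast, not addressed to the gateway.
GATEWAY_SERVICES = {("udp", 53), ("tcp", 53)}


def guest_egress_allowed(dst_ip, proto="tcp", dport=443):
    """Decide whether a packet from the guest VLAN to dst_ip:dport is permitted.

    Rule order mirrors the generated ruleset:
      1. DHCP (udp/67) is allowed so guests can obtain an address.
      2. DNS to the guest gateway is allowed.
      3. Anything else to a private/link-local/loopback destination is dropped,
         including the gateway's own admin interfaces.
      4. Everything else (the public internet) is allowed.
    """
    dst = ipaddress.ip_address(dst_ip)
    if proto == "udp" and dport == 67:
        return True
    if dst == GUEST_GATEWAY and (proto, dport) in GATEWAY_SERVICES:
        return True
    if any(dst in net for net in BLOCKED_DESTINATIONS):
        return False
    return True


def render_nftables():
    """Emit an nftables ruleset implementing the same policy.

    Transit traffic (guest -> office or internet) is decided in the forward chain;
    traffic aimed at the firewall itself (DHCP, DNS, admin UI) in the input chain.
    """
    blocked = ", ".join(str(n) for n in BLOCKED_DESTINATIONS)
    lines = [
        "table inet guest_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    iifname "{GUEST_IFACE}" ip daddr {{ {blocked} }} counter drop',
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f'    iifname "{GUEST_IFACE}" udp dport 67 accept',
        f'    iifname "{GUEST_IFACE}" ip daddr {GUEST_GATEWAY} udp dport 53 accept',
        f'    iifname "{GUEST_IFACE}" ip daddr {GUEST_GATEWAY} tcp dport 53 accept',
        f'    iifname "{GUEST_IFACE}" counter drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    for dst, proto, port in [("8.8.8.8", "tcp", 443), ("10.0.0.5", "tcp", 445),
                             ("192.168.20.1", "udp", 53), ("192.168.20.1", "tcp", 443)]:
        print(f"guest -> {dst}:{port}/{proto}: {'allow' if guest_egress_allowed(dst, proto, port) else 'drop'}")
```

Two things this ruleset does not do on its own: guest-to-guest traffic on the same VLAN never reaches the firewall, so client isolation has to be enabled on the access point as well, and the rules are IPv4 only.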

Your employees are mistake-prone: As advanced as threats may be, oftentimes they are meaningless until they are welcomed inside the virtual door of a business. That deed typically is done by an unwitting employee who, for example, uses an easily crackable password or clicks on a link or attachment that they shouldn't have. Social engineering ruses, like targeted phishing attacks and blended threats, are getting better at tricking innocent users, but one can't overstate the importance of a regularly refined security awareness program that receives executive-level support.

Advice from Mital:


Change passwords from time to time – employees don’t like it because they find it difficult to memorise the new password.

Customers often request that we disable password expiry or allow simple passwords; however, we strongly discourage this and recommend complex passwords (a mix of numbers, letters, upper and lower case and punctuation marks, at least 7 characters long) changed on a monthly to quarterly basis.

Top Password Tips:
* A good password doesn't have to be entirely random; you can create a memorable password out of song lyrics or three unusual words with substitutions, e.g. W@l1ays = We @ll live 1n a yellow submarine, or 6redPhone!
* Don't share passwords!
* When a person leaves the organisation, please contact us to remove or disable the account; we can give you options on how to retain access to that staff member's data and email. We can help you document a staff exit procedure.
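The complexity rule stated above (at least 7 characters with letters of both cases, numbers and punctuation), as an added example that is not Vertech's or Mital's code, written as a check function and paired with the check a practitioner adds alongside it: undoing common substitutions and comparing the result against a denylist, so that a dictionary word dressed up as "P@ssw0rd" is caught even though it satisfies every complexity rule. The substitution table and the denylist are small constructed samples; a real deployment would load a breached-password corpus.

```python
"""Password policy check: the stated complexity rule plus a substitution-aware denylist.

Added example, not from the original newsletter. DENYLIST and LEET_MAP are
constructed samples for illustration.
"""
import string

MIN_LENGTH = 7

# Common substitutions people make when "complexifying" a dictionary word.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Constructed sample. In practice this is a breached-password list plus the
# organisation's own name, product names and local terms.
DENYLIST = {"password", "welcome", "letmein", "qwerty", "summer", "vertech", "monday"}


def meets_complexity(pw):
    """The stated rule: >= 7 chars with lower, upper, digit and punctuation present."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def normalise(pw):
    """Undo leetspeak substitutions, lowercase, and drop anything that is not a letter."""
    base = pw.translate(LEET_MAP).lower()
    return "".join(c for c in base if c.isalpha())


def is_denylisted(pw):
    """True if the normalised password contains a denylisted word."""
    base = normalise(pw)
    return any(word in base for word in DENYLIST)


def check_password(pw):
    """Return (accepted, reason). Complexity is checked first, then the denylist."""
    if not meets_complexity(pw):
        return False, "fails complexity rule"
    if is_denylisted(pw):
        return False, "dictionary word with substitutions"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["W@l1ays", "6redPhone!", "P@ssw0rd", "Summer2015!", "short1!"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate:14} {'accept' if accepted else 'reject'}  ({reason})")
```

The two examples from the tips above pass both checks; "P@ssw0rd" and "Summer2015!" pass the complexity rule and are rejected only by the denylist, which is the gap the second check exists to close.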