Okay, if you’ve read part one of our security tips, you’ve got your password manager in place, your employees understand passwords vs. passphrases, and your multi factor authentication is cheerfully showing anyone to the door who wasn’t invited to the party.
But you’re not out of proverbial woods yet.
Let’s talk about three more basic security features your business needs to protect itself during Covid-19 and beyond. These are especially important when you have employees working from home on their own networks and, possibly, their own computers (yikes, as security guys, it’s really hard to even type that sentence). But it’s our new normal, and we have to face it.
Patch Your Apps. Here is a fact that is horrifying, but true: most people do not run regular updates. The prompt comes up and they automatically hit “later” or dismiss it altogether. Why? Because running updates interrupts their workflow and because sometimes it breaks things. Maybe those are justifiable reasons to some, but they end up sounding more like excuses when you realize that, outside of password hacking, the next most common way to get compromised is by not loading patches to your OS and apps.
Why is not patching apps so dangerous? Here’s something you may not know– when a new update for a major piece of software comes out, attackers immediately take those patches, break them down, and exploit them. To them, the patches are basically blueprints for the vulnerabilities of the last version. The worst attacks we’ve seen were on computers where the new updates had been out for a couple of months, but were never loaded. If you don’t load the patch, you are a sitting duck.
In a company with an IT department, the IT people would do this for you. But at home, it’s going to be up to individual employees (with prompting from IT staff or leaders) to protect their apps and therefore their data. The best way to do this is to set the apps up to automatically update. Then you never have to think about it again, which is what most busy working people prefer. If you can’t do that, check to be sure you’re running the latest version of all the apps you use, and the next time the prompt comes up for you to update, for the love of everything you hold dear, please just say yes.
A couple more thoughts on this:
- If something is going to break it’s usually an older or legacy app. Your IT staff can help with this.
- Updates usually require a restart, which is why many people don’t want to run them. There is a dark underbelly of users out there who like to leave a lot of apps open, especially browser tabs, for example, and they will only close them out under duress. For those people (you know who you are), we would like to introduce our friend Control-Shift-T. This little shortcut will bring back all of the tabs you had open before you last closed your browser. You’re welcome. Now, please go run that patch. Like right now.
Use Native Apps. Here is another thing that gets a lot of people in trouble– they receive a file, say a video, and they don’t have the software on their computer to watch it, so they do a quick search and download the first random executable that shows up. This is akin to needing a babysitter, looking out the window, and hiring the first person you see. Terrible idea, right?
Users need to make sure that the programs they are running are trustworthy. Luckily a lot of the bigger companies, like Microsoft and Apple, have rolled some of these into their OS (Windows has a built-in FTP client, for example). Another bonus to this is that when you run OS patches, these applications get updated as well. Hallelujah!
If a first party option isn’t available, users need to know how to find a reputable third party app. Do they recognize the name of the app? For example, Adobe is probably okay but Adoppe isn’t. Is it free? Not all free apps are bad, but remember, they are free for a reason. It might not be malware, so to speak, but it might be to advertise incessantly to you and also share your contact info with other people who want to advertise incessantly to you and maybe give you malware. Something to think about.
Don’t run your computer as Admin. This is the most difficult security barrier for people to overcome because it takes the most technical skill. When you get a new machine, you are usually set up as the administrator on that machine. This is good because you have All The Power. It’s also bad because, if you click on something you shouldn’t have and end up downloading malware, now the malware is logged in as Admin and it has All The Power, too. See the problem?
The safest thing to do is to set up a second non-admin account and use that one on a day-to-day basis. That way, if you accidentally run a program you shouldn’t, recovery is easier because you can nuke the account. If you ever need to use your admin capabilities, you will have the small inconvenience of having to log in with your admin credentials, but honestly those times are going to be few and far between. It’s worth it. The only time you’ll be truly inconvenienced by this is if you have an older app that doesn’t like to run unless it’s run as a local admin. Again, this is rare. Do yourself a favor and set up a second account so that you are not constantly dangling the keys to the kingdom.
Watch out for Macros. Lastly, let’s talk about the evils of macros. Macros are tiny little programs running inside of a document that you think you can trust. Let’s say someone emails you a Word document. A message tells you that if you want to see the content, you have to enable macros. You click “enable” and the hounds (malware) are released.
We are here to tell you that the majority of people don’t need to run macros. In fact, most users can go into settings and just disable macros altogether. Macros are really only needed when you are doing complicated tasks in Excel or maybe running a mail merge in Word. Other than that, a macro is a huge red flag.
The truth is you can protect your business and your employees from most cyber attacks with these relatively simple work modifications and a little bit of education. To learn more, watch our video on Cybersecurity. Solarity also offers courses on IT service management, risk management, and more.
About the Authors
Wes Allen and Don Garrison, Solarity Senior Security Analysts
Christy Swift has been a writer and correspondent in the United States and Canada for over 10 years. With a degree in English and technical writing, she has a knack for making complicated subject matter digestible and even tasty. Christy regularly conducts research into the latest trends in project management to provide the Solarity Group with engaging content for its website and e-newsletters.
Our mission is to help people, organizations, and communities THRIVE! Our broad range of experience and knowledge in a range of different industries allows us to customize our approach to fit the situation. We work in total partnership with our clients to understand their business needs and the current environment, and then match the right amount of process to meet the culture and the project.