Russ Harvey Consulting - Computer and Internet Services

Security Policies

Protecting your computers & network


Wi-Fi is a Wi-Fi Alliance standard. WiFi is used to refer to generic wireless.

Be sure to read Security Basics because it introduces preventing unauthorized access and key elements of security upon which this page builds.

Now we live in a world that is strictly bounded by our capacity to understand it, by our ability to keep up with the pace of technological change, and to manage the new risks and security challenges that come with limitless storage capacity, limitless transmission capacity, limitless data mining capacity.

We are bounded by our own limited capacity to understand, to imagine the implications of data flow and data aggregation, and our ability to teach.
Privacy Commissioner of Canada

Creating a Security Policy

A security policy is strongly recommended because it will help employees understand the need for security. A security policy for your home is recommended for the same reason.

The policy should clearly indicate how security is managed as well as who is responsible (accountable) for those decisions.

User Responsibilities

The policy should specify which computers and devices may be connected to your network, how that connection is permitted and the responsibilities of those accessing the network in maintaining a secure environment.

Guest & Private Devices

A significant challenge is the use of personal devices on your network. I recommend restricting access to a “guest” network to keep potentially dangerous connections separate from your business computers and network.

Software Vulnerabilities

During the LastPass security breach the hacker was able to gain access to a secure server environment by exploiting a vulnerable piece of consumer software on a senior employee's home computer. This failure allowed the hacker to circumvent the security protocols and gain access to both the production environment and the customer password vaults.

Artificial Intelligence

The emergence of AI as a major factor in everything from operating systems to online services can no longer be ignored as a security factor. You need to assess the benefits and vulnerabilities in your unique situation and determine effective policies.

A Written Policy

A written security policy ensures that you cover all the necessary basics and clarifies responsibilities. It should be regularly reviewed to ensure it is current.

Requiring your employees and contractors to sign your security policy will help them realize their responsibilities to follow the policy as well as spell out consequences of failing to do so.

Taylor Pearson writes an excellent guide on how to write a standard operating procedure which can help in designing and writing your security policy.

A simplified policy for children is recommended, including age-appropriate restrictions on their access, so that bad decisions are less likely.

Security Policy Elements

Your security policy should contain at least these elements:

These areas are covered on this page and in other sections of this site. How you apply them depends upon whether it is a business or home environment.

Mobile Device Security Policy

Mobile devices are being used constantly in business but they are more vulnerable to loss, compromise and outright theft than traditional computers.

Mobile devices are commonly used to conduct company business, which can render them more susceptible to risk than desktop or even laptop computers.

Desktops are routinely stationary devices and laptops are harder to lose than smartphones or tablets, being more sizable.

In addition, the same social engineering, phishing and application/operating system vulnerabilities which plague desktops and laptops are just as applicable to mobile devices.
Tech Republic

Back Up Your Security Policy with Good Security

Besides the security policy, you need to ensure that you have purchased the best security and understand how to detect and avoid security risks.

  1. Protect your computers and devices with good quality security software that is updated regularly;
  2. Know how that security software operates so you're not fooled by fakes; and
  3. Learn about other security threats (including hoaxes) and how to respond to them correctly.

Security is Everyone's Responsibility

Ensure that your employees are trained to detect and avoid security risks.

The user is the point of greatest vulnerability, which is why a security policy is useful and necessary. Everyone who uses your Internet and devices has to take security seriously.

Major vendors like Microsoft are much more focused on meeting the needs of enterprise users than consumers or small business. Corporate solutions seldom fit within a small business environment.

Educate About Evaluating Risks

Ensure that everyone using your computers understands how to evaluate risks.

Phone calls from a “technical support” person saying that you have a problem with your computer are all SCAMS. Just hang up.

Fake warnings can come

  1. by phone;
  2. via a phishing email; or
  3. via a popup window containing a phone number.

If you provide a remote party with access to your computer so they can “fix a problem” you'll end up with an infected computer and a big credit card bill.

These are some indicators:

Family members and employees should be instructed NOT to respond to such ploys. If you're concerned, call the person that maintains your computers.

Access to Internet

There needs to be a policy regarding access to your home or business Internet (WiFi) in order to protect your network and the devices connected to it.

Recommendations

BEFORE you connect:

*NEVER access financial sites like banks, PayPal or shopping sites while on a network you don't control without using a trusted VPN.

Protect Your Network

In both homes and businesses the network provides access to the Internet but also can be used to share files and printers between computers and devices.

Vulnerabilities in either the network itself (e.g., the modem or router) or devices connected to it can lead to a compromise of your security.

Not only are computers, tablets, smartphones and networked printers connected to your network, but so are smart assistants (Google Home, Alexa, etc.) and “smart” devices that can be used to invade your privacy.

Older smart home devices employ obsolete security (e.g., short passwords on your 2.4 GHz WiFi).

Always change the default passwords on routers and similar equipment and turn off access to insecure devices.

Guest WiFi

Many current routers provide a separate “guest” WiFi so that visitors to your home or business can have access to the Internet without access to your network. You should still consider whether you want users to have access at all since you're responsible for any illegal activity on your internet account.

Free WiFi Presents a Risk

We're constantly on the go and want to remain connected but choosing an unsecured WiFi network could undo all that we've done to secure our computers and devices.

[W]hile access to free Wi-Fi is a boon for most of us, it's also a common attack vector (entry point) for cybercriminals. Beyond the specifics…consider that public Wi-Fi, by its very nature, is open and unprotected to allow anyone to access it.

That makes it vulnerable to hackers, and they have a variety of tools to attack devices on public Wi-Fi.
Check Point blog

Others on the same network could intercept information like passwords and confidential information using easily-available hacking software. Watch this YouTube video.

Captive Portals No Safer

ZoneAlarm infographic: “The risks of public hotspots: How Free WiFi can harm you”

You'll want to ensure that when devices are outside the home or business they don't leak confidential information or download malware that could infect your own network.

The log-in screens requiring you to agree to the WiFi network's terms in coffee shops and elsewhere are called captive portals. They are no safer than an open WiFi network, but give you the illusion of safety.

Captive portals can interfere with secure (HTTPS) sites, calling them “untrusted connections” which leads people to ignore such warnings in the future.


Protecting Business Computers

Business computers are found in the office, home offices and on the road for mobile employees.

Correctly assessing the risks and determining the best method of protecting these devices while allowing for the necessary out-of-office communications and access to company data is critical to ensuring that your confidential business information remains protected.

Engage leaders from across the organization — not just those within IT. Include people from different functional areas, such as human relations, marketing, operations and finance. Other players essential to this conversation are your lawyer and your accountant/auditor.
Inc.

You might also want to consider developing a business continuity policy to deal with business disruptions, whether from natural or man-made disasters.

Teach Security Basics

To protect your business, it is important that your employees understand both the risks as well as how to detect such attempts to gain access. They need to develop a security mindset.

Pause before clicking: Stop. Think. Connect.

Employees should be trained to be aware of the risks of unsafe practices.

Insider Threats

Be aware that your employees, as much as you trust them, can be the source of security problems either because of carelessness or deceit.

Some 12% of employees take customer details, health records, sales contracts and other confidential data when leaving a company, according to DTEX.
Tech Republic

You need to take into account what each person must have access to in order to do their job, but also the potential repercussions if someone were to exploit that access.

One such activity is the casual or intentional but unauthorized viewing of confidential files such as customer records. Not only is that illegal, but it can be a precursor to someone selling that information or setting themselves up in business using your client base.

Close Old Accounts

When an email or other account is no longer required (such as an employee termination), you should delete access to that account immediately. This was the method used to hack senior Microsoft accounts:

The Midnight Blizzard threat actor group used a technique called a password spray attack.

Password spraying is a brute force attack in which threat actors spam or "spray" commonly used passwords against many different accounts in one organization or application.

The threat of a password spray attack is a good opportunity to be sure that your organization is using multifactor authentication, keeping tabs on older lapsed and test accounts and running up-to-date SIEM software.
Tech Republic
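As an added illustration (not code from the original page or from any vendor it quotes), the following Python separates the spray signature described above, one source failing once or twice against many different accounts, from an ordinary brute force against a single account, and also flags successful logins to accounts that policy says should already have been closed. The log format, addresses and account names are constructed for the demonstration.

```python
"""Password-spray and lapsed-account detection over authentication logs.

Added example; not code from the original page or from any vendor it cites.
The log format, field names and accounts are constructed. A SIEM rule
expresses the same idea: one source that fails against MANY distinct
accounts, each only once or twice, is a spray, whereas a brute force
against one account shows many failures on a single user.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user result source_ip"
SAMPLE_LOG = """\
2024-01-12T09:00:01 alice   FAIL 203.0.113.7
2024-01-12T09:00:03 bob     FAIL 203.0.113.7
2024-01-12T09:00:05 carol   FAIL 203.0.113.7
2024-01-12T09:00:07 dave    FAIL 203.0.113.7
2024-01-12T09:00:09 erin    FAIL 203.0.113.7
2024-01-12T09:00:11 test01  OK   203.0.113.7
2024-01-12T09:00:13 frank   FAIL 203.0.113.7
2024-01-12T09:05:00 alice   FAIL 198.51.100.9
2024-01-12T09:05:02 alice   FAIL 198.51.100.9
2024-01-12T09:05:04 alice   OK   198.51.100.9
2024-01-12T09:30:00 bob     OK   192.0.2.44
"""

# Accounts that should have been disabled: lapsed staff and test accounts
# (constructed list; in practice this comes from HR/offboarding records).
LAPSED_ACCOUNTS = {"test01", "oldcontractor"}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ok": result == "OK", "src": src})
    return events


def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, max_fail_per_account=2):
    """Return {source_ip: sorted accounts} for sources showing spray behaviour.

    A source is flagged when, inside `window`, it fails against at least
    `min_accounts` distinct accounts while never failing more than
    `max_fail_per_account` times on any single one (the spray signature).
    A brute force on one account never meets the distinct-account floor.
    """
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_fail_per_account):
                if len(per_user) > len(flagged.get(src, [])):
                    flagged[src] = sorted(per_user)  # keep the widest window seen
    return flagged


def successful_lapsed_logins(events, lapsed=LAPSED_ACCOUNTS):
    """Successful logins to accounts that policy says should no longer exist."""
    return [(e["user"], e["src"]) for e in events if e["ok"] and e["user"] in lapsed]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("lapsed account logins:", successful_lapsed_logins(evs))
```

Run on the sample, the spraying source is reported with all six accounts it touched, the two failures against alice from the second source are not reported, and the login to the lapsed test account is listed separately.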

Access Restricted to “Need to Know”

Your policies should state that both a need to know and the necessary security clearance, based upon the job requirements, are mandatory before viewing such records.

Medical Data Valuable

Administrators have strict privacy rules about access to medical data.

Unfortunately, they have been less vigilant in protecting that same data against data breaches.

Entities such as hospitals, doctor's offices and urgent-care clinics are custodians of a wide swath of sensitive information.

Cybercriminals recognize the value of patient data, such as stolen health insurance numbers, to acquire medications and services.

Never before has medical data been so conveniently accessible by doctors, nurses and patients through devices such as smartphones, tablets, portals and health exchanges.

This dissolving perimeter results in efficiency wins and improved patient and health care delivery, yet these endpoints often lack basic security, such as access control, vulnerability management and encryption, making them prone to malfeasance and data loss.
Trustwave 2015

Phishing

Phishing is a form of spam using deceit to obtain financial and personal information.

Since 91% of all cyber attacks begin with a phishing email, taking steps to defend against phishing attack might be the single most important aspect of an overall threat defense plan.
DuoCircle

It is critical you ensure that employees can detect and avoid falling victim to phishing attacks.

When your employees fall victim to a phishing attack, your entire corporate network and brand is at risk. The cost can be stunning.
Vade Secure

Phishing has been the primary method of obtaining the necessary information to perpetrate hacking and the resulting data breaches.

The Equifax data breach, which exposed the sensitive personal information of nearly 146 million Americans, happened because of a mistake by a single employee
The New York Times (emphasis mine)

Most phishing attacks are aimed at small and mid-size businesses, up to 60% of which will fail within six months of a cyber attack.

More of these phishing emails are aimed at specific individuals based upon their function in the company, using trending subject lines that have proven more effective.

Some of these phrasings are standard day-to-day subject lines, but as one expert explained, “the attacker wants you to be moving too fast to stop and question if it's legitimate.” — Tech Republic

Vishing

Vishing (phone scams) is a form of phishing where only the voice is used to deceive.

The emergence of AI has made vishing far easier by replicating the voice of an authority figure such as one of the C-suite executives as LastPass found out:

LastPass revealed [April 10, 2024] that threat actors targeted one of its employees in a voice phishing attack, using deepfake audio to impersonate Karim Toubba, the company's Chief Executive Officer. [T]he LastPass employee didn't fall for it because the attacker used WhatsApp, which is a very uncommon business channel.

The use of audio deepfakes also allows threat actors to make it much harder to verify the caller's identity remotely, rendering attacks where they impersonate executives and company employees very hard to detect.

Europol warned in April 2022 that deepfakes may soon become a tool that cybercriminal groups routinely use in CEO fraud, evidence tampering, and non-consensual pornography creation.
BleepingComputer

LastPass was the target of two back-to-back breaches in 2022. The manner of the breaches and the failure to provide timely warnings resulted in my dropping my recommendation of LastPass and moving to Bitwarden.

Business Email Compromise

Be aware of the increasing use of business email compromise (BEC) to generate unauthorized payments; it is generally aimed at enterprise-level businesses.

While most BEC attacks arrive via email, SMS text messages are increasingly used for the same purpose.

BEC attacks are built on using social engineering to trick victims into transferring a payment to cyber criminals. Often scammers will pose as a colleague, a client, your boss or a business partner to make their request seem legitimate.
ZDNET

These attacks begin with specially-crafted phishing emails designed for the executives of the organisations being targeted.

These are designed to look like legitimate documents from DocuSign, but if the victim clicks on the malicious link, they're taken to what appears to be a Microsoft 365 login page. It looks legitimate and if the user enters their details, they provide the attacker with their username and password.
ZDNET

Review your policies and procedures to ensure that the authority to remit payments cannot be abused by BEC. The details will vary by the size of the organization, but email requests should require additional authorization (for example, confirmation through a second, independent channel) to protect against BEC.


More about phishing.

Patch Your Computers and Devices

Security patches and updates are inconvenient and time consuming. When things go wrong, you may wish you'd left things alone.

Software updates are the best method to protect your business from such attacks since they patch known security vulnerabilities.

You can avoid the sorts of cascading failures that resulted in the Rogers nation-wide outage by updating a non-essential computer first, then proceeding in the order of the least critical to the most, testing to ensure there are no issues after each upgrade before moving on. Additionally, consider using an IT consultant that can recover your equipment from such failures.

One person needs to be responsible for maintaining updates, whether that person performs all updates or is the person that ensures they are done. Don't forget that all electronic devices require updates.

Determining your risks and security procedures should include employees across your business. They may be aware of risks that you don't recognize. However, the final decision is yours.

[W]hile most Windows systems on a network should be receiving regular security patches to ensure they can't fall victim to attack, it's all too easy for the PoS terminal to be forgotten about.
TechRepublic

If you have employees working from home or road warriors, you'll need to ensure that their equipment is being updated as well. Your security policies should cover this requirement including how it is to be accomplished.

What About Employee Devices?

Employees may be accessing the Internet via their own devices, rather than company equipment. They may also find it easier to use those devices when working for you or while at home.

Employees use their work phones and computers for personal use, that's a fact. Yet, the reverse is also true, as employees can use their smartphones and computers at home for work as well. Doing either can potentially expose an organization's sensitive data to a breach.
ZoneAlarm

Both have security consequences since around 42% of all Android devices are said to not carry the latest security updates.

It is strongly recommended that employees use company computers and smartphones for business purposes only, and use their own equipment for personal use only. This is especially true when working from home or on the road.

The LastPass breach happened because a single DevOps engineer used a home computer with insecure software installed to access confidential client password databases. It took over six months from the first incident for LastPass to begin fully reporting the loss of both the development environment and customer vaults, and to reveal that many vaults were underprotected. That gave the malicious actors six months to work on the stolen customer vaults offline before subscribers were aware of the risks.

A software engineer's corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets.

The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
LastPass Security Update

Use Current and Appropriate Software

Software, including operating systems, generally has an expiry date. Vendors release new versions and end support for previous ones. In some cases the vendor may not explicitly state that software is unsupported, but may list system requirements that are themselves no longer supported (e.g., an unsupported version of Windows).

Depending upon how critical the software is to your business, running unsupported versions can place your business at risk. The following example is specific to Microsoft Office for Mac, but similar risks exist for other business software:

After Oct. 13, 2020, the lack of support for Office 2010 and Office 2016 for Mac means that using those applications in your business or organization could be construed by courts and regulatory agencies as negligence — possibly criminal negligence. The kind of negligence that leads to fines, penalties, incarceration, and bankruptcy.
TechRepublic

More about choosing software.

Enterprise Protection

Larger businesses face different risks and the solutions may require Managed Security Services which are run remotely.

Working From Home

Working from home grew from about 10% of workers to 40% or higher in some instances during the pandemic. For many, this may become permanent, requiring a revision of the security policies and changes to how equipment is paid for and managed.

This is a balancing act that requires understanding the differences between the requirements of executives and those earning much less while ensuring the protection of the business assets.

Employee Considerations

Working from home has ended the commute for many employees, but it has also made it harder to separate their work and home life.

Adobe reports that employees are juggling longer hours and struggling with work-life balance.

Business Considerations

Employers must think differently about security and other IT considerations. Many of the rules for protecting the business are based upon at least the majority of employees being based on the business premises.

For employees, it's a change in routine and locale, but for businesses, it's much more than that — every company has far more to consider.
Tech Republic

Consider the nature of work performed and liability issues (does worker's compensation apply?) and the ability to fit the work environment into a home setting if the person is living in a small one-bedroom apartment or condo.

Who is going to pay for the internet access, and is it secure? Probably not if it isn't part of your company VPN; and personal use on that same connection may also compromise your security.

Password Policies

While password policies are something that every business needs to implement, they need to be tempered with the reality of how passwords are usually generated in the real world, and with human nature.

The NCSC says that websites and employers who try to enforce complexity requirements (and those who make users change passwords regularly) may be doing more harm than good. That's because the ways users try to meet these requirements while still remembering a password are highly predictable.
Infopackets

When employers expect users to generate their own passwords, those passwords tend to fall into patterns that are known to hackers. Combined with a password policy that requires frequent password changes, your security tends to worsen rather than improve.
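An added example (not the page's code nor NCSC's) of a password acceptance check that follows this advice: no composition rules, just a length floor and rejection of the predictable workarounds users reach for when a rule demands a digit or symbol. The denylist, season/month list, keyboard walks and substitution table are illustrative assumptions, not a complete corpus.

```python
"""Password acceptance check built on the NCSC argument quoted above.

Added example; not the page's code and not NCSC's. It deliberately enforces
no composition rule (upper/lower/digit/symbol). Instead it rejects what
users predictably produce to satisfy such rules: a common word with leet
substitutions and a digits-plus-symbol suffix, a season or month plus a
year, keyboard walks and repeated characters. Lists below are illustrative;
a real deployment would load a breached-password corpus.
"""
import re

MIN_LENGTH = 12

# Illustrative denylist (constructed); checked after undoing substitutions
# and stripping the suffix, so 'P@ssw0rd2024!!' is tested as 'password'.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin", "monkey"}

SEASONS_MONTHS = {"spring", "summer", "autumn", "fall", "winter",
                  "january", "february", "march", "april", "may", "june", "july",
                  "august", "september", "october", "november", "december"}

KEYBOARD_WALKS = ("qwert", "asdfg", "zxcvb", "12345", "98765", "1qaz", "qazwsx")

# Substitutions users make to satisfy "must contain a digit/symbol" (assumed set).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

# Word part, then up to 6 digits, then up to 2 symbols: 'Welcome', '2024', '!'
SUFFIX_RE = re.compile(r"(.*?[A-Za-z@$!])(\d{0,6})([^A-Za-z0-9]{0,2})")


def split_suffix(pw):
    """Split 'P@ssw0rd2024!!' into ('password', '2024', '!!'); None if no word part."""
    m = SUFFIX_RE.fullmatch(pw)
    if not m:
        return None
    word, digits, symbols = m.groups()
    return word.lower().translate(LEET), digits, symbols


def check_password(pw):
    """Return (accepted, reason): a length floor plus predictable-pattern rejection."""
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    low = pw.lower()
    parts = split_suffix(pw)
    if parts:
        word, digits, symbols = parts
        if word in COMMON_PASSWORDS:
            suffix = " with a predictable suffix" if (digits or symbols) else ""
            return False, "common password" + suffix
        if word in SEASONS_MONTHS and digits:
            return False, "season or month plus a year"
    if any(walk in low for walk in KEYBOARD_WALKS):
        return False, "keyboard walk"
    if re.fullmatch(r"(.)\1+", low):
        return False, "repeated character"
    # No character-class rule: a long multi-word passphrase passes as-is.
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!!", "Summer2024!!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```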

Password Manager Required

That is where a password manager comes in.

Products like Bitwarden will generate random passwords and save them securely, even in cross platform business environments. LastPass can change the passwords for the various accounts it is protecting, making the practice of frequent password changes safer.

Because you only need to remember one password (the one that protects your LastPass account) you're less likely to repeat password patterns. Combine that with password memory helpers to create a safe and memorable LastPass password, and your security is increased.

Browser-based password managers, while convenient, are not secure nor do they allow the use of passwords across devices without using an online service (many of which are not reliable or secure).

Reliable Backups Critical

Business data is now primarily electronic. Much of the old paper tracking has been replaced with PDFs, e-Transfers, PayPal, online shopping carts, accounting programs, etc. The few remaining paper documents would likely be unable to recreate your business if all your electronic documents were wiped out.

According to an industry study by The Diffusion Group, who surveyed small business organisations, 60 percent of companies that lose their data close down within six months of the disaster and a staggering 72 percent of businesses that suffer major data loss disappear within 24 months.
Workspace

Around the world, IT professionals reported a 6% increase in data loss leading to downtime compared to 2020. That's an 18% increase over our 2019 findings. Similarly, personal IT users reported a 5% increase in permanent data loss over 2020 and an 8% jump from 2019. Despite all of the new technologies put in place, this problem isn't going away. In fact, it's getting worse.
Acronis

You'd need to be able to get up and running in as short a time as possible. Delays could damage your credibility and reputation. Complete and accurate backups are critical.

Restrict Access

You need to restrict access to business computers:

When your employees fall victim to a phishing attack, your entire corporate network and brand is at risk. The cost can be stunning.
Vade Secure

As more people work from home, poor security practices can place your business at risk. Your IT specialists aren't within easy reach and no one is ensuring they are following prescribed policies.

Employees found to be negligent in protecting their employer's security may find it affecting their future employability.

One creative alternative is Menlo Security's Secure Web Gateway:

For companies that don't want to isolate all web traffic, we are providing greater ability to specify which users or categories of websites to isolate.

For example, we can now automatically isolate any web service that was created with software known to be vulnerable to hacking, such as unpatched versions of WordPress and Drupal. End users don't even realize their web sessions are actually occurring on our platform rather than on their PCs.

With our new "Isolate and Read-Only" capability, administrators can allow employees to access — but not interact on — webmail and social media sites. That way, they can't be tricked into providing credentials to clever phishing scams.
Menlo Security blog

Increase Your Security Budget

Why cyber security training is crucial for your business

Corporate and business information technology (IT) departments are seriously underfunded, and a significant number of employees aren't concerned about the effect their lax security habits could have on the company.

Saving money on IT security may benefit you in the short term, but could cost you a great deal in the long term. You could lose your company's credibility if you're hacked and lose critical business information or suffer a data breach revealing your customer database.


Protecting Home Computers

While this section primarily discusses computers, people are increasingly accessing the Internet over tablets and smartphones as well as smart devices like Google Home and Alexa.

Protect the Integrity of Your Devices

Protect the integrity of your computers and devices by restricting access.

Reliable Backups Critical

So many of our transactions today are electronic. Our bills come via email or are provided online. Think of the monumental task of recreating your financial history of the last year at tax time if you were to lose everything on your computer.

Then there's your collections of photos, music, videos and personal documents, many of which are irreplaceable.

Complete and accurate backups are critical.

Working from Home?

Working from home can include self-employment or working for an employer.

Because you'll be spending about a third of your day in your new home office, be sure to acquire the necessary equipment to make it work for you.

Working from home creates its own policy requirements, including privacy and security:

While working from home can be challenging, a policy can help your family understand the necessity for being undisturbed during working hours.

We're Not Alone

Keep in mind that others in your home have their own requirements such as homework. Accommodating those can go a long way to garnering acceptance. If you're unable to schedule Internet use, you may need to increase your bandwidth so that everyone can get adequate access.

Restrict Children's Access

Your children should not have full access to devices they use, including the ability to install or remove software. This includes:

You are legally liable for any computers and devices as well as the Internet access you provide no matter who uses them. Downloads of illegal or unauthorized copyright material could result in very large fines.

Protect Your Children

Children are curious and often more comfortable with technology than their parents. It is important that you monitor their activities for their own protection.

Kids may latch onto connected tech quickly, but that doesn't mean they know how to use it safely without guidance from the adults in their lives.
PCMag

Most computers come with Windows or macOS pre-installed, and the initial account runs with administrator privileges. Add an account with lesser privileges to protect both the computer and your children.

Windows offers Family Group with features to protect your children.

A Family Security Agreement

A family security agreement (or policy) should be in language everyone can understand and agree with. That will depend upon the ages of the children.

Mozilla developed The Super-Official Family Tech Agreement to help families talk about security. It's a great place to start conversations about appropriate behaviour online.

Separate Computers for Schoolwork

The computers or devices your children use for their schoolwork should be separate from the one where you do your banking, pay your bills, keep health records, etc. Many schools employed tracking software (“anti-cheating” software) during pandemic lockdowns. None reveal everything about how they work or what they collect.

Interactions on Facebook and elsewhere could reveal your private information. Protect your privacy by removing the temptation and ability of your children to share such information inadvertently.

Educate Yourself

You have the right to choose what is appropriate for your children.

You'll need to learn more about how children are exposed to unwanted material online and how you can protect them.

It's important to know what threats kids are facing so that you can have the right conversations and implement the precautionary measures. It's also hugely important to set some fair and effective ground rules for how your kids use the internet.
17 rules to protect my child online


Servicing Computers

It is important that anyone servicing your computers is knowledgeable and trustworthy.


RussHarvey.bc.ca/resources/policies.html
Updated: September 10, 2024