The evolving threat landscape is putting organisations under pressure to address IT security at every level. Breaches, regardless of their severity, can be disruptive, costly and damaging to a business's reputation.
- Do you have monitoring in place with your IT provider to alert you to issues that could cause outages?
- Do they apply security updates/patches, and do they perform regular file restores?
- Does your organisation have industry-standard firewall hardware installed and correctly configured to the highest security settings?
- Does your organisation have anti-virus protection in place on all devices?
- Is this a managed service in terms of renewals and new activations?
Laptop/Mobile Device Encryption
- Recommended by GDPR as an appropriate way to achieve data protection goals, this is a prerequisite for all businesses with staff laptops/mobile devices. If you don't have encryption enabled on laptops/mobile devices, you should address this as a matter of priority.
Strong Group Policy Settings
- Are passwords set to change regularly?
- Are there screen-lock settings in place?
- Are staff advised about password complexity and not sharing passwords?
- Are restricted access levels in place for administration access?
Data & GDPR Compliance
- Do you know how all your data is stored, shared and remotely accessed in your organisation?
- Do you have retention policies in line with GDPR guidelines?
- Do you have a nominated data processor/controller?
- Do you have a process for a data breach?
- Do you have local/cloud backups activated in case of data loss? Does your organisation have a business continuity plan in place to make sure it can recover quickly from a disruptive event?
- Third-party applications, particularly those that are cloud-based, are especially vulnerable from a security perspective.
- Is Two-Factor Authentication in place for those products?
- Do users have separate passwords?
- Cloud-based email products like Office365 also need an extra layer of protection. Office365 offers Two-Factor Authentication as an added feature; make sure this is activated.
Mobile device usage and BYOD
- Does your organisation allow staff to have email on personal devices?
- Are there usage policies in place for mobile devices, and BYOD (Bring Your Own Device) policies for staff who use their own devices?
- Are files/folders held on individual machines or stored in a central location?
- It is good practice to advise staff not to store files/folders on individual machines.
- Do you communicate with staff about what to do if they get a potentially harmful file or if they think their machine has been hacked?
- Do you have controls in place within key functions like finance to question emails that relate to funds transfers?
- Have you ever performed internal/external vulnerability testing on your IP addresses?
- Does your organisation have Wi-Fi in place for staff and guest users, and are they separate so guests cannot get onto the internal network?