
Ken Seymour of KTS Computers in St Ives has offered the following tips for staying safe whilst online:

Ken’s Top 10 Security Tips
Everything in the list below is essential; it is in no particular order.


1) Patch, Patch, Patch. It does not matter if you own an Android, Chromebook, Apple
macOS, iPad or Windows device: all are vulnerable, and that is why the
manufacturers send out updates. Make sure your operating system is at the latest
version the hardware will support, and that the operating system is still supported by
the manufacturer. If it isn’t, buy a new device.
See https://endoflife.date/macos
and https://learn.microsoft.com/en-us/lifecycle/products/
This includes third-party apps like Adobe. If you can’t be bothered, see point 10, find
an IT company that can help, or use a purpose-built patching tool (talk to us for info).

2) Stop pretending you NEED to be an administrator of your computer. If you can
install a new program without typing a password, so can the website you just visited
that was hosting malware, and the link you just clicked on in that phishing email.
When setting up a new computer, the first user is always the Admin account and the
second is your day-to-day user account. macOS sorts this out automatically (you need to
type the keychain password to make changes), but on Windows computers it is down to the
user / owner to take responsibility and action this.
We recently had at least three people in the last week and a half phone up with malware
installed. Two of the three would not have had a problem if they had not been administrator of the device.

3) Passwords – are they unique? Make sure you are not using the same password
across multiple sites. That includes variations, so ‘Appletree1’ for Amazon and
‘Appletree2’ for Tesco is a bad idea. A good password is not a single real word; use
three words together (e.g. ‘TREE5random!7never’) to make it memorable.
Better still, use a GOOD password manager. Remember, songs get stuck in your
head; passwords don’t!
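To show why ‘Appletree1’ and ‘Appletree2’ count as the same password, here is an added example (not from Ken or KTS) that scans a constructed sample vault and flags identical, same-core-word and near-duplicate passwords across sites; the vault contents are made up for illustration.

```python
import re
from itertools import combinations

# Constructed sample vault (site -> password); illustrative values only.
VAULT = {
    "amazon": "Appletree1",
    "tesco": "Appletree2",
    "bank": "appletree!",
    "work": "TREE5random!7never",
    "gym": "TREE5random!7never",
    "shop": "Zebra9cloud#wind",
}


def core(password: str) -> str:
    """Reduce a password to its core word: lowercase, then strip leading and
    trailing digits and punctuation, so 'Appletree1', 'Appletree2' and
    'appletree!' all collapse to 'appletree'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_reuse(vault: dict[str, str], max_distance: int = 2) -> list[tuple[str, str, str]]:
    """Return (site_a, site_b, reason) for every pair of sites whose passwords
    are identical, share a non-empty core word, or differ by only a few characters."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(vault.items(), 2):
        if pw_a == pw_b:
            findings.append((site_a, site_b, "identical"))
        elif core(pw_a) and core(pw_a) == core(pw_b):
            findings.append((site_a, site_b, "same core word"))
        elif edit_distance(pw_a.lower(), pw_b.lower()) <= max_distance:
            findings.append((site_a, site_b, "near-duplicate"))
    return findings


if __name__ == "__main__":
    for site_a, site_b, reason in find_reuse(VAULT):
        print(f"{site_a} / {site_b}: {reason}")
```

Every flagged pair is one breach away from a second account being taken over, which is exactly the report a good password manager produces for you.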

4) Passwords – where do you store them? Password managers are good, as are
written down passwords. NEVER write down a password and store it with the laptop.
One of our clients recently had a laptop bag stolen; the thief smashed the back
window of the car. The password book, with ALL their passwords, was in the laptop bag:
game over, user lost. Again, a GOOD password manager can help alleviate this
issue. They also handle MFA (AKA 2FA, or multi-factor authentication) for you.
We use Keeper Security Enterprise internally, and a lot of our clients have this as
well. If you are a sole trader, you may find a yearly subscription to Bitwarden better. If
you are not running a business, there are free ones, but remember that you get the level
of support you would expect when you pay nothing.

5) Secure Email System. Many use Google Workspace or Office 365 for their email,
and that is great. But which email account is the administrator one? Actually, it is a
myth that a valid email account should be the admin account; the reality is that no valid
email account should be the admin account. If an email account is the admin account, and it
falls victim to professional cyber criminals, the business game is over: plan your
retirement.
For instance, on our ktscomp.co.uk domain email, our admin login has no associated
email account, and the login is not an @ktscomp.co.uk address.
Your profits will only be as good as your IT system in 2024.

6) Free Antivirus is only as good as the amount of money you pay for it; it is well worth the
extra to buy a GOOD anti-malware product, and get a business-grade one with a
company licence. Do not buy per computer, as per-computer pricing costs a lot more than,
say, a 5-user business licence. AVG is owned by Avast, which was bought out by
Norton (Symantec), so they are all pretty similar, and effective. However, they all use the anti-malware
product to sell you more stuff. Hence we have moved away from them to more
professional anti-malware companies, such as ESET.

7) Reliable Backup. Why? Should the worst happen (and it does: pipes burst, cars
break down, computer drives crash) you need to be able to restore data, fast. But
your data is on Google Drive / Office 365, so that’s fine, isn’t it? Microsoft and Google
make it clear that they are responsible for the service, not the data.
In November 2023, some Google Drive users experienced a bunch of recent files
vanishing from their cloud storage locker. See
https://www.tomshardware.com/software/cloud-storage/google-drive-users-are-reporting-the-loss-of-months-of-data

Microsoft states in their services agreement, section 6b, “they are not offered with a
guaranteed level of quality of service and all online services suffer occasional disruptions and
outages”, so yes, you need to back up cloud services too.
How do you know it works? Test it!
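“Test it” means actually restoring and checking the result, not just watching the backup job report success. The following added example (not KTS’s own tooling) runs a constructed backup-and-restore round trip on throwaway sample files, then hashes every file on both sides to prove the restore matches; it repeats the check after deliberately damaging the restore to show that a truncated or missing file is caught.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(source: Path, restored: Path) -> list[str]:
    """Compare a restored tree against the live data it should reproduce.
    Returns a list of problems; an empty list means the restore is exact."""
    src, dst = sha256_tree(source), sha256_tree(restored)
    problems = [f"missing: {f}" for f in src if f not in dst]
    problems += [f"corrupt: {f}" for f in src if f in dst and src[f] != dst[f]]
    problems += [f"unexpected: {f}" for f in dst if f not in src]
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario (sample data, not a real client's files): take a
    backup, restore it, verify; then damage the restore and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, backup, restore = base / "live", base / "backup", base / "restore"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "2024.csv").write_text("date,amount\n2024-01-05,100\n")
        (live / "notes.txt").write_text("renew domain in March\n")
        shutil.copytree(live, backup)      # the "backup job"
        shutil.copytree(backup, restore)   # the restore test
        clean = verify_restore(live, restore)
        # Simulate a partial or corrupted restore: one file truncated, one absent.
        (restore / "accounts" / "2024.csv").write_text("date,amount\n")
        (restore / "notes.txt").unlink()
        broken = verify_restore(live, restore)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", broken)
```

Point sha256_tree at the live data before the backup and at the restored copy afterwards; a non-empty problem list is the answer to “does it work?”.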

8) IT Documentation Is Essential In Business. We have one client who, after two
months, is still trying to find the right password to access the service provider’s domain
control panel so we can make the required DNS changes. Not only can they not get
the access, they did not choose a good provider and so can’t get support (see point
10).

9) Cybersecurity Awareness Training. This is not just for staff, but for owners as well.
Are you sure you can spot that phishing email, or that the staff can spot it, and should
a malicious ‘pop-up’ appear on the device, do they know what to do? Are they
scared you will fire them, so they sweep problems under the carpet? The human is
the last line of defence when the technology has let the threat through, so why
would you not invest to protect your business?

10) Don’t Do It All Yourself; use a reliable IT service provider. Yes, I have a vested
interest, but not the one you think. We hate charging large amounts of money to help
companies recover, not always successfully, from problems which could have been
solved quickly with a good backup, or prevented altogether with the right security
setup. We would much rather help prevent than have to resolve after the event.
And Google is not a solution: it has all the right and wrong answers on it, but how do
you know which one is which?
A good supplier means you have someone who knows your system, can support you
quickly if key staff are on holiday, and will give the correct advice, often faster than
trying all the options Google has to offer! (It does mean you have to ask, though!)

11) Ken’s bonus: how do you dispose of that old electronic equipment, which may still
have passwords and company data on it, including mobile devices? First, wipe it of
all data before taking it to the dump or recycling. How? Just ask KTS.

And yes, we know MFA is an absolute must, so why is it not on the list? Because most
companies are now enforcing it, so it has become ‘non-optional’. However, if you have not
done so, please make sure ALL cloud services have MFA enabled.