General security advice from Weald.

Please note that this does not cover every possible security risk and solution – it’s a prompt based on our experience.

All users

Do NOT open attachments from unknown sources. If in doubt send it to IT to check first.
If unsure, just don’t open it. If it looks wrong, it probably is wrong.
Know your suppliers, look out for invoices from them – but don’t accept from anyone else.
Know your own voicemail system – don’t open email voicemails that are not from yours.

Middle man attacks:
Do NOT accept “internal emails” that say transfer money here and there – have a proper procedure.
If someone asks you something unusual involving a bank transaction, stop and query it.
Examine the sender domain, i.e. wealdcomputer.com instead of wealdcomputers.com.
Be aware your internal emails can be compromised and may appear to come from your manager.
If the language of the email looks wrong for the person who sent it, it is probably spoofed.
Consider using 2FA – 2 factor authentication.  This is where you have to say yes or enter a PIN from your mobile phone.

General and ransomware type:
If you click something dodgy, TURN THE COMPUTER OFF – press the button until it goes off.
Get someone to check it – Do not turn it back on, take it to an expert to examine and deal with.
Don’t browse to dodgy web sites, or if you must do it at home and use a tablet, not your windows PC.
Do NOT connect to work with your home computer that has been used for ‘leisure’
Do NOT let your kids use your WORK laptop for playing games and internet browsing.
Be aware that Word and Excel documents are not automatically safe, they can run Macros.
Do not assume your AV or Malware package will stop the modern viruses, it possibly will not.
Do use complex passwords with special characters and preferably >=8 characters long.

Do NOT set up personal email accounts on work computers.
Do some PHISHING TESTS – Spear phishing is now probably the most common security compromise.
https://www.opendns.com/phishing-quiz/
https://www.sonicwall.com/phishing/phishing-quiz-question.aspx
Management and those working in Finance.

Backup and DR testing is the way to recover, make sure it works, have a daily checking procedure

Do NOT use banks that do not use encryption devices to authorise payments.
Do NOT use unchecked payment batches.
Do back IT to enforce a password policy, possibly use 2FA too.

Where possible, do NOT habitually use “faster payments”. These are not reversible.

HMRC, PAYE etc DO NOT send you emails about refunds.  Don’t click to get a refund.
Your BANK will probably not email you, or if they do it will come from a known account manager.

Do worry about ‘leavers’ and have a leavers procedure.  Having lots of ‘active directory users’ present increases risk, even if you have changed the passwords.  Don’t have generic AD accounts with easy passwords.  This may be web accessible via Outlook Web Access.  This is a way in.

When out of the office, be aware of “SHOULDER SURFERS” – they exist on trains!

IT People
IT People: Consider blocking all attachments except PDF – it might be hassle but the returns are great!
IT People: Do not allow the use of PPTP pass through (1723) – use an SSL VPN instead.
IT People: Use account locking on password attempts – 3 or more ?
IT People: Do have a 90 day change policy on passwords.
IT People: Look at implementing 2FA on 365 – it works well.
IT People: set up user education and testing.
IT People: Look at device encryption for your mobile workers
IT People: Look at MDM – mobile device management
Do not use open RDS connections for remote access (3389)
Do disable accounts on the server that you do not recognise. Disable first, ask later.
Do consider two factor authentication for any web accessible systems.