Helpful pointers on IT Security

Some helpful, if blunt, pointers about IT security.

IMPORTANT PLEASE READ
All users
Do NOT open attachments from unknown sources. If in doubt, send it to IT to check first.
If unsure, just don’t open it. If it looks wrong, it probably is wrong.
Know your suppliers and expect invoices only from them; do not accept invoices from anyone else.
Know your own voicemail system; do not open emailed voicemail messages that do not come from it.
Do NOT act on “internal emails” telling you to transfer money here and there; have a proper payment procedure.
If someone asks you something unusual involving a bank transaction, stop and query it.
Examine the sender domain closely for look-alikes, e.g. wealdcomputer.com instead of wealdcomputers.com.
Be aware that your internal email can be compromised, so a message may appear to come from your manager.
If the language of the email looks wrong for the person who supposedly sent it, it is probably spoofed.
If you click something dodgy, TURN THE COMPUTER OFF: hold the power button until it goes off.
Get someone to check it. Do not turn it back on; take it to an expert to examine and deal with.
Don’t browse to dodgy web sites, or if you must, do it at home on a tablet, not on your Windows PC.
Do NOT connect to work from a home computer that has been used for ‘leisure’.
Do NOT let your kids use your WORK laptop for playing games and internet browsing.
Be aware that Word and Excel documents are not automatically safe; they can run macros.
Do not assume your AV or anti-malware package will stop modern viruses; it probably will not.
Do use complex passwords with special characters, preferably >=8 characters long.
Do NOT set up personal email accounts on work computers.
Do some PHISHING TESTS. Spear phishing is now probably the most common security compromise.
https://www.opendns.com/phishing-quiz/
https://www.sonicwall.com/phishing/phishing-quiz-question.aspx
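A check for the look-alike sender domains mentioned above (wealdcomputer.com versus wealdcomputers.com), added here as an example and not code from the original page; the supplier allowlist, the edit-distance threshold and the sample addresses are assumptions constructed for illustration.

```python
"""Classify an e-mail sender's domain as a known supplier, a near-miss
look-alike of one (e.g. wealdcomputer.com vs wealdcomputers.com), or unknown.
Added example; the allowlist and sample addresses are constructed."""

# Constructed allowlist: the domains your known suppliers actually send from.
KNOWN_SUPPLIER_DOMAINS = {"wealdcomputers.com", "example-bank.co.uk"}

# Distance at or below which a non-matching domain is treated as a look-alike.
# Two edits catches a dropped letter or a swapped pair; raise it with care,
# because short unrelated domains will start to collide.
LOOKALIKE_THRESHOLD = 2


def fold_homoglyphs(domain: str) -> str:
    """Collapse common character substitutions so 'wea1dcomputers' and
    'wealdcornputers' compare equal to the genuine spelling."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("01", "ol"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the domain part of an address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return "known"
    folded = fold_homoglyphs(domain)
    for known in KNOWN_SUPPLIER_DOMAINS:
        if edit_distance(folded, fold_homoglyphs(known)) <= LOOKALIKE_THRESHOLD:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders: one genuine, three near-misses, one stranger.
    for sender in ("accounts@wealdcomputers.com", "accounts@wealdcomputer.com",
                   "billing@wea1dcomputers.com", "pay@wealdcornputers.com",
                   "offers@randomvendor.net"):
        print(f"{sender:32} -> {classify_sender(sender)}")
```

Treat both "lookalike" and "unknown" as reasons to stop and query before paying; the allowlist only tells you who you do expect invoices from.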

Management and those working in Finance.
Backup and DR testing is the way to recover: make sure it works and have a daily checking procedure.
Do NOT use banks that do not use encryption devices to authorise payments.
Do NOT use unchecked payment batches.
Do back IT in enforcing a password policy; security is the greater need.
Where possible, do NOT habitually use “faster payments”; these are not reversible.
Know that HMRC, PAYE and all those bodies do NOT send you emails about refunds.
Know that your bank will not be emailing or calling you; their service is not that good!
Do worry about ‘leavers’ and have a leavers procedure.

IT People
IT People: Consider blocking all attachments except PDF. It might be a hassle, but the returns are great!
IT People: Do not allow PPTP pass-through (port 1723).
IT People: Use account lockout after repeated failed password attempts (3 or more?).
IT People: Do have a 90-day password change policy.
IT People: Set up user education and testing.
Do not use open RDS connections for remote access (port 3389).
Do disable accounts on the server that you do not recognise. Disable first, ask later.
Do consider two-factor authentication for particularly sensitive data.