Lightweight IT Security Policy for small and medium companies
Small and medium companies often have trouble formulating what they expect from their employees with regard to security. On the one hand, they often realise it’s important as information security is often in the news nowadays. On the other hand, hiring expensive consultants is often overkill for these companies, as are the rigid security rules these consultants often like to introduce. Being small and nimble is one of the main advantages of SMEs, so what’s needed is a pragmatic approach.
This is the advice I often give to clients that want to expend 20% effort to get 80% results. The right place to put these “rules” is somewhere you can refer to easily (ad valvas, on the intranet,…) and in the information package you provide to new hires.
It is also a good idea to find someone in the team with a bit of an interest in security and officially make security a part of his or her role. This person would then function as a point of contact for security-related questions and help others, for example to spot phishing attempts.
IT Security Guidelines
Above all, we’re counting on you to be responsible professionals and keep in mind:
- Be aware that your computer is the key to your kingdom. It contains accounts where you’re authenticated, saved passwords, sensitive documents,… Make sure you take care of it appropriately.
- Look out for phishing emails. When something seems too good to be true, it often is. If possible, avoid clicking on any links in a suspicious email, not even to verify if the email is malicious. Instead, report suspected email to “email@example.com” (an address you provide, managed by the security officer mentioned above). Learn more about how to spot phishing on safeonweb.be.
- Please don’t reuse passwords. For example: don’t use the same password for LinkedIn as you use for your company accounts. Passwords often are stolen from public sites and the bad guys do try to use them for other accounts. Don’t make it easy for them! Additionally, use 2-factor authentication if possible (that means: if a site allows you to use a password and sends you a challenge via sms, please opt in to that).
- If you can, use a password manager. Let it generate complex and different passwords for different services. By the way, did you know that “passphrases” are often better passwords than complex but shorter passwords? For example: “The Horse is Yellow!” is considered a better password than “xAbD45O”, it’s also easier to remember. Here’s a great explanation:
- Enable full-disk encryption on computers and laptops. That way, when they are stolen or lost, criminals cannot read the content of your hard disk.
- Try to avoid copying sensitive (or any) data to USB keys. These are too easy to lose; a lot of data has been leaked exactly like this. Instead, try to use other ways of sharing data, like a common share internally or a password-encrypted zip via a file-sharing website externally. If you do the latter, make sure to share the password via another channel (for example, SMS).
- Keep your computer up to date. Apply those updates and don’t use old, unsupported versions of software. Yes, those updates might be a pain sometimes, but there’s a reason they are created.
- On Windows (and Android), try to use antivirus software. Make sure to schedule a regular full scan (for example: once a week) and update the “virus signature” database regularly. The database is how the antivirus recognises new viruses; if it hasn’t been updated, the newer viruses will still be able to get to you.
- For any questions or concerns about security, or to report a possible issue, contact the person you made responsible for security (see above).
- Lock your computers and devices when unattended, even for a minute.
A note about wifi
The office wifi is another weak point. Try to do at least the following:
- Check your router and make sure your wifi is encrypted with at least “WPA2” or “WPA-PSK”. “WEP” or “WPA1” (sometimes just called “WPA”) are insecure methods of encryption; don’t use those.
- Be very careful with sharing the wifi password with visitors. Actually, I recommend never doing this. A better idea is to have a separate guest network for those visitors that do need internet access.
- Choose a wifi password as described in point 4 above. If it helps, you can be a little silly and have fun with it: “Dave still has to bring birthday cake!” is perfectly valid!
- Don’t use Wi-Fi Protected Setup (WPS). There have been some serious security issues with it. This one is particularly tricky, as it’s enabled by default on many routers.
Backups, backups, backups
When things have gone wrong, having backups is a life saver! Alas, most of us don’t have any…
I’m going to assume for a moment that we’re all in agreement on the importance of backups. There are 2 basic strategies:
- Copy your important files to a second storage device. Pro: quick, and easy to restore one file. Con: you might miss some important documents and you might have to reinstall your operating system.
- Make a copy of your whole hard disk. Pro: easy to restore from scratch. Con: it might take longer to take a backup.
Both options are definitely better than having no backups. Whichever option you choose, it’s important that you:
- Make backups regularly (say, once a week). Make them part of your schedule to make sure you won’t forget.
- Make the backup to storage that isn’t connected to your computer (for example, a USB drive) and store it somewhere safe. Making a backup to a connected network drive is not recommended, as there’s ransomware out there that will also destroy any files on connected drives. Dropbox, Google Drive and others are also vulnerable to this.
In case you choose the second option, here are the steps to make a proper backup: How to back up your computer
Helping people adhere to these guidelines
The best way to make sure these guidelines are followed is to explain why they matter. If they don’t know how to do everything, make sure to help them out.
Additionally, it’s a good idea to prepare a small checklist to verify that people follow the guidelines. Items like: “Do you have all updates installed?” and “Is your antivirus still up to date?” are good candidates for this list. Periodically go around the office (say, once a month) with this list. Try to act more like a coach than like a policeman. When you find someone not following the rules, use the opportunity to again explain why they matter and help them to configure their systems correctly. This will show you care and people won’t be afraid to approach you with their questions around security.
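The checklist questions above can be answered by a short read-only script that the security contact runs on each Windows PC during the monthly round. This is an added example, not part of the original guidelines. It assumes BitLocker for disk encryption and Microsoft Defender as the antivirus; the 3-day signature threshold and the `Add-Check` helper are choices made for this example.

```powershell
# Added example: read-only checklist for one Windows PC. Run in an elevated PowerShell.
$MaxScanAgeDays      = 7   # guideline: full scan once a week
$MaxSignatureAgeDays = 3   # assumption: the guideline only says "regularly"
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check($Name, $Ok, $Detail) {   # hypothetical helper, records one checklist row
    $results.Add([pscustomobject]@{ Check = $Name; OK = [bool]$Ok; Detail = $Detail })
}

# Full-disk encryption (assumes BitLocker on the system drive)
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Check 'Full-disk encryption' ($vol.ProtectionStatus -eq 'On') "BitLocker protection: $($vol.ProtectionStatus)"
} catch {
    Add-Check 'Full-disk encryption' $false "BitLocker query failed: $($_.Exception.Message)"
}

# Antivirus (assumes Microsoft Defender)
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Check 'Antivirus active' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) "Real-time protection: $($mp.RealTimeProtectionEnabled)"
    Add-Check 'Signatures up to date' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "Signature age: $($mp.AntivirusSignatureAge) day(s)"
    # FullScanAge is a very large number when no full scan has ever run, so that case fails too
    Add-Check 'Weekly full scan' ($mp.FullScanAge -le $MaxScanAgeDays) "Days since last full scan: $($mp.FullScanAge)"
} catch {
    Add-Check 'Antivirus' $false "Defender query failed: $($_.Exception.Message)"
}

# Pending updates, asked of the Windows Update Agent
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates.Count
    Add-Check 'Updates installed' ($pending -eq 0) "$pending update(s) pending"
} catch {
    Add-Check 'Updates installed' $false "Update search failed: $($_.Exception.Message)"
}

$results | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.OK })
if ($failed.Count) { Write-Host "$($failed.Count) item(s) to walk through with the user." }
```

A failed row is a prompt for the coaching conversation described above; machines that use a third-party antivirus or another disk-encryption product will show a failed query and need a manual check.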