Cyber Security is a key aspect we need to look at in today’s connected world, from our children finding entertainment on YouTube to major businesses transferring billions over the internet. Often overlooked is who has access to what?
An IT Department / IT Company is often trusted with secure passwords to access all their systems, this is fine but you should have checks in place to make sure a single employee doesn’t control access. Such as in a case in the USA, a college fired an employee and the password was then held to ransom for $200,000.
We provide some guidelines to follow below.
Make Sure No Personal Addresses Are Used As A Recovery Option
A recovery method is essential incase of forgetting passwords and somehow not having access to a stored password or in the case of a Cyber Attack causing the password to be changed. In the case of the linked story above the employee had his personal email as the recovery address, for a while Google said no to resetting it due to their policy.
Make sure the recovery address is linked to the organisation, even if it is a throw away email address not associated to the domain (recommended) you should ensure the policy does not allow the use of personal e-mail addresses.
Unique Passwords For Every Site
This sounds obvious but the amount of people even in the tech world that use a variation of the same password. We went to help someone recently that had 1234 and changeme in their password, clearly left as a placeholder to encourage the user to change it but this was their only password on multiple machines.
Regardless of how complex your password may be it needs to be unique, the reason is simple if a site was breached and passwords leaked if you used one password that was complex that password would then be out in the open for all to try.
Make Sure The CEO/CFO Have Access To Passwords
You don’t want any IT company to hold all the keys to your kingdom, best practices is to have the main password locked away in a safe so if an employee leaves, is fired or if an IT company goes out of business then you won’t be locked out of your crucial systems.
For example when we encrypt systems we set a unique key, this is stored in a secure place that our clients can access as without this key then recovery is impossible.
Security Awareness Training
Keeping staff clued up on what to do can make the difference between your company making the right steps towards a secure environment and staff accidentally opening up the doors to a breach. With GDPR if such a breach occurs you have to report it to your customers and the Information Commissioners Office (ICO) as well as the potential fines it is not worth it.
Quite a few companies offer Security Awareness Training including CHTSI, look at booking a session with whoever you choose to use. The difference it will make to your staff will pay dividends to protecting your business.
“If you want to build security, avoid straining people to respect complex security tasks, but rather teach them to be vigilant and how to long for convenient and safe solutions.” Stephane Nappo
Need more help?
If you feel that you need assistance with putting your IT Security in order then reach out to us via the form below. We know IT so you don’t have to.