- Working devices – devices that are specific for work use
- Business systems – systems that are operated or managed by the organization
- Business systems accounts – the user accounts for business systems
- Personal accounts – the user accounts that are not for business systems
From a management perspective, you would like to achieve the following tasks:
1. Information Assets Management
Have in mind the systems we use, devices we have and user accounts we manage. It is better to have a list of all the systems, devices, and user accounts. Especially the administrator accounts, and keep the list updated.
2. Awareness Training
Continually educate your team with the importance of security. Try to support your team with knowledge and technical assistance.
3. Communication and Reporting
Build up a communication channel for your team to report and update security incidents and identified risks and respond to the incident in a timely manner.
4. Backup plan
To achieve the above task, you may need a backup plan to protect the business continuity and response to incidents, which includes data backup solutions and redundancy services.
From a user’s point of view, you would like to follow the instructions and requirements to protect the company’s data and information security:
1. Endpoint Protection
Users work with their endpoint devices such as laptops, mobile phones, tablets, and PCs should protect the devices from being misused and hacked.
- Keep the endpoint devices in a manageable place
- Lock the screen or turn off the power when you leave the device
- Install advance, next-generation anti-malware applications on devices
- Do not use working devices for personal use (e.g. checking personal emails)
2. Access to Systems (VPN)
Use a VPN (Virtual Private Network) to connect to the business systems.
- Do not use the same passwords for your business systems accounts and your personal accounts.
- Passwords for business system accounts should be:
1. Longer than 12 characters (preferably 14)
2. Complex by containing uppercase, lowercase, numbers and/or special characters. Or passphrase i.e. Agile-Method-Webinar7
3. Changed once (or better twice) a year
4. WIFI Security
- Use trusted WIFI
- Review and harden your home WIFI by
1. Change the administrator password of your WIFI in line with password advice above in item 3.
2. Change the WIFI password once (or better twice) a year
- Do not trust WIFI without password or login requirements
5. User Account Security
- Enable multi-factor authentication for business systems
- Do not share one business system account with other users
6. Phishing Emails
- Be aware of phishing emails and SMS
- Do not open emails sent by untrusted sources
- Do not click any link in the emails sent by untrusted sources
- Always verify. Be aware if the email asks you to carry out a financial task in a hurry. and always contact your manager or finance department to confirm.
7. Application Security
- Only download and install applications from a trusted source
- Do not download applications on working devices for personal use
- Ensure system patches are always up to date
8. Removable Media (USB)
- Do not connect untrusted removable media such as USB flash drive to your working devices
- Do not transfer or store sensitive data via USB flash drive
9. Data Backup
- Back up your data to an offline data storage
- Schedule your data backup at least once a month
- Test your data backup once (or better twice) a year for the availability
10. Update Systems (OS & Apps)
- Update your systems (include the operating systems and business systems)
- Update your anti-malware version and database
11. Report Incidents
- Report incidents and malicious behaviour of your working devices