The White Report | March 2023 | Page 8

FOUNDATIONAL PRACTICES

Antivirus
• Ensure Antivirus is installed on all computers (Windows + Mac)
• Ensure Antivirus is configured to update hourly
• Ensure Antivirus is configured for ‘real-time’ scanning
• Run weekly Antivirus scans on all devices
Hardware Firewall
• Ensure network is protected from the Internet with a Firewall
• Change the device administrative password upon installation
• Ensure direct port forwards are not configured
• Always use a Virtual Private Network (VPN) if remote access is required
Software Firewall
• Ensure the built-in software firewall is enabled on all computers (Windows + Mac)
Patching - Operating System
• Windows: Ensure patches are configured to automatically download and install
• Mac: Install updates when available
• Upgrade to new Operating System versions when available
Patching - Application
• Ensure all software is kept up to date
• Enable application auto updates
Backups
Ensure backup copies of important business data/information are maintained. A good approach is to use the 3-2-1 backup strategy:
• Maintain 3 x backup copies of your data
• 2 x backup copies located onsite on different devices (e.g. HDD, backup tape)
• 1 x backup copy located offsite (e.g. 2nd backup tape, cloud storage)
• Daily Backup Schedule
Laptops
• Ensure Hard Drive Encryption is enabled (BitLocker for Windows, FileVault 2 for Mac)
Mobile Phones / Tablets
Ensure all devices have a custom PIN code set
• Do not use default or common PINs (e.g. 0000, 1234)
• Use longer PINs (e.g. 6 digit) where available
Physical Security
• Do not allow unauthorised persons to have physical access to or use of any of your business computers
• Do not use USB or external hard drives from an unfamiliar/untrusted source
Wireless
• Change the device administrative password upon installation
• Ensure wireless uses Wi-Fi Protected Access 2 (WPA-2) minimum security (do not use WEP, it is not considered secure)
• Ensure wireless uses a strong password
• Be cautious when using public or free Wi-Fi - do not perform transactions on public/free Wi-Fi (e.g. online banking, online purchases)
User Accounts
• Use individual accounts for all computers and applications; do not use shared accounts or share individual account information with anyone
Passwords
• Use a unique password for each site/service
• Use passwords as long and complex as can be remembered. Longer passphrases (e.g. IL0veSe!!ingHouses) are better than shorter, more random passwords (e.g. Ai4wl#mj)
• Use Multi Factor Authentication where available
• Use a Password Manager to help remember passwords
• Only change a password if it’s forgotten or breached (phished, etc.)
• Never share passwords with anyone
Limit Access to Data and Information
• Do not provide access to all data/systems to any employee; provide access only to those systems/data that they need to do their jobs

HIGHLY RECOMMENDED PRACTICES

Email
• Communicate to all staff to not open email attachments unless you are expecting the email with the attachment and you trust the sender
• Communicate to all staff to beware of emails which ask for sensitive personal or financial information
• Communicate to all staff to not click on links in email messages unless you know what the link connects to and you trust the person who sent the email to you
• Always confirm any emailed change requests to bank, invoice, payment or contact details by speaking directly to the requesting party on the phone
Web Browsing
• Communicate to all staff to not respond to popup windows requesting that you click ‘OK’ for anything
• Communicate to all staff that if a popup window appears informing you that you have a virus or spyware on your computer, close the window immediately
• Online banking should only be done with a secure browser connection (lock icon visible on the browser bar). If the lock icon is not present or the browser says the site is not secure, do not use it.
Software installation
• Only download/install programs from a trusted source
Social Media
• Communicate to all office staff to be careful about what you share online - try to keep personal information private and know who you are interacting with