2018 is well underway and by now, New Year’s Resolutions may already be a distant memory for some. But at WatchGuard, we believe it’s never too late to start building good information security habits or breaking bad ones. So, our research team has compiled a list of do’s and don’ts that will help both network admins and everyday users stay safe and secure online in 2018.
If you’re a network admin stressed out by the security of your network, here are some ways to improve it. And if you’re just an everyday person who’s freaked out by all the hacks in the news (Stolen Bitcoins! Flawed Intel chips! Nation-state spying!), read on for some simple steps you can take to significantly improve your digital security without impacting your daily life.
For network admins:
- Do implement enterprise-wide multifactor authentication (MFA). Your employees probably don’t pick passwords well, or they might use the same ones for both work and private accounts. Multiple password database leaks have greatly exacerbated this problem. MFA is the solution. It used to be too complex and expensive for most companies, but that is no longer the case. You should strongly consider implementing enterprise-wide MFA at your company to protect enterprise logins, Cloud apps, VPNs, and more.
- Do create and test a Business Continuity and Disaster Recovery (BC/DR) plan. While it is weird expending significant effort on a plan you hope never to use, too many businesses have lost millions of dollars and time to cyber security incidents like ransomware. If you run a hospital, these issues could have life-threatening consequences. Obviously, backups are an important part of this plan, but think about your services and computing resources as well as your data.
- Do offer regular security awareness training. Some network admins say you can’t patch stupid, but that just isn’t true. Education is the patch to ignorance. While training does NOT mean that employees become perfect and always do the right thing, it DOES mean that statistically they will do the wrong thing less, resulting in less incidents for you to clean up. Technological defenses are a must, but there are some risks you can’t mitigate without a user’s help.
- Do get involved in cyber legislation. Cyber security has become major news. From election hacking and breach disclosure to vulnerability hording and IoT regulations, lawmakers in your country are likely discussing new legislation to deal with some of the problems associated with cyber attacks. However, these lawmakers aren’t the experts. You are. Make your voice heard and participate in public debate when possible.
- Don’t plan your security strategy in a vacuum. Your entire company is affected by cyber security and the policies set by IT. CEOs will want to play a more active role in this process, since they know that a bad enough breach could cost them their job. More importantly, other departments likely know things about where data may go, and other risks. You’ll learn a lot by involving department leaders in your security plans, and you will get more buy-in and resources by involving others early.
- Don’t only focus on preventative security technology. Historically, security pros invest most of their budget in things that are meant to stop attacks. While you definitely need some of this investment, the hard truth is that technology will never block every threat. Balance your security investment with technologies that quickly find and eradicate threats that do make it into your network
- Don’t become complacent or discouraged. We live in a world where news about breaches and cyber security pours down upon us constantly. It’s easy to become fatigued when you hear about endless problems that sound horribly critical. However, often the true severity of the risk is more manageable. The sky is not falling. Even if the news seems overwhelming, work to keep yourself vigilant of the latest major security issues.
For everyday consumers:
- Do use free two factor authentications (2FA) whenever available. Passwords have problems, and many users don’t use them correctly. The best defense is multifactor authentication. Most big sites and cloud services offer free 2FA options, so there’s no excuse not to use them when they are available.
- Do use a password manager. MFA is your best option, but if a site doesn’t offer it, you need to follow good password practices. That said, remembering hundreds of long random passwords is hard (okay, impossible). Password managers solve this problem. Sometimes they are even built into your OS. USE THEM!
- Do invest in security hardware or software, no matter what platform you use. Any desktop computer without security software is like swimming in a sewer with an open sore. Have a Windows system? Then you are probably used to it already. However, Macs also need security suites, as well as mobile providers like Android.
- Do backup! Yes, most people say they do… but do you really? If everyone backed up their systems correctly, ransomware would cease to exist. If you do backup, have you ever tested those backups? Make sure the data you think you are saving is really there, otherwise you’re just wasting time.
- Do patch regularly. For normal desktop users, I suggest you just set your OS to automatically download and install updates immediately. While there are potentially a few cases where you might wait, I’d rather deal with those uncommon cases rather than dealing with a computer that has two-year-old software flaws.
- Don’t send payments based only on texts or emails. There has been a big increase in phishing emails and text messages asking victims to make wire transfers. While these communications may seem to come from your boss or someone you know, they almost never do. You should always validate such communications by talking to the requester using a different communication channel before fulfilling them.
- Don’t be click happy. You see a lot of emails and social network posts everyday with links. Yes, a deal might sound good, but do you really need to click? Do your best to avoid clicking unnecessary links from unsolicited communications. Rather, visit sites directly, or if you must click something, look at the link first, and use tools to unmask shortened links.
- Don’t join public or open wireless networks without protection. First, see the Do above on security software. More importantly, if it’s an open network you should NEVER use it without a VPN.
- Don’t believe that good things come free. There’s a lot of applications and media you find online that screams it’s “FREE.” At best, many of these things come with ads or spyware. At worst, they may infect your computer. While there are some open source things that are good, think twice about anything screaming about being “free.”
- Don’t leave your computer in the open in public. Even in environments you control, set a lock screen on your computer, and make the lock timeout relatively low (a few minutes).
Remember, for both businesses and individuals, good security is often way more about sustained behaviors – day in and day out – than any one mistake or decision. If you commit to following these best practices and revisiting them from time to time, you’ll be well on your way a safer 2018.