What makes hardware-as-a-service so important? It’s not quite the same as renting something. Business owners are finding hardware services useful as they become more prevalent
What is hardware as a service?
Similar to renting hardware, it shares some of the same benefits. You are essentially borrowing the hardware to use short or long term, returning equipment at an arranged point. What sets it apart from a rental is that you are paying for a service to support the hardware. Think of it as paying for the utility. So what are the benefits?
Low Upfront Costs
You can get the latest hardware up and running faster and cheaper than if you were to specify it, buy it and set it up yourself. Kerbury experts will come to install your hardware for you and make sure everything is functioning properly. This monthly flat rate means that it is easy to budget for.
Responsibility For Maintenance Does Not Lie With You
No worries if your hardware falters, just call the Kerbury experts to come take a look at it! Periodical monitoring will keep things running smoothly. What’s more, you have reduced downtime thanks to the ability to swap out the malfunctioning unit, rather than waiting eons for repairs!
Stay Up To Date With Latest Technology
When a new version of a particular technology arrives, they’ll be in charge of updating it for you, when necessary, rather than you having to deal with it yourself. You won’t have to worry about investing in technology that might shortly become obsolete because your provider will want you to be running as quickly and efficiently as possible – they’re incentivized to make sure you’ve got the best equipment for your needs and budget.
Hardware-as-a-service includes things like cloud solutions or server storage that you rent from another company. You can pay to use their hardware rather than investing in your own infrastructure.
Hardware-as-a-Service allows you to operate to your full potential with minimal risk and investment. Luckily for most businesses, this is quickly becoming the norm and will certainly evolve into more productive and creative practices and services as time goes on.
As the UK begins to emerge from its lockdown following government advice about COVID19, many businesses are keen to get to work. As we tentatively step back into a post-lockdown scenario, we must maintain utmost caution towards our workplace safety, both physically and online. As we have seen hackers exploit the work from home lockdown situation, now too must we address this by asking the question: how can businesses avoid a cybersecurity crisis after lockdown?
Innovative technologies like VPN tools or cloud solutions have proven to be a double-edged sword. On one hand, they have helped to quickly create a remote workforce and keep at least some business processes moving. On the other hand, they have opened new routes into corporate networks that hackers can, and will, exploit.
“All it takes is one misdirected email, incorrectly stored data file, or weak password, before a business faces a severe data breach that results in the wrath of regulations and financial turmoil,” said Tim Sadler, CEO at Tessian.
Employees are more than likely bringing new devices such as phones and laptops back into the workplace. Some of these devices won’t be running the latest software and security patches, meaning they are vulnerable. Others may have already been compromised, giving cybercriminals a virtual golden ticket that fast tracks their access to corporate networks. It is therefore imperative that businesses bare this in mind when their employees return to the place of work, On top of properly segmenting their networks, organisations could also consider introducing a separate “decontamination zone” for devices returning to a local environment. Here, IT teams can vet each device before allowing it back onto the corporate network, while still giving it access to the most basic service in order to keep operations running smoothly. This approach goes hand-in-hand with the final pillar of an effective approach to cybersecurity for life after lockdown: network access control.
With cyberattacks and phishing scams increasing exponentially during this period, it is vital that any business returning to work environment bares in mind the cybersecurity implications as well as the physical health ones. Contact the Kerbury team today to get a full health check of your equipment to check for repairs and ensure that you aren’t encouraging a healthy breeding environment for cyber vulnerabilities.
Request a FREE consultation here or contact us for more information today!
Creating a solid password is a great start to protecting your cyber safety. Cybersecurity should always be a top priority for everybody, especially at the moment, and not just for businesses. Cybercrime is the single biggest threat that a company will ever have to face, and it is a possibility in any situation. Hackers exploit vulnerabilities to extract data, hold victims to ransom, sell information on the dark web, and more. Last year, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. The best action you can take to protect yourself from cybercrime and hackers is to get in touch with Kerbury for a security consultation so we can give you a thorough evaluation of your security status. Whilst we take care of the rest, a very simple step you can take yourself in the meantime is to create a safe password.
What makes a safe password?
The key aspects of a strong password are length (the longer the better); a mix of letters (upper and lower case), numbers, and symbols, no ties to your personal information, and no dictionary words. The more random and unique the password, the better.
-1 Passwords should be long in character numbers, complex, and varied. Use all the characters available – uppercase letters, lowercase letters, numbers, and special characters. The length and complexity can create a stronger password, and make it more difficult for hackers to break!
-2 Do not make it easy to guess – Do not use any word related to your family name, pet, street you live on etc. These can all be researched through your social media.
-3 Wherever you can, use two-factor authentication. When this is available, it will provide you with another shield of protection against hackers.
Try this: -Take a line from your a song “There will be blue birds over the white cliffs of Dover” Take a letter from each “twbbbotwcod” Add a capital letter “twbbbOtwcoD” swap up one letter for a number “twbb8OtwcoD” and add a special character “twbb8Ot%coD” then add something unique for each site, such as an extra B for banking, or Tw for twitter.
If you have any questions or would like to discuss anything concerning IT support services, remember to contact us for help and guidance!
Hackers are exploiting the cybersecurity vulnerabilities of work from home staff during the COVID19 pandemic to steal valuable information. Despicably, some scammers are already using the coronavirus as the perfect opportunity to trick people with Phishing scams. ENISA said it had already seen an increase in coronavirus-related phishing attacks. The agency recommends, as far as possible, that workers try to not mix work and leisure activities on the same device and be particularly careful with any Emails referencing the coronavirus. “Attackers are exploiting the situation, so look out for phishing emails and scams,” ENISA said.
Here are some basic recommendations that can help keep you secure whilst working from home during the COVID19 Pandemic:
- Ensure your Wi-Fi connection is secure. While most Wi-Fi is correctly secured, some older installations might not be, which means people in the near vicinity can snoop your traffic.
- Ensure anti-virus is in place and fully updated.
- Check all security software is up to date: Privacy tools, add-ons for browsers and other patches need to be checked regularly.
- Have a back-up strategy and remember to do it: All important files should be backed up regularly. In the worst case scenario, staff could fall foul of ransomware for instance. Then all is lost without a backup.
- Make sure you are using a secure connection to your work environment.
- Check if you have encryption tools installed.
- Get in touch with a professional cybersecurity team like Kerbury if you have any worries
There are also recommendations for employers to help ensure the cybersecurity of their staff during the COVID19 pandemic
Things employers can do:
- Provide initial and then regular feedback to staff on how to react in case of problems. Who to call, hours of service, emergency procedures and how they evolve.
- Give suitable priority to the support of remote access solutions.
- Define a clear procedure to follow in case of a security incident.
- Consider restricting access to sensitive systems where it makes sense.
- Seek guidance from cybersecurity professionals at Kerbury should you have any concerns
Your cybersecurity should be one of your top priorities to ensure your staff working from home are operating safely and efficiently. Should you need further support the Kerbury team will be happy to provide training as well as any IT support you may need during this difficult time. Get in touch today to find out more
Do you know what phishing is? Would you recognise a phishing scam if you came across one? We have put together some simple and easy tips you can keep in mind to keep yourself safe from falling victim to phishing scams. In 2019, nearly one-third of all data breaches in 2018 involved phishing. The two most popular brands phishers to pose as are Microsoft (42%) and Amazon (38%). Microsoft Office users are the most at risk because hackers often disguise their malware as Office file email attachments to trick them into clicking on them. Follow these tips and as ever, if you are in doubt, always get in touch with the experts here at Kerbury for all your cybersecurity and IT requirements.
Evaluate the situation carefully. Many open their emails as soon as they see them without even considering the possibility of a threat. This is human nature, but if you receive an email that you don’t recognise, take a moment to consider it before you speed through opening it.
Never click links from an unknown sender!
You don’t know who the email is from and you can’t trust what it is they are sending you
Enable mail server options.
This will explicitly label emails that come from outside the company.
Keep an eye out for strange requests.
Ask yourself what is the relevance of what the email is asking you to do. NEVER send bank details or personal details to an unknown sender.
Watch out for something that may seem “phishy.”
Spelling mistakes, grammatical errors, flashy click-bait content can all be red flags
Remember, Cyber-espionage actors frequently employ phishing attacks and there is a growing use of malicious files and HTTPS sites in phishing scams.
Beware!! Phishing attacks are made by cyber criminals to grab sensitive information (i.e. banking information, credit card information, stealing of customer data and passwords) to misuse them.
How does a phishing work?
Hackers spread their phishing net to catch different types of phish. Be it a small phish or a big whale!
Phishing attacks are carried out by cyber criminals who trick the victim by concealing their identity, by masking themselves as a trusted identity and luring them into opening deceptive emails in order to steal sensitive information. These attacks are successful because of a lack of security knowledge. In short a phishing attack is a disguised attack made by hacker in a very sophisticated way.
Phishing Scams can involve thousands of users being targeted at a time by cyber criminals. e.g. A fake Google Mail login page is created and emails are sent asking customers to check their accounts. Huge scams lead to huge losses, Surveys show a phishing increase of approximately 250% according to Microsoft.There are many types of Phishing Attacks and Phishing Scams carried out by hackers:
Many business owners are oblivious to the insecure email links. e.g. the victim gets an e-mail from the hacker to check some unknown transactions in their bank account, a fake link is attached to a site which looks legitimate. Without thinking the victim opens the fake link and enters the account details and passwords. That’s it. You have been attacked!
Spear phishing is an email attack is carried out by a perpetrator pretending to be your friend. To make their attack successful, these fraudsters invest a lot of time and effort to gather specific information about their victims; i.e. victim’s name, position in their company, contact information etc.
They later customise their emails, with the gathered information, thus tricking the victim to believe that the email is sent from a trustworthy source. Fake URL and email links are attached in the email asking for private information. Spear phishing emails are targeted towards individuals as well as companies to steal sensitive information.
The attacker forges the domain of the company, to impersonate them. The victim receives an email with the domain name of the company, they believe that it’s from a trusted source and open.
A few years ago there were only 2 types of phishing attacks. Email phishing and Domain spoofing. Either the email name was forged, or the domain name was forged to attack victims. But as time goes by cyber criminals come up with various types of attacks.
A Whaling attack or CEO fraud as the name suggests are targeted on high profile individuals like a CEO or senior executives of a company. The attack is almost like spear phishing; the only difference is that the targets are like whales in a sea and not fish. Hence the name “whaling” is given to these phishing attacks.
Fraudsters can take months to research their high level victims, also their contacts and their trusted sources to send fake emails in order to get sensitive information, later stealing important data and money, hampering the business. As they target senior management the business losses can be huge, which makes a whaling attack more dangerous.
VoIP (Voice) + Phishing = Vishing.
Until now phishing attacks were made by sending emails. But when attacks are done by targeting mobile numbers, it’s called Vishing or Voice Phishing.
In Vishing attacks, the fraudsters call on a mobile and ask for personal information posing as someone else e.g. a bank employee, they get bank account numbers, pin numbers or passwords and once you have handed that information over you have given these people access to your accounts and finances.
SMS + Phishing = SmiShing.
Just like Vishing, SmiShing attacks are also related to mobiles. This is when the attacker sends a text message to the target person asking them to open a link or an text alert. Once they open the fake message the virus or malware is instantly downloaded to the mobile. In this way, the attacker can get all the desired information stored on your mobile.
Clone means to duplicate giving this it’s name. Clone Phishing is when an email is cloned by the fraudster, to create another identical email to trap employees. As it’s a perfect replica of the original, fraudsters take advantage of its legitimate look to execute their malicious intentions.
Search engine phishing:
This is a new type of phishing whereby the fraudster makes a web site comprising of fake products, fake schemes or fake offers to attract customers. They can even couple up with fraudulent banks for fake interest schemes. They get their website indexed by search engines and wait for their victims. Once a customer visits their page and enters their personal information to purchase a product, their information is in the hands of fraudsters, who can cause them as they please.
Watering hole phishing:
In this type of phishing the attacker keeps a close watch on their targets. They observe the sites their targets usually visit and infect those sites with malware. It’s a wait and watch situation whereby the attacker waits for the target to re-visit the malicious site. Once the targeted person opens the site again the malware infects the victims computer which can then grab all the required personal details or customer information it can.
Although the cyber hackers are very clever, there are certain precautionary measures which can help prevent them succeeding:
- Check the URL before clicking unknown or suspicious links
- Do not open suspicious emails or links
- Change passwords frequently
- Educate and train your employees to identify phishing attacks
- Check for secured sites; i.e. HTTP sites
- Install the latest anti-virus software, anti-phishing software and anti-phishing toolbars
- Don’t install anything from unknown sources
- Always opt for 2-factor authentication
- Trust your instincts
- Update your systems with latest security measures
- Install web-filtering tools for malicious emails
- Use SSL security for encryption
- Contact Kerbury for advice
The main point of phishing emails is to trick users to click emails or links causing monetary loss to them. Ongoing cyber security training given to all employees from top to bottom will keep them alert against such attacks, preventing your business from financial damages. Contact us to see how we can help you! 01440708686 www.kerbury.co.uk
The impending end of life date for analogue ISDN telephony, set by BT for 2025, represents one of the most significant changes in telecoms history. Whilst millions of businesses have already turned away from ISDN in favour of more cost effective and functional alternatives, the 2025 switch off means that in order for companies to continue using their business telephone systems past 2025 they have no choice but to embrace modern, internet based digital telephony as using an ISDN system will no longer be possible.
Why is the switch off happening?
The move to digital is part of an international trend amongst telecoms providers preparing for analogue platforms like the PSTN to become obsolete (Openreach, 2018). Internet based telephony has already surpassed analogue throughout much of Europe simply because it costs less and offers more. The 2025 end of life date has been set not only for the UK to catch up with the latest technological breakthroughs being enjoyed by many of our European neighbours, but as is the case when any new technological breakthrough emerges, it is simply better than the outgoing tech – in this case ISDN.
As IP relies on an internet connection, the main stumbling block it has faced in the past has been concerns surrounding internet availability and quality. With fibre now in place throughout much of the UK, and most of the UK set to be fibre enabled by 2025, this stumbling block has been removed enabling businesses to operate without any of the previous concerns using fully IP telephone systems.
New buildings are in fact now being constructed with infrastructure in place offering only digital telephony options as the telecoms industry gears up to the total takeover by digital.
2025 is 5 years away, why should my business take action now?
IP telephony is being adopted as it offers significant cost savings and functional benefits compared to analogue systems. So whilst the 2025 deadline may seem like a long way off, you don’t have to wait until the deadline to start benefiting from VoIP telephone system – in other words, if you can save money and gain extra functionality whilst future proofing your business at the same time now, why wouldn’t you?
It is also important to note that whilst 2025 may seem like a lifetime away, the cease in supply deadline (the date set when ISDN related services and products will no longer be available to order) is actually set for 2020. If you’re in the market for a new phone system then opting for a VoIP system now makes the most sense
To find out more about the ISDN switch off, to discuss the benefits of VoIP or just to discuss your options in improving your telephony give us a call on 01444 708686
No-one wants a conversation about printers. Maybe that’s why so many SMBs in the UK (52%, according to one survey ) are turning a blind eye to the cost of their printing. Because if they knew what they were spending (£10,000-a-year-plus in many cases) they wouldn’t be able to keep quiet about it.
This post encourages SMBs to face up to their current printing costs and provides expert advice on how to significantly reduce printer expense.
Every office can do better when it comes to waste, and printing is no exception. The top three areas for improvement are:
- Unnecessary printing
- Needless use of colour and high-quality settings
- Forgetting to pick up print jobs
Fact: The average employee leaves 600 pieces of paper at the printer every year.
Training, of course, is a great way to help us change our behaviour and tackle the problem of waste. But there are several other changes that could have a more immediate impact.
Brother’s PrintSmart Cost Control is a print management solution that lets you track what, when and how much each employee prints. It enables you to identify the departments and individuals who may need additional training in reducing waste. To help them along, you can also apply quotas, limiting their printing output. Stop abandoning those poor print jobs. By introducing pull printing, employees will have to actively release print jobs at the device, helping to eradicate lost and forgotten output. What’s more, by setting default options to economical settings, you can cut back on the volume of colour, single-page and high-resolution printing.
Fact: You can shave 10% to 30% off your print budget by actively managing printing behaviour.
Avoid the traps
You can be forgiven for thinking that holding on to your old “trusted” printer is a good idea. You may convince yourself that your old printer never lets you down, and that a smart new printer has too many elements in it that can go wrong.
Fact: Businesses are so concerned by printer downtime that as many as 29% sit on a stock of replacement printers just in case a printer breaks down.
There is a way to take the risk out of buying new printers. You can partner with a Managed Print Services (MPS) provider, which leases top-of-the-line products while delivering continuous supplies, maintenance and support, not to mention guidance on proper printer usage.
Fact: The average IT department spends one-third of its time dealing with office printing.
Brother MPS solutions, for example, are tailored to the specific requirements and budgets of SMBs. Our MPS customers choose from a wide range of Brother laser printers. They also avoid the need to order toner because we monitor printer usage, and customers are never left waiting for toners or repairs. And if anything does go wrong, we respond quickly.
Cut energy usage
Energy bills are always a concern. They represent a significant chunk of any company’s overheads, and anything we can do to get those costs down is going to be welcomed. Printer efficiency has improved massively in recent times, and it’s fair to say you can significantly reduce printer-related energy consumption by removing your legacy printers and moving to laser machines. The new laser models offer low-energy standby modes, which draw close to no power when the printer isn’t being used.
Fact: Modern devices are on average 36% more efficient than their predecessors.
Fact: Traditionally, printers consume 30% to 40% of their peak power demand when in idle mode.
Fact: Modern printers work by charging a capacitor when the printer is active and can save up to 12p an hour per printer.
Is refilling the paper tray on your to-do list? This is not a priority in everyone’s day and time we can ill afford to waste, especially when there aren’t enough hours in the day as it is. Having extra paper capacity would certainly save time and improve efficiency. And with Brother laser printers you can add up to four extra paper trays so that your printing capacity grows and contracts in line with your business cycles. Furthermore, by tracking printer usage, using Brother’s PrintSmart Cost Control you can see how usage changes over time, allowing you to fine-tune your printer strategy.
Get more flexible
We can’t do everything from our desks. We regularly have to attend meetings, and often these meetings aren’t scheduled in advance – they’re last-minute. If you’re tied to one printer, working efficiently in this environment can be challenging. However, with the pull-print functions in Brother laser printers, you can print, scan and copy from any device around the office. Plus, if your regular printer isn’t working for some reason, it won’t slow you down because you can print from the next nearest machine.
Be welcoming and secure
Offices are also places to welcome customers, hold business discussions and make presentations. But customers are as busy as we are, so a visit to your office can feel like a disruption. Imagine how they would feel if they could work and print from your office as easily as they can from their own.
All Brother SMB laser printers come with reliable security features such as Secure Print+ and User Authentication that allow secure guest printing. Plus, there are Papercut and Ringdale, to ensure private information stays private.
Where do I begin?
At this point, you may be thinking, “Wow, that’s a lot to take in. What do I do next?” Partnering with Brother MPS would be a good first step. We can advise you on printer models, handle printer procurement and provide guidance on proper printer usage.
Fact: Brother has a long history of delivering an industryleading service: more than 90% of our customers renew their MPS contracts.
Printing doesn’t need to be a drain on your resources. By choosing Brother, you can drive down costs while gaining a flexible and high-performing printer infrastructure that helps employees work more efficiently.
So maybe now is the time to confront your printing costs and eliminate the risk of any nasty surprises that may lead to an awkward printer conversation.
If you think you might be spending too much on your printer fleet, Contact us to reveal the savings you could make.
Kerbury Business Centre 01440 708686
It’s not often that a piece of regulation affects everyone in business, but this one does.
If your normal work activities involve storing or using information relating to named individuals – customers (past, present and prospective), suppliers and employees, then you need to take note of GDPR.
What is it?
The General Data Protection Regulation (GDPR), came into effect on 25th May 2018, it provides a legal framework for keeping everyone’s personal data safe by requiring companies to have vigerous processes in place for handling and storing personal information. It’s also designed to protect us as individuals from being contacted by organisations without our permission.
Why does it matter?
- The GDPR is bigger than its predecessor, the Data Protection Act 1998 (DPA 1998), and has many new rules which are significantly different in certain areas, such as:
- A wider definition of ‘personal data’ which covers more information than ever before;
- Data processors (i.e. firms that process personal data on behalf of another business, such as an outsourced payroll service) will be required to comply with the GDPR, whereas they weren’t required to comply with the DPA 1998;
- Businesses based outside of the EU will have to comply if they offer goods or services into the EU (one to watch post-Brexit!);
- When obtaining ‘consent’ from individuals, it must now be explicit and specific – it’s all about ‘opting in’ (and knowing exactly what we’re signing up for) rather than ‘opting out’. The old rules placed the onus on the individual to ask to be removed from a mailing list. In future, businesses must ask for consent from the very start;
- A duty to report data breaches to the Information Commissioner within very strict timeframes;
- A new ‘right to be forgotten’;
- The statutory need for certain businesses to appoint data protection officers, responsible for overseeing the new requirements for record-keeping and data impact assessments;
- An easier process for individuals to claim compensation from a non-compliant business
- Tougher penalties for non-compliance.
Who needs to know?
As well as operational policies for marketing teams and data handlers, firms may be required to appoint data protection officers and conduct privacy impact assessments. The content of trading contracts between businesses has become more complicated. So HR, operations, business development, and marketing should all be involved, and everyone in the business who uses data should be aware of how to comply.
While some industries will be more affected than others – those in the direct marketing industry, consumer-facing businesses, firms that trade internationally, through e-commerce or that hold huge customer databases – the GDPR will touch every business to some degree.
Five things to check now:
This hasn’t been just a minor change, it’s much more expansive than that. So, with that in mind, here are five things that you need to address, if you haven’t already.
- Information held: Do you know what personal data you currently hold, where it came from and what it is used for? If not, carrying out an information audit will help identify areas for reform;
- Privacy notices: Check your current privacy notices (the statement that describes what you use data for), do they meet GDPR requirements? Remember they should be kept under continuous review and updated when something changes;
- Rights: Ensure that your procedures cover all the rights of an individual, including how data would be provided in response to a request or how you might action a request for erasure;
- Gathering consent: Does how you gather and record consent comply with the GDPR?
- Information for children: Storing information on children requires parental or guardian consent, have you put in place adequate verification of individuals’ ages to facilitate the proper consent procedure?
What can you do?
The demands and requirements are high. Ensuring all policies relating to data protection are at least current is a good starting point, followed by an audit of your data, which we can help you with. Going forward, you should be looking to ensure that any new business contracts you enter into contain appropriate compliant data clauses, and any existing contracts are amended.
Our team is available to help, Call us on 01440 708686
|Cyber Essentials is a Government-backed, industry-supported scheme to help organisations protect themselves against common online threats. |
With Cyber Essentials, you can prevent around 80% of cyber-attacks. (HM Government 2016)
The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls to help organisations protect themselves against common online security threats.
Why do I need Cyber Essentials?
• Reassure customers that you take cyber security seriously
• You will be listed on the Directory of organisations awarded Cyber Essentials
• Attract new business with the promise you have cyber security measures in place
• The scheme will also increase your opportunities within the private sector as it is required for UK Government contracts that involve the handling of personal and sensitive information.
Use a firewall to secure your Internet connection
You should protect your Internet connection with a firewall. This effectively creates a ‘buffer zone’ between your IT network and other, external networks.
In the simplest case, this means between your computer (or computers) and ‘the Internet’. Within this buffer zone, incoming traffic can be analysed to find out whether or not it should be allowed onto your network.
You could use a personal firewall on your internet connected laptop (normally included within your Operating System at no extra charge). Or, if you have a more complicated set up with many different types of devices, you might require a dedicated boundary firewall, which places a protective buffer around your network as a whole. Some routers will contain a firewall which could be used in this boundary protection role. But this can’t be guaranteed.
Cyber Essentials Certification requires that you configure and use a firewall to protect all your devices, particularly those that connect to public or other untrusted Wi-Fi networks.
Choose the most secure settings for your devices and software
Manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible. They come with ‘everything on’ to make them easily connectable and usable. Unfortunately, these settings can also provide cyber attackers with opportunities to gain unauthorised access to your data, often with ease. Check the settings So, you should always check the settings of new software and devices and where possible, make changes which raise your level of security. For example, by disabling or removing any functions, accounts or services which you do not require.
Use passwords: Your laptops, desktop computers, tablets and smartphones contain your data, but they also store the details of the online accounts that you access, so both your devices and your accounts should always be password-protected. Passwords – when implemented correctly – are an easy and effective way to prevent unauthorised users accessing your devices. Passwords should be easy to remember and hard for somebody else to guess. The default passwords which come with new devices such as ‘admin’ and ‘password’ are the easiest of all for attackers to guess. So you must change all default passwords before devices are distributed and used. The use of PINs or touch-ID can also help secure your device.
Extra Security For ‘important’ accounts, such as banking and IT administration, you should use two-factor authentication, also known as 2FA. A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.
Cyber Essentials Certification requires that only necessary software, accounts and apps are used. If you would like more information on choosing passwords, Choose the most secure settings for your devices and software
Control who has access to your data and services
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.
Administrative accounts Check what privileges your accounts have – accounts with administrative privileges should only be used to perform administrative tasks. Standard accounts should be used for general work. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges you cut down on the chance that an admin account will be compromised. This is important because an attacker with unauthorised access to an administrative account can be far more damaging than one accessing a standard user account.
Access to software Another simple and effective way to ensure your devices stay secure and malware-free is to only use software from official sources. The easiest way to do this is to only allow your users to install software from manufacturer approved stores, which will be screening for malware. For mobile devices, this means sources such as Google Play or the Apple App Store.
Cyber Essentials Certification requires that you control access to your data through user accounts, that administration privileges are only given to those that need them, and that what an administrator can do with those accounts is controlled. Control who has access to your data and services
Protect yourself from viruses and other malware
Malware is short for ‘malicious software’. One specific example is ransomware, which you may have heard mentioned in the news. This form of malware makes data or systems it has infected unusable until the victim makes a payment. Viruses are another well-known form of malware. These programs are designed to infect legitimate software, passing unnoticed between machines, whenever they can.
Where does malware come from? There are various ways in which malware can find its way onto a computer. A user may open an infected email attachment, browse a malicious website, or use a removable storage drive, such as a USB memory stick, which is carrying malware.
How to defend against malware Anti-malware measures are often included for free within popular operating systems. For example, Windows has Defender and MacOS has XProtect. These should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’, and you’re instantly safer.
Smartphones and tablets should be kept up to date, password protected and where possible, you should turn on the ability to track and erase lost devices. If you can avoid connecting to unknown wi-fi networks, this will help to keep your devices free of malware too.
Whitelisting: can also be used to prevent users installing and running applications that may contain malware. The process involves an administrator creating a list of applications allowed on a device. Any application not on this list will be blocked from running. This is a strong protection as it works even if the malware is undetectable to anti-virus software. It also requires little maintenance.
Sandboxing: Where possible, use versions of the applications that support sandboxing. For instance, most modern web browsers implement some form of sandbox protection. A sandboxed application is run in an isolated environment with very restricted access to the rest of your device and network. In other words, your files and other applications are kept beyond the reach of malware, if possible. If you would like to learn more about preventing malware, the NCSC has guidance which you may find useful.
Cyber Essentials Certification requires that you implement at least one of the approaches listed above to defend against malware. Protect yourself from viruses and other malware
Keep your devices and software up to date
No matter which phones, tablets, laptops or computers your organisation is using, it’s important they are kept up to date at all times. This is true for both Operating Systems and installed apps or software. Happily, doing so is quick, easy, and free. Also known as ‘Patching’ Manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered. Applying these updates is one of the most important things you can do to improve security.
Operating systems, programmes, phones and apps should all be set to ‘automatically update’ wherever this is an option. This way, you will be protected as soon as the update is released. However, all IT has a limited lifespan. When the manufacturer no longer supports your hardware or software and new updates cease to appear, you should consider a modern replacement.
Cyber Essentials Certification requires that you keep your devices, software and apps up to date. Keep your devices and software up to date