Security Policies
Protecting Your Computers & Network
Creating Policies | Business | Home | Servicing Computers
Be sure to read Security Basics because it introduces preventing unauthorized access and key elements of security upon which this page builds.
Now we live in a world that is strictly bounded by our capacity to understand it, by our ability to keep up with the pace of technological change, and to manage the new risks and security challenges that come with limitless storage capacity, limitless transmission capacity, limitless data mining capacity.We are bounded by our own limited capacity to understand, to imagine the implications of data flow and data aggregation, and our ability to teach. — Privacy Commissioner of Canada
Creating a Security Policy
Create a security policy for the computers in your home or business. This will provide guidelines in making security decisions and help your family or employees understand the need for security.
Your protection depends on:
- protecting your computers and devices with good quality security software that is updated regularly;
- knowing how that security software operates so you're not fooled by fakes; and
- your knowledge about other security threats (including hoaxes) and how to respond to them correctly.
A Written Policy
A written security policy ensures that you cover all the necessary basics and clarifies responsibilities.
A simplified policy for children may be necessary, but it is better to restrict their access so that bad decisions are less likely.
Security Policy Elements
Your security policy should contain at least these elements:
- Who has access to your Internet (WiFi).
- Who has access to your computers and devices.
- Accessing the Internet outside the home/office environment.
- Who can install and maintain software.
- Who will maintain security software and ensure updates.
- Who can service your computers.
These areas are covered on this page and in other sections of this site. How you apply them depends upon whether it is a business or home environment and who is involved.
Security is Everyone's Responsibility
The user is the point of greatest vulnerability which is why a security policy is useful and necessary if everyone that uses your Internet and devices is to take security seriously.
If others use your computer or devices, they also need to take security seriously.
Educate About Evaluating Risks
Ensure that everyone using your computers understands how to evaluate risks.
Warnings by phone or email indicating your computer is “infected” are common. ALL are scams. Watch for these signs:
- Simply opening an infected image or other attached file can be enough to endanger the data on your computer. More….
- Any warnings that appear on your screen, particularly if they indicate that you have hundreds of infections, are scams. Know how the security software you installed reacts to an infection.
- Do NOT follow instructions given by an unsolicited email or phone call. These are scams, no matter who they say they are. Just hang up.
- There are logs on Windows computers that show errors even when they are operating normally. Scammers may try to use these logs to convince you that your computer is infected.
- If you provide a caller with access to your computer so they can “fix a problem” you'll end up with an infected computer, an expensive credit card bill, or both.
Family members and employees should be instructed NOT to respond to such ploys. If you're concerned, call the person that maintains your computers.
Access to Internet
There needs to be a policy regarding access to your home or business Internet (WiFi) in order to protect your network and the devices connected to it.
Recommendations
BEFORE you connect:
- A secured home or office network is always preferable to an unsecured network.
- Ensure that your security software (antivirus, firewall) is turned on.
- Using a VPN (Virtual Private Network) is recommended.*
- Confirm the WiFi network name with the business owner.
- Be sure to use secure sites, those starting with HTTPS, especially where you need to login to an account.
- Turn on two-factor authentication for your accounts.
- Disable file sharing.
*NEVER access financial sites like banks, PayPal or shopping sites while on a network you don't control without using a trusted VPN.
Protect Your Network
In both homes and businesses the network provides access to the Internet but also can be used to share files and printers between computers and devices.
Vulnerabilities in either the network itself (e.g. the modem or router) or devices connected to it can lead to a compromise of your security.
Not only are computers, tablets, smartphones and networked printers connected to your network, but so are smart assistants (Google Home, Alexa, etc.) and a “smart” devices which can be used to invade your privacy.
Older smart home devices employ obsolete security (short passwords on 2.4 GHz WiFi).
Always change the default passwords on routers and similar equipment and turn off access to insecure devices.
Guest WiFi
Many current routers provide a separate “guest” WiFi so that visitors to your home or business can have access to the Internet without access to your network. You should still consider whether you want users to have access at all since you're responsible for any illegal activity on your internet access account.
Free WiFi Presents a Risk
We're constantly on the go and want to remain connected but choosing an unsecured WiFi network could undo all that we've done to secure our computers and devices.
- Cellular is more secure than public WiFi.
- Turn off automatic WiFi connectivity on your devices to avoid being connected either to unknown networks. If WiFi is enabled it nulls the better security provided by a cellular connection.
- Turn off Bluetooth when you're in public. An unscrupulous person can gain access to your device via an open Bluetooth connection.
- A VPN encrypts all your wireless traffic to protect you and the person or service you're connected with.
Others on the same network could intercept information like passwords and confidential information using easily-available hacking software. Watch this YouTube video.
Captive Portals No Safer
You'll want to ensure that when devices are outside the home or business they don't leak confidential information or download malware that could infect your own network.
The log-in screen requiring you to agree to the WiFi network's terms in coffee shops and elsewhere are called captive portals and are no safer than an open WiFi network, but give you the illusion of safety.
Captive portals can interfere with secure (HTTPS) sites, calling them “untrusted connections” which leads people to ignore such warnings in the future.
- The risks of public hotspots: how free WiFi can harm you.
- How captive portals interfere with wireless security and privacy.
- A Guide to Public WiFi discusses WiFi security and privacy.
Protecting Business Computers
When your employees fall victim to a phishing attack, your entire corporate network and brand is at risk. The cost can be stunning. — Vade Secure
Since 91% of all cyber attacks begin with a phishing email, taking steps to defend against phishing attack might be the single most important aspect of an overall threat defense plan. — DuoCircle
Reliable Backups Critical
Business data is now primarily electronic. Much of the old paper tracking has been replaced with PDFs, e-Transfers, PayPal, online shopping carts, accounting programs, etc. The few remaining paper documents would unlikely suffice to recreate your business if all your electronic documents were wiped out.
According to an industry study by The Diffusion Group, who surveyed small business organisations, 60 percent of companies that lose their data close down within six months of the disaster and a staggering 72 percent of businesses that suffer major data loss disappear within 24 months. — Workspace
You'd need to be able to get up and running in as short a time as possible. Delays could damage your credibility and reputation. Complete and accurate backups are critical.
Restrict Access
You need to restrict access to business computers:
- Only employees with significant understanding of the risks should have administrative rights.
- Your company policies should indicate what software each level of user can or can't add or remove without express permission.
- Software, security and Windows updates are best done by you (or a single trusted employee reporting directly to you) so that you know your computers are protected.
- Access to personal social media sites like Facebook or personal software on business computers can lead to security risks for your business.
- Business social media accounts should be managed by experienced employees that understand the medium as used by a business. It is easy for followers to un-Like you if something goes wrong.
- The use of unsafe media like USB thumb drives can infect computers, including those on your network.
When your employees fall victim to a phishing attack, your entire corporate network and brand is at risk. The cost can be stunning. — Vade Secure
As more people work from home, poor security practices can place your business at risk. Your IT specialists aren't within easy reach and no one is ensuring they are following prescribed policies.
If you are negligent, it may affect your future employability.
- How to enable data theft protection measures discusses the various sources of data theft and how to protect your business.
One creative alternative is Menlo Security's Secure Web Gateway:
For companies that don't want to isolate all web traffic, we are providing greater ability to specify which users or categories of websites to isolate.For example, we can now automatically isolate any web service that was created with software known to be vulnerable to hacking, such as unpatched versions of WordPress and Drupal. End users don't even realize their web sessions are actually occurring on our platform rather than on their PCs.
With our new "Isolate and Read-Only" capability, administrators can allow employees to access — but not interact on — webmail and social media sites. That way, they can't be tricked into providing credentials to clever phishing scams. — Menlo Security Blog
Increase Your Security Budget
Corporate and business Information technology (IT) departments are seriously underfunded and a significant number of employees aren't concerned about the affect their lax security habits could have on the company.
The Equifax data breach, which exposed the sensitive personal information of nearly 146 million Americans, happened because of a mistake by a single employee… — The New York Times (emphasis mine)
Saving money on IT security may benefit you in the short term, but could cost you a great deal in the long term. You could lose your company's credibility if you're hacked and lose critical business information or suffer a data breach revealing your customer database.
- Security awareness training is crucial for your business.
- 9 steps to slowing and stopping your next data breach.
- Q&A: How to think smarter about database security.
- Potential security threats to your computer systems.
Protecting Home Computers
While this section primarily discusses computers, people are increasingly accessing the Internet over tablets and smartphones as well as smart devices like Google Home and Alexa.
Protect the Integrity of Your Devices
Protect the integrity of your computers and devices by restricting access.
- Use secure and unique passwords as well as your answers to security questions (anything based upon information posted on social media sites like Facebook or common knowledge about you can be easily guessed by others).
- Don't put your business data at risk. Business computers in your home or business should be used ONLY for business and should be secured with a decent password.
- Provide your family with a separate computer (they are relatively inexpensive these days).
Reliable Backups Critical
So many of our transactions today are electronic. Our bills come via email or are provided online. Think of the monumental task of recreating your financial history of the last year at tax time if you were to lose everything on your computer.
Then there's your collections of photos, music, videos and personal documents, many of which are irreplaceable.
Complete and accurate backups are critical.
Restrict Children's Access
Your children should not have full access to devices they use, including the ability to install or remove software. This includes:
- administrator privileges, even on their own computers and devices.
- denying the ability for their friends to make changes of any kind to the family's computers.
You are legally liable for any computers and devices as well as the Internet access you provide no matter who uses them. Visits to illegal or unauthorized copyright material could result in very large fines.
Protect Your Children
It's important to know what threats kids are facing so that you can have the right conversations and implement the precautionary measures. It's also hugely important to set some fair and effective ground rules for how your kids use the internet. — 17 Rules to Protect My Child Online
Children are curious and often more comfortable with technology than their parents. It is important that you monitor their activities for their own protection.
- Children are vulnerable because of their ignorance and curiosity. They often want to hide their activities from their parents in their eagerness to be “grown up.”
- While it is important that children's privacy is protected on corporate and public sites and social media, it is important that parents understand what their children are doing online and who they are interacting with.
- Ensure that your children don't share personal information online. Information like age (birth dates), home address, full name, etc. can be used for identity theft.
- Predators want to sexually exploit your children or entice them to meet secretly outside of your home.
- Place computers in common areas of your house and don't allow Internet-accessing devices in their rooms, particularly when the door is closed or at night.
- There is more on 17 Rules to Protect My Child Online.