Six simple ways to protect your staff and your business

“People are part of the design, it’s dangerous to forget that”

The above is a quote from “Star Cops“, a mostly forgotten but very underrated BBC Sci-fi show of the late 1980s. It refers to a scene where you can have the best-designed systems and processes but all it can take is one careless mistake. To better illustrate my point, one of my favourite cartoons features a boxing ring, with a bunch of hardware in one corner and a boxer in the other, the caption reads:

“In this corner, we have firewalls, encryption, antivirus software, etc. And in this corner we have Dave!”

A completely secure system wouldn’t be usable, so it’s all about treading the tightrope between security and usability, with users straddling the line.

So, what six simple things can you implement now to protect your systems, whilst at the same time giving users a usable experience?

1 – Passwords and password policies
One of the very first things a new user will have to do is to change their password. Your password policy will probably now be the first gripe a user has. From minimum and maximum length, complexity and special character requirements,  and then the worst thing, expiration. How many calls do you get from users when their password has expired and needs to be reset? Even length can be an issue, one of our clients once had a minimum of 16 characters requirement – this policy was only relented when two factor authentication was implemented.

2 – Automatic Screen Locking
Another potential bugbear – screens that are programmed to lock after so much idle time. We’ve heard of companies implementing a disciplinary procedure if unlocked desktops are encountered. Sometimes it seems you glance away and when you look back, your desktop is locked and you need to enter your password again, It’s a trivial thing, but it does provide a degree of security.

3 – Anti-Virus and Anti-Malware software
This normally just sits quietly in the system tray and never bothers the user (hopefully!). Only when they download something they shouldn’t or open an attachment does it then get involved. Typically, the user might not see anything apart from an alert – but we’re always watching (hint: we get an alert too!); the number of times we’ve had to call a user for them to say “I was expecting your call’ after seeing the dreaded popup.

4 – Firewalls
If we’ve done our job right, most users will never know these devices exist until they encounter a website they want to access but can’t.
There could be multiple reasons we block access to a web site:

• It’s been flagged as inappropriate
• It belongs to a banned category (such as weapons) – and sometimes, it may have been categorised incorrectly.
• It’s been detected as trying to spread malware.

But what if the website in question is innocent? What if a user wants to log onto what should be a fairly innocuous website but it gets blocked by your firewall? We can unblock the website or investigate further as to why it’s blocked – incorrect categorisation is a common culprit, but not the only one. Incorrectly configured webservers can harbour all manner of unknown threats and should always be avoided and in this case, we would refuse the exemption, even to the annoyance of the user.

5 – Device Control policies – such as blocking USB storage access
USB storage is an absolute boon. People who have grown up with it can’t imagine not having the convenience of plugging devices into a computer and they just work. I can still remember when I bought my 32MB USB Drive (that came with a driver disc) into my NT4 workstation and it appeared as a new drive letter. However, these devices can easily get swapped around, people bring them in from home, copy work onto them and then lose them. Device Control (there are various software solutions for achieving this – we typically recommend Sophos) can go some way to protecting your network by establishing what devices can work if they are plugged in (if any).

In one project we were involved with, we only allowed encrypted USB drives and anything else was blocked. We did encounter an irate user after the policy was applied (after multiple emails had been sent!) complaining that they couldn’t use her USB stick – so I had to I explain to them that the policy was to protect both them and the network should they lose it; no-one wants to be a headline in the local press for lost data on a train!

6 – Enforcing Windows Updates
This is a contentious one. Windows 10 updates have become more invasive than any other OS before it. I was in a GP’s surgery (remember doing that before lockdown?) and I heard one of the nurses complaining that they had shut their PC down and now it was updating during startup and taking ages.

Windows Updates are a necessary part of life with Windows, Feature Updates are an added complication as they typically take 2-3 times the amount of time of normal updates if not longer. The best way to manage these updates is through group policy (GPO) as that provides various options for management. From automatic approvals, overnight restarts, and all the way to enforced restarts. If the device supports it then PC’s can ‘wake up’, update and then restart all by themselves – of course if your user left a bunch of work or open tabs, then they might not be so happy.

Over 20 years ago, NT4 was awarded a C2 security rating, as long it wasn’t plugged into a network! Users will never be happy at what they think is a restrictive system, despite the fact it’s all done for their benefit and security.  That’s why IT support providers such as ourselves are the gatekeepers and the key masters for our clients – it’s our job to walk this tightrope, ensuring the system is both usable, but secure at the same time.

Posted on: 19th January 2021.