Protect your assets

Attacks and viruses usually spread through users. The more rights the user has, the easier it is for the attacker or the virus to act.

Therefore, with every access it must be considered whether the access/rights (e.g. access to a shared folder, business software, or administrator’s rights to a computer) are actually required for work. If it has been decided that they are really needed, the rights should be granted on the basis of the principle of least privilege, i.e. an employee should be given exactly as few rights as they need for their work and no more. Often companies take the path of least resistance and rights are granted to the whole catalogue, so an employee may have access to data to which they should not have access. Even if the employee does nothing with this access, attackers can still exploit it.

Day-to-day work should be done with a standard user account, not an administrator account. There are a number of risks associated with administrator rights:

1. employees may install programs in their computer that may result in security vulnerabilities and malware;
2. the damage caused by malicious software is greater if employees have administrator rights;
3. the attackers can then more easily take control of a computer, etc.

However, if administrator rights are required, a separate administrator account with privileges should be created for that user, to be used only when necessary and not for day-to-day operations. This reduces the likelihood of a user inadvertently installing malware, and in the event of a leak of employee account details, the attacker will not immediately gain administrator rights.

When the IT department or service provider grants access rights, they should also document when, where, and to whom access was given to maintain an up-to-date overview of access permissions. This information is also helpful when an employee leaves, as it indicates which accesses need to be closed. It is important to remember that access must be revoked and rights removed for individuals who have left the company.

The use of software of all kinds is a normal part of work today. Vulnerabilities and other weaknesses are constantly being discovered in software that attackers can exploit to install malware, take control of a computer, and/or steal data. Regular software updates are therefore essential and one of the simplest activities to protect your company’s assets.

If automatic software updates are available (e.g. for computers and smart device operating systems), they should be enabled. However, if the software does not contain that feature (for example, various programs or software for network devices), you will have to do it manually (by yourself or with the help of the IT department or service provider) or use a solution that helps you do it automatically. For example, many of today’s antivirus solutions offer functionality to help you conveniently and automatically update your programs.

If the software or hardware is no longer supported or updated by the manufacturer, it should be upgraded or replaced. For example, Microsoft will no longer support computers running Windows 10 starting in 2025. In this case, it is recommended to upgrade to the latest version of the Windows operating system or consider adopting an alternative operating system. Using outdated software can impact the device’s security, compatibility, and support services, introducing various risks. For instance, new security vulnerabilities and flaws will remain unpatched, making the system more susceptible to cyber attacks. Even if no security issues have been discovered in the old software yet, it is only a matter of time before they are found and exploited. You may think about it this way: if there is a security vulnerability, there is an attacker who will be happy to exploit it. Good asset management helps to monitor, for example, the installation of updates or the need to install them.

The boundary between the public Internet and the office network is called the perimeter. The less suspicious traffic there is entering the office network, the lower the risk to employees and devices on the network. The perimeter is protected by a firewall, which acts as a mediator or gateway between the public and office network, filtering out dangerous traffic. Firewalls with more features can detect and also prevent attacks against the office network. Such firewalls are also able to limit which pages employees are permitted or prohibited to access. For example, it is possible to block known dangerous pages or other suspicious pages that may be infected with viruses. You can also check which applications the employees use to access the Internet (for example, you can disable downloading films and music from the web).

As many viruses and attacks are delivered via email, it is essential to have antivirus and antispam protection on the email server. This software filters out suspicious messages (such as spam, phishing, viruses, etc.) to prevent them from reaching employees. Most email servers include some level of spam filtering. Spam protection can also be provided as an external service in the cloud or via hosted solutions (outside the office network), or as a separate server within the office network. Advanced spam protection software includes a number of features that make the life of employees easier – spam quarantine reports, email release options, sender blocking, and more.

As attackers are constantly finding new tactics, some malware still occasionally reaches users. It is therefore important that all devices are equipped with antivirus software to protect against it. When it comes to antivirus software, it is also important to ensure that it is the latest version, that it is up to date, and that all the functionalities are turned on, because otherwise the protection is not effective.

There will inevitably be times when employees lose their devices (smartphones, tablets, laptops, etc.) or they are stolen. As the devices may contain confidential company data or other information that cannot be disclosed to third parties, you should plan ahead for what to do in that situation.

One feature that helps is the central management, which allows you to remotely lock, locate, or erase
all data from a device in case of loss. Smart devices, such as phones and tablets, are also equipped with free apps that allow you to perform the same activities and they should be used.

Encryption can also help to prevent access to data. If a computer or external hard drive is stolen or lost, no one can read the data on it without the correct password or key. Encryption makes the data unreadable, which is especially important if it contains sensitive information (e.g. financial data, personal information, or trade secrets). Modern computers already have tools to encrypt data (such as BitLocker or FileVault). There are also other encryption software options that can provide additional security. It is important to remember that encryption works well only if you use a strong password and keep it in a secure place.

In addition to software protection measures, you must also pay attention to the physical protection of devices. All devices containing important data must be protected from access by unauthorised persons. For example, a firewall does not help if a stranger can wonder freely to the office, walk to the server room, and thus access the equipment directly.

Servers, network devices, and other important devices containing data must be stored in a separate device cabinet or a dedicated server room. The door to the device cabinet or server room must be locked and the key kept in a safe place. You should also maintain a log of server room visitors – including who accessed it, when, and for what purpose – to ensure traceability and accountability.

For the server to run smoothly, it needs to be sufficiently cooled (air-conditioned server room) and connected to a UPS to protect it from power outages. Otherwise, the server may stop running on hot summer days or data may be corrupted if the power fails.

If there are unused network sockets in the office, you should not be able to access the network from these sockets (have your IT department or service provider disable the access). Otherwise, you could have a situation where a random person connects their computer to the network and can access all the devices in the office. The next step would be to configure the computers and servers to be on separate networks, i.e. if someone can access the computer network, they cannot immediately access the servers as well. Separate Wi-Fi networks should be set up for employees and guests to prevent strangers accessing the company’s internal network.

It is equally important to teach employees to lock their computers when leaving their workstation, avoid leaving devices unattended in public places, and prevent unauthorised access.