Protecting Financial Data
COVID-19 has forced many organisations to work differently, and as a result, there may be an increased risk to your financial data. Sentaris, in partnership with Hamilton Morello, has brought together some of the key recommendations to help you mitigate some of those risks. This first instalment focuses on general security practices, with the second instalment focusing on specific key business practices to follow.
General Cyber Security Recommendations
Keep it patched. Every device connected to your network, and in the cloud, should always have the latest patches applied. This means ensuring updates are installed on the operating system (such as Windows), as well as all applications installed on the device. This process should be performed regularly and is one of the best ways to protect yourself from many online threats.
Use more than just a password. You may have heard or read about 2FA (two-factor authentication) or MFA (multi-factor authentication). Think of the two factors as something that you know (like a password) and something you have (like a mobile phone, or a keyring with random numbers). This way, if for any reason your password is disclosed, cyber criminals still cannot gain access unless they also have your phone, keyring, fob, etc. This protection provides significant security over and above passwords and goes a long way to limiting the likelihood of account compromise and fraud.
Avoid untrusted networks. When accessing services containing sensitive information such as your email, accounting service, CRM etc., ensure you are only using trusted networks. It is easy to capture your passwords and other information on a network, so it is critical to ensure you never use public Wi-Fi (regardless of whether it is encrypted or not). As a rule of thumb: consider your home, work and tethering to your phone as more trusted. If you have no choice but to use another network, ensure that you always connect to a VPN first.
Turn on encryption at rest. Windows Pro has a feature called BitLocker which encrypts your hard drive. Why is that important? If you lose your device, somebody could simply remove the hard drive from your laptop and gain direct access to all your files without needing your passwords.
Antivirus isn’t perfect, but it is mandatory. Antivirus has come a long way and will catch a lot of malicious software, but it’s not perfect. While you should never use a system without it, you shouldn’t assume you are 100% protected.
Send links not files. Limit the duplication of financial data by storing information in a central location and only sharing the link to the file location rather than the file itself. Office 365 and Google make this process simple. Limiting data this way can avoid accidental leakage if a device is lost, stolen or compromised as additional access is required to obtain the file.
Encrypt sensitive files in transit. Ensure all email attachments containing sensitive data are encrypted/password protected with the password sent to the recipient using SMS.
Not everyone needs to see everything. Unfortunately, the natural evolution of a growing business often results in poorly configured permissions on file shares and online services, where people can have too much access. Even though you may trust everyone in your company because they all feel like family, excess access means attackers have more targets and opportunities to exfiltrate your critical information or make fraudulent transactions. Instead, work on the principle of least privilege and only permit access based on a person's job role. It is often easier to do this by job role, such as Management, Accounts, Marketing, Analyst etc. Assign access to data based on these groups instead of individuals, then allocate users to those groups. This makes access management more streamlined and less prone to error when people join, leave or change roles.
Stop trying to remember your passwords or writing them down! Instead, let a password manager auto-generate and store them for you. Password managers such as LastPass will generate random passwords for your sites, which makes them a lot more secure than the “Betty12!” that you use on all your websites because it is too hard to remember OSDIFWh78@. Make sure you never use the same password twice between different applications and services. There are business versions of many password management services that provide holistic management for all employees.
Be suspicious of every email. It’s not nice feeling as though you cannot trust anyone, but unfortunately, bad guys can pretend to be anyone over email, including your boss or friend. So be very careful clicking on a link or opening an attachment. If it asks you for your password, or it seems suspicious in any way, don’t trust it, and call the sender to confirm they actually sent it before you open it.
Report and Review. Ensure that every month there is a reporting and review cycle to catch anomalies such as changes in employee, customer or supplier information, unusual transactions, failed logins to systems etc. This should include a regular review of credit card and other bank statements to ensure small unauthorised transactions are not slipping through unnoticed.
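As an added illustration of the monthly review cycle described above (this is example code, not part of the original article), the following Python script flags the three anomaly types the advice lists: a supplier's bank details changing shortly before a payment to that supplier, unusually large payments, and repeated failed logins. The record layouts, thresholds and all sample data are assumptions constructed for the example.

```python
"""Monthly review helper that flags the anomaly types named in the advice.
Added example: record layouts, thresholds and data are constructed assumptions."""
from collections import Counter
from datetime import date

# Constructed sample records (not real business data).
SUPPLIER_CHANGES = [  # (date of change, supplier, field that changed)
    (date(2020, 5, 3), "Acme Pty Ltd", "bank_account"),
    (date(2020, 5, 20), "Brown Supplies", "phone"),
]
PAYMENTS = [  # (payment date, payee, amount)
    (date(2020, 5, 5), "Acme Pty Ltd", 48000.00),
    (date(2020, 5, 12), "Brown Supplies", 1200.00),
    (date(2020, 5, 28), "Brown Supplies", 9500.00),
]
AUTH_LOG = [  # (date, account, outcome) as a system might export it
    (date(2020, 5, 9), "accounts", "FAIL"),
    (date(2020, 5, 9), "accounts", "FAIL"),
    (date(2020, 5, 9), "accounts", "FAIL"),
    (date(2020, 5, 9), "accounts", "FAIL"),
    (date(2020, 5, 10), "manager", "FAIL"),
    (date(2020, 5, 10), "manager", "OK"),
]


def review(changes, payments, auth_log, window_days=14, large=25000.0, fail_limit=3):
    """Return human-readable findings for the reviewer to follow up."""
    findings = []
    # 1. Payment shortly after the payee's bank details changed: the pattern
    #    behind invoice-redirection fraud, so confirm the change by phone.
    for chg_date, supplier, field in changes:
        if field != "bank_account":
            continue
        for pay_date, payee, amount in payments:
            if payee == supplier and 0 <= (pay_date - chg_date).days <= window_days:
                findings.append(f"bank details of {supplier} changed {chg_date}, "
                                f"paid ${amount:,.2f} on {pay_date}")
    # 2. Unusually large transactions against an agreed threshold.
    for pay_date, payee, amount in payments:
        if amount >= large:
            findings.append(f"large payment ${amount:,.2f} to {payee} on {pay_date}")
    # 3. Accounts with repeated failed logins (possible password guessing).
    fails = Counter(user for _, user, outcome in auth_log if outcome == "FAIL")
    for user, count in fails.items():
        if count >= fail_limit:
            findings.append(f"{count} failed logins for account {user}")
    return findings
```

Running `review(SUPPLIER_CHANGES, PAYMENTS, AUTH_LOG)` on the constructed data produces three findings: the Acme bank-detail change followed by a payment, the same payment as a large transaction, and the four failed logins on the accounts user.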
Who are we?
Hamilton Morello has a proud history of working closely with small to medium businesses and individuals. We take the time to understand our clients’ circumstances to ensure your financial growth and peace of mind.
Our skilled accountants and financial planners have the knowledge to give you the right advice at the right time. With our diverse and specialised team, we offer a holistic approach to managing your finances.
Sentaris offers specialist cyber security services with a strong focus on both assurance and response. Our extensive business and specialised IT experience allows us to understand your business requirements and provide individually tailored security solutions across a broad spectrum of technologies.
We pride ourselves on our ability to nurture a collaborative relationship with both technical and non-technical staff, and work alongside you to provide optimal risk-based and cost-effective outcomes for your business.