The Ultimate IT Security Checklist January 2021

In the U.S., 3 out of 4 jobs require employees to work on a computer. Technology is vital to our economy and especially vital to the work that you do, which is why you are reading this resource guide. Computers are one of the most valuable tools in your business, and consequently, the most vulnerable to attack. Does that sound a little unnerving? While the threat of attack on your computers is real, rest assured that with the right safety procedures in place, protecting your business’ technology is possible.

There’s no silver bullet or magic potion when it comes to IT security. However, with a combination of products and services, you can protect yourself in a layered approach much like you protect your home. At home, you lock the doors, shut the windows, and set the alarm when you leave. You have smoke and carbon monoxide detectors installed to alert you of possible dangers and also insurance coverage in case of unforeseen disasters. Sure, threats still exist but each precaution you take helps you to quickly detect, eliminate, and fix any attack that gets past your first line of defense. This Ultimate IT Security Checklist is designed to help guide you into building and implementing a full security plan for your business’ technology, making sure you’re covered from every angle.

7 Checks to Ensure IT Security

  1. Secure Your Networks – Just a few precautions can help protect you from unauthorized access, snooping, and more
  2. Secure Emails – Avoid risks like loss of data through one of the most popular forms of communication
  3. Secure Workstations – Learn about preventative measures and proper workstation security
  4. Introduce & Enforce Password Policy – Passwords are the keys to the information you want protected, so let’s make sure they are secure!
  5. Perform Systems Hardening – Using the principle of least privilege, only allow what is necessary for business and remove what is not
  6. Implement Staff Training – Train employees how to recognize malicious e-mails and what to do when encountered
  7. Disaster Recovery – Create a backup routine, define what to back up and how frequently. Test your backups!

1. Secure Your Networks

Devices connected to the Internet could be used by hackers to collect your personal information, steal identities, compromise financial data, and silently listen to or watch users. Taking a few precautions can help protect you from unwanted things, such as piggybacking, wardriving, wireless sniffing, and unauthorized computer access. Here are some simple ways to ensure your networks are secure:

Create Secure Passwords

Most network devices, including wireless access points, come with default administrator passwords to simplify set-up. These default passwords are easily found online, making their protection marginal. Therefore, changing default passwords makes it harder for attackers to access a device. As your first line of defense, use a complex password and change it periodically. (For more information on secure passwords, see step four.)

Restrict Access

Only allow authorized users to access your network. Grant access to guests on segmented wireless networks with a different password. Creating this separate wireless network will help you maintain the privacy of your authorized users.

Encrypt the Data on Your Network

Encrypting your wireless authentication mechanisms prevents unauthorized access to your network. There are several encryption protocols available: Wi-Fi Protected Access (WPA), WPA2, and WPA3.

Protect Your Service Set Identifier (SSID)

To prevent outsiders from easily accessing your network, change your SSID to something unique. Leaving it as the manufacturer’s default creates the potential for an attacker to identify the type of router you’re using and exploit any known vulnerabilities.

Install a Firewall

Install a firewall for your network, as well as directly on endpoint devices. If attackers are able to directly tap into your network, they have already circumvented your network firewall—a host-based firewall will help add a layer of protection to the data on your computer.

Use File Sharing with Caution

Disable file sharing between devices when it’s not needed. Never allow file sharing over public networks. You can create a dedicated directory for file sharing and restrict access to all others. Again, as always, you should password protect anything you share and never open an entire hard drive for file sharing.

Connect Using a Virtual Private Network (VPN)

VPNs allow employees to connect securely to their network when they’re away from the office. VPNs provide end-to-end encryption and keep out traffic that is not authorized. Any time you need to use a public wireless access point, use your VPN.

2. Secure Emails

Because email is such a popular way to communicate, it is one of your most vulnerable areas for attack. It is critical to take measures to secure your email accounts. By educating your employees on email security and enforcing protective measures, you can avoid many of the risks that come with email usage, like sensitive data loss and malware infections. There are multiple ways to secure email accounts, and for businesses, it’s a two-pronged approach encompassing employee education and comprehensive security protocols. Here are some best practices for email security:

Email Encryption

Use email encryption to protect both email content and attachments.

BYOD Best Practices

Implement security best practices for BYOD (Bring Your Own Device) if your company allows employees to access corporate email on personal devices.

Be Cautious About Attachments

Never open attachments or click on links in email messages from unknown senders.

Frequently Update Passwords

Change passwords often and use best practices for creating strong passwords. Never share passwords with anyone, including co-workers.

Use Spam Filters and Antivirus Software

Spam and antivirus filters have multiple mechanisms to detect spam and malware, because spammers and hackers use a variety of techniques to send malicious emails. No single tool or process can eliminate all threats, so filtering solutions have a multilayered approach to filtering.

Use VPN Software to Access Corporate Email

If accessing emails away from the office, use a VPN to connect securely and encrypt your connection.

3. Secure Workstations

Hopefully you’ve never experienced the total frustration of dealing with a system infested with malware. It may take hours to detect and remove all of the malware-affected files on a system. Because of this, many IT people prefer a “clean install,” which erases the drive and replaces everything on it. But with a clean install, you’ll lose any information not saved elsewhere. It is much easier to prevent this situation with proper workstation security. The following practices can help prevent problems and increase the security of your workstation:

Use an Active Security Suite

A security suite works to protect your system from viruses, malware, spyware, and network attacks. A product that provides just antivirus isn’t enough, because not all malicious programs are viruses. Some programs present themselves as useful but are actually spyware. For example, a program that offers to alert you of discounts and deals but also monitors everything you do online. Your security suite should detect malicious activity and disable it. You should make sure that your security software is running and active. If it isn’t, turn it on and immediately run a full system scan.

Update Your Software

Keep your operating system, security suite, and programs up-to-date. Microsoft releases patches on the second Tuesday of each month. If you update your own system, set a calendar reminder to check for updates. Applications, especially programs that connect to the Internet, also offer a way for attackers to access your system. For example, the makers of Java and Flash issue frequent updates to patch problems identified with those applications. If you use an application, keep it up-to-date. If you don’t use an application, uninstall it.

Never Leave Your System Logged In and Unattended

Never. Not in your office at work, your desk at home, or your favorite local coffee shop. When you walk out of eyesight of your device, lock it and/or log out. Configure your system to automatically lock and log out after a few minutes, if not in use.

Full Disk Encryption

Disk encryption is a technology that protects information by converting it into unreadable code, which cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume.

4. Introduce and Enforce Password Policy

If we haven’t made it clear yet, passwords are a big deal. Passwords are the keys to the information you want protected, so let’s make sure they are secure! Here are some practices and policies you can implement for you and your entire business to help keep your passwords as safe as possible:

Use a Phrase

  • Around 12 characters long
  • Something simple to remember but not predictable
  • Can integrate things you like or do to make it more memorable
  • For example: Somewhere over the rainbow

Keep Each Account Unique

  • Never use the same password more than once
  • For example: All You Need is Love

Play with Spellings

  • Use homonyms – Example: “Two” instead of “To” or “Ant” instead of “Aunt”

Random Capitalizations and Numbers

  • Use numbers and capitalizations but keep it memorable. If you go overboard, your password will be impossible to remember
  • Idea: Can use a capital letter on the second word of every password
  • Idea: Can use the same number behind the first word of every password

Set Up Multi-Factor Authentication or 2 Factor Authentication

Multi-Factor Authentication (MFA) or 2 Factor Authentication (2FA) is a security enhancement that has you present two pieces of evidence, your credentials, when logging into an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). MFA helps protect you by adding an additional layer of security, making it harder for bad guys to log in as if they were you because they would need to steal both your password and your phone. You would definitely notice if your phone went missing, so you’d report it before a thief could use it to log in. Plus, your phone should be locked, requiring a PIN or fingerprint to unlock, rendering it even less useful if someone wants to use your MFA credentials.

5. Perform Systems Hardening

Systems hardening is a collection of tools, techniques, and best practices to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas. The goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface.

Audit Your Existing Systems

Carry out a comprehensive audit of your existing technology. Use penetration testing, vulnerability scanning, configuration management, and other security auditing tools to find flaws in the system and prioritize fixes. Conduct systems hardening assessments against resources using industry standards from NIST, Microsoft, CIS, and DISA.

Eliminate Unnecessary Accounts and Privileges

Enforce least privilege by removing unnecessary accounts (such as orphaned and unused accounts) and privileges throughout your IT infrastructure.
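An account review of this kind can be scripted. The following is an added example, not part of the original checklist: the account inventory, the staff roster, the function name `audit_accounts`, and the 90-day idle threshold are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample inventory (hypothetical export; not from any real directory).
ACCOUNTS = [
    {"user": "alice", "owner": "alice", "last_login": date(2021, 1, 4), "admin": False},
    {"user": "bob", "owner": "bob", "last_login": date(2020, 6, 1), "admin": True},
    {"user": "svc_backup", "owner": "carol", "last_login": date(2021, 1, 10), "admin": True},
    {"user": "temp_intern", "owner": "dave", "last_login": None, "admin": False},
]
ACTIVE_STAFF = {"alice", "bob"}  # constructed roster; carol and dave have left


def audit_accounts(accounts, active_staff, today, max_idle_days=90):
    """Return (user, reasons) for every account that needs review."""
    findings = []
    for acct in accounts:
        reasons = []
        # Orphaned: the person responsible for the account is no longer on staff.
        if acct["owner"] not in active_staff:
            reasons.append("orphaned")
        # Unused: never logged in, or idle longer than the assumed threshold.
        last = acct["last_login"]
        if last is None or (today - last).days > max_idle_days:
            reasons.append("unused")
        # Flag elevated rights only on accounts that are already suspect.
        if reasons and acct["admin"]:
            reasons.append("privileged")
        if reasons:
            findings.append((acct["user"], reasons))
    # Privileged findings carry the most risk, so list them first (stable sort).
    findings.sort(key=lambda f: "privileged" not in f[1])
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts(ACCOUNTS, ACTIVE_STAFF, date(2021, 1, 15)):
        print(f"{user}: {', '.join(reasons)}")
```

Accounts it reports are candidates for disabling or for having their privileges reduced after confirming with the business owner.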

Network Hardening

Ensure your firewall is properly configured and that all rules are regularly audited; secure remote access points and users; block any unused or unneeded open network ports; disable and remove unnecessary protocols and services; implement access lists; encrypt network traffic.

Server Hardening

Put all servers in a secure datacenter; never test hardening on production servers; always harden servers before connecting them to the Internet or external networks; avoid installing unnecessary software on a server; segregate servers appropriately; ensure superuser and administrative shares are properly set up and that rights and access are limited and in line with the principle of least privilege.

Application Hardening

Remove any components or functions you do not need; restrict access to applications based on user roles and context (such as with application control); remove all sample files and default passwords. Application passwords should then be managed via a privileged password management solution that enforces password best practices (password rotation, length, etc.). Hardening of applications should also entail inspecting integrations with other applications and systems and removing or reducing those that are unnecessary.

Database Hardening

Create Admin restrictions, such as controlling privileged access on what users can do in a database; turn on node checking to verify applications and users; encrypt database information—both in transit and at rest; enforce secure passwords; introduce role-based access control (RBAC) privileges; remove unused accounts.

Operating Systems Hardening

Apply OS updates, service packs, and patches automatically; remove unnecessary drivers, file sharing, libraries, software, services, and functionality; encrypt local storage; tighten registry and other systems permissions; log all activity, errors, and warnings; implement privileged user controls.

6. Implement Staff Training

The simplest, and probably most important, way to be successful with each layer of your security is making sure your entire team has the correct tools in their hands. Spending time educating employees on what to do and not to do will save you more time (and headaches) in the long run. The world of technology is always evolving and changing, so education will likely be ongoing, but here are some simple things every single team member should know:

How to Recognize Malicious Emails and Websites

Email and Internet use are vulnerable areas for attack. Educating your employees on how to identify malicious emails and websites is the easiest first line of defense. Provide them with a copy of this checklist so they are on the same page about the policies being implemented. IT Security is a team effort.

Utilize Pop-Up Blockers

Pop-up ads are not only annoying, they often contain malicious code like spyware or computer viruses. Requiring your employees to use blockers adds another layer of defense.

Follow Password Policies and Best Practices

As we covered earlier, strong passwords are instrumental in keeping things secure. Set up password policies for every person on your team. Require passwords to be changed often and share with them the tips and best practices we listed earlier in this checklist.

7. Disaster Recovery

A backup is a copy of data that can be recovered in the event of a primary data failure. Primary data failures can happen because of hardware or software failure, data corruption, a malicious attack (virus or malware), or by accidental deletion of data. Backup copies allow data to be restored from an earlier point in time to help the business recover from an unplanned event.

Multi-Location: Local, Physical, & Cloud

Storing a copy of your data in multiple locations is critical to protect against primary data loss or corruption. Create a local, physical, and cloud backup to cover all of your bases.

Frequency

For best results, backup copies are made on a consistent, regular basis to minimize the amount of data lost between backups. The more time that passes between backup copies, the more potential for data loss when recovering from a backup. Retaining multiple copies of data provides the insurance and flexibility to restore to a point in time not affected by data corruption or malicious attacks.

Testing Frequency

Regularly test your backups to ensure they are working properly. Depending on the importance of your data, you may want to do a test daily, weekly, or monthly.

Conclusion

We understand that maintaining your business’ IT and cybersecurity can be complex and stressful, but it doesn’t have to be. Start with this checklist as a guide. If you still find that the stress is keeping you from the work that matters most, like growing your business, we’re here to help. At SimplicIT Technical Solutions, we manage your IT frustrations for you, so you can manage your business.