Checklist for Company Bosses and Managers

This is one of a set of 6 free security checklists.  To see the others, click the "free checklists" link above.  To use the checklist, we suggest that you print it out, consider each point in turn, then tick the box when you've dealt with it.

Remember, this isn't a quiz or a test. You don't score points for each box you tick or leave blank, and there's no league table of top scorers.

1. [ ] What: Ensure that every computer in the company has up-to-date antivirus software, is regularly scanned with anti-spyware tools, and is configured to download and install all important security patches automatically. If you don't have a company-wide firewall, you should also enable the built-in Windows firewall.
       Why: These basic security precautions will help to protect your company's systems from viruses, Trojans, and other malware that arrives via the internet.

2. [ ] What: Ensure that each employee has their own user account. Do not allow staff to share passwords with each other.
       Why: This will ensure that any abuse of your systems by staff can easily be traced. It also makes staff aware that their actions are not anonymous.

3. [ ] What: Never allow staff to use a computer account that has "administrator" privileges.
       Why: Such privileged access is unnecessary, and could allow dishonest staff to make harmful changes to their computer, such as disabling security features. In addition, if a staff member inadvertently clicks on a virus-infected web link, the virus will not be able to install itself because the staff member doesn't have sufficient privileges.

4. [ ] What: Ensure that your company and all staff comply with all relevant data protection and IT-related legislation. In the UK, this means the Data Protection Act and the Computer Misuse Act.
       Why: Failure to adhere to the law as regards things like pirated software and unauthorised use of personal information can, at best, result in bad publicity for the company. At worst it can land the directors in prison.

5. [ ] What: Take regular backup copies of all important data. Store the backups away from the computers that hold the original copies (arranging for staff to take them home will often suffice). Test the backups regularly to ensure that they can be accessed correctly and that you're backing up the right files.
       Why: Without backups of important files, a minor disaster such as a power surge, flood or burglary could (and likely will) put you out of business.

6. [ ] What: Use data encryption to protect confidential information, especially on laptops and backups.
       Why: Without data encryption, anyone who steals one of your company's laptops, or one of your backup tapes, can read all the information on it, even if the laptop or the backup is password-protected. For Windows-based laptops, search the internet for details of the Encrypting File System, which is a free encryption facility that's part of Windows. Also look at a free program called TrueCrypt.

7. [ ] What: If you have staff who work at home or in other locations away from the office, make sure you consider the IT security implications. Do you allow staff to dial into the office network? Do you allow staff to take confidential files home on their laptops?
       Why: It's important to consider the safest way to allow staff to work off-site, such as at hotels, client sites and at home. Ideally, confidential information should never be taken off site, and especially not in unencrypted form. Such files should not be allowed onto "family" PCs in employees' homes that are also used for non-business purposes, as hackers who access the machine could then access your confidential files.

8. [ ] What: Windows has lots of automatic logging facilities built in, such as internet surfing history, documents opened, and user logins. Ensure that all are enabled, and that the logs are set to a long duration. For example, configure Internet Explorer to store the web browsing history for at least 90 days.
       Why: This will help you to gather evidence if you suspect that someone has been misusing their company PC. Also, awareness of the logs will act as a useful deterrent to staff considering making unauthorised use of their company computer or looking at prohibited web sites.

9. [ ] What: Your web site is the public face of your company online. Ensure that you take steps to prevent the site being subjected to a Denial of Service attack. Also, ensure that the web site is regularly backed up, and that you keep tight control over who has the necessary passwords to amend or update the site.
       Why: Hackers often manage to deface web sites by guessing passwords or by exploiting bugs in the web server. If this happens to your company, it could prove embarrassing, especially if it takes you a while to discover that the site has been attacked.

10. [ ] What: Every company should have an Acceptable Use Policy and a Disaster Recovery Plan. The AUP tells staff what they can, and can't, use their office computer for, e.g. accessing private email, buying things on eBay during lunch time, or maintaining a blog which makes mention of where they work. The DRP is for management, and explains the procedures for recovering from a major IT disaster, such as how to retrieve the backups and load them onto spare computers in another location.
        Why: An AUP and a DRP are vital. They help with the day-to-day running of the company, and in the handling of an IT-related emergency. If you don't already have these two documents, it's important to prepare, test and maintain them as soon as possible. If you do already have them, you should revise the AUP at least once a year (and ensure that all staff sign it), and test the DRP (by discussing it among senior staff) at least once every 6 months.

11. [ ] What: Undertake a basic risk analysis at least once a year.
        Why: Risk analysis involves considering all of the computers in your organisation which hold or process information, and specifying, for each system, the risk of that system being affected by a problem (anything from power failure to a full-scale hack), and the impact that such a problem would have. You can then use this analysis to prioritise your IT security efforts and budget to ensure that they are being used in the places that matter.

12. [ ] What: If you use wireless (Wi-Fi) networking, ensure that it's set up correctly and securely.
        Why: A poorly protected Wi-Fi network could mean that your systems are accessible to any passers-by within 200 feet of your office. Most importantly, enable WPA or WPA2 encryption. For ultimate security over wireless links, use VPN technology.

13. [ ] What: Never store files on your web server unless you are prepared for them to become public information.
        Why: Search engines such as Google will find everything on your web server and make it available to searchers, even if you don't publish explicit links to it. Just try searching Google for phrases such as "company confidential" and you'll see the scale of the problem.

14. [ ] What: Dispose of old hardware safely. Wipe the hard disk of all information or, better still, remove the hard disk and physically damage it with a hammer.
        Why: By simply dumping an old computer in a skip, or selling it via a web site such as eBay, there is a real risk that information stored on the machine can fall into the wrong hands. You must always remove all programs and data from computers before disposing of them.

15. [ ] What: Implement a basic Security Awareness Training programme for all staff.
        Why: Staff are the weakest link in your security chain. No firewall or other security product will protect you from a staff member who hands out a password over the phone to a caller claiming to be a colleague, who turns out to be nothing of the sort. A basic programme of security education will help.
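Item 5 says to test backups so that you know they can be read back and that the right files are in them. The script below is an added example, not the checklist author's code, showing what such a test looks like in practice: it archives a folder, records a SHA-256 manifest, restores the archive into a scratch directory and compares every file, and separately checks that a list of must-have files was actually included. The folder names, file contents and the "damaged tape" simulation in demo() are constructed for illustration.

```python
# Added example (not the checklist author's code): back up a folder to a
# tar.gz archive with a SHA-256 manifest, then restore it to a scratch
# directory to prove it is readable and contains the files you expected.
# Folder names and file contents in demo() are constructed for illustration.
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source, archive):
    """Archive every file under `source` and return {relative path: sha256}.
    Keep the manifest somewhere other than the archive it describes."""
    source = Path(source)
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    return manifest


def _extract(tar, dest):
    try:
        # The "data" filter refuses archive entries that would land outside
        # `dest` (Python 3.12 and the patched 3.8-3.11 releases).
        tar.extractall(dest, filter="data")
    except TypeError:
        tar.extractall(dest)  # older interpreters without the filter argument


def verify_backup(archive, manifest, required):
    """Restore `archive` into a temporary directory and check every file against
    `manifest`; also check that each path in `required` was backed up at all.
    Returns a list of problems; an empty list means the backup passed."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                _extract(tar, scratch)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            # A copy that cannot be read is the worst outcome, so report it alone.
            return ["archive unreadable: %s" % exc]
        restored = Path(scratch)
        for rel, expected in manifest.items():
            target = restored / rel
            if not target.is_file():
                problems.append("missing after restore: " + rel)
            elif sha256_of(target) != expected:
                problems.append("hash mismatch after restore: " + rel)
    for rel in required:
        if rel not in manifest:
            problems.append("required file was never backed up: " + rel)
    return problems


def demo():
    """Back up a constructed folder, verify it, then show the two failure
    modes item 5 warns about: the wrong files, and a copy that cannot be read."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "accounts"
        (src / "2009").mkdir(parents=True)
        (src / "2009" / "ledger.csv").write_text("date,amount\n2009-01-05,120.00\n")
        (src / "clients.txt").write_text("constructed sample client list\n")
        archive = Path(work) / "accounts-backup.tar.gz"
        manifest = make_backup(src, archive)

        ok = verify_backup(archive, manifest, ["2009/ledger.csv", "clients.txt"])
        wrong_files = verify_backup(archive, manifest, ["payroll.csv"])

        # Simulate a damaged tape: keep only the first half of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        damaged = verify_backup(archive, manifest, [])
    return {"ok": ok, "wrong_files": wrong_files, "damaged": damaged}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "backup OK")
```

Run it on a scheduled basis against the real backup location rather than the original data, and keep the manifest with the DRP paperwork: a restore test that compares against the live copy proves nothing if the live copy has since been lost.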
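Item 11 describes rating each system by the chance of a problem and the impact it would have, then using the result to decide where to spend effort. The following is an added example of such a risk register, written for this page rather than taken from the checklist author: scenarios are scored as likelihood times impact on 1-5 scales, systems are ranked by their worst scenario, and anything at or above a threshold is pulled out as needing an owner and an action. The systems, threats and ratings are constructed for a small office.

```python
# Added example (not from the checklist): a minimal risk register of the kind
# item 11 asks for. Each system gets one or more threat scenarios rated for
# likelihood and impact on 1-5 scales; the product ranks where to spend
# effort first. The systems, scenarios and ratings below are constructed.
from collections import defaultdict

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def score(likelihood, impact):
    """Risk score = likelihood x impact, range 1..25. Unknown ratings are
    rejected rather than silently treated as zero, so a typo in the register
    cannot hide a risk."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("unknown rating: %r / %r" % (likelihood, impact))
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def prioritise(register):
    """Rank systems by their single worst scenario (ties broken by the total
    of all their scenarios). Returns [(system, worst_score, worst_threat), ...]."""
    worst = {}
    total = defaultdict(int)
    for system, threat, likelihood, impact in register:
        s = score(likelihood, impact)
        total[system] += s
        if system not in worst or s > worst[system][0]:
            worst[system] = (s, threat)
    ranked = sorted(worst, key=lambda sys: (worst[sys][0], total[sys]), reverse=True)
    return [(sys, worst[sys][0], worst[sys][1]) for sys in ranked]


def above_threshold(register, threshold=12):
    """Scenarios scoring at or above `threshold` need a named owner and a
    dated action; everything below can be accepted and reviewed next year."""
    return [(system, threat, score(likelihood, impact))
            for system, threat, likelihood, impact in register
            if score(likelihood, impact) >= threshold]


# Constructed register for a small office: (system, threat, likelihood, impact)
REGISTER = [
    ("accounts server", "power failure corrupts the database", "possible", "moderate"),
    ("accounts server", "malware arriving by email", "likely", "severe"),
    ("sales laptop", "stolen with unencrypted client files", "possible", "major"),
    ("sales laptop", "hard disk failure", "possible", "moderate"),
    ("public web site", "defaced after a guessed password", "possible", "moderate"),
    ("public web site", "denial of service", "unlikely", "moderate"),
    ("reception PC", "malware from web browsing", "likely", "minor"),
    ("reception PC", "theft", "unlikely", "minor"),
]

if __name__ == "__main__":
    for system, worst_score, threat in prioritise(REGISTER):
        print("%2d  %-16s %s" % (worst_score, system, threat))
    print("needs an owner:", above_threshold(REGISTER))
```

The threshold of 12 is an assumption for the example; the useful part is that the ranking comes out of the same two judgements for every system, so a director can see why the accounts server gets budget before the reception PC without being told what "likely" means differently each year.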
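Item 13 warns that anything placed on the web server is effectively public. Rather than waiting for a search engine to surface a stray file, the check a practitioner wants is an audit of the document root itself. The script below is an added example, not the checklist author's code: it walks a web root and reports editor and office temporary files, backup and database-dump and archive file types, and text files carrying a confidentiality marker. The suffix lists, marker phrases and the sample site built in demo() are constructed assumptions; adjust them to what your site legitimately serves.

```python
# Added example (not from the checklist): audit your own web server's
# document root for files that should never have been published there.
# The suffix lists, marker phrases and sample site are constructed
# assumptions; tune them to what your site legitimately serves.
import re
import tempfile
from pathlib import Path

RISKY_SUFFIXES = {".bak", ".old", ".orig", ".sql", ".zip", ".tar", ".gz",
                  ".xls", ".xlsx", ".doc", ".docx", ".mdb", ".csv"}
TEXT_SUFFIXES = {".txt", ".htm", ".html", ".csv", ".md"}
MARKER = re.compile(r"company confidential|internal use only|not for distribution",
                    re.IGNORECASE)


def audit_webroot(root, max_bytes=65536):
    """Return [(relative path, reason)] for every file a search engine could
    index that looks like it was never meant to be public."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        name = p.name.lower()
        if name.endswith("~") or name.startswith("~$") or name.startswith("#"):
            findings.append((rel, "editor or office temporary file"))
        elif p.suffix.lower() in RISKY_SUFFIXES:
            findings.append((rel, "backup, dump, archive or office document"))
        if p.suffix.lower() in TEXT_SUFFIXES:
            # Read only the first max_bytes so a huge log cannot stall the scan.
            with open(p, "rb") as f:
                head = f.read(max_bytes).decode("utf-8", "replace")
            m = MARKER.search(head)
            if m:
                findings.append((rel, "contains marker '%s'" % m.group(0)))
    return findings


def demo():
    """Build a constructed web root with one clean page and four mistakes,
    then audit it."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        (root / "backup").mkdir()
        (root / "index.html").write_text("<h1>Welcome to Example Ltd</h1>\n")
        (root / "index.html~").write_text("<h1>Welcome</h1>\n")          # editor leftover
        (root / "prices-draft.xls").write_bytes(b"\xd0\xcf\x11\xe0 constructed")  # spreadsheet
        (root / "backup" / "site.sql").write_text("-- constructed dump\n")  # database dump
        (root / "board-minutes.txt").write_text("COMPANY CONFIDENTIAL\nMinutes...\n")
        return audit_webroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print("%-22s %s" % (rel, reason))
```

Run it from the server against the real document root (it needs no network access and changes nothing), and treat every finding as a file to move off the web server, not as something to hide behind a missing link.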