Keeping your information safe from online threats can be complex, with new threats and new solutions emerging all the time. For many organisations, working with a good IT support provider is one of the best ways to make sure your computers and website are safe.
These five key areas cover points where your organisation's IT may be at risk from online threats.
1) Staff awareness of online security
An ‘acceptable use of information technology’ policy, developed in consultation with staff, can do more to keep your workplace computers safe than any piece of software. Your acceptable use policy should guide staff and volunteers to use the internet and other communications technologies appropriately and cover topics such as which uses of email and the internet are acceptable, how to handle sensitive data, keeping equipment secure, how to use the internet safely and what to do if working off-site. You should run through it with new staff and train them in safe use of technology. There’s more on training staff on the Australian Government site, Stay Smart Online.
You can also download and adapt Infoxchange's acceptable use policy to suit your organisation's needs.
2) Desktop and device security
Having regularly updated anti-virus and anti-spyware software is a simple and reliable way of keeping your computer secure. This software will check incoming data for viruses, scan your computer for existing viruses, and make sure no one is installing data-collecting software on your computer without you knowing. Choose a reputable program and set it to auto-update, and most of your security work is done for you.
When you’re using mobile devices – phones, tablets or laptops – to do your work you need to make sure they’re kept safe. If you’re keeping work data on your device or have a device which connects to office files, losing that device means unauthorised people can access your organisation's information. Password protect all mobile devices to make it harder for others to use them if they’re lost or stolen. Don’t leave devices unattended in your car or out in public. If you’re storing data on the device (or if you’re using portable data storage such as USB drives or removable hard drives), get advice from an expert on how to encrypt that data.
If you use your home computer for work, talk to your IT person about how to make it secure. You may need to install additional software to make sure that it complies with your workplace’s IT policies.
3) Email security
Because of its heavy use, email can unfortunately be a security risk. Staff may unintentionally install harmful programs by opening links to dodgy websites or opening infected attachments. This may lead to the loss of data, or external parties having access to private information. Email scammers put a great deal of effort into creating believable, hard-to-ignore messages, so you really do have to be on your guard every time you get a message from someone you don’t know (and sometimes when you get a message from someone you do know – if someone has hacked a friend’s email account, that account may be sending you suspicious messages without your friend knowing).
There are a few simple rules for safely opening email:
- Be cautious of any email that asks you for passwords, login information or personal details (especially banking details!)
- Check that the email address that it's being sent from is legitimate
- Only open attachments or click on links from people you know
- If you're unsure, ask for help
- Know who your IT support person is in case of an emergency
- Stay up-to-date with online scams by checking ACMA’s Spam site
Email isn’t a good way to send sensitive information, and in the case of some information – for example when you’re dealing with clients’ health data – you’re required to use a secure messaging system instead.
4) Network security
Protecting your organisation's network generally needs to be done by an experienced IT professional. One of the key ways you can add an extra layer of security to your network is to use a firewall. Firewalls can act as a gatekeeper between the internet and your network or computer.
Many broadband routers will have a firewall built in, with basic settings available to get started quickly. Individual computers may also have firewalls installed as separate software or as part of the operating system.
Depending on your security needs, you may want to purchase more robust firewalls or be more stringent in the settings available to you in any existing firewalls you may already have.
5) Working safely with online applications, websites and the Cloud
If you are using internet and Cloud-based applications, including a website, hosted email, databases or collaborative documents, you should also check if those are being kept properly secure. Contact your application provider and find out:
- whether they have a backup plan, whether you’ll still be able to get your data if their site goes down, and whether they can recover your data if it’s lost
- what your responsibilities are for keeping data secure
- whether they regularly update their software and servers to protect from threats as they emerge
- whether there are additional tools or add-ons you should be using to enhance your data security
- how they dispose of data if you stop using their service.
If your organisation has a website, talk to your internet service provider or the practice hosting the site about what they do to make sure it is secure and isn’t being used to pass on viruses or other malware to people who visit it.
Taking the next step with security: professional help
Security is one area where professional help can really add value. You should either have external IT support, or an internal IT support team or person with IT skills, up-to-date knowledge and a passion for maintaining your IT. If your support is external, someone within the organisation should have responsibility for making sure the business takes security seriously (uses passwords, does backups and so on).
Talk to your IT support service about security and ask them:
- do we have security software, including a firewall, anti-virus and anti-spyware? How often should it be updated and whose responsibility is it to do that?
- can you help us develop an acceptable use policy? (there is more information on this above, but you may want to get an IT expert to review your policy)
- is all our software from reputable sources and is it being regularly updated? Is it our responsibility to update software or does it happen automatically?
- are we using spam filters for our email? What can staff do to make sure we stay spam-free? (there is more on email security above)
- are you being updated about new threats to online safety and security? What responsibility should staff take for keeping updated?
If you store client data, security becomes even more important. Review the Australian Privacy Principles and New Zealand's Privacy Act to see what is required of you, and look at the Australian Government’s guide to protecting your customers for more help.