How do you ensure new devices are secure from cyber attacks?
Nearly half of businesses (45%) say that staff in their organisation regularly use their own devices at work. But with most employers still handing over a new laptop or mobile phone to new employees, employers must keep these devices secure from cyber attacks.
The most common threat to businesses remains phishing attacks - 59% of businesses said they had experienced a phishing attack in the last 12 months, according to the 2023 Cyber Security Breaches Survey. Any device you hand over must have some key security barriers in place.
But what barriers, software & hardware should an employer ensure is in place before handing over a new device to an employee?
To help, we have created a Cyber Security: New Device Checklist for Employers; this checklist will help your business improve its resilience to cybercrime and ensure your employees stay secure working in the office or remotely.
Cyber Security: New Device Checklist for Employers
You must ensure the basics are covered with new/current employees who receive a new mobile phone, laptop or tablet. When sharing guidance on new devices, remember to consider where the device is being used and if your employees are aware of the dangers of cyber security.
Cyber Security Guidance specific to Laptops/Desktop Computers
Asset management - Ensure you've recorded the following:
Device make, model, serial number
Who is it assigned to, when was it given to them, and if applicable, when should it be returned
Does the device need to be installed onto your works network?
Ensure firewalls and anti-virus software are enabled
Where possible, built-in firewalls on devices should be configured to use the strictest settings possible - without interrupting the usage of the device
Ensure relevant updates for the operating system and applications are installed. It's recommended that automatic updates are enabled
Make sure that physical and digital files are encrypted and that a daily or weekly file backup is in place
Restrict the use and downloading of applications which aren't specific to their job role - installing applications should only be carried out by an Administrator
Ensure the user profiles are setup with the correct permission levels
Review plugin device settings to ensure they are secure
Cyber Security Guidance specific to Mobile Devices (Phones & Tablets)
Ensure that all accounts have Two-Factor Authentication (2FA) enabled and that staff are using strong passwords - ideally, 2FA will be implemented through an Authenticator Application such as Google Authenticator or equivalent
Promote the use of a password manager to keep them secure and encrypted - password managers also offer the ability to generate strong, unique passwords for each of your accounts
Ensure employees are making use of strong passcodes and Face ID
Ensure application updates are set as 'Auto-update.'
Review all applications - if you want to restrict what employees can download, this should be covered in your company's Device/Security Policy.
Review the location settings - set up 'Find my iPhone.'
Top tips for devices used in the office
Offline/Cloud backups - ensure that devices are backed up regularly, daily or weekly. This can be done to a cloud provider or manually using a storage device
Security Policies - Ensure your staff review your company's security policies. This may include a general Cyber Security Policy, Working from Home Policy, Acceptable Usage Policy, Updates Policy & Password Policy
Top tips for devices being used remotely or for staff working from home
VPN - ensure a paid VPN is in use when working remotely. This will keep your IP Address secure and data safe and encrypted should you be required to connect to public Wi-Fi
Wi-Fi security - when the use of public Wi-Fi cannot be avoided, follow these tips:
Always ensure that you use a unique email address AND password if you are required to sign up for public Wi-Fi
Review the web address (URL) of any website you visit/use, ensuring that it is legitimate and where you expect to be
Review and ensure each website you visit uses HTTPS by checking for the padlock icon on the left-hand side of the web address (URL)
Screen Protector / Webcam Cover / Cases
If you work remotely in public places, implement a screen protector with a privacy filter. This will protect you from shoulder-surfing and potentially leaking sensitive information.
Security Awareness Training provides simple and practical knowledge for your staff to understand the risks of working online and provides the confidence to challenge something that doesn't look right.
Cyber attacks continue to evolve and use more sophisticated attack techniques designed to fool employees. Training your staff will reduce the risk that your business will face data loss, financial fraud, operating time lost or negative PR.
Cyber Security: New Device Checklist for Employees
You've been given a new mobile phone, laptop or tablet at work, but what should you do to ensure that device is cyber secure?
Review your employer's security policies - this may include Cyber Security Policy, Working from Home Policy, Acceptable Usage Policy, Updates Policy & Password Policy.
Ensure you are using Face ID and Passcodes, which give your accounts an extra layer of security.
If your organisation uses a Password Manager, make this part of your routine with any new accounts or profiles you create. Many password managers will allow you to save passwords across devices to make life easier.
Don't forget to enable two-factor authentication on all your accounts
Do not use unapproved external devices
USB / Hard Drives - USB/external hard drives should be limited to employer-issued devices. These should always have encryption enabled and have been scanned for viruses/malware before use/deployment.
Mouse / Keyboards - These devices should be provided to you by your employer and confirmed to be safe to use with your device.
Don't forget your Software/Application Updates and Backups!
Setting up 'automatic updates' eliminates the need to manually check for and install updates. You don't have to remember to manually update your software every time a new patch is released - these often will include security updates.
Backups - Backups should be done via a cloud solution for ease of use. These should be conducted daily or weekly as per business needs and linked to your work email address/account.
Only use approved software or applications - only install software/applications from the official source for your device.
Mobile devices should come preinstalled with required work applications and then have restrictions implemented to prevent any further installations.
Laptops/Desktops should have appropriate permissions placed on the account so that software installation requires Administrator approval.
Don't use personal accounts.
Social Media applications on work devices should be restricted to only those used by the company. Furthermore, the only accounts used to access these applications should be approved work accounts.
Don't use your work email for personal accounts.
Utilising work email accounts for personal accounts exposes your employer to another route for attackers. Your personal lives will then be linked to your work account, offering valuable information for someone to target that individual or your business.
If your accounts are hacked, your data could be sold on the dark web - where other criminals may take advantage of social engineering techniques to perform further attacks on you and your employer.
A data breach could result in the termination of your employment due to breaching your contract.
Worried about Data Exposure?
Searching your email address will enable you to review if any associated accounts have been included in a data breach. If so, it is recommended to change the password for that account immediately (setting a new strong, unique password) and enable 2FA if not already enabled.
You can use the "Notify Me" option to receive alerts from HaveIBeenPwned when your email address is included in a new data breach - meaning you do not have to check each time manually.
Don't save financial details - do not use the Notes app to store work credit card details or bank information.
If you use the Notes app on a device to store Personal Identifiable Information (PII), move it and keep it inside your password manager ASAP so it is encrypted and safe.
Public Wi-Fi risks
Always be wary of connecting to public Wi-Fi that does not require you to sign in using a username/password.
If you need to sign in to public Wi-Fi, use a unique email address AND a unique password.
Remote working with work devices
VPN - when working remotely, it is best practice to use a VPN when connected to public Wi-Fi as it will hide your IP Address and ensure that your data is encrypted and safe
Has your business recently bought new devices, but you're unsure if they're secure? Do you want to secure your network after buying new laptop devices?
Contact us today to discuss any cybersecurity questions relating to device security, and you can learn more about our Network & Website Vulnerability Assessment(s). We can ensure your company is not open to cyber-attacks and start building your cyber resilience today.