Archive for November, 2009

The Social Web at Work

Monday, November 30th, 2009

Most people probably wouldn’t admit to using Facebook at work. Some organisations try to ban or block the website, fearing that employees will only waste time on it when they should be working. However, some companies take the opposite approach – setting up a brand presence on the social networking site and encouraging employees to connect and communicate with them on the website.

Whichever approach your company takes, one thing is clear – most people check their profile from work. We’ve just released figures that show Facebook is the primary destination for outgoing web traffic from corporate networks, accounting for almost six per cent of all web traffic from business networks. When you consider that the second most popular website to visit from work is Google (at just over four per cent), you start to realise just how integral social networking has become to people’s lives. (We published a guide on the secure use of Facebook as part of our securing social media series, which can be downloaded for free from the Network Box site.)

We’ve also found that visiting YouTube, downloading and viewing the videos, accounts for eight per cent of all corporate bandwidth. Windows Updates takes up 3.8 per cent – an indication of just how often the operating system needs to be patched.

To get the figures, we analysed traffic to more than 19 billion URLs through our global network security operations centres, over a five-month period. Further details can be found over at the Network Box site.

The importance of patching and updating

Thursday, November 19th, 2009

The fourth guide in our ‘Forgotten Security’ series is published today. Forgotten Security: Keeping up to date is targeted at IT teams, encouraging them to take another look at their procedures and ensure that they cover both software and equipment.

A fully updated system is protected against the latest threats. For example, we’ve seen hospitals falling victim to the Conficker attack months after the patches were released. If the systems had been updated as soon as the patches were available they would have been immune to infection.

It’s not just software we need to keep updated. Failure to update equipment such as routers could result in organisations’ websites falling victim to denial of service attacks which could impact reputation and sales.

The guide, which is published today and available for free download from our website or as a PDF (http://www.network-box.co.uk/sites/default/files/NBWP_forgotten_security_4_up_to-date.pdf), advocates a considered approach to installing updates. Before installing, it’s important to ask whether the update is actually needed, as installing the wrong patch can crash an entire system.

To help clarify the situation, the guide provides a checklist for IT teams to use before initialising the update process. For example, is the patch provided by the system vendor? Is the patch compatible with the company’s system?

Having fully updated and patched software and equipment is a vitally important element of a company’s IT security, but is often overlooked. Businesses need to make system security the primary concern when they purchase a system, service or device. They need to ask essential questions such as:

•    How easy is the system to update?
•    What does the vendor do to make you aware of any issues?
•    Where can solutions be downloaded and installed?
•    How can patches be tested?
•    Can you roll back the system to its pre-update status?

All of the ‘Forgotten Security’ guides are available for free download from the Network Box website.

Securing Remote Workers

Thursday, November 19th, 2009

We’ve just released a free guide for businesses on securing remote workers.

Remote working, or working from home, is becoming increasingly popular as companies seek the economic benefits of moving some of their team out of the office, or having employees that are able to log on at home. But businesses could be exposing themselves to more risk by using remote workers if the process is not properly thought through and monitored.

Employees that work from home, even on an occasional basis, may do so from their personal computer, rather than a company-provided system. The family computer is highly unlikely to match the level of security found on the office systems. Company data can be easily stored on the machine, and will stay there unless the employee knows how to purge the data from the system. Other members of the household are likely to use the PC for their own purposes, such as file-sharing and gaming, which may break company guidelines and bring additional risk of infection.

In the guide, published last week, we advise businesses to carry out the following in order to minimise the risk involved in remote working:

1.    Provide the remote worker with a company computer, making this the only way that the worker can connect to the company network.
2.    Ensure that the approved computer is updated with the latest patches, anti-virus software and endpoint security.
3.    If the employee does connect from a home computer, put policies in place to keep this computer updated with security software (maybe issue an endpoint security license to the user). Limit access to company files and the network, to minimise the threat of a breach.
4.    Keep full control over what’s installed on the approved computer, and how it is configured. Do not allow unauthorised software or applications to be used.
5.    Only allow internet access via the VPN so that company policy on internet access can be enforced at the company’s gateway.
6.    Have strict guidelines in place to prevent others using the company computer (for example children of employees). Educate employees on the risks and consequences of breaching security policy.
7.    Ensure that password protection is strong. For more information on passwords, see Network Box’s guide to password security.
8.    Encrypt data, particularly for workers ‘on the road’ with laptops that may be stolen.
9.    Limit risk by avoiding highly confidential data being transferred to the remote computer altogether, by using technology such as thin client (Terminal Services over VPN or third parties like Citrix), which processes data on the server without that data leaving the server.

Remote working may be a good economic move in times such as these, but failure to produce and enforce procedures designed to control the risk involved in remote working undermines all of the stringent security measures the business has implemented internally and ultimately risks breaching the security of the entire network.

Patch Tuesday includes Office for Macs

Thursday, November 12th, 2009

Microsoft’s patch Tuesday this week included two security bulletins for Microsoft Office. Critically, these affect Office running on Apple Macs.

Mac users are not as used to worrying about their security as Microsoft users; they have traditionally thought themselves to be immune from threats. Of course, this is not the case – Macs have had vulnerabilities through the years but only a few have been exploited – but the popular myth means that Mac users are less likely to concern themselves with their protection, and are less likely to have their Office auto-update switched on.

So, if you’re a Mac user, and you use Office software, update it. For more details, see our Patch Tuesday information here http://www.network-box.co.uk/aboutus/news/microsoft-november-patch-tuesday.