Thomas G. Stephens, Jr., CPA.CITP, CGMA
Viruses. Malware. Ransomware. Identity theft. And the list goes on. The number of ways that the sensitive and confidential data we have been entrusted to maintain and protect comes under attack seems to increase daily. Yet that does not mean we should sit back and take a passive, reactive approach to data security. On the contrary, aggressively and proactively managing the security of your information systems can yield extraordinary results. In this article, you will learn about five simple but highly effective steps you can take to secure your computer.
Enhance Authentication Controls
For most users, authentication controls focus on using a combination of a user ID and a password to log in to a computer, smartphone, or other device. In these cases, ensure that you are following best practices for “long-and-strong” passwords to minimize the risk of unauthorized access. According to The SANS Institute, in today’s world that means your passwords need to be at least twelve characters in length and include a mixture of numbers, letters, and special characters such as punctuation marks. Further, you should never share your passwords with anyone or write them down, and you should change them every 60 to 90 days. Of course, from a practical perspective, these guidelines are almost impossible for humans to adhere to; therefore, you should also consider using password management applications such as LastPass, Password Depot, and RoboForm to assist you in creating, managing, and recalling strong passwords.
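The following PowerShell script is an added example (it is not from the article) that turns the two rules above into something you can run: it checks a candidate password against the length-and-character-mix guidance and lists local accounts whose password is older than the 90-day guidance. The thresholds are the article's numbers; the candidate password in the usage line is a constructed sample, and `Get-LocalUser` requires Windows PowerShell 5.1 or later.

```powershell
# Added example: password-rule check and local password-age audit.
# Thresholds (12 characters, 90 days) are taken from the article's guidance.

function Test-PasswordPolicy {
    param([Parameter(Mandatory)][string]$Password)

    $failures = @()
    if ($Password.Length -lt 12)            { $failures += 'shorter than 12 characters' }
    if ($Password -notmatch '[A-Za-z]')     { $failures += 'no letters' }
    if ($Password -notmatch '\d')           { $failures += 'no numbers' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $failures += 'no special characters' }

    [pscustomobject]@{
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

function Get-StaleLocalPasswords {
    param([int]$MaxAgeDays = 90)

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            # PasswordLastSet is $null when a password has never been set; treat that as stale too.
            Stale           = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
        }
    } | Where-Object { $_.Stale }
}

# Usage (the candidate password is a constructed example, not a real credential):
Test-PasswordPolicy -Password 'correct-horse-42!'
Get-StaleLocalPasswords | Format-Table -AutoSize
```

`Test-PasswordPolicy` returns the list of rules a password misses rather than a bare true/false, which is what you want when giving users feedback; `Get-StaleLocalPasswords` covers local accounts only, so on a domain-joined machine the domain password policy still governs the domain accounts.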
Do Not Login with Administrative Rights
On a PC, you can log in with either “Administrative” rights or “Standard” rights, based on how your user ID is established. You should ensure that your user ID provides Standard rights. If you log in with Administrative rights, you can make (presumably accidental) changes to the configuration of your PC that could compromise the security of the device. For instance, an Administrative user could disable the firewall or anti-virus software on a computer, whereas a Standard user does not have the ability to effect such changes on the device. In fact, one study published by Avecto indicated that as much as 92% of the security risk associated with operating a Windows-based PC is eliminated when users log in as Standard users instead of as Administrative users. Of course, if you occasionally need to operate the computer as an Administrator – such as when installing new software – you can have a second user ID on the machine with those rights attached to it. Then, simply log in as an Administrator when, and only when, the situation demands it. Otherwise, your default log-in should be as a Standard user.
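As an added example (not from the article), the PowerShell below shows how to tell whether the current session has Administrative rights and how to set up the arrangement just described: a dedicated Administrator account for installs, with the day-to-day account demoted to Standard rights. The account names are placeholders; the script uses the `Microsoft.PowerShell.LocalAccounts` cmdlets available on Windows 10 / Server 2016 and later and must itself be run from an elevated session.

```powershell
# Added example: check for Administrative rights and split daily use from admin use.
# Account names passed in are placeholders chosen by the caller.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-StandardUserWithSeparateAdmin {
    param(
        [Parameter(Mandatory)][string]$DailyUser,   # e.g. 'alice'       (placeholder)
        [Parameter(Mandatory)][string]$AdminUser    # e.g. 'alice-admin' (placeholder)
    )

    if (-not (Test-IsAdministrator)) {
        throw 'Run this once from an elevated session; it changes group membership.'
    }

    # 1. Create the dedicated Administrator account first, so the machine is never
    #    left without any account that can administer it.
    if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $AdminUser"
        New-LocalUser -Name $AdminUser -Password $pw | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser
    }

    # 2. Only now demote the daily account to Standard rights (member of Users only).
    $isAdmin = Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { $_.Name -like "*\$DailyUser" }
    if ($isAdmin) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
    }
    Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue

    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}

# Usage:
# Test-IsAdministrator                       # $true in an elevated session
# Set-StandardUserWithSeparateAdmin -DailyUser 'alice' -AdminUser 'alice-admin'
```

Running `Test-IsAdministrator` from the account you use every day is the quick check: if it returns `$true`, that account still carries the rights the article recommends removing. With the split in place, Windows prompts for the Administrator account's credentials (UAC) when an install needs them, so you never have to sign out of the Standard account.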
Disable USB Ports for Data Transfer
USB ports provide incredible convenience for connecting devices such as printers, keyboards, and mice. Yet this convenience comes at the price of potentially compromised data “leaking” out of the organization through unsecured flash drives and external hard disks connected through USB ports. Accordingly, you should consider blocking your USB ports for data transfer to and from flash drives and external hard disks. To do so, talk with your IT staff about a relatively simple registry edit that makes your USB ports read-only for storage devices, while still permitting keyboards, mice, and other peripherals to connect conveniently through these ubiquitous ports.
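The registry edit the article refers to is shown below as an added example (this is not the article's own script). It sets the documented Windows value `WriteProtect` under `HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies`, which makes removable mass-storage devices read-only while leaving keyboards, mice, and other non-storage peripherals untouched. It must be run from an elevated session, and a drive that is already plugged in has to be reconnected (or the PC rebooted) before the change takes effect.

```powershell
# Added example: make USB mass storage read-only via the StorageDevicePolicies key.
# The key does not exist on a default installation, so it is created on demand.

$StoragePolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    $value = Get-ItemProperty -Path $StoragePolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Configured = ($null -ne $value)
        ReadOnly   = ($null -ne $value -and $value.WriteProtect -eq 1)
    }
}

function Set-UsbWriteProtect {
    param([bool]$ReadOnly = $true)

    if (-not (Test-Path $StoragePolicyKey)) {
        New-Item -Path $StoragePolicyKey -Force | Out-Null
    }
    # WriteProtect = 1 blocks writes to removable storage; 0 (or a missing value) allows them.
    New-ItemProperty -Path $StoragePolicyKey -Name WriteProtect -PropertyType DWord `
        -Value ([int]$ReadOnly) -Force | Out-Null

    Get-UsbWriteProtect
}

# Usage:
# Set-UsbWriteProtect -ReadOnly $true    # block copying data out to flash drives / external disks
# Set-UsbWriteProtect -ReadOnly $false   # revert
Get-UsbWriteProtect
```

`Get-UsbWriteProtect` is the audit half: run it across your machines to confirm the setting is actually present, since a missing value silently means "writes allowed". On a domain, the same control is available as the Group Policy setting "Removable Disks: Deny write access", which is easier to enforce at scale than a per-machine registry edit.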
Encrypt Disk Drives
Particularly for mobile devices, you should ensure that the hard disks on these devices are encrypted. By encrypting the drives, you minimize the risk that if the device is lost or stolen, someone could access all of the sensitive data on it. An added potential bonus of encrypting a drive is that many states’ security breach notification laws provide an exemption from notifying potentially impacted parties that their information may have been compromised if the storage on a lost or stolen device is encrypted.
Although encrypting a disk drive sounds like a complex and cumbersome task, in Windows Vista and newer it can be quite simple. If you are running a business-oriented version of Windows, you have access to two built-in tools: 1) BitLocker, used to encrypt your hard disk, and 2) BitLocker To Go, used to encrypt flash drives and external hard disks in situations where blocking USB ports from data transfer is impractical. If you have Administrator rights on your computer, you can access BitLocker and BitLocker To Go from the Control Panel. Simply follow the prompts to secure all of the data on your drive(s) and minimize the risk associated with unauthorized access.
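The Control Panel route above is fine for one PC; for checking several, the PowerShell below is an added example (not from the article) that audits BitLocker on every volume and enables it where it is off, using the `BitLocker` module that ships with business editions of Windows 8 / Server 2012 and later. The system disk gets a TPM protector, a removable drive (BitLocker To Go) gets a password, and in both cases a recovery password is added as the fallback. Drive letters are placeholders, and the session must be elevated.

```powershell
# Added example: BitLocker / BitLocker To Go audit and enablement.
# Mount points are placeholders; XtsAes256 needs Windows 10 1511 or later (use Aes256 on older builds).

function Get-BitLockerReport {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive      = $_.MountPoint
            Type       = $_.VolumeType            # OperatingSystem or Data
            Status     = $_.VolumeStatus          # FullyDecrypted, EncryptionInProgress, FullyEncrypted
            Protection = $_.ProtectionStatus      # Off means keys exist but protection is suspended or absent
            Percent    = $_.EncryptionPercentage
            Protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

function Enable-DriveEncryption {
    param(
        [Parameter(Mandatory)][string]$MountPoint,   # e.g. 'C:' (system disk) or 'E:' (flash drive)
        [switch]$Removable                           # BitLocker To Go: unlock with a password instead of the TPM
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        return "$MountPoint is already encrypted or in progress; nothing to do."
    }

    if ($Removable) {
        $pw = Read-Host -AsSecureString "Password to unlock $MountPoint"
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -PasswordProtector -Password $pw -UsedSpaceOnly | Out-Null
    } else {
        # The TPM unlocks the OS disk at boot without a prompt; -SkipHardwareTest avoids the extra reboot.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest | Out-Null
    }

    # A recovery password is what gets you in if the TPM, firmware or boot configuration changes.
    # Record it somewhere other than the device itself (AD, Entra ID, or a vault).
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Usage:
# Get-BitLockerReport | Format-Table -AutoSize
# Enable-DriveEncryption -MountPoint 'C:'
# Enable-DriveEncryption -MountPoint 'E:' -Removable
```

The report distinguishes `VolumeStatus` from `ProtectionStatus` on purpose: a drive can be fully encrypted yet show protection Off (for example after BitLocker was suspended for a firmware update and never resumed), and only the latter tells you whether a lost laptop actually keeps its data private.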
Whitelist Software Applications
As stated at the outset of this article, we face an ever-growing list of threats. One increasingly popular approach is to abandon trying to block all malicious software that can attack our devices and instead block all software from running, except for those applications that we specifically authorize, such as Excel, Outlook, our web browser, and various accounting and tax applications. This approach is known as “whitelisting,” and it is proving to be highly effective at enhancing the security of computers and the data that resides on them. However, this is not likely an approach that you can (or should) implement by yourself. Rather, talk with your IT staff about whether whitelisting makes sense for you and others in your organization.
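To make the conversation with IT concrete, the PowerShell below is an added example (not from the article) of how whitelisting is typically started on Windows with AppLocker: build rules from the software already installed in trusted locations, apply them in audit-only mode so nothing is blocked while the log of "would have been denied" events is reviewed, and test individual files against the policy. It assumes an Enterprise or Education edition of Windows, an elevated session, and a placeholder path for the policy file.

```powershell
# Added example: AppLocker whitelist built from installed software, applied in audit mode.
# $PolicyPath is a placeholder; the trusted directories default to Program Files and Windows.

$PolicyPath = 'C:\Temp\applocker-audit.xml'   # placeholder

function New-AuditWhitelist {
    param([string[]]$TrustedDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:windir"))

    # Publisher rules for signed files (survive updates), hash rules for unsigned ones.
    $xml = $TrustedDirs |
        Where-Object { $_ -and (Test-Path $_) } |
        ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, WindowsInstaller, Script } |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

    # The generated rule collections are NotConfigured; switch them to AuditOnly so the
    # policy logs instead of blocks until IT has reviewed what it would have stopped.
    $xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
    Set-Content -Path $PolicyPath -Value $xml
    $PolicyPath
}

function Publish-AuditWhitelist {
    # AppLocker is only evaluated while the Application Identity service runs.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyPath   # local policy; use a GPO to roll out to a fleet
}

function Test-FileAgainstWhitelist {
    param([Parameter(Mandatory)][string[]]$Path, [string]$User = 'Everyone')
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage:
# New-AuditWhitelist; Publish-AuditWhitelist
# Test-FileAgainstWhitelist -Path "$env:USERPROFILE\Downloads\setup.exe"   # expect Denied: not in a trusted location
# Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50  # review audit events
```

Audit mode is the important part: the AppLocker event log shows every program a user ran that the rules would have blocked, which is how IT discovers the line-of-business tools and updaters that were missed before enforcement is switched on. Only after that review should the `EnforcementMode` be changed to `Enabled`.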
The threats are real and the risks are great. But that does not mean that we cannot effectively secure the sensitive data on our devices. On the contrary, by “layering” the techniques outlined above, you can and will create a highly secure environment that hackers will find difficult to penetrate. Good luck!