Computers and mobile devices
How securely are your organization’s computers, mobile phones and tablets connected? Almost all computers today must be connected to the internet in one way or another to meet the organization’s needs, and mobile phones and tablets frequently have the same access as computers at the workplace. Several measures are needed to reduce the risk of intrusion and loss of information; strong passwords and encryption are two of them.
Passwords protect your data. It is important to select a strong and unique password that is difficult for unauthorized parties to guess or crack. Passwords must not be re-used, and work passwords must not be used for personal accounts. A strong password must not appear in known password dumps or password lists, and it must contain at least 10 characters. Passwords must be made up of upper and lower case letters, numbers and special characters, and must not consist of a dictionary word (or similar) with character substitutions (e.g. a letter in the word replaced by a number).
A more secure password
- Generate a password with a password generator.
- Use a combination of at least 6 arbitrary words (“CloudRailwayDeepSpeakDanceJail”, “CorrectHorseBatteryStaplerJoySing”).
- Make an acronym out of a sentence (“When Bert and his 17 friends dance in the rain Bert feels happy, especially in the Summer” → “WBah17fditrBfh,eitS”)
Read more and test your password with this service (in Swedish) offered by the Swedish Post and Telecom Authority (PTS).
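The password rules above and the three ways of building a stronger password can be turned into a small policy checker and generator. The following Python is an added example written for this page, not a tool from PTS or from the organization; the breach list and dictionary it uses are tiny constructed stand-ins (a real check would query a large breach corpus and a full dictionary), and the generator appends a number and a special character to the word passphrase on the assumption that the result should also satisfy the character-class rule stated above.

```python
import secrets
import string

# Constructed sample data so the example runs offline. NOT real breach data:
# a real check uses a large corpus of leaked passwords and a full dictionary.
KNOWN_DUMPS = {"password", "qwerty123", "letmein2020", "summer2023!"}
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "cloud", "railway"}
WORD_LIST = ["cloud", "railway", "deep", "speak", "dance", "jail", "correct",
             "horse", "battery", "stapler", "joy", "sing", "river", "lantern",
             "pebble", "orbit", "velvet", "copper", "meadow", "quartz"]
SPECIALS = "!@#$%^&*()-_=+,.;:?"
MIN_LENGTH = 10

# Common letter-to-symbol substitutions, undone before the dictionary check.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def _letters(s):
    return "".join(c for c in s if c.isalpha())


def is_substituted_dictionary_word(password, dictionary=DICTIONARY):
    """True if the password is just one dictionary word dressed up with digits and
    symbols ('Summer2023!', 'P@ssw0rd!!'). Heuristic: strip the decoration, with and
    without undoing the substitutions, and see whether a single word remains."""
    lowered = password.lower()
    candidates = {_letters(lowered), _letters(lowered.translate(UNLEET))}
    return any(c in dictionary for c in candidates)


def check_password(password, known_dumps=KNOWN_DUMPS, dictionary=DICTIONARY):
    """Return the list of policy rules the password fails; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    if password.lower() in known_dumps:
        failures.append("appears in a known password dump")
    if is_substituted_dictionary_word(password, dictionary):
        failures.append("dictionary word with character substitutions")
    return failures


def generate_passphrase(n_words=6, word_list=WORD_LIST):
    """Passphrase of n arbitrary words chosen with the OS CSPRNG (never random.choice).
    Assumption: a two-digit number and a special character are appended so the result
    also meets the character-class rule; a real word list has thousands of entries,
    which is where the strength of this method comes from."""
    words = [secrets.choice(word_list).capitalize() for _ in range(n_words)]
    return "".join(words) + "%02d" % secrets.randbelow(100) + secrets.choice(SPECIALS)


def acronym_from_sentence(sentence):
    """Acronym of a memorable sentence: first letter of each word, numbers kept whole,
    trailing punctuation kept, as in the page's own 'WBah17fditrBfh,eitS' example."""
    out = []
    for token in sentence.split():
        core = token.rstrip(string.punctuation)
        punct = token[len(core):]
        out.append((core if core.isdigit() else core[:1]) + punct)
    return "".join(out)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!!", "Summer2023!", "CloudRailwayDeepSpeakDanceJail",
                      generate_passphrase()):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Note that the bare six-word passphrase from the list above fails the character-class rule while passing the length, breach and dictionary rules; the checker reports each rule separately so the policy owner can see which rules actually bite.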
Encryption entails transforming data to conceal the information content from unauthorized parties. The aim is to protect important or sensitive information that is to be stored or transferred, and to prevent outsiders from accessing the information.
Computers and mobile devices today have built-in features for encrypting the storage that holds sensitive information. Storage on computers can be encrypted with BitLocker, FileVault, TrueCrypt and loop-AES, for example.
Information that is important to the organization must always be encrypted.
Creating backups is one of the most important security aspects in terms of ensuring that important information does not get lost. Creating backups means information is preserved even if files are deleted or damaged. The backup process should be automatic if possible.
If you have irreplaceable data, you should save it in two different places to safeguard against fire or flooding, for example.
For instance, carry out random checks of backed-up data to ensure that backups are actually being created and that the backup copies can be restored if needed.
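The backup advice above (automatic copies, two separate locations, random restore checks) in working form. This is an added example written for this page, not the organization's own backup tooling: it copies a directory tree, records a SHA-256 digest for every copy in a manifest, and offers a random spot check that detects missing or silently altered copies. The directory names and file contents in the demo are constructed; in practice run_backup would be called from a scheduler so the process is automatic.

```python
import hashlib
import json
import random
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Streamed SHA-256 of a file, so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(source, destination):
    """Copy every file under source into destination and record each copy's digest
    in destination/MANIFEST.json. Schedule this (cron, Task Scheduler) to make it automatic."""
    source, destination = Path(source), Path(destination)
    destination.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = destination / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(target)   # digest of the COPY, i.e. what was actually written
    (destination / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def spot_check(destination, sample_size=3, rng=random):
    """Random check of a backup: pick some files from the manifest and confirm the copies
    still exist and still hash to what was recorded. Returns a list of
    (relative path, problem) tuples; an empty list means the sample is sound."""
    destination = Path(destination)
    manifest = json.loads((destination / "MANIFEST.json").read_text())
    sample = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    problems = []
    for rel in sample:
        copy = destination / rel
        if not copy.exists():
            problems.append((rel, "missing"))
        elif sha256_of(copy) != manifest[rel]:
            problems.append((rel, "digest mismatch"))
    return problems


def demo():
    """Constructed scenario: back up a small tree to two separate locations (the text's
    'two different places'), verify both, then alter one copy and show that a full
    check catches it. Returns (problems before, problems after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "todo.txt").write_text("renew certificates\n")    # constructed content
        (src / "contracts.csv").write_text("id,customer\n1,Example AB\n")  # constructed content
        onsite, offsite = root / "onsite", root / "offsite"
        for dest in (onsite, offsite):
            run_backup(src, dest)
        before = spot_check(onsite) + spot_check(offsite)
        # Simulate bit rot or a partial overwrite in the onsite copy.
        (onsite / "notes" / "todo.txt").write_text("renew certificates?\n")
        after = spot_check(onsite, sample_size=10**6)   # sample_size > file count: check everything
        return before, after


if __name__ == "__main__":
    print(demo())
```

A spot check with a small sample is cheap enough to run after every backup; a full manifest verification (sample_size larger than the file count) is the periodic deeper check, and an actual restore drill from the offsite copy is still needed to prove the copies are usable.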
Protection against malicious code
Being affected by malicious code, such as a virus, means that unwanted programs gain access to IT systems, where they can damage or disrupt the system and steal data. The most common reason users are affected by malicious code is that they click links or email attachments from unknown senders or visit unsecured websites.
Malicious code is also commonly spread via USB sticks, since these are generally regarded as trustworthy and their contents cannot be seen without opening them.
Activating the “show file extensions” feature helps the user determine which files are safe to open. It is generally acceptable to download .docx files without a macro, while .zip can be more sensitive due to the risk of malicious code. It is almost never acceptable to open .exe files without first verifying that they come from a reliable source such as a well-known software publisher’s website.
If a file is suspected of potentially containing malicious code, the file should not be downloaded and an administrator should be contacted.
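The file-type reasoning above (.docx without a macro is generally fine, .zip deserves more care, .exe almost never without verifying the source, and hidden extensions mask what a file really is) can be expressed as a triage check. The following Python is an added example written for this page, not an organization tool: it looks at every extension in the name rather than only the last one, checks for the Windows executable header regardless of what the name claims, and opens Office files (which are zip containers) to see whether they carry a vbaProject.bin macro project. The type lists and the sample "inbox" are constructed assumptions for the demo.

```python
import io
import zipfile

# Assumed type lists for this example; a real deployment takes them from policy.
EXECUTABLE = {".exe", ".scr", ".bat", ".cmd", ".msi", ".js", ".vbs", ".ps1", ".hta"}
OFFICE = {".docx", ".xlsx", ".pptx", ".docm", ".xlsm", ".pptm"}
ARCHIVE = {".zip", ".7z", ".rar"}
LOW_RISK = {".txt", ".png", ".jpg", ".jpeg"}


def extensions(filename):
    """Every extension in the name, so 'invoice.pdf.exe' is seen as ['.pdf', '.exe'];
    with extensions hidden, the user would only ever see 'invoice.pdf'."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def has_vba_macro(data):
    """Office Open XML files are zip containers; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename, data):
    """Return ('ok' | 'caution' | 'block', reason) following the guidance on this page."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    if data[:2] == b"MZ" and last not in EXECUTABLE:
        return "block", "Windows executable header (MZ) behind a %s name" % (last or "extension-less")
    if last in EXECUTABLE:
        return "block", "executable; open only after verifying the source (e.g. the publisher's site)"
    if len(exts) > 1:
        return "caution", "double extension %s; check which type it really is" % "".join(exts)
    if last in OFFICE:
        if has_vba_macro(data):
            return "caution", "Office document contains a VBA macro project"
        return "ok", "Office document without macros"
    if last in ARCHIVE:
        return "caution", "archive; inspect the contents before extracting"
    if last in LOW_RISK:
        return "ok", "low-risk file type"
    return "caution", "unrecognised file type; ask an administrator"


def make_office_zip(with_macro):
    """Constructed minimal Office Open XML container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


def triage_samples():
    """Constructed sample attachments: returns {filename: level}."""
    samples = {
        "invoice.docx": make_office_zip(False),
        "invoice.docm": make_office_zip(True),
        "report.pdf.exe": b"MZ\x90\x00" + b"\x00" * 16,   # name hides .exe when extensions are hidden
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 16,      # executable renamed to look like a picture
        "photos.zip": make_office_zip(False),             # any zip serves for the archive rule
        "notes.txt": b"meeting at 10\n",
    }
    return {name: classify(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, level in triage_samples().items():
        print("%-16s %s" % (name, level))
```

The check is deliberately conservative: a name with several dots ("my.notes.txt") is flagged for a second look rather than trusted, and the MZ header test runs before the extension rules so that renaming an executable does not change the verdict.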
Use of resources for personal use and use of personal equipment
In many cases, employees can use the company’s computers and mobile phones privately as well. For example, it might be possible to have a personal email account on the company phone or download apps such as Mobile BankID for personal use.
The risk of the organization’s equipment being exposed to malicious code increases, for example, if it is connected to a home network that lacks the same type of security found at the company or if the company’s and the individual’s data is mixed together.
If employees are allowed to use the company’s equipment for personal purposes, there must be an agreement or policy in place which specifies the procedures and the extent to which the equipment may be used. The same applies to personal equipment used within the organization: the policy must state whether it is subject to the same security requirements as the rest of the organization’s equipment.