Top 5 Tips: Essential Steps for IT Risk Management

Apr 6, 2023 | Governance & Management


We are often inundated with advice on how to remain secure digitally. Sometimes it can be hard to filter out the practical and useful information when it comes to implementing digital safety and, in an emergency, recovering your digital property, such as documents, private information, and online persona or digital presence tools such as your website, Facebook and search engine listings.

Our Information Systems Manager, Richard, shares his top 5 tips for IT risk management, ideal for small business but applicable to home or corporate users.


Tip #1: Have good, unique passwords

Most of us like our dogs, but while we would expect them to alert us to intruders in the house, their name isn’t the most secure option on the planet for a password. A good, unique password that’s a decent length (12 or more characters), includes symbols, numbers, uppercase and lowercase, and isn’t a simple word, group of words or phrase is a great start.

Avoid reusing a password for multiple things. If you struggle to recall passwords, you could use a password manager such as LastPass or Dashlane. Depending on the version, these offer ease of use, password storage, password generation and password autofill, which means you only need to remember one strong password and can then use the password manager to create, store and fill your passwords securely and efficiently.

Tip #2: Back up your data

In the event you do have a digital security incident, it is essential to have backups of your data. To prevent further risk of data loss, we often suggest that clients use the 3-2-1 backup rule: 3 backups, 2 media types, 1 being offsite, pictured below:

Credit: Best Practice: 3-2-1 Backup Strategy

Tip #3: Protect your house (Limit access to only what people need, when they need it) 

We like to think of passwords in the same way as you would a key for your house. You wouldn’t just hand out a key to anyone who asks for one, and you should treat the security of your passwords the same way. Passwords and other tools like Multifactor Authentication (MFA) are useful strategies to protect your data, but if you aren’t careful with protecting your passwords, people can access a great deal of your private data, in the same way they could if they had a key to your house. If you do need to give trusted people your password for some reason, ensure that you limit their access to only what they need, when they need it.

Tip #4: Before you click, check! (Be wary of phishing)

Phishing is the term for when someone presents false but seemingly real information to you in order to get information from you. It’s part of a wider tactic called social engineering that you can find out more about from Cisco here. The easiest way to avoid it is to be wary of where any email, phone call, message or internet advertisement you receive comes from. For example, large organisations such as the ATO, Centrelink or Amazon are not going to call you to confirm your details or ask for your card details over the phone.

If you are receiving emails from groups asking for your money or for your personal details, ensure they are from legitimate sources. If you want to double check, log in to your proper account directly rather than using the links provided in the emails. Please read over this email from someone impersonating PayPal and see if you can pick up on what is wrong with it:

If you look at the sender, it may say PayPal as the name, but the email address is not correct. They have included confusing details such as a receipt number when it’s not a receipt, created a sense of urgency by saying “account will expire in less than 48h”, and have not used proper phrasing. They provide links to fake versions of the site to lure you into providing your personal details.
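The same three checks (sender name versus address, urgent wording, links that leave the real site) can be run automatically over a message. This is an added example, not part of the original article; the sample email, the `example.net` addresses and the `BRAND_DOMAINS` list are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands you care about, mapped to domains they really send from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}
URGENCY = re.compile(r"\b(expire|suspend|immediately|urgent|less than \d+ ?h)", re.I)

# Constructed sample message; example.net stands in for the impostor's domain.
SAMPLE = """\
From: "PayPal" <service@billing-notice.example.net>
To: user@example.org
Subject: Receipt No. 48213 - action required

Your account will expire in less than 48h.
Confirm your details: http://paypal.example.net/login
"""

def _in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_indicators(raw):
    """Return a list of human-readable warning signs found in a raw email."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()  # plain-text, single-part message assumed
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in name.lower():
            continue
        # Check 1: display name claims the brand, address does not match.
        if not _in_domains(sender_host, domains):
            findings.append(f"name says {brand} but sender is {sender_host}")
        # Check 2: links that do not lead to the brand's own site.
        for url in re.findall(r"https?://[^\s<>\"']+", body):
            host = urlparse(url).hostname
            if not _in_domains(host, domains):
                findings.append(f"link points to {host}, not {brand}")
    # Check 3: pressure to act quickly.
    if URGENCY.search(f"{msg.get('Subject', '')}\n{body}"):
        findings.append("urgent deadline language")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

A message with no findings is not proven safe; the checks only surface the warning signs described above.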

Tip #5: Update and restart regularly

We know these are two separate things, but think of it as a bonus! With updates being so frequent, it may be more time efficient to adopt a strategy of “n-1”, n being the most recent, just-launched version. This is where, when a new system update comes along (e.g. Windows 10 to Windows 11), you don’t update the day it comes out unless you are testing. It gives you a little more time to prepare your systems for the new version and allows for patching and fixing, as new products always have teething issues that are fixed within the first update or so.

So, that’s major updates, but what about minor ones, the ones that come along at inconvenient hours during your workday and want you to restart while you’re deep in spreadsheets, memes or client correspondence? These should be done regularly. While some IT system controllers have all computers set to install these updates automatically within 48 hours of release, it’s good practice to open up your computer’s update window to check if a new update has come through. And while updates will often restart your computer, it is also good practice to shut down your computer regularly (e.g. at end of day) rather than just packing it into your bag, or leaving it on from start of day Monday to close of business Friday if you leave it on your desk at work.

This is not an exhaustive list of tactics and strategies you can use to protect yourself online. It’s always good to find a reliable source of information to help you learn about new threats and strategies to protect yourself. For more information, you could visit the Australian Cyber Security Centre, or if you need to chat, reach out via our websites to book an appointment with a subject matter expert.

