The security landscape keeps changing all the time. I'm often asked what the top 5 things are that every organisation should be doing to improve its security posture. There are a lot more than 5 things that you should be doing, but since I have to choose only 5, here they are.
Antivirus (AV) software is important. Windows has included a built-in basic AV for some time now - Security Essentials. But AV alone is not enough because it's too far down the food chain. As its name implies, DNS protection works at the Domain Name System (DNS) level. When you access a website, download a file, etc., your computer looks up the IP address for whatever it is that you want to access. DNS is like a middleman between web-based applications and the content. DNS protection is essentially a blacklist of IP addresses that are known to host malicious content. Over 90% of malware relies on DNS, so blocking it at this level is an extremely effective mitigation strategy.
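To make the DNS-level lookup concrete, here is an added example (not code from the original post, and not any vendor's product) of the decision a filtering resolver makes for each query. It checks the queried name and all of its parent domains against a domain blocklist, then checks the address the upstream resolver returns against an IP blocklist, and hands back a sinkhole address when either matches. The blocklists, the upstream answers and the `.test` names are constructed placeholders.

```python
# Constructed blocklists standing in for a vendor feed (placeholder names/addresses).
BLOCKED_DOMAINS = {"malware-example.test", "phish-example.test"}
BLOCKED_IPS = {"198.51.100.7"}
SINKHOLE = "0.0.0.0"  # answer returned for blocked names so the connection goes nowhere

# Constructed stand-in for the answers a real upstream resolver would return.
UPSTREAM = {
    "www.example.com": "93.184.216.34",
    "cdn.malware-example.test": "203.0.113.10",
    "update.innocent-name.test": "198.51.100.7",
}


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def domain_match(name: str, blocked: set) -> bool:
    """True if the name or any parent domain (at least two labels) is blocklisted,
    so a listing of malware-example.test also covers cdn.malware-example.test."""
    labels = normalise(name).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))


def resolve(name: str, upstream=UPSTREAM, blocked_domains=BLOCKED_DOMAINS,
            blocked_ips=BLOCKED_IPS) -> dict:
    """Return the filtered answer plus a verdict suitable for logging."""
    q = normalise(name)
    if domain_match(q, blocked_domains):
        return {"name": q, "answer": SINKHOLE, "verdict": "blocked",
                "reason": "domain on blocklist"}
    addr = upstream.get(q)
    if addr is None:
        return {"name": q, "answer": None, "verdict": "nxdomain", "reason": "no such name"}
    if addr in blocked_ips:
        # The name itself is unknown but it resolves to a known-bad address.
        return {"name": q, "answer": SINKHOLE, "verdict": "blocked",
                "reason": f"resolves to blocklisted {addr}"}
    return {"name": q, "answer": addr, "verdict": "allowed", "reason": ""}


if __name__ == "__main__":
    for query in ["www.example.com", "CDN.malware-example.test.",
                  "update.innocent-name.test", "nonexistent.test"]:
        r = resolve(query)
        print(f"{r['name']:30} {r['verdict']:8} {r['answer']}  {r['reason']}")
```

The "blocked" verdicts are worth logging centrally: a workstation that repeatedly asks for sinkholed names is a strong sign it is already infected and is trying to reach its command-and-control server.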
When it comes down to it, antivirus software, DNS protection and most other systems rely on known quantities. Someone else has to get compromised first, and then the blacklist or AV signature is updated. But what happens when a new form of malware is out in the open, often referred to as a zero-day attack? This is where sandboxing helps. Before an unknown file is executed on your computer, it's sent to a sandbox, which is just a virtual computer somewhere in the cloud. The file is opened/executed and whatever transpires next is examined in thorough detail. If malicious activity is detected, then you are blocked from accessing the file. If nothing happens, then you are allowed to access the file. Sandboxing provides protection from the unknown by examining unknown quantities in a safe, isolated environment.
For malware to be effective, it needs access to low-level subsystems in your operating system. By restricting who and what has administrative access, which is the highest level of privileges, you can mitigate most forms of malware. Furthermore, each member of staff should only have access to the IT resources they need to perform their duties. This is referred to as the Principle of Least Privilege (PoLP). By restricting access in this way, should a PC get compromised, you significantly limit the damage that can be done. By conducting a privilege audit of your IT systems, you can discover where the vulnerabilities exist and then implement strategies to remove them.
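The privilege audit mentioned above can be started with a simple comparison: who actually holds local administrator rights on each workstation versus who is approved to. The following is an added example (not code from the original post) that runs that comparison over a constructed inventory of local Administrators group membership, as an endpoint agent or a script run across the fleet might report it. The host names, account names and approved list are all constructed placeholders.

```python
# Constructed: the only accounts that are supposed to be local administrators.
APPROVED_ADMINS = {"CORP\\it-admin", "CORP\\backup-svc"}

# Constructed inventory: local Administrators membership per workstation.
LOCAL_ADMINS = {
    "WS-001": ["CORP\\it-admin", "WS-001\\Administrator", "CORP\\alice"],
    "WS-002": ["CORP\\it-admin", "CORP\\backup-svc"],
    "WS-003": ["CORP\\it-admin", "CORP\\bob", "CORP\\Domain Users"],
}

# Groups that effectively grant admin rights to every user; never acceptable.
BROAD_GROUPS = {"everyone", "domain users", "authenticated users", "users"}


def audit_local_admins(inventory: dict, approved: set) -> list:
    """Return (host, member, finding) tuples for every membership that violates
    least privilege."""
    findings = []
    for host, members in inventory.items():
        for member in members:
            short = member.split("\\")[-1].lower()
            if short in BROAD_GROUPS:
                findings.append((host, member, "broad group grants admin to all users"))
            elif member.lower() == f"{host}\\administrator".lower():
                # Built-in local account: expected in the group, reviewed separately
                # (disabled or unique password per host).
                continue
            elif member not in approved:
                findings.append((host, member, "unapproved administrator"))
    return findings


def hosts_with_findings(findings: list) -> set:
    return {host for host, _, _ in findings}


if __name__ == "__main__":
    for host, member, finding in audit_local_admins(LOCAL_ADMINS, APPROVED_ADMINS):
        print(f"{host}: {member} - {finding}")
```

Running the same check on a schedule and diffing against the previous run turns a one-off audit into detection: a new name appearing in the Administrators group on a single workstation is exactly the kind of change that should raise a ticket.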
This is a common tip that you'll always hear about when talking about IT security. However, simply setting your computer to automatically update Windows is not enough. Firstly, what if something goes wrong with the updating process which prevents it from working properly? What if an update doesn't install properly? You need a system to check that the updating system is working properly and to ensure that every single update that is supposed to get installed does get installed. Secondly, you need to patch more than just the operating system. Vulnerabilities in common applications such as Adobe Acrobat, web browsers, Java, etc. are commonly used to compromise systems. These third-party applications also need to be patched. Windows does not include automatic patching of non-Microsoft applications, but there are other systems that can be deployed which do.
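Both points above, checking that the update mechanism is actually working and covering third-party applications, come down to comparing what each host reports against what it should have. Here is an added example (not code from the original post, and not the output of any particular patch-management product) of that comparison over a constructed inventory. The required update identifiers, minimum application versions, host names and scan dates are all constructed placeholders.

```python
from datetime import date

# Constructed: updates that must be present on every host (placeholder ids).
REQUIRED_KBS = {"KB0000001", "KB0000002"}

# Constructed minimum acceptable versions for third-party applications.
MIN_APP_VERSIONS = {"Acrobat Reader": "23.6.0", "Firefox": "120.0"}

# Constructed inventory as an update agent might report it.
INVENTORY = [
    {"host": "WS-001", "last_scan": date(2024, 1, 10),
     "kbs": {"KB0000001", "KB0000002"},
     "apps": {"Acrobat Reader": "23.6.0", "Firefox": "121.0.1"}},
    {"host": "WS-002", "last_scan": date(2024, 1, 10),
     "kbs": {"KB0000001"},
     "apps": {"Acrobat Reader": "23.5.1", "Firefox": "121.0.1"}},
    {"host": "WS-003", "last_scan": date(2023, 12, 1),   # agent has gone quiet
     "kbs": {"KB0000001", "KB0000002"},
     "apps": {"Firefox": "119.0"}},
]


def parse_version(text: str, width: int = 4) -> tuple:
    """Turn '23.6.0' into a comparable tuple, padded so '23.6' == '23.6.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def compliance_report(inventory, required_kbs, min_versions, today, max_scan_age_days=7):
    """Map each host to a list of issues; an empty list means compliant."""
    report = {}
    for host in inventory:
        issues = []
        # A host that has not reported recently may have a broken update agent,
        # which is a finding in itself even if its last report looked fine.
        if (today - host["last_scan"]).days > max_scan_age_days:
            issues.append("stale scan: update agent may not be working")
        for kb in sorted(required_kbs - host["kbs"]):
            issues.append(f"missing {kb}")
        for app, minimum in min_versions.items():
            installed = host["apps"].get(app)
            if installed is not None and parse_version(installed) < parse_version(minimum):
                issues.append(f"{app} {installed} below minimum {minimum}")
        report[host["host"]] = issues
    return report


if __name__ == "__main__":
    for host, issues in compliance_report(INVENTORY, REQUIRED_KBS, MIN_APP_VERSIONS,
                                          date(2024, 1, 11)).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

The stale-scan rule is the one most often missing from home-grown checks: a host that never reports can look "clean" simply because it has nothing new to say.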
Another common tip that always comes up. While backups won't increase your security, they are the last line of defense when all else fails. Therefore, it's critical that you have a robust backup system that is continuously backing up all your data, with multiple versions of each file, to an off-site location. It's also imperative that your backups are not accessible by malware, which comes back to the restriction of privileges discussed above. Last, but not least, your backups must be monitored to ensure they are working properly and that files can be restored if required. Just because someone set up backups in the past doesn't mean they are working in the present.
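The monitoring described above is easy to state and easy to let lapse, so here is an added example (not code from the original post, and not tied to any backup product) of the checks a monitor should apply to each backup job: the last run succeeded, it ran recently, enough versions are retained, an off-site copy exists, and a restore has actually been tested within a set period. The job records, dataset names and timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed backup job records as a monitoring system might collect them.
JOBS = [
    {"dataset": "fileserver", "finished": datetime(2024, 1, 10, 2, 0), "status": "success",
     "versions": 14, "offsite": True, "last_restore_test": datetime(2023, 12, 20)},
    {"dataset": "finance-db", "finished": datetime(2024, 1, 3, 2, 0), "status": "success",
     "versions": 2, "offsite": False, "last_restore_test": None},
    {"dataset": "mail", "finished": datetime(2024, 1, 10, 2, 0), "status": "failed",
     "versions": 30, "offsite": True, "last_restore_test": datetime(2023, 10, 1)},
]


def check_backups(jobs, now, max_age=timedelta(hours=24), min_versions=7,
                  restore_test_every=timedelta(days=90)) -> dict:
    """Map each dataset with problems to the list of problems found."""
    alerts = {}
    for job in jobs:
        problems = []
        if job["status"] != "success":
            problems.append("last run failed")
        # A job that has not completed recently is as bad as one that failed:
        # a silently stopped scheduler produces no failure records at all.
        if now - job["finished"] > max_age:
            problems.append("stale: no completed run within the expected window")
        if job["versions"] < min_versions:
            problems.append("too few versions retained")
        if not job["offsite"]:
            problems.append("no off-site copy")
        last_test = job["last_restore_test"]
        if last_test is None or now - last_test > restore_test_every:
            problems.append("restore test overdue")
        if problems:
            alerts[job["dataset"]] = problems
    return alerts


def healthy_datasets(jobs, now) -> set:
    """Datasets with no findings at the given time."""
    alerts = check_backups(jobs, now)
    return {job["dataset"] for job in jobs if job["dataset"] not in alerts}


if __name__ == "__main__":
    for dataset, problems in check_backups(JOBS, datetime(2024, 1, 10, 8, 0)).items():
        print(f"{dataset}: {', '.join(problems)}")
```

Note that "versions retained" and "off-site copy" are the two properties that matter most against ransomware: a single mirrored copy that the backup account can overwrite is simply a second copy of the encrypted files.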