To celebrate Cyber Security Awareness Month, we’re excited to share a series of interviews featuring the Toro team.
This week we are joined by the excellent MSP team. Let's delve into the conversation!
What would be your top tip for protecting your devices?
Lily: Update your passwords. A lot of people use the same password across multiple accounts, which is a massive vulnerability. Using a password manager helps you keep track of all your different passwords securely.
N’yahh: VPNs and Conditional Access. At home, you’re generally in a safer environment, but when you're out and about, especially on public networks, you're more exposed to threats like man-in-the-middle attacks. There are even cases where people set up fake Wi-Fi networks to intercept data, like we’ve seen a lot recently in the news. So, it’s essential to ensure your traffic is encrypted in transit, especially when you’re doing things like online banking or accessing sensitive documents on the move.
Tara: However, it’s important to be mindful that VPNs aren’t always available to everyone. In cases where someone can’t use a VPN, make sure you use your phone's hotspot rather than connecting to public Wi-Fi, particularly for sensitive tasks. Some VPN types are harder to block, so it’s worth finding out if your VPN provider can use protocols that are less restrictive too.
Dorian: Keeping your software up to date is crucial. Also, deleting apps or programmes you no longer use is key. I often see people’s personal devices loaded with old, unused software that hasn’t been patched in years. That stuff is vulnerable, especially if there’s no automated updating system in place. When it comes to device security, as the others have said, it’s quite often the basics people aren’t doing. It’s about simple things like ensuring your home network is secure—do you have a strong password, and is your router hardened? Is Wi-Fi encryption enabled and using the most secure protocol available? You’d be surprised how many people, especially older generations, still use default passwords or weak encryption on their home Wi-Fi.
Lyubo: Secure network connectivity is important, and you should be mindful of what you are connected or connecting to. Another important thing is IoT devices, which present risk to corporate devices; attackers can pivot from less secure devices and attack corporate networks from IoT devices.
Tara: Yes! People overlook IoT devices—smart lights, TVs, and even things like connected doorbells, down to your fridge freezer these days. These devices often get forgotten about when it comes to updates, but they’re just as vulnerable as your computer or phone. There have been cases in the past year where unpatched IoT devices have been exploited.
Ray: IoT devices should be segregated on separate networks ideally. VLANs can be used to secure IoT devices away from the main network, even in someone’s home as well as in the office.
N’yahh: Yeah, even smart TVs, which people rarely think about updating. All these devices are potential vulnerabilities if they aren’t patched regularly.
Do you think most people even know what IoT devices they have connected to their networks?
Dorian: Honestly, no. People often lose track of what’s connected. Someone might set up a smart photo frame at Christmas, connect it to their Wi-Fi, and then forget all about it. The typical home user doesn’t think about network security beyond the basics, so they’ll often have multiple devices sitting on their network, not knowing what kind of risks they might pose.
Tara: People should ask themselves the question ‘Do I know what’s connected to my network?’
Dorian: Yes, and with the shift to remote work, there’s an overlap between personal and business security. The perimeter isn’t what it used to be, before the pandemic. We can't expect the average user to know about network security. They might have all these smart devices connected, forgotten, and unmonitored, which leaves their networks vulnerable and exposed to threats.
Tara: That’s exactly it—people need educating on this. Most don’t realise that even their internet service provider’s router might not be the most secure option.
What would you say are the best practices businesses should adopt in terms of IT security for home workers?
Dorian: The focus needs to start with basic security measures. The key question is - do you trust your network? Many people think they do, but they might not realise who else is using it. For instance, do you feel comfortable letting your children’s friends use your Wi-Fi? Or do you freely give your password to guests? Most people just hand out their Wi-Fi password without a second thought. Even if you don’t share the password directly, connecting a guest can allow them to access your network and view your password. Basically, anyone who has access to your network can then share that access. This means that unknown devices could connect to your network, which can lead to security breaches.
Tara: Changing your Wi-Fi password regularly is essential.
What other home-based advice would you give to organisations with many remote workers?
Lyubo: Device backups are critical. Regardless of whether it’s a company or personal device, having a backup plan is essential. Many users don’t encrypt their backups or are unaware of the security features available, like stolen device protection.
N’yahh: One of the most important things is not letting the user have admin access.
Dorian: Unfortunately, we see many companies allowing users to have admin privileges, which poses a risk.
Tara: Essentially, everyone should have separate user and admin accounts. Privilege management helps prevent mistakes and delays potential breaches.
Lily: Sharing profiles is also a risk.
Tara: Absolutely. It’s vital that each person has their own account for everything to minimize risks.
Ray: Centralised cyber security tooling that is cloud monitored & managed makes it easier to manage endpoint security and associated security policies and technical controls across dispersed IT infrastructure – and I certainly recommend looking at emerging technologies such as MDR (Managed Detection and Response) to keep users and their devices secure, especially for those that are working from less secure networks such as at home and from internet cafes and airports etc. In a hybrid and remote working environment this is critical to securing your endpoints.
What are you seeing as some of the main issues companies are facing?
Tara: Many companies struggle to manage their own IT, leading to unmanaged devices, incorrect licenses, shared profiles, and weakened security posture.
Dorian: It’s not just about being managed; it’s about being managed correctly.
Tara: Many organisations are unaware of compliance requirements, and that’s where an IT service provider can help. They can set a baseline for security, ensuring that organisations meet essential standards.
What are some of the main challenges organisations are facing if they aren’t managing their IT properly?
Lily: A lot of it revolves around admin privileges. When we onboard new clients, we find that employees often have admin rights when they shouldn't, leading to unauthorised installations of software that aren’t work-related, like Netflix. Additionally, permission structure is often a problem. We usually implement a least-privilege access model, which restricts access initially and allows us to grant permissions as needed. Many clients also don’t keep their software updated. We often implement patch management services to help them stay compliant. To be honest, it often boils down to general management. Many clients simply don’t understand what they should be doing. For larger organisations with multiple devices, managing everything in-house becomes unmanageable.
Dorian: Keeping track of devices can be challenging, especially when they’re passed around (repurposed) without proper communication.
Lily: Exactly. Moreover, some clients purchase the wrong versions of software for their needs, which can lead to further complications and security weaknesses, for example, using Windows Home editions, which do not offer BitLocker to encrypt devices.
Tara: To properly manage devices, it’s crucial to ensure they meet certain standards for vulnerability management. This way, we can effectively lock or wipe devices if they’re lost or stolen. We've seen small companies fail because they acquire the wrong licensing. They often let employees buy whatever devices or licenses they want without any specification guidelines, which can lead to significant issues. It’s crucial to set up proper management of devices when an organisation comes on board.
How should organisations handle BYOD and is it presenting issues?
Lily: Absolutely. When we onboard new clients, a common issue is the mix of personal and work data on company devices.
N'yahh: I think this highlights the need for companies to have policies in place regarding work profiles, ensuring that corporate data can be wiped from devices without affecting personal information.
Tara: That’s part of what compliance ensures. Regulations require companies to have information security policies that dictate how they manage data and users. We always encourage organisations to establish these practices, even if they aren't pursuing compliance.
Tara: A lot of companies struggle with Bring Your Own Device (BYOD) policies. They might allow employees to connect outdated devices with vulnerabilities, increasing the risk of breaches. Organisations need to ask themselves: do we have a BYOD policy, and do we understand the risks of allowing employees to access company data without proper security measures? Conditional access is the answer here.
Lyubo: On that note, the best approach is to restrict device access and establish policies that limit what users can do, like disabling screen sharing or screenshots on company devices. Many companies don't know how to set up effective policies and technical controls to secure their devices.
Tara: Exactly, and without those policies, they can’t manage their data properly. We often ask organisations if they have such policies in place.
Lyubo: Having a policy is one thing; configuring it correctly is another. Sometimes companies believe they have set it up correctly, but in reality, it doesn't function as intended. It’s crucial to have the right technological knowledge and experience to oversee these tasks.
Tara: That’s why we engage with businesses. We explain the importance of having a managed service provider (MSP) or Managed Security Service Provider (MSSP) in place to help orchestrate both compliance and security controls.
Lyubo: What surprises me so often is that companies often neglect the security of their contractors. They don’t check their devices or communicate the necessary policies. A breach can easily occur through someone who accesses the corporate IT infrastructure using their personal devices, and this presents a risk.
Tara: Organisations should ask themselves: do you know who has access to your data? A lot of our clients are unaware that many people accessing their data are associates rather than full-time employees. These associates might not even use company-issued devices. It's essential to ensure the right protocols are in place to manage this.
What else do you think is really important for organisations to understand?
N'yahh: User education is crucial, particularly regarding device management. It's important for users to keep their devices updated and be aware of phishing attempts. They should always verify emails, even if they appear familiar. VIP impersonation is on the increase.
Lyubo: I always recommend questioning emails, regardless of their source. Many people get breached by clicking links in seemingly genuine emails, especially if the sender’s account has been compromised.
Tara: It’s also about knowing how to respond to suspicious emails. For example, if an email asks for bank details or seems off, it’s vital to double-check. It’s alarming how easily they can fall victim to such scams. Ongoing education for staff is critical.
Ray: The malicious use of AI is leading to more professional-looking scams that are much harder to detect, and will trick even the most hardened security professional if caught off guard. Regular training and awareness, coupled with a culture that allows free reporting of suspicious activity, is key in the current cyber security threat landscape.
Why do you think a holistic approach to security, combining cyber and physical security, is important?
Lyubo: Some of the most significant breaches happen due to inadequate physical security. Once someone gains access to the IT Infrastructure, the risk escalates, and attackers can pivot. Companies may invest heavily in alarm systems and access control, but if a receptionist inadvertently lets someone in, it undermines all that effort. Insider threat management is key – and attacks exploit human nature and principles of trust. Education and understanding of policies and procedures are vital for safeguarding organisations.
N'yahh: It all comes back to training and security awareness.
Tara: Yes, we train your staff and ensure they understand the importance of these measures. It's all-encompassing, isn't it?
Lyubo: It’s crazy how easily one can breach security without even entering the company. Sometimes, simply befriending an employee or borrowing a pass can grant you access. Failing that, apply for a job; this is what attackers are doing!
Ray: There is no easier way of breaking into an organisation than being handed the credentials on your first day working there, and this is happening! Attackers will not stop in their persistence to gain access to your assets, and it is vital to think holistically when architecting security solutions in the current cyber security threat landscape.
If you would like to speak to any of the team about any points raised please get in touch.