The list below features a variety of controls that can be put in place to lower the risk of your company's computer system having a breach.
Limit Administrator Access
Malicious software needs administrative level access to install software and propagate. Reduced installation access greatly limits the ability of mal-ware to compromise a computer.
Create a standard user account for normal day-to-day use. Administrator level accounts should only be used when necessary to install or update programs.
Operating systems and software have errors in the programming that can be exploited. Patches are released to fix the errors, reducing the vulnerability of the PC.
Use patch management software or make sure that the Windows automated software patches the PC on a regular basis. Never assume - spot check the PC by manually checking for patches.
Secure Wi-Fi Access
Open Wi-Fi allows an attacker within range to see any devices using the Wi-Fi network. The devices can then be scanned for vulnerabilities and exploited.
Wi-Fi devices have security protocols that can reduce the exposure. Use the WPA2 protocol or better.
Limit Social Media
Social media is frequently targeted for the distribution of mal-ware. Links to sites that download and install malicious software are common.
Company policy is a soft control. Some modern firewalls or software can limit website categories and sites.
Firewalls limit connections to the types allowed. Modern firewalls can also provide other security features like anti-virus scanning.
Windows includes a limited firewall. Separate firewalls generally give better control and protection at the cost of added complexity.
Anti-virus software scans traffic and downloads for known malicious software. Although modern morphing mal-ware techniques have reduced the effectiveness of signature-based anti-virus, it's still a valid protection level.
Install anti-virus software from a reputable company. Verify subscriptions are valid and updating as they should.
Inactivity Screen Locks
An unattended, unlocked screen is an invite for someone to steal data or install mal-ware.
Windows settings can lock the screen after a period of inactivity. The shorter the period the better.
Strong passwords reduce the likelihood of someone guessing the password and accessing the computer. Changing a password reduces the effectiveness of an extended brute force password attack.
Require complex Windows passwords by local policy or domain policy. Require passwords to be changed on a regular basis. Deactivate unused accounts.
Restrict Computers to Business Use
Computers restricted to business activity are less likely to visit and be re-directed to malicious sites.
Modern firewalls often include an expanded security subscription as an option. Software solutions can also limit sites by category or specific sites.
Anti Mal-ware Software
Mal-ware includes many forms of software that can be detrimental to privacy and security of PCs. Some mal-ware may not even try to steal data but may want to use your computer power to perform other illegal activities.
Anti-mal-ware protection is often bundled with anti-virus software but not always! Confirm whether your software includes both or if a separate scanner is needed to detect things like ad-ware.
Intrusion detection and/or prevention scans for unusual activity, even if a program is not installed. Unusual activity often indicates mal-ware is involved.
Host based intrusion software resides on the computer. Gateway based intrusion detection is often offered as a firewall security option.
External Remote Access
If an attacker can gain access through remote access mechanisms, they can attack a network from the inside.
When allowed, remote access should be by software that allows for multi-factor authentication.
Training on Email Links
Links in emails are one of the main phishing and mal-ware attack mechanisms. Hyperlinks in email can be easily disguised to link to sites other than what is in the email.
Train employees on the dangers of links in email, especially unsolicited or unusual email.