Advent Calendar 2018

The Digital Craftsmen Silent Night Advent Calendar

Welcome to our Silent Night Christmas advent calendar blog post

For the next 24 days we’re going to publish a daily security themed post – yes it’s our first Digital Craftsmen Security themed advent calendar.


Day 11 - Monitor all the things

It was Peter Drucker who first said “If you can’t measure it, you can’t improve it”. If you run any kind of IT system you should be monitoring it. Not only will it give you a timely warning if a disk is running out of space but it will also allow you to understand what “normal” looks like. If a server slows down and you see what looks like a huge spike of traffic, is that normal, or indicative of something else afoot?

There are many different types of monitoring systems, from SaaS-based offerings like New Relic and Rollbar, and cloud-specific monitors such as CloudWatch in AWS or Azure Monitor in Azure, through to advanced infrastructure monitoring tools including Opsview and PRTG. Choosing the right one for you can be a daunting challenge. Contact a Craftsman for help with specifying a monitoring solution.


Day 10 - Make sure you're GDPR compliant

Keeping everything secure is a mindset to be adopted by everyone in the company as well as a set of technical tools. Taking GDPR seriously and following the proper processes to audit, understand, protect and manage the data you hold about individuals leads to good practices that benefit all of your data and systems. We work with organisations big and small to help protect their server infrastructure, just one part of the overall GDPR compliance landscape. There are no official standards yet in place for GDPR compliance but a good place to start is the guidance provided by the ICO for small businesses.


Day 9 - Set your devices to auto-lock when inactive

Never, ever leave your devices unlocked in a place where unauthorised users may get access to them. Sounds obvious but I’m constantly amazed by the number of screens I see unlocked around office buildings. It only takes a minute to install malware on an unattended laptop or phone. We instil a habit of always locking screens into our team but, as a backstop, configure your devices to auto-lock after a few minutes of inactivity. You never know when it might protect you from an opportunistic bad guy.


Day 8 - Set up a leavers procedure to protect your SaaS applications

Software as a Service (SaaS) is a great way to reduce the costs of IT and improve business continuity. The downside to this, however, is that SaaS access is available globally. This means that when people leave your business the old defence of them being outside the building no longer works. If it’s available, you will have single sign-on enabled, so as soon as their internal account is deactivated, their SaaS access is too. Unfortunately, these integrations are usually only available on the most expensive plans and it’s still necessary to remember to block their internal account. Although this may seem simple, a written checklist of SaaS applications as part of a formal leavers procedure really helps to remind you of which applications need to be updated when someone leaves. A formal leavers process can include much more, including recovering company assets, renewing NDAs and getting GDPR-compliant permission to respond to reference requests.


Day 7 - Get Cyber Essentials to protect your systems

The Cyber Essentials standard is a really good way to help businesses adopt a security mindset. Created by the UK government, Cyber Essentials is a pragmatic and achievable standard that demonstrates good security practice and helps your customers to feel confident that you take cyber security seriously.


Day 6 - Use a password manager to keep passwords safe

If you follow all of the advice to create strong passwords and make them unique on each site, you quickly run into a problem of safely managing all of those passwords. A spreadsheet on your laptop is not secure, even with a password. You could use the password manager built into your browser but that only covers one class of passwords (for websites). We recommend the use of a separate password manager to store ALL of the credentials that you use. These applications use a strong master password to encrypt all the other details so you only have to remember one password.


Day 5 - Keep your login credentials private

Sounds obvious but you might be surprised at how readily people will give up their access credentials. NEVER share your login credentials. It’s incredibly rare that a software provider will need your access details. When you get asked, it’s a really good sign that it might be an attempt at phishing, sending legitimate looking and plausible emails in an attempt to get you to give up your credentials. At work, it’s not a good idea to share your passwords with colleagues either. You risk getting the blame if something bad happens.

Want to know one of the best tools for managing passwords? Come back tomorrow when we publish our recommendations.


Day 4 - Create unique passwords for all your accounts

Sharing passwords across multiple accounts is a really bad idea. Once a hacker gets hold of one password, they will use it to try and gain access to other accounts. Creating unique passwords helps ensure that any damage caused by poor security elsewhere doesn’t jeopardise your other accounts. Dunkin Donuts recently revealed a data loss caused, it is believed, by a password reuse attack.


Day 3 - Use a secure internet connection


Google has been championing “HTTPS Everywhere” for several years. The launch of Let’s Encrypt in April 2016 made free certificates widely available and the SSL certificate industry has had a huge shakeup in the last 12 months. Even paid-for certificates with warranties and trust marks are now available for just a few pounds. There is now no reason at all not to run your entire site under HTTPS and you will be ranked better by the search engines when you do. If you need help implementing HTTPS site-wide, get in touch.


Day 2 - Check your webpages are secured


Once you have secured the data in transit (see day 1) the next step is to make sure that you have secured the web pages themselves from being altered or interfered with in the browser. We recommend this analysis tool to confirm that the latest best practices have been implemented on your site. These include headers such as X-Frame-Options, which tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Implementing these measures can have some side effects so if you need help, get in contact.
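The following is an added example, not part of the original post or of the analysis tool it recommends: a small Python check that classifies how well a set of response headers protects a page from being framed. It goes slightly beyond the text by also reading the Content-Security-Policy `frame-ancestors` directive, which browsers honour in preference to X-Frame-Options; the function names and sample responses are constructed for illustration.

```python
def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_verdict(headers):
    """Classify framing protection: blocked, same-origin, restricted, weak or missing."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # An enforced frame-ancestors directive makes browsers ignore X-Frame-Options.
        if not ancestors or ancestors == ["'none'"]:
            return "blocked"
        if ancestors == ["'self'"]:
            return "same-origin"
        if any(a in ("*", "http:", "https:") for a in ancestors):
            return "weak"          # any site (or any site on a scheme) may frame the page
        return "restricted"        # only the listed origins may frame the page
    xfo = h.get("x-frame-options", "").upper()
    if not xfo:
        return "missing"
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and unrecognised values are ignored by browsers.
    return "weak"


# Constructed sample responses (header name -> value), not captured from real sites.
SAMPLES = {
    "deny": {"X-Frame-Options": "DENY"},
    "legacy-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-xfo": {"Content-Security-Policy": "frame-ancestors *",
                          "X-Frame-Options": "DENY"},
    "nothing": {"Content-Type": "text/html"},
}


def audit(samples):
    """Map each sample name to its framing verdict."""
    return {name: framing_verdict(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:20} {verdict}")
```

The `csp-overrides-xfo` sample shows one of the side effects to watch for: a permissive `frame-ancestors` value cancels out an otherwise strict X-Frame-Options header.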


Day 1 - Check your website configuration


Configuring a website for SSL can be complicated, what with multiple software libraries, insecure default settings and many new configuration best practices. Qualys (a DCL partner) provide a free-to-use tool that checks the configuration of your website and can help identify misconfigurations that make the traffic more vulnerable to interception and unauthorised decryption. Give it a go and see how secure you are. If you need help, contact us.


24 days of security tips, advice and useful tools to check your website, because we believe peace of mind is the best present we can offer to help you make sure your business stays secure from the risk of hackers and potential data breaches.

24 days which we hope can bring you a December filled with Silent Nights and a Peaceful Christmas break.

It starts this Saturday, so stay tuned to this blog post, or follow our social channels Twitter, LinkedIn, Facebook for the latest posts.


Want to improve, increase and build stronger defences around your business’s online operations? Then speak to one of our security experts.

Our team are fully ISO270001 verified and run an ITIL certified helpdesk. It’s our mission to keep clients secure online.

