1. Enforce strong passwords and Multi-Factor Authentication for all remote access

Secure the remote access by using strong passwords different for each account (i.e., a combination of upper and lower cases, symbols and numbers), and implementing Multi-Factor Authentication wherever possible. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

2. Secure the workstations used for homeworking by controlling what can be accessed remotely

There are two solutions that allow collaborators to work from home: either the organisation provides them with a device, or it allows them to use their private workstations.

The first option, a managed device, ensures that security risks can be controlled by your IT Responsible and the controls put in place (e.g., managing all administrative rights to limit what a user can do the device, forcing the installation of required security updates when needed, etc.). However, the costs of providing each user with the necessary equipment will be higher.

Relying on collaborators’ private workstations can be a more cost-saving method, but the organisation then needs to take additional measures (e.g., limiting what can be accessed remotely, implementing Multi-Factor Authentication to access the organisation’s resources, etc.) to make sure that these devices don’t cause any harm to the organisation. The cost of having to resolve a breach also needs to be brought into account.

3.    Establish guidelines and rules for homeworking

Using managed devices for homeworking is the safest option as the organisation can implement more security controls. If managed devices are not an option, a series of security guidelines and rules should be given to collaborators to adopt the right behaviour when working from home:
•    Locking the workstation when leaving it;
•    Not leaving any passwords written and accessible (e.g., writing it on a sticky note and putting it on the computer screen);
•    Going to a private or secure area when discussing confidential information;
•    Turning off the computer when the work is done to allow necessary updates to be made; and
•    Using secured chat services to discuss rapidly with collaborators.

4.    Encrypt all traffic from/to remote worker with a Virtual Private Network

Whether collaborators use a managed or private workstation, it is important to secure their connection to the organisation’s resources with a Virtual Private Network (VPN). A VPN is a technology that encrypts the connection between a device and the organisation remote servers allowing the encryption of the data transiting from one point to the other and making sure that it cannot be intercepted by external or malicious users. Authentication to the VPN should be done through Multi-Factor Authentication to reinforce the security and make sure only people who are allowed, have access.

5.    Enforce antivirus and local firewalls on devices allowed to connect remotely

There are several ways a device can be infected by a virus: opening an attachment, clicking on a link, plugging a USB drive or simply surfing through a website. A virus is a malicious software that aims at damaging resources, deleting files, slowing down performances or stealing confidential information. Once a virus is on the computer, it will take time, effort and financial means to remove it. This is why it is better to protect all devices allowed to connect to the organisation’s network remotely with an antivirus software upfront.
In addition, a firewall should be used to monitor and filter the access requests to the corporate network based on predefined security rules. The firewall acts as a wall between the corporate network and an untrusted network (e.g., home network, Internet). It will allow the organisation to limit external access only to authorised people.

6.    Update your devices and software as soon as possible

It doesn’t matter how many different systems, applications or devices you use and how frequently they are needed: it only takes one of them for cybercriminals to compromise in order to cause damages and get access to information. Installing updates as soon as they are available is thus crucial to ensure a strong cyber defence and to make sure that the system version being used is still supported by the vendor.

7.    Regularly backup your critical resources

Backup all systems, applications, servers and data to make sure that even if an incident occurs, all important information can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.

8.    Collaborators: secure videoconferences

Videoconferences are much used in the context of homeworking. The following tips can help use videoconferences more securely:
•    Only use known products;
•    Only install the solution from official websites;
•    Make sure to keep the solution or software updated;
•    Create a different account, if possible;
•    Secure your account with a strong password and, if possible, the implementation of Multi-Factor Authentication;
•    Only take your videocalls in private or secure areas;
•    Only share the link to join the videocall with intended people;
•    Protect each meeting with a strong password;
•    Cover you webcam if you don’t need to put it on; and
•    Configure the region through which your data can transit, if possible.

9.    Collaborators: secure your network

The first step collaborators should take to secure the network is to secure their router, i.e., the door between Internet et their personal network, by implementing the following controls:
•    Modify your network name by making sure nothing obvious, such as your address, is used;
•    Modify your network passwords, including the router’s one;
•    Install ‘WPA2’ protection, an encryption mean, with a strong password;
•    Update all your equipment;
•    Activate a firewall and use an antivirus;
•    Deactivate the Wi-Fi Protected Setup, a functionality that allows devices to connect more easily to a Wi-Fi network without needing a password;
•    Implementing a host network, a dedicated network separated from your personal one to allow your guests to access your internet connection; and
•    Use an Ethernet cable instead of the Wi-Fi, for devices that you don’t need to move around as the Ethernet cable has less chances of getting hacked compared to a Wi-Fi.
You can find more information on how to configure your router’s parameters on Proximus, Telenet or VOO.

10.    Raise collaborators’ awareness on the risks of using personal devices to access corporate data

Personal devices tend to have less security controls in place compared to professional ones, making it easier to access them or steal confidential information they might contain. Collaborators should be aware of the importance to separate professional and personal usage to make sure no corporate data leakage happens. Several best practices can be adopted to ensure that separation:
•    Using different passwords for professional and personal accounts;
•    Differentiating professional and personal chat services;
•    Differentiating professional and personal backup services;
•    Differentiating professional and personal removable media;
•    Avoiding the use of unknown and public Wi-Fi;
•    Paying attention to what they share online; and
•    Only using official websites to download applications.
More details on those best practices can be found by visiting our dedicated article on the separation of personal and professional usage via LINK.

11.    Raise collaborators’ awareness on scams that aim to steal their credentials

An organisation’s collaborators are its first line of defence. Your collaborators need to be made aware on how to identify scams and fake message in order to adopt the right reflexes. There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. It is thus important to have regular informative sessions to train the collaborators about not sharing too much on social media and not clicking on a link or opening a file without analysing where it comes from first.

1. Secure the host server

Using a “defence in depth” approach, the website can be protected by setting up independent methods to secure not only the software and hardware of the server, but also its hosting infrastructure. Those methods can include, for example, a firewall, an application firewall, an antivirus, etc. Combined, they aim at protecting the server against common cyber threats (e.g., malware, DDoS, etc.). If the website hosting is externalised, make sure the provider has sufficient security controls in place to ensure that protection.

2. Set up a web application firewall

A particular protection method to include within the defence in depth approach is to set up a Web Application Firewall. This firewall protects the web application server from various attacks such as phishing, ransomware, malware and DDoS (Distributed Denial of Service) attacks by monitoring the incoming and outgoing network traffic and allowing or denying communications based on defined security rules.

The Web Application Firewall acts as a controller between the server and the client and by decrypting the traffic, it will analyse the users’ requests to access the network. This way, if it detects something suspicious according to its configurations rules, it can generate alerts and send them to the organisation’s IT Responsible and their team so they can decide which actions to take next.

3. Configure the server according to your needs

Only the necessary services for the server should be configured, everything else should be forbidden to avoid unused and potentially dangerous access points. Additionally, specific rules can be implemented such as IP address filtering or unauthorising specific file format.

Finally, all unused services and features should be disabled or limited in order to reduce the probability of a getting hacked.

4. Keep all the web server components up-to-date

As with all information and technology systems, updates to the web server components are crucial to make sure any known vulnerabilities is remediated, giving cybercriminals no chance to exploit them.

The typical components of a web server include:

* The BIOS/firmware of the hardware the server is running on;

* The operating system of the server;

* The actual web service used (e.g., Apache, nginx, IIS, etc.);

* The content management system (e.g., Drupal, Joomla, WordPress, etc.);

* Optionally, the virtualisation layer.

Very few companies build their website from scratch. They usually use third parties that come with a great amount of plugins and themes. Make sure to also keep those up to date. The developers from the third parties are constantly looking for new vulnerabilities, making the updates is thus crucial to have the least vulnerable version of the components being used.

5. Protect the Content Management System (CMS) by keeping it up-to-date, securing the access, installing security plugins and reviewing the users who have access to it

One of the important steps to take to secure the Content Management System is to keep it and its plugins up-to-date. Cybercriminals always look for new vulnerabilities to exploit, however security patches are released through the vendors’ updates to fix those vulnerabilities. It is thus important to make the updates as soon as they are available.

In addition, the CMS can be protected by not using any default configuration for accounts and passwords, but creating your own admin account with a strong enough password and in addition the use of Multi-Factor Authentication (MFA). MFA requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

Also, security plugins need to be installed and enabled on the CMS. Those plugins prevent brute-forcing (i.e. an attacker submit many passwords or passphrases hoping to guess it correctly and gain access to user accounts) and common web attacks.

Finally, a regular review of the user list must be integrated in the access management process. Check at regular interval who are the persons with editing or administrative rights on your website and disable any accounts that are no longer used or relevant.

6. Implement the HTTPS protocol

The HTTPS protocol is used on the Internet for secure communication and data transfer over a computer network. It is the secured version of HTTP. Just like HTTP, HTTPS is used to send data between a web browser and a web server. The difference is that HTTPS encrypts the data to increase the security of the transfer. Through the encryption of all exchanges happening between a web browser and a web server, HTTPS ensures that no outsider can eavesdrop the ongoing communications. In fact, even if an attacker is able to intercept the data, as it is encrypted, they will not be able to understand it nor use it.

7. Protect your database by controlling access and backing it up

Data is one of the most valuable assets an organisation has. This is why it should be protected accordingly. It is important to encrypt the data at rest (i.e., when stored in the database) and strictly control the access to the database.

In addition, those databases should be backed up to make sure that even if an incident occurs, all important data can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.

8. Disable directory browsing

Directory browsing offers the possibility for people visiting a website to access its repository content, i.e., all the files and folders. Directory browsing should be disabled so attackers cannot randomly find the data by simply using search engines. In addition, files shouldn’t use default or public accessible locations.

9. Manage and secure all accesses

It is very common for cyber criminals to use an existing account to get access to a company’s resources. The access control management process should be well established and implemented within an organisation. It is important to apply the basic principles of least privilege and need-to-know: a user should only get the accesses they require to perform their job, nothing additional.

In addition, a user access provisioning process defining the procedure to remove or change the access granted to an employee when they switch position or leave the company should also be implemented. An insider attack can always happen, no matter how loyal the

collaborators were at a certain point of time. Their feelings towards the company might always change if they didn’t leave willingly.

Finally, secure the access by using strong passwords, different for each account, and implementing Multi-Factor Authentication wherever possible.

10. Audit for the most common vulnerabilities

Testing a website for well-known vulnerabilities is a great way to establish whether it is ready to go live or not, from a security point of view. Identifying existing vulnerabilities beforehand gives more time to fix them, without any damage. You can get help from experts, used to doing penetration tests and audits, to assess your website security.

11. Regularly monitor your website activity

Monitoring activities related to, for example, the content management system, logins or file submission can help identify rapidly any suspicious activity and take the necessary actions to remediate it.

Cybercriminals often look for profit, and use personal and professional information to gain it. For example, they can try to steal money, or to impersonate a person to access unwanted and/or illegal services. In order to gain that profit, they will try to reach out to their victim and make sure to get a reaction from them, being it to download a file, click on a link, or give them a secret code or password. The victim cannot know in advance that they are being targeted by such malicious activity.

1. Watch out for unexpected messages.

Scams can happen through SMS, email or social media. As it is not possible to predict the time of a potential cyber-attack, all unexpected messages should be paid enough attention to. The most known cyber-attack using unexpected messages is phishing. To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

Malicious people try to create websites that will generate the visitor’s interest, such as a web shop or an online game, but also portals of resources attractive for business, by making it look as legitimate as possible. They will then try to trick the visitor into buying a fictional item, making them believe they earned a gift or a special coupon or provide them with a requested document in order to steal their professional and personal information that will help them earn some profit.

How to evaluate the legitimacy of a website?

The following five golden tips and tricks help assess the legitimacy of a website to better identify the malicious ones.

1. Check the address of the website

In order to look like an organisation’s official website, cybercriminals will often provide an address that looks like the legitimate address of that organisation (for example myorganisation [.]be instead of my[.]organisation [.]be). Another option for them is to use a different top-level domain from the legitimate one (such as, .org instead of .com or .be). In addition, they can play with letters and numbers in order to make people think they are on the right website. For example, they might use a capital ‘i’ to replace the letter L or the number zero instead of the letter o.

2. Check the reputation of the website

The website should be known to the public: the IT Responsible of your organization can always be consulted to evaluate the legitimacy of the website. Online reviews can also be checked to ensure that the service provided is real and not a scam. Some antimalware solutions can also provide a websites’ reputation scoring and can be accessed in the features of the antimalware.

3. Check how unbelievable and amazing offers and promotions are

Scammers try to attract a website’s visitors attention by displaying exaggerated discounts. If it is too good to be true, it is probably not.

4. Check how the payment is requested

Filling in personal information for delivery and payment outside of the initial web-shop can be an indicator of scam. Also, requesting payment through a third-party, for example, a parcel or transport organisation, is a common way used by cybercriminals to steal money without providing any service in exchange.

5.    Fill in only the strictly necessary information

Some personal information are not needed for specific services. For example, providing a social security number to buy something is not necessary. A website asking for unusual information for the service provided can be an indicator of scam.

Public Wi-Fi’s allow anyone to connect to the internet from anywhere. It represents a handy solution as people can access professional resources, shop online, browse websites, or manage their social media almost everywhere. However, as its name indicates it, it is public and everyone can access it, including scammers and criminals. If it is wrongly configured, a public Wi-Fi can be used to monitor the activities of people connected to it and steal their information by intercepting the data being transmitted.

1. Only make use of official public Wi-Fi when strictly needed

That includes for example needing to access information online when being at a known airport, train station, bar, restaurant or shop.

2. Never connect to an unknown public Wi-Fi

Cybercriminals might emulate an organisation’s Wi-Fi name to trick people into connecting to it, for example because it offers a stronger connectivity. Organisations should always implement a professional secured Wi-Fi network to ensure a safe access to their internal resources. Alongside this professional Wi-Fi, another can be implemented for personal or guests activities that can require to create an account in order to access it. This separation is important to make sure only the right people can access the organisation’s information. The IT Responsible of your organisation can always be consulted to make sure the available Wi-Fi belongs in fact to the organisation.

3. Use a VPN

A Virtual Private Network is a solution that helps encrypt and hide internet traffic to whomever might be trying to “listen” to the data that is being transmitted. The IT Responsible of an organisation can always be consulted to see if a VPN solution can be provided from the organisation.

4. Implement a guest Wi-Fi for personal and guest activities

Set up a dedicated network to which collaborators and visitors can connect to with personal devices. This dedicated network should be separated from the corporate internal network to make sure not to risk its compromission. The access should only be granted through giving unique credentials (i.e., a username and a password) to people registered. In addition, as a best practice to control which users currently have access, make sure to limit this access for a limited time (e.g., it expires after 24 hours).

What to do if you get scammed?

1. Report the incident to your IT responsible

2. Warn your colleagues, clients and providers that they might be getting a message from a specific collaborator but that they should not trust it.

3. Change all the passwords that were given (if any) on all the accounts they are being used.

4. If the scam was about bank details, immediately contact the finance responsible to inform them of the incident. If you notice that money has been stolen from your bank account, be sure to file a complaint with the police.

5. If you are the responsible of that bank account, call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

The collaborators of an organisation are the first line of defence when it comes to cybersecurity. Their education on that topic is one of the most important parts in building the organisation’s security resilience: by being able to identify a phishing attempt and avoid it or reporting any suspicious event, collaborators greatly participate in your organisation’s safety. With the consequences an incident, even minor, can have on an organisation’s finances, operations and image, the importance of raising collaborators’ awareness on security cannot be overlooked.

1. Build a communication and awareness plan

Building a communication and awareness plan that includes campaigns and informative sessions on different cyber topics, including the current threats and advice, ensures that collaborators always keep security in mind. The different topics that can be included in this plan with practical details to share are developed below in: ‘Cybersecurity threats and advice to share with collaborators’. The content of the trainings should highlight the importance the human factor plays in cyber-attacks (e.g., fraud attempts, phishing, CEO-fraud, installation of malware, etc.) and involve the right people (e.g., CEO Fraud training for people responsible for payments, mobile devices risks and best practices to collaborators with organisation mobile phones, etc.).

Proactivity is one of the key elements to prevent an incident from happening. The plan should define the topics that should be included, the format (e.g., e-learning, exercise, intranet messages, email messages, etc.), the objectives to attain, the audience and the timing (e.g., weekly, monthly, every three months, etc.). Training and communication should be targeted to the risks collaborators are facing. To assess the efficiency of the trainings, evaluations can be included in the format of tests. And to make the training more interactive, quizzes can also be included. For example, you can invite your collaborators to take our phishing test on https://www.safeonweb.be/en/quiz/phishing-test.

In addition to proactivity, repetition is also important. Awareness messages should be repeated at regular intervals to maintain the awareness or enhance it on specific aspects. The organisation should use an open communication culture, not a blaming one, to diffuse information on attempts of a cyberattacks efficiently.

2. Communicate internal procedures and policies and best practices

Would an organisation already have internal policies, procedures or best practices in place, it is important to share the key recommendations and guidelines included in those with collaborators. This way, they can all be aware of the intended behaviour. When

communicating on policies, procedures and best practices, make sure to always stay concrete and practical and underline key messages such as ‘What is it?’, ‘Why is it important’ or ‘What’s in it for us?’.

Involving top management and boards in this communication is necessary and help show the importance an organisation gives to information security. Every collaborator should be part of the communication, no matter their role in the organisation.

3. Communicate how to report an incident

Once collaborators know what to do when facing a cyber threat or incident, they also need to know how they can report any undesirable event they might witness. Raising collaborators’ awareness on security should also include communications on the necessity to notify something unusual they find or see in the offices, on their workstations, on their mobile devices, or on the network. Collaborators need to know when, how, and to whom they can reach out to notify a potential incident.

Our incident management policy template can help organisations define an effective incident management process, including the reporting part.

Cybersecurity threats and advice to share with collaborator

1. Cyber threats

The threat landscape is constantly expanding. There are many common cybersecurity threats organisations are facing nowadays that collaborators need to be aware of and to know how they can react to them:

Phishing

Through the use of fake emails or phone calls, cybercriminals try to collect personal or professional information they can use to make profit. Stay vigilant to potential scam or malicious messages and report any suspected phishing attempt to suspect@safeonweb.be.

For more recommendations on phishing, visit our dedicated article.

Ransomware

By installing a malware on one or multiple organisation’s resources, cybercriminals block the access and information they are willing to give back in

exchange of a payment. Stay vigilant to potential malicious message and ensure thay your systems are updated, backed up and protected by an antivirus.

For more recommendations on ransomware, visit our dedicated article.

Website hacking

Cybercriminals gain unauthorised access to a website configuration and data and use it for malicious purposes (e.g., launch other attacks, access sensitive information, etc.) that will make them earn profit. Some steps you can take to prevent your website from getting hacked are to protect all the accesses to your content management system and to keep all your components updated.

For more recommendations on website hacking, visit our dedicated article.

Website defacement

Cybercriminals modify and/or replace the initial content displayed on a website to share a message or disrupt operations. Pay attention to any change made to your organisation’s website and report it as soon as possible.

For more recommendations on website defacement, visit our dedicated article.

DDoS attack

A Distributed Denial of Service attack aims at disrupting the usual operations of an organisation’s web host or server by overloading an internet server and launching an enormous amount of page requests. You can mitigate DDoS attacks by implementing, amongst others, a firewall and Multi-Factor Authentication for the access. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

For more recommendations on DDoS, visit our dedicated article.

Computer virus

A virus represents malicious code that can harm a device and the data it contains either to steal data, encrypt it and request a payment or make the device unavailable. One of the main controls to protect against computer virus

is to have an antivirus solution installed on all devices and make sure to keep it up-to-date.

For more recommendations on virus, visit our dedicated article.

Account hacking

An authorised individual gets access to an account and all the information it contains to use them for malicious purposes, such as stealing data. To make sure an account doesn’t get hacked, set up strong passwords by combining upper and lower cases, symbols and numbers. In addition, Multi-Factor Authentication should be implemented wherever possible.

For more recommendations on account hacking, visit our dedicated article.

CEO Fraud

Through the impersonation of a CEO, cybercriminals reach out to collaborators and try to convince them to execute a payment or provide confidential information. Establish clear procedures on wire transfers and clear guidelines on information sharing to make sure collaborators don’t respond to cybercriminals’ requests when executing a CEO Fraud attack.

For more recommendations on CEO fraud, visit our dedicated article.

Fake wire transfer

Through persuasion, threat or any other form of putting pressure, cybercriminals try to convince collaborators that they either need to execute an unplanned and urgent transfer or give away confidential information and/or internal procedures about how to execute a payment. As for CEO fraud, establish clear procedures on wire transfers and clear guidelines on information sharing to make sure collaborators don’t respond to cybercriminals’ requests.

For more recommendations on fake wire transfer, visit our dedicated article on LINK.

Fake technical support

Through impersonation of technical support, cybercriminals try to convince collaborators that their device need technical assistance for which they should pay or provide confidential information. Make sure to inform collaborators about this type of scam and to share some tips and tricks to stay protected, e.g.,

watching where they surf, downloading updates from official websites and keeping all devices up-to-date.

For more recommendations on fake technical support, visit our dedicated article.

Spam

By sending unsolicited messages to a large number of collaborators, cybercriminals try to execute a phishing, spread malware or steal confidential information. Stay vigilant to potential scam and report all scams you receive to suspect@safeonweb.be.

For more recommendations on spam, visit our dedicated article.

2. Cybersecurity best practices and advice

In addition to educating collaborators on the threats they are facing, organisations can also give them best practices and advice to adopt to prevent them from falling for a cyber-attack:

Passwords

Strong passwords are built by combining upper and lower cases, numbers and symbols. They should be completed when possible with Multi Factor Authentication, which requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach. Finally, Password Managers help manage several passwords by storing them safely.

For more recommendations on passwords, visit our dedicated article.

Social Media

Several cyber threats can be encountered on social media, such as phishing, account hacking or malware. Collaborators can protect their information by using Multi Factor Authentication and strong passwords.

For more recommendations on social media security, visit our dedicated article.

Professional and personal usage

It is important to separate professional and personal usage by differentiating chat services, passwords and backup services.

For more recommendations on differentiating professional and personal usage, visit our dedicated article.

Public Wi-Fi

Anyone can access a public Wi-Fi. Its use should be restricted to when it is necessary and the use of a Virtual Private Network, a solution that helps encrypt and hide internet traffic to whomever might be trying to “listen” to the data that is being transmitted, should be implemented.

Online websites

The legitimacy of a website can be determined by checking if the address is the real one, checking the reputation and assessing the payment method to see if it seems odd (e.g., through a parcel or transport organisation).

Homeworking

To ensure working from home is done in a safe way, the devices and data should be secured by restricting and protecting their access.

For more recommendations on securing homeworking, visit our dedicated article.

Mobile devices

Mobile devices also contain personal and/or professional information and should be secured accordingly by establishing a strong password or PIN code to access them, keeping them up-to-date and backing up all the important data.

For more recommendations on mobile device security, visit our dedicated article.

Backups

The most valuable information should be identified and backed up accordingly to ensure its availability in case of an incident.

For more recommendations on backups, visit our dedicated article.

Updates

Keeping all the resources updated ensure that they have all the security enhancements needed. Those updates should be downloaded only via official websites.

For more recommendations on updates, visit our dedicated article.

Antivirus

The right type of antivirus is picked based on what needs to be protected, the features it offers and how much expertise is needed to manage it. An antivirus needs to be updated whenever possible to ensure its efficiency.

For more recommendations on antivirus, visit our dedicated article.

1. Perform Security updates/patches for all your software and devices when the updates become available

Since it could only take one vulnerability in a system, application or device for cybercriminals to compromise in order to cause damages and get access to the entire environment. Installing updates as soon as they are available is thus crucial to ensure a strong cyber defence and to make sure that the system version being used is still supported by the vendor.

There are two different types of updates to take care of. On one hand, there are updates that aim at fixing security vulnerabilities to make sure a product cannot be compromised. On the other hand, there are updates that aim at enhancing a product from a functionality point of view. Both types are equally important and should be installed as soon as they are available.

To efficiently manage the update process, an organisation should define a series of rules to establish, amongst others, what should be updated, how frequently, who should monitor the availability of new updates and who should make sure they are installed.

2. Include third-party software in your updates

Third-party software, such as browsers, program extensions and middleware, should also be updated regularly. They represent common ways of exploiting users because of their interactivity.

3. Plan your updates during non-working hours

When collaborators are working on their device, they tend to ignore update notifications so they don’t interrupt their work or lose time waiting for the update to be completed. As updates sometimes take time, it is better to plan them during non-working hours or during less busy periods. Do not plan major updates on a Friday evening to allow potential support in case of problems.

4. Only use official websites to download updates

Cybercriminals display fake update notifications through advertising messages or pop-ups. It is important to download an update only from the official vendor to avoid installing a virus instead. In addition to paying attention to the legitimacy of the website, what is included in the update should also be reviewed to avoid ticking boxes for unneeded features such as an advertisement add-on.

5. Automate the update process

Wherever possible, if the system allows it in its configuration, automate the download and installation of new updates to make sure to always have the latest and more secure version released by the vendor. In addition, make sure the update works correctly by checking it manually.

Besides that, there are programs that can scan resources and look for updates needed, in order to give an overview of what should be installed.

6. Check for new updates and end of support

In order to avoid missing a crucial update, organisations need to keep on monitoring the availability of new updates for the devices and software they use on the vendors’ websites. In addition, it is also important to establish when a product is no longer supported by the vendor, as it then reaches an ‘end-of-life’ state. That implies that new updates are no longer realized, making the solution vulnerable. It is thus better to anticipate the end-of-life state of a product and migrate the necessary resources on time. Finally, collaborators can also be restricted to install unsupported products by establishing a whitelist of all authorized ones.

7. Test the updates

Depending of the importance of the update, the impacts and dependencies may differ. Whenever possible, the updates should be tested before its implementation. A test environment and a reference baseline are a good way to validate updates in an isolated environment similar to the production one. It can also help to test repair scenarios or failed installations

8. Backup your systems, data and servers

It is a good practice to backup data and systems before installing an update to make sure a working version is available in case something goes wrong. Also, it is best to make a full backup of servers before updating them. Having a roll back strategy available when doing updates on those common resources is indeed important to be able to go back to a working server as soon as possible. In addition, the procedure ensuring the roll back should be tested to reduce the negative impact an update could have.

Even if some organisations or systems may be more vulnerable or targeted by cybercriminals than others, all IT equipment can be potentially infected by a virus at any times.
An antivirus ensures that a computer is not vulnerable to viruses. It is the most important piece of software for protecting an organisation’s computer and data. Although no virus scanner offers 100% protection, installing one is crucial. Cybercriminals are constantly looking for weaknesses to exploit in order to bypass that layer of protection without being detectable. However, using an antivirus can at least protect the devices from the main known viruses. It is one of the most important steps an organisation can take to ensure the IT security of all its assets.

An antivirus software look for viruses everywhere on a device, e.g., memory(s) or hard disk(s), the content of messages (email), the loading of an Internet page, the reading of removable media (USB keys, DVD, etc.), etc. Once it detects an infected file, an alert is sent on the device. Simultaneously, the software places the infected file in containment to make sure the virus cannot spread and eventually, completely removes it.

Types of antivirus

There are two categories of antivirus, signature- and behaviour-based:

• Signature-based: every malware has a unique signature, a kind of fingerprint, that helps identify it. A signature-based antivirus uses that distinctive identification to detect a malware and block it.
• Behaviour-based: cybercriminals make slight changes to antivirus signatures to make them undetectable. To counter those changes, the behaviour-based antivirus analyses every line of code and anticipate all the actions that could be taken. If something malicious is detected, such as access to a critical system, it can block it.

1. Make sure the antivirus is activated and configured

Make sure that the antivirus is installed correctly and activated, and that it regularly updates its program and its signatures. The protection in real time to analyse everything that comes in and goes out should be well configured. In addition, the settings and functioning can be tested to ensure the antivirus answers the needs initially defined. Finally, a thorough scan of the hardware can be performed to ensure that no initially unknown viruses have taken hold between two updates.

2. Define the frequency of the scans

An antivirus can potentially slow down a device, since it is constantly running and scanning all actions being performed. This is why it is important to decide on the frequency of scans, depending on the power of the device and the speed of scanning. Most antivirus vendors gives the possibility to schedule the scans choosing a tailored frequency. It can thus be tailored to the organisation’s needs. In addition, two types of scan can be executed: a quick or full scan. The latest is a more in-depth scan that takes more time and resources. However, it doesn’t need to be performed every day. Doing it at least once a week can already ensure a good protection.

3. Keep your antivirus up to date

The efficiency of the antivirus partly relies on the updates a vendor makes to ensure that the protection can counter newly discovered or modified vulnerabilities. In order to take advantage of those enhancements, the antivirus software needs to be constantly kept up–to date on all the devices on which it is installed.

1. Monitor the alerts

As important as installing and checking an antivirus is, monitoring its alerts is even more. The antivirus can be very efficient in detecting anomalies, but if the alerts aren’t monitored and reacted to, it can’t be of much help. It is important to program all the necessary alerts from the protection for when something is wrong. Setting up a series of alerts to make sure the notifications pop up is an efficient way to handle any anomaly that could come up.

2. Watch out for signs that can indicate an infection

Even without an alert, some warning signs from a device can already indicate that it has been infected:

• The device has become noticeably slower, freezes or crashes often.
• You have been locked out of your device, account, or certain files.
• You get unusual errors.
• You are spammed with annoying pop-up messages.
• Your browser’s home page has changed, bookmarks have been added or new extensions have been installed without your permission.
• Your contacts are getting strange messages from you.
• Icons or programmes that you do not recognise appear.
• Your device switches itself off and then restarts.
• Your antivirus software repeatedly warns you that it has been disabled.
• Your access to system tools such as the Control Panel has been disabled.

3. Make sure collaborators know how to report an incident

In addition to the notification of the antivirus alert, it is important to teach your collaborators how they should react to an alert, the process to follow and who they should reach out to.

4. Take action when an alert comes up

First, whenever an alert pops up, it is strongly recommended to disconnect the device from the Internet and perform a scan to ensure that no trace of the virus remains on the equipment. Secondly, a suspicious file can be removed from quarantine only if it is certain that it is not infected. Finally, if a virus cannot be removed, a complete reinstallation of the device and a change of all used passwords should be considered.

When choosing an antivirus, there are multiple things to evaluate:

• Assess what you need to protect

Which devices and/or systems need protection? Are they all running on the same operating systems or do they have different ones?

• Make sure your antivirus covers the basics

File, network and application: everything entering a device should get scanned by the product. In addition, collaborators probably spend a great amount of their time connected to the internet and a network is the fastest way for a virus to spread. Thus make sure that the product chosen can protect from malicious websites and harmful content. Finally, make sure that the protection of all applications and operating systems is also covered by the product.

• Make sure your antivirus covers the extra’s you need

What other threats does it cover? Look especially for the most common ways to distribute a malware: phishing attempts, USB drives and communication tools.

• Assess how flexible the antivirus is

Find an antivirus that gives the possibility to schedule scans when needed. It is best to do those scans and updates at night or during weekends. It can cause quite the trouble for collaborators if scans and updates are always executed when they are working on their devices.

• Assess the expertise required to manage the antivirus

How much knowledge or expertise about a specific product does the IT Responsible need? Do they have that knowledge and expertise?

• Assess the power your resources can handle

Are you working on more affordable, slower devices? Then you might want to pick an antivirus that doesn’t take too much of your systems’ resources and power.

• Assess the budget

You cannot bypass getting a protection for your devices and systems. This is why it is important to gather the criteria you need your antivirus to have and see which one you can afford. On the other hand, it won’t be useful for an organisation to use all the budget available on a solution that can protect resources it doesn’t have.

Cybercriminals take advantage of social media to launch attacks as it only takes one account to compromise in order to be able to reach a great number of potential targets. Different types of attacks can be launched through social media, such as:

• Social engineering: through manipulation or pressure, cybercriminals convince their victims to take action in order to reach a malicious goal such as stealing confidential information or wiring money.
• Phishing: using emotions, daily situations (e.g., delivery of a package, a change of password required, …) and means of pressure, cybercriminals put a lot of efforts into convincing the victim to click on a specific link and then disclose confidential information or give money.
• Identity theft: cybercriminals create a whole new account with accurate information and pictures to make people think it belongs to an existing organisation or person. They then use it to trick people into giving away personal or corporate information or to click on a malicious link that will lead to leaking data, gaining access to resources or installing a malware.
• Malware: by promoting malicious links on social media, cybercriminals are able to install malware on the devices from which a person clicked on the said link. Through that malware, they can get access to other devices and networks, steal confidential information and cause damage on the resources they were able to reach.

1. Secure the access to your accounts

Social media accounts gather a lot of confidential information such as personal information, home addresses, phone numbers, etc., which are an attractive target for cybercriminals. Accounts thus need to be protected by using strong passwords that are different for each account. A strong password is one of at least 12 characters and has a combination of upper

and lower cases, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should also be enabled wherever possible. Multi Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

2. Review your confidentiality parameters and restrict the visibility on your personal information

Usually, default parameters are set to let anyone see personal information and posts on social media. That visibility can be restricted by configuring it within the account and making sure the owner controls what the public can or cannot see. Those configurations should be regularly checked as they can sometimes be changed without alerting the user. In addition, some accounts can also be set to ‘private’ to reduce the visibility of the information and posts shared.

3. Pay attention to what you post and what others post

Social media offer an important reach and it is not possible to always fully control the audience that has access to the information and posts shared. Personal or confidential information shouldn’t be shared on those platforms, as they could be used for malicious purposes. In addition, work-related post should be written carefully as they could harm the reputation of the organisation, even when shared by a collaborator and not the organisation’s account itself.

Besides that, all information shared online by others should be read and re-shared carefully. Anyone can post whatever they want online, there is no control in place to verify the veracity of the message shared. Cybercriminals use this to share messages (e.g., fake news, promotions) that can have serious consequences. By sharing those yourself, you could be diffusing harmful messages to your network.

Finally, whatever you are sharing or reposting online, make sure to respect the law. Don’t share anything that might go against our established laws such as content related to cyberbullying, paedophilia, comments inciting racism or violence, infringement of image rights, etc.

4. Watch out for people impersonating an organisation or a collaborator

Malicious people use social media to carry out scams by creating fake accounts or by using a hacked one to impersonate an organisation or a collaborator. They reach out to people using those accounts in order to steal confidential information and/or money. Money, pictures, videos or any type of sensitive information should never be shared online without first making sure the person behind the account is really who they claim to be.

5. Control third-party applications

Some applications can request access to social media accounts to be able to login faster. Those requests should always be analysed carefully and access should be granted only to strictly necessary information. Also, even if using a social media account to login into an application can seem more handy, it should be used carefully as it gives access to a great deal of information available on the account.

Applications should only be installed from official vendors or websites to avoid downloading a virus with it. As soon as the application is not needed or used anymore, it should be uninstalled or the access initially granted should be revoked.

6. Avoid using public Wi-Fi and public computers

Public Wi-Fi or public computers are a handy solution as people can access professional resources, browse websites, or manage their social media almost everywhere. However, as the name indicates it, it is public and everyone can access it, including scammers and criminals. If it is wrongly configured, a public Wi-Fi or computer can be used to monitor the activities of people connected to it and steal their information. Always prefer your organisation professional WI-FI network and professional devices to access professional resources.

If an account is sending messages or sharing posts without the owner’s knowledge, it was probably hacked. In order to regain control of the account, the following steps can be taken:

1. If the account is still accessible, immediately change the password of that account and all your others
2. If the account is not accessible anymore, use the recovery options to try and gain access and change all your passwords
3. Scan your device for viruses
4. If bank or credit card details were stolen or if any suspicious activity is identified on your bank account, immediately contact Card Stop at +32 78 170 170 and inform the relevant institution (e.g., bank, credit card provider, …). If you notice that money has been stolen from your bank account, be sure to file a complaint with the police.
5. If work-related data was stolen, immediately inform your employer

1. Invest in devices dedicated to professional use

Organisations should invest in devices specifically dedicated and only used for professional purposes to distribute to their collaborators. This will make sure a clear separation exists between professional and personal usage. In addition, the organisations can ensure that security risks are controlled by the IT Responsible and that all security requirements are put in place (e.g., managing all administrative rights to limit what a user can do the device, forcing the installation of required security updates when needed, etc.).

2. Use different passwords for your professional and personal accounts

With the many different accounts used on a daily basis, professionally and personally, it is important to set up different passwords for each one of them. If one account than gets hacked, cybercriminals won’t be able to use the same password to access all the others. In addition, if the compromised password is associated with a professional account, it also puts the organisation itself in danger as it opens the doors to steal data from and cause damage to its environment.

Passwords should be strong enough passwords combining uppercase, lowercase, numbers and symbols and Multi-Factor Authentication (MFA) should be implemented wherever possible. Multi Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

3. Differentiate your professional and personal chat services

It is better to have separate communication accounts for professional and personal exchanges. This way, the risk of accidently leaking confidential corporate data to family and friends can be minimised. In the same way, a personal matter is less likely to be diffused within the work environment. In addition, personal communication services are less secured than professional ones. It is thus easier for cybercriminals to hack a personal account and if the two are mixed-up, they can more easily access confidential corporate data.

4. Differentiate your professional and personal backup services

Personal backup services usually have less security controls in place as people tend to mainly rely on the ones built-in by the provider. Organisations put more effort in securing their

backup services, due to the confidentiality of their data. Saving corporate data on personal backup accounts can be against many organisations’ acceptable use policy due to the confidentiality it holds. In addition, if your personal backup account gets hacked, you are putting the organisation at risk by making its information available.

5. Differentiate your professional and personal removable media

Only trusted removable media that is approved by the IT Responsible should be plugged in professional devices. In addition, separate removable media should be used for professional and personal devices. This way, if one gets compromised, the other still stays safe.

6. Differentiate the corporate and guest Wi-Fi

Organisations should implement a dedicated network, requiring credentials to connect to and separated from the internal corporate network. This dedicated network allows not only guests to connect to Internet when visiting the organisation, but also collaborators to carry out their limited private operations on personal devices when the organisation allows it. 7. Avoid using unknown and public Wi-Fi

Public Wi-Fi is a handy solution as people can access professional resources, shop online, browse websites, or manage their social media almost everywhere. However, as its name indicates it, it is public and everyone can access it, including scammers and criminals. If it is wrongly configured, public Wi-Fi can be used to monitor the activities of people connected to it and steal their information by intercepting the data being transmitted. Public Wi-Fi should only be used when strictly needed and no other option is available. In addition, a Virtual Private Network (VPN) should be used when connecting to public Wi-Fi. A VPN is a solution that helps encrypt and hide internet traffic to whomever might be trying to intercept the data that is being transmitted.

8. Use internet access responsibly when at work

Usually, organisations allow their collaborators to use the corporate network for limited private purposes. No matter the security controls an organisation has in place, it is always possible to download a virus on or open the access to the corporate network inadvertently. In addition, organisations are allowed to monitor what is being accessed and done on the web when collaborators are using the corporate network. Therefore, private matters that are better kept away from work environment shouldn’t be accessed when using that network. Finally, organisations can hold you accountable for any illegal downloads or publications of hateful content you might engage in when using the corporate network.

9. Pay attention to what you post and what others post online

Social media offer an important reach, and it is not possible to always fully control the audience that has access to the information and the posts shared. Personal or confidential information shouldn’t be shared on those platforms, as they could be used for malicious purposes. In addition, work-related posts should be written carefully as they could harm the organisation, even when shared by a collaborator and not the organisation’s account itself.

Besides that, all information shared online by others should be read and re-shared carefully. Anyone can post whatever they want online, there is no control in place to verify the veracity of the message shared. Cybercriminals use this to share messages (e.g., fake news, promotions) that can have serious consequences. By sharing those yourself, you could be diffusing harmful messages to your network.

10. Only use official websites to download applications

It is important to download an application only from the official vendor to avoid installing a virus instead. Many cybercriminals try to offer free versions of an application to convince you to download it when in reality, they will use it to access your devices and steal confidential information. A good way to check if a website is legit, is to check the number of downloads and the opinions of other users before installing a new application.

11. Update your devices and software as soon as possible

Since it could only takes one vulnerability in a system, application or device for cybercriminals to compromise in order to cause damages and get access to information, installing updates as soon as they are available is crucial. It ensures a strong cyber defence and makes sure that the system version being used is still supported by the vendor.

12. Use an antivirus on all your devices

There are several ways a device can be infected by a virus: opening an attachment, clicking on a link, plugging a USB drive or simply surfing through a website. A virus is a malicious software that aims at damaging resources, deleting files, slowing down performances or stealing confidential information. Once a virus is on the computer, it will take time, effort and financial means to remove it. This is why it is better to protect all devices, personal and professional, with an antivirus software upfront.

1. Identify the resources and data that are critical to ensure operations

It is important to back up all critical resources and data. This will be different for every organisation as they don’t all provide the same services. An organization must first define which data and resources are critical to ensure the continuity of their operations. This can be determined by asking the following types of questions: "What data cannot be recovered if lost?", "What data is most frequently requested?”, “What data would have an financial impact if unavailable?”, “What data would damage the organization’s reputation if accessed by the wrong people?”, etc.

2. Determine where the critical resources and data are stored

Next to knowing what the most critical resources and data are, it is important to know where they are stored giving the many possibilities that exist nowadays. Each device and support storing critical resources and data should be identified, e.g., servers, laptops, mobile devices, hard drives, USB keys, etc.

3. Choose the right type of backup

There are three different types of backup that can be performed, each one defining which changes made to the data will be added to the last backup. It is also possible to combine multiple types of backup to tailor them to the organization’s needs.

• Full backups: with each iteration, all the data is backed up. In case of an incident, a full restore of everything is available. However, backing up all the data all the time takes a lot of time, making it harder to execute such backup, and implies many redundant copies of data, requiring more storage space.
• Differential backups: with each iteration, only files that have been created or modified since the last full backup are copied. A full restore of the data is faster as it only requires the last full backup and the most recent differential one. Also, it requires less storage space as less redundant copies are made.
• Incremental backups: with each iteration, only the files that have been created or modified since the last backup iteration are copied. Suck backups take less time to execute and require less storage space. However, a full restore of the data will take a considerable amount of time as it requires the full backup and all the previous incremental ones.

The following table indicates which data is backed up for each type.  

4. Back up the data at regular intervals

In general, all resources and data should be backed up at least weekly. However, depending on the criticality of the resources and data, more backup iterations can be set. When there is less time between two iterations, the risk of losing an important amount of data is minimised. Thus the more critical the data is, the more often a backup iteration should be executed.

5. Automate the backup process

The backup process should be automated wherever possible for more efficiency. This will allow to back up the data as regularly as predetermined without monopolizing the collaborators responsible to ensure the backup execution. Manual backups are also possible, however, a tight schedule should be determined and followed strictly.

6. Store backups online and offline to ensure their availability

Backups can be stored either online or offline. When stored offline, there is a distinction to be made between storing them locally or remotely. To ensure the backup availability, it is best to use a combination of an online and offline versions wherever possible. Also, different copies should be made on different media and one copy should be kept in a different location from the original one to protect it in case of a disaster.

A specific way to store backups can be the 3-2-1 method. This is a combination of a local offline backup, a second offline backup at another location and an online backup. In total this means that 3 copies of the data exist, stored in 2 offline storages and 1 online storage.  

The following tables present an overview of pros and cons of what each type of backup storage can bring.

Online backups (cloud):

Offline (external hard drive):

7. Secure the access to backups with strong passwords and Multi-Factor Authentication

Having all the necessary data and resources backed up is crucial for an organization. However, backups are also a potential target for cybercriminals, which makes them vulnerable. It is thus important to ensure their protection by implementing specific security controls to ensure they cannot be tampered, deleted or modified.

The access to the backups should be limited. Not everyone within the organisation needs to be able to read or modify them. Only people working directly on them should have access. This also includes the specific people involved in the incident resolution process as they will be the ones to recover the data and resources when needed. In addition to restricting the access, strong authentication should be set up by enforcing the implementation of a strong password and Multi-Factor Authentication. Multi Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

1. Maintain control

Mobile device should never be left without surveillance. Make sure others do not have access to your devices. Always keep your access PIN code and passwords secret, never share them on a note or with someone. Finally, when having sensitive calls where confidential information might be shared, make sure to use a private room or secure area where people won’t be able to eavesdrop.

2. Protect your device with a PIN code and strong passwords

Mobile devices are full of personal and/or professional sensitive information. They should be secured accordingly by establishing a strong password or PIN code to access them. Strong passwords are built by combining upper and lower cases, numbers and symbols. They should be completed with Multi Factor Authentication, which requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

3. Protect the device with encryption

Next to protecting sensitive information with a PIN code and a strong password, an extra protection layer can be added to a mobile device by using an encryption. Encryption is the process of making data unreadable to unauthorised users. Lately, almost every device offers the possibility to encrypt all the data it contains by enabling a specific parameter within its configuration.

4. Avoid using unknown and public Wi-Fi

Public Wi-Fi are a handy solution as people can access professional resources, shop online, browse websites, or manage their social media almost everywhere. However, as its name indicates it, it is public and everyone can access it, including scammers and criminals. If it is wrongly configured, a public Wi-Fi can be used to monitor the activities of people connected

to it and steal their information by intercepting the data being transmitted. Public Wi-Fi should only be used when strictly needed and no other option is available. In addition, a Virtual Private Network should be used to connect to public Wi-Fi. A Virtual Private Network is a solution that helps encrypt and hide internet traffic to whomever might be trying to “listen” to the data that is being transmitted.

5. Update your devices and applications as soon as possible

Since it could only takes one vulnerability in a system, application or device for cybercriminals to compromise in order to cause damages and get access to information, installing updates as soon as they are available is crucial. It ensures a strong cyber defence and makes sure that the system version being used is still supported by the vendor.

6. Make backups regularly

Mobile devices usually have data that cannot be accessed anywhere else: contacts, messages, pictures, etc. It is thus important to regularly backup your mobile devices to make sure all the data it contains can always be recovered, even if the device is stolen or unavailable. This can be done mostly by connecting your device to your computer via cable or on the cloud when your phone is charging and connected to your WI-FI network. 7. Use an antivirus on all your devices

There are several ways a mobile device can be infected by a virus: opening an attachment when reading an email, clicking on a link or simply surfing through a malicious website. A virus is a malicious software that aims at damaging resources, deleting files, slowing down performances or stealing confidential information. Once a virus is on the device, it will take time, effort and financial means to remove it. Some cybercriminals put more efforts in finding ways to compromise mobile devices as they know that they usually don’t have security controls in place as for computers. This is why it is better to also protect your mobile devices, personal and professional, with an antivirus solution upfront.

8. Use Mobile Device Management

A Mobile Device Management solution help organisations control and implement security controls when it comes to mobile devices. It allows the organisation’s admins to onboard, enrol, manage, erase and upgrade the devices in a centralised manner. There are several advantages a Mobile Device Management solution can bring:

• Isolation: organisations are able to separate distinctly corporate data from personal applications.
• Email management: organisations can make sure that corporate email are only accessed through a managed device, making it less likely to experience data leaks.
• Operating System (OS) update: organisations are able to remotely update the devices.

9. Enable remote lock and remote data wipe

In addition to the possibility of getting lost or stolen, an organisation can also lose a mobile device if they allow it to remain available to collaborators after they leave the organisation.

The ability to remotely lock and wipe all corporate information from a device should thus be part of the organisation’s security strategy. This can be achieved through Mobile Device Management.

1. Only use official websites or platforms to download applications

It is important to download an application only from the official vendor to avoid installing a virus instead. Many cybercriminals try to offer free versions of an application to convince you to download it when in reality, they will use it to access your devices and steal confidential information. A good way to check if a website is legit, is to check the number of downloads and the opinions of other users before installing a new application.