SME
Home > 
Best Practices > 
Information For > 
SME
< back
Related topic(s)
Clear All
Result: Item(s)
Internet Content Filtering
Some websites contain indecent or obscene content and are clearly not suitable for children and young persons. There are software tools available that can help filter out websites that are not suitable for children, monitor your children's online activities, and limit the amount of time your child spends online.
Examples on Determining the Assurance Level
Some examples on how to assess the impacts of potential consequences of unauthorised authentication for determining the overall assurance level of respective service / transaction scenarios.
What is e-Authentication Assurance Level
The Assurance Level is a term to describe the degree of confidence in the enrolment and authentication processes.
Advice and Support for SME
It may not be possible to understand every piece of security knowledge and skills by yourself. Learn how to make use of other sources of assistance. For example, discuss with your friends, consult your business partners, or search the Internet.
e-Authentication Methods
There are three basic authentication factors (i.e. “what the user knows”, “what the user has”, and “what the user is or does”) commonly referred to in an authentication system.
e-Authentication for Business
To prevent unauthorised users from gaining access to protected resources, secure authentication systems are required to ensure that users are who they claim to be.
e-Authentication Models
There are two basic models for establishing an e-authentication system.
Control Access to Critical Information
You shall always grant access rights to your information on a need-to-know basis. Otherwise you face the security risks.
Securing Web Application
Web applications can provide convenience and efficiency, there are also a number of new security threats, which could potentially pose significant risks to an organisation's information technology infrastructure if not handled properly.
Developing Secure Mobile App
Growth in smartphones and tablets has led to dramatic shift in the way general public and corporate users interact with business.
Guidelines for Using Software
A wide range of software can provide tools for ensuring information security.
Protecting Your Website
If you have an e-commerce website, you face the following risks
VPN Security
Virutal Private Network (VPN) security is an increasing demand nowadays to connect to internal networks from distant locations. Employees often need to connect to internal private networks over the Internet (which is by nature insecure) from home, hotels, airports or from other external networks.
Business Continuity Plan
This involves the development of a Business Continuity Plan (BCP) designed to ensure the recovery of critical business activities from natural or man-made failures or disasters to an acceptable level within a predefined time frame, thereby minimising the impact of losses to the organisation. Implementing a BCP is essential for every business.
Observing UEMO
To contain the problem of unsolicited electronic messages, the Unsolicited Electronic Messages Ordinance ('UEMO') and the Unsolicited Electronic Messages Regulation ('UEMR') have been enacted in 2007. The UEMO regulates the sending of 'commercial electronic messages' with a 'Hong Kong link'.
Preventing Data Theft
At any time of day or night, a huge amount of data is being stored, retrieved and transferred in the average company or organisation. As a responsible user, you must know how to protect your data and prevent data theft from mobile devices.
Protection against Phishing Attacks for SME
SME protect against Phishing attacks, preventive , detective and responsive measures.
Tips for SME on Handling Spam Emails
SMEs can implement a variety of methods to reduce the amount of incoming spam, such as protecting company email addresses, using filtering software and adopting well-defined security measures for employee workstations and email servers.
Training and Education
Security training is crucial to ensuring that all related parties understand the security risks, and accept and adopt good security practices. No protection procedure is effective without proper execution by well-trained staff. You must ensure that your staff possess the necessary skill sets.
Plan for Information Security
Information is a valuable asset to your business. The use of proper preventive measures and safeguards reduces the risk of successful security attacks, which might otherwise cost you a large fortune.
Making Regular Backups
When you modify or remove important data on your computer, make sure that the data is backup.
Backup and Recovery
A backup is a representative copy of data at a specific time. The phrase 'backup and recovery' usually refers to the transfer of copied files from one location to another, along with the various operations performed on those files.
Assessing Security Risks
The security management cycle starts with an assessment of the security risks. Security Risk Assessment is done to identify what security measures are required. It is the initial step in evaluating and identifying the risks and consequences associated with vulnerabilities, and provides a basis for management to establish a cost-effective security program.
Implementing & Maintaining a Secure Framework
Following the results obtained from your security risk assessment, the security management cycle enters a phase of implementation and maintenance, where appropriate security protection measures and safeguards are implemented in a way that builds a secure protection framework. This includes developing security policies and guidelines, assigning security responsibilities and implementing technical and administrative security measures. All these steps are crucial in contributing to the safeguards of your business assets.
Protecting Your Computer Assets
Your computer facilities are an important asset of your company; they also contain valuable information for you. Take the step to protect these assets.
Selecting Safeguards
After reviewing the results of security risk assessment, safeguards will be identified and evaluated for their effectiveness in reducing the likelihood and impact of identified threats and vulnerabilities to an acceptable level.
Securing Company Network
The office network provides the core services to the company. Everyone utilises this shared medium to do productive work, including file sharing, printing, emailing and web browsing.
Defending against DDoS Attack
DDoS attack attempts to consume both network bandwidth and server resources of the targeted organisation. Large scale DDoS attack is often performed by botnets which can co-opt numerous infected computers, which usually spreading across different points around the world, to unwittingly participate in the attack.
Security of DNS
DNS has no built-in security feature and DNS data could be tampered. If the DNS response is tampered, a user might be redirected to a malicious website. To protect from falling victim to DNS threats, measures at different levels could be adopted.
Securing Company Data
The popular tools and technologies of modern daily life, like mobile phones, webmail, instant messaging services, removable storage media, and wireless access to the Internet, have given everyone the ability to easily carry and handle large amounts of data.
Open Source Security
The availability of source code provides both attackers and defenders opportunities to study code in detail and identify software vulnerabilities.
Securing Outsourcing IT Task
IT outsourcing refers to the contracting out of IT services or functions, which have previously been carried out by internal staff.
IT Outsourcing Security
When any IT operation of an organisation is contracted out, the external service provider (or the outsourcing vendor) may effectively become an “insider”, handling sensitive and important information for the company.
Strengthening Physical Security
Physical protection of your computer equipment is also important. Like any other valuable asset you possess, consider using the following tools or methods to protect your computer physically
Security Incident Handling for Companies
An Information Security Incident is an adverse event in an information system and/or a network that poses a threat to computer or network security in respect of availability, integrity and confidentiality.
Handling Malware Outbreak
Given that attackers are now moving away from attacks that are merely a nuisance or destructive towards activity that is motivated by financial gain, malicious code attacks have become more sophisticated and a significant concern to organisations.
Deploying of Corporate Wireless Network
To help organisations understand at what point in their wireless network deployments a recommended security best practice might be relevant, we outline here a five-phase lifecycle model for network deployment and point out security issues that need special attention.
Avoiding Phishing Websites
Try to avoid visiting phishing websites that imitate sites of well-known organisations. These are purposely setup to collect sensitive information from visitors, such personal information, usernames and passwords, in a fraudulent manner. This type of activity is notorious, and is known as phishing.
Identity Management
Identity management in an enterprise is a combination of processes and technologies to manage and secure access to the information and resources of an organisation.
Securing Access Using e-Authentication
Electronic authentication (e-Authentication) is the process of establishing confidence in user identities presented electronically to an information system. This may involve verifying with “what the user knows”, “what the user has”, and/or “what the user is or does”. The greater the number of factors being verified, the higher the confidence can be established.
Encrypting Your Data
Encryption is a process for scrambling and transforming data from an easily readable and understandable format (such as Plain Text) into an unintelligible format that seems to be useless and not readily understandable (known as Cipher Text).
Handling Emails
Today, email is a common way of communicating with other people. It is very convenient, but it also poses threats to your computer system.
Protecting against Phishing Attacks
Do not follow URL links from un-trusted sources or emails such as spam emails to avoid being re-directed to malicious websites by malicious links looking seemingly legitimate.
Protecting against Spam Emails
Spam has become a major problem for almost every email user. We all need to spend time cleaning away the massive amount of unwanted and unsolicited email messages everyday.
Using Webmail Wisely
Some tips to end-users on using webmail wisely.
Avoiding Phone Fraud
Criminals also use the phone, and especially Internet phone systems, to trick people.
Protecting Your Notebook
You have to protect your notebook computer from stealing.
Using Instant Messaging Safely
The following tips are designed for end-users using Instant Messaging as regular communication tool.
Securing Your New PC
Don't forget to implement necessary security measures when you set up your new PC at home. Just taking a new computer out of the box and connecting it to the Internet is not safe. You are exposing your PC to a number of security risks, such as virus and malicious codes infection, spam emails, denial of service attacks, disclosure of personal or sensitive information and so on.
Installing and Enabling Firewall
A firewall is a tool that can either be hardware or software. Its purpose is to protect computers against threats from intruders breaking into your computer or network via the Internet.
Patching Operating System
From time to time, software bugs are discovered in applications running on your PC. Software vendors will then release one or more 'patches' to fix the weaknesses. At the same time, hackers can take advantage of these weaknesses to attack the unpatched PCs.
Protecting against Malware
The best practices can protect your computer(s) more effectively against malware attacks
Using Software with Security Updates
All software products, including operating systems and software applications, have a lifecycle. Any software products could reach their end of support date and become outdated. End of support refers to the date when the software vendor no longer provides security updates, patches or customer support, etc. Any new vulnerability discovered in the software product after its end of support will not be addressed by new security updates.
Disposal of Computing Devices
This section provides information on data deletion, and the proper way of disposing computers or storage media in order to prevent unwanted disclosure of information.
Security of Remote Working
Below are some tips for all parties including organisations and individuals to maintain a safe and secure remote working or learning environment.
Guide on Secure Video Conferencing
The followings are some security measures / good practices to reduce the risks and avoid privacy breaches when hosting VC meetings or using VC solutions.
What is Information Security
The CIA triad of confidentiality, integrity, and availability is at the heart of information security.
Why Information Security Concern My Company
Evaluate the following statements for your own situation to determine if your company information is safe.
Information Security in Electronic Services
Electronic Services (e-Service) are the attainment and delivery of services through electronic media. E-commerce is also put under this category.
Botnet
Botnets are serious security threats to the Internet and they account for a majority of email spam, identity theft, phishing and distributed denial-of-service (DDoS) attacks.
Brute Force Attack
Brute force attack is the crack of credentials using all possible combinations by trial-and-error method until the password is guessed correctly.
Core Security Principles
Core Security Principles are some generally accepted principles that address information security from a very high-level viewpoint. These principles are fundamental in nature, and rarely change.
Cyber Threats on DNS Servers
DNS-based attacks are becoming highly sophisticated and volumetric. Attackers are increasingly adopting multifaceted techniques to exploit different DNS components.
Data Breach
Data breach is a security incident in which data are accessed, altered, erased, stolen or leaked from a system without the consent of the system’s owner.
Deepfake
In recent years, deepfakes have attracted public attention for their malicious uses in the creation of fake videos, forged images and financial fraud, resulting in the spread of misinformation or disinformation which can potentially erode the reputation of businesses and trust among people. Nowadays, tools that create deepfakes are becoming more readily available. Plausible deepfakes have elicited public responses to detect and limit their use.
DoS / DDoS Attacks
Denial of service (DoS) and distributed denial of service (DDoS) attacks are among the most common cyber threats on the Internet.
Identity Theft
Identity theft is a criminal act of getting hold of personal data of others without their knowledge or permission with an intent to defraud. The personal data is used by identity thieves to impersonate the data subjects for fraudulent purposes.
Insider Threat
An insider threat is a security risk that originates from within an organisation. It typically involves current or former employees, and outsourced business associates who have access to sensitive information or privileged accounts.
Malware
Malicious code refers to computer viruses, worms, spyware, Trojan Horses and other undesirable software. Attack made by using such software is to cause disruption either by deleting files, sending emails, or rendering the host system inoperable.
Phishing
Phishing emails often look 'official', some recipients may respond to them and click into malicious websites resulting in financial losses, identity theft, and other fraudulent activity.
Ransomware
Ransomware is a malicious software that cyber criminals used to lock the files stored on the infected computer devices. These locked files are like hostage and the victims are required to follow the instructions of this malicious software and pay a ransom to unlock them.
Supply Chain Attack
Supply chain attacks are becoming increasingly popular since attackers can access systems of multiple organisations through trusted third-party vendors.