How to protect your home and small business PC
This is the ideal moment to begin considering PC security on your network. A few minutes a week, with the aid of our comprehensive guide, will keep you well-protected.
At home and in your small business, you are on your own when it comes to digital security. Large companies usually employ dedicated IT staff whose job is to keep corporate networks secure and stop hackers from stealing information or infecting computers with ransomware.
The worst time to start thinking about security for the PCs on your network is after you've experienced a catastrophic incident. The best time is right now, so we've assembled this guide.
Following the steps I lay out here should help you understand which security issues are most important and, based on that knowledge, set a security baseline. This isn't a set-it-and-forget-it task, unfortunately. Online attackers are determined, and the threat landscape is constantly evolving. Maintaining effective security requires continued vigilance and ongoing effort.
Is that too much to ask? Efficient security maintenance shouldn't need a lot of time. Take a few minutes every week to check Windows Security to make sure there are no red or yellow flags, and every month following Patch Tuesday, conduct a more thorough assessment.
In this guide, I cover more than just the Windows device itself, because many of the threats come from outside. You must monitor network traffic, email accounts, authentication methods, and inexperienced users closely to maintain security.
This article focuses mainly on the needs of PC owners who manage Windows PCs in a home or small business setting without full-time IT support. For installations that require you to connect to a business network, you must align your security setup with company standards. Device management policies may sometimes make it impossible for you to change certain settings.
Additionally, I've included instructions to help you understand the differences between Windows 10 and Windows 11, as well as the editions of both operating systems (Home, Pro, Enterprise, Education). We are aware that many Windows 10 computers in use today don't have the necessary hardware to upgrade to Windows 11.
However, spend some time doing a risk assessment before you make any changes to any Windows settings. Pay close attention to your legal and regulatory obligations in the case of a security breach or other incident involving data. Compliance standards may affect even small firms, so if that is you, you may want to think about working with a professional who understands your sector and can make sure your systems comply with all relevant regulations.
Where can I get an overview of Windows security?
Microsoft debuted the Windows Security app in Windows 10, a single spot for security settings and status updates. This app's Windows 11 version adds several capabilities tailored to more recent technology while maintaining the same fundamental layout. Regardless of the operating system being used, you should regularly monitor your security with this program.
You may check (and modify) device security, firewall and network protection, antivirus and antimalware software, and other critical security settings from this starting point. Green checkmarks signify that there are no problems that require quick fixing. Icons in yellow and red highlight security vulnerabilities that require attention.
The natural tendency when using an app like this is to click on every category and enable any feature that catches your eye. Resist that inclination, especially in the App & Browser Control > Exploit Protection area. Changes you make here can have undesired effects on routine tasks, particularly when using older programs. For the majority of systems, the default settings should be sufficient. If you decide to make changes here, take your time and don't make any more until you're sure.
What's the best way to keep Windows up to date?
A Windows PC's most crucial security configuration is to make sure updates are installed on a regular, predictable schedule. Of course, that's the case with all modern computers, but managing updates is different with Windows 10 because Microsoft introduced the "Windows as a service" approach.
However, it's crucial to comprehend the many kinds of Windows updates and how they operate before you start.
Every month on the second Tuesday, Windows Update delivers quality updates. They don't include any new features; instead, they fix security and reliability problems. (Patches for Intel CPU microcode defects are also included in these updates.) In the event of serious security flaws, Microsoft may decide to deliver an out-of-band update that is independent of the regular monthly schedule.
Because all quality updates are cumulative, you no longer need to download dozens or even hundreds of updates after doing a clean Windows installation. Instead, you can apply the most recent cumulative update to ensure you are fully updated.
Feature updates are the modern term for what were once known as version upgrades. They include new functionality and require a multi-gigabyte download and a complete setup. Windows 10 no longer receives feature updates as it approaches its end-of-support date. Microsoft's current policy for Windows 11 is to issue one feature update in the second half of the year. Feature updates are distributed via Windows Update; they are installed manually only once the current version has reached the end of its support lifespan.
Contemporary Windows devices automatically download and install quality updates from Microsoft's update servers as soon as they become available. Individual users can suspend all updates for up to five weeks, one week at a time, unless an administrator prohibits them from doing so.
There are trade-offs when deciding when to apply updates, just like with any security choice. Installing updates as soon as they are made available gives you the greatest protection; delaying updates lets you reduce any unplanned downtime that might result.
On devices running Windows Pro, Enterprise, and Education editions, administrators can defer installation of quality updates by up to 30 days after their release. You can also delay feature updates on these editions by as much as 365 days. On devices running Windows Home edition, there's no supported way to specify exactly when these updates are installed.
One low-risk way to avoid installing a defective update that might cause compatibility or stability issues is to postpone quality updates by seven to fifteen days. Using the Local Group Policy Editor (Gpedit.msc), you can modify the Windows Update for Business settings on individual PCs. The necessary settings are under Local Computer Policy > Administrative Templates > Windows Components > Windows Update.
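To confirm what deferral a PC actually has after you set these policies, the following read-only PowerShell check can help. It is an added example, not part of the original guide, and it assumes the Group Policy settings are stored as the DeferQualityUpdates and DeferFeatureUpdates registry values under the Windows Update policy key.

```powershell
# Added example (not from the article): read-only audit of the quality and
# feature update deferral policy on this PC. It changes nothing.
# Assumption: the policy is stored in the registry values named below.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$edition   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

function Get-DeferralDays {
    param([string]$EnableName, [string]$DaysName)
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    # A missing key, or an enable flag other than 1, means "not configured".
    if ($null -eq $policy -or $policy.$EnableName -ne 1) { return $null }
    return [int]$policy.$DaysName
}

if ($edition -like 'Core*') {
    # Home editions report an EditionID that starts with "Core".
    "Edition '$edition' (Home): deferral policies are not supported on this edition."
} else {
    $quality = Get-DeferralDays 'DeferQualityUpdates' 'DeferQualityUpdatesPeriodInDays'
    $feature = Get-DeferralDays 'DeferFeatureUpdates' 'DeferFeatureUpdatesPeriodInDays'

    if ($null -eq $quality) {
        'Quality updates: no deferral configured; installed as soon as offered.'
    } elseif ($quality -gt 30) {
        "Quality updates: $quality days is above the 30-day maximum; review the policy."
    } elseif ($quality -ge 7 -and $quality -le 15) {
        "Quality updates: deferred $quality days (inside the 7 to 15 day range suggested above)."
    } else {
        "Quality updates: deferred $quality days (outside the 7 to 15 day range suggested above)."
    }

    if ($null -eq $feature) {
        'Feature updates: no deferral configured.'
    } elseif ($feature -gt 365) {
        "Feature updates: $feature days is above the 365-day maximum; review the policy."
    } else {
        "Feature updates: deferred $feature days."
    }
}
```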
Administrators in bigger businesses can use mobile device management (MDM) software or Group Policy to deploy Windows Update settings. Using a management solution like Windows Server Update Services or System Center Configuration Manager, you can also manage updates centrally.
Lastly, you shouldn't limit your software update approach to Windows alone. Verify that updates for Windows programs, such as those from Adobe and Microsoft Office, are installed automatically.
How do I configure user accounts for maximum security?
When Microsoft decided to require a Microsoft account to set up a PC running Windows 11 Home Edition for the first time, it drew criticism. The subsequent policy change that extends that requirement to Windows 11 Pro PCs configured for personal use has also caused some online anger, from what I've observed. Naturally, there exist methods to get around this limitation.
Accessing your Office programs, OneDrive storage, and online games is simple if you already have a personal Microsoft account linked to services like Microsoft 365 Home or Family or an Xbox Live account.
But that design choice has a strong security benefit even if you don't use any Microsoft services. On Windows 10 or Windows 11, logging in with a Microsoft account encrypts the system disk automatically. The recovery key is stored in a safe place and can only be accessed by logging in with that Microsoft account. This reduces the possibility that a lost password would result in irreversible data loss.
If you don't use any of the company's services, feel free to create a new Microsoft account during setup and use that account only to log into Windows. You also receive 5 GB of free OneDrive storage, multi-factor authentication, and complete system disk encryption, should you want to use them. Simply think of it as a local account with @outlook.com appended to the username.
If you're set on using a local account, you can install Windows first with a temporary Microsoft account before switching to a local account. Just be advised that doing so will require you to find an alternative, and you won't have any recovery mechanism if you forget your sign-in credentials.
Set up multi-factor authentication for your Microsoft account.
Create standard accounts both for yourself and other users. Administrator rights are by default assigned to your primary account. Give standard accounts to family members or other users of the same computer, so they can't alter system preferences or install untrusted software without your permission. You may also create a standard account for yourself for daily use, but it's just an unnecessary security measure that will make you enter a password rather than selecting OK in the User Account Control dialog box.
Install a password manager and make sure all your online accounts have strong, unique login credentials.
Set up multi-factor authentication for online accounts.
When configuring children's access to household computers, use standard accounts and take into consideration the family safety measures included in Windows 10 and Windows 11. These options help prevent young people from wandering into questionable areas of the internet by allowing you to designate approved hours for them to be online. The Windows Security app has all the links you require.
How do I keep Windows 11 hardware secure?
- Check the status of your TPM.
- Ensure that Secure Boot is enabled.
- Turn on Windows Hello, using biometric authentication if it's available.
Microsoft's Windows 11 device compatibility guidelines raised the ante on PC security, although not without criticism. Maximum backward compatibility used to be the guiding philosophy for every new version of Windows, allowing even PCs that were 10 years old to install the latest operating system.
Windows 11 changed all of that. For the first time ever, the official hardware specs were (a) significantly raised over the previous edition and (b) applied to upgraders as well as to new hardware from PC manufacturers.
The most significant change is the requirement for a Trusted Platform Module (TPM) 2.0 and for Secure Boot to be enabled. Secure Boot uses cryptographic signatures to verify that a device boots with an unmodified operating system. On a computer with an earlier TPM version and an unsupported CPU, you may update for free from Windows 10 to Windows 11 by making a few registry adjustments.
You can verify both of these settings from the Device Security tab of the Windows Security app. You're set if you see entries for Secure Boot and Security Processor. If one or both of those items are missing, you'll need to access the firmware settings on the device to re-enable the setting. It's advisable to leave Secure Boot enabled, even though there are complex setups where you might need to disable it for troubleshooting.
Lastly, if your device has an infrared camera that can recognize faces or a fingerprint reader, set up a Windows Hello PIN and activate biometric authentication.
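The same TPM and Secure Boot checks can be scripted, which is handy when you look after several PCs. This is an added example, not part of the original guide; it only reads status and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the article): read-only check of the TPM and
# Secure Boot settings discussed above. Run from an elevated session.
function Get-BootTrustStatus {
    $status = [ordered]@{
        TpmPresent     = $false
        TpmReady       = $false
        TpmSpecVersion = 'unknown'
        SecureBoot     = 'unknown'
    }

    # Get-Tpm reports whether a TPM exists and is provisioned for use.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $status.TpmPresent = [bool]$tpm.TpmPresent
        $status.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        # Leave the defaults: no TPM information could be read.
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; the first field is the TPM version.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi -and $wmi.SpecVersion) {
        $status.TpmSpecVersion = ($wmi.SpecVersion -split ',')[0].Trim()
    }

    # Confirm-SecureBootUEFI returns True/False on UEFI systems and throws on
    # legacy BIOS boots or when the session is not elevated.
    try {
        $status.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'enabled' } else { 'disabled' }
    } catch {
        $status.SecureBoot = "not verifiable: $($_.Exception.Message)"
    }
    [pscustomobject]$status
}

$s = Get-BootTrustStatus
$s | Format-List
if (-not $s.TpmPresent -or -not $s.TpmReady) { 'TPM is missing or not ready: check the firmware settings.' }
if ($s.TpmSpecVersion -ne '2.0')             { "TPM version is $($s.TpmSpecVersion); Windows 11 expects 2.0." }
if ($s.SecureBoot -ne 'enabled')             { "Secure Boot is $($s.SecureBoot): re-enable it in the firmware settings." }
```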
What's the best way to protect data files?
- Turn on BitLocker encryption for all data drives.
- Back up your encryption keys.
- Back up data files to the cloud.
- Back up critical data files to local storage.
A stolen laptop requires a costly and difficult replacement. It's a nightmare to deal with lost or stolen data. Although physical security has its own set of difficulties, maintaining the security of your data primarily involves two objectives:
- Encrypt your data files. If your computer or storage device is stolen, the thief can't access your files if they are protected with robust encryption and a strong password.
- Back up your data files. With a good backup plan, you can restore files that are lost or damaged (even if the cause is hardware failure) and get back to work with a minimum of downtime.
These safety measures are particularly crucial for files that hold private or sensitive financial data belonging to clients or consumers. The impact is even more severe if you are subject to data breach legislation or operate in a regulated business.
The single most essential configuration change you can make is to enable BitLocker Device Encryption on the system drive and on all secondary drives, including USB flash drives. (BitLocker is the name Microsoft uses for the encryption technologies included in business editions of Windows. The BitLocker features in Windows 10 and Windows 11 are the same.)
With BitLocker enabled, every bit of data on the device is encrypted using the XTS-AES standard. BitLocker uses the Trusted Platform Module (TPM) chip to store the encryption keys. The steps to turn on encryption features are different depending on which edition of Windows is installed:
- Windows 10/11 Home: This edition supports strong device encryption, but only if you are logged in with a Microsoft account. It does not allow you to manage a BitLocker device.
- Windows 10/11 Pro, Enterprise, or Education: BitLocker management capabilities are fully available with these business editions. For complete management capabilities, you must set up BitLocker using an Entra ID (previously known as Azure Active Directory) account or an Active Directory account on a Windows domain. On an unmanaged device running a business edition of Windows, you can set up BitLocker using a local account or a Microsoft account, but you'll need to use the BitLocker management tools to turn on encryption on available drives.
You must store a backup of the BitLocker-encrypted drive's recovery key. You'll need that 48-digit number to retrieve the data if you ever need to reinstall Windows or run into account issues.
By default, the BitLocker recovery key is kept in OneDrive when logging in with a Microsoft account. By logging in at onedrive.com/recoverykey, you may access it. For peace of mind, I suggest printing a copy of that key and keeping it in a secure location.
On a managed PC that is connected to a domain or Entra ID account, the recovery key is kept where only the domain or Entra ID administrator can access it. On a personal device, you can use the Manage BitLocker program to print or save a copy of that recovery key.
Remember to encrypt your portable storage devices. Portable hard drives, MicroSD cards used as expansion storage, and USB flash drives are all easily misplaced. BitLocker To Go can shield sensitive data from prying eyes by encrypting the contents of the disk and requiring a password to access it. See "Protect removable storage devices with BitLocker encryption" for further information.
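To see at a glance which drives are still unprotected and which have a recovery key you should be backing up, the following read-only audit lists every volume. It is an added example, not part of the original guide; it assumes the BitLocker PowerShell module is available and that the session is elevated, and it never displays the 48-digit key itself.

```powershell
# Added example (not from the article): read-only BitLocker audit of every
# volume, including removable drives that are plugged in. Run elevated.
function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Protector types, e.g. Tpm, RecoveryPassword, Password (BitLocker To Go).
        # "RecoveryPassword" is the protector behind the 48-digit recovery key.
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            Drive          = $vol.MountPoint
            VolumeType     = [string]$vol.VolumeType        # OperatingSystem or Data
            Protection     = [string]$vol.ProtectionStatus  # On or Off
            Encryption     = [string]$vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
            Method         = [string]$vol.EncryptionMethod  # XtsAes128, XtsAes256, ...
            HasRecoveryKey = $types -contains 'RecoveryPassword'
        }
    }
}

$audit = @(Get-BitLockerAudit)
$audit | Format-Table -AutoSize

foreach ($row in $audit) {
    if ($row.Protection -ne 'On') {
        "$($row.Drive) is not protected by BitLocker (status: $($row.Encryption))."
    } elseif (-not $row.HasRecoveryKey) {
        "$($row.Drive) is encrypted but has no recovery key protector to back up."
    } else {
        "$($row.Drive) is protected; confirm that its recovery key is backed up."
    }
}
```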
Lastly, ensure that important data files are backed up both locally (on an encrypted device, of course) and to the cloud. This is a great defense against ransomware attacks and can come in very handy in the event of a disk failure.
If you're worried about storing private information online, use third-party software like Boxcryptor to encrypt the data. Dropbox has a feature called Dropbox Vault that is comparable to OneDrive's Personal Vault, which needs additional authentication to access data saved there.