This week’s instalment of my (yet to be fully defined) series of blogs on Windows 10 focuses on the reasons why you should upgrade to Windows 10 from a security standpoint.
We are living in interesting times from a security perspective. More and more of our valuable data is digital and as a result, the potential rewards for a successful cyber attack are higher than ever. It’s probably no surprise that there are a scarily high number of new cyber threats hitting the global marketplace on a daily basis.
That, coupled with changes in legislation (and fines) facing organisations that aren’t following best practice in providing a comprehensive security wrapper that is fit for purpose, means this is an area where every opportunity to add to your security portfolio should be followed.
There is no such thing as a 100% secure system, but this is an arms race. You don’t have to be able to swim faster than the shark; you just need to be able to swim faster than the person next to you to not get eaten. Here are 10 security reasons to upgrade to Windows 10, and the features that will help to make sure your enterprise can swim at full speed.
1. Windows Hello - Windows Hello is a superb biometric security system that helps to tackle one major area of weakness in all cyber security scenarios - that human beings aren’t very good at managing multiple complex passwords. If you have an enabled device, Windows 10 can provide log in authentication to the device, and a range of other services, by taking a 3D scan of your face as the first factor or reading a fingerprint. It should be noted that this isn’t just a nifty way of replacing the password to log into the device; Windows Hello goes far deeper than that. This technology debuted on Windows 10 two years ago, although the same principles have been employed by Apple more recently for their Face ID on the iPhone X. Windows Hello provides a number of benefits. Users don’t have to enter a password to log in, so they don’t have to worry about anyone looking over their shoulder while they access their device. The process is also very fast -normally faster than entering a complex password- so it supports the fast, maximum productivity ethos of Windows 10. It’s a great way of enabling the fast and secure switching of user accounts on shared machines.
2. Windows Defender Firewall - This is a software-based security feature which reduces the attack surface of a device to minimise the potential of someone hacking into your device. This can be particularly useful if you are a mobile employee and happen to be working on a public WiFi hotspot, although it’s also an additional layer of defence when you are operating within the walled security garden of your corporate network. The firewall blocks all unauthorised incoming connection requests and makes sure all communications from the device are authenticated from end to end.
3. Windows Defender Antivirus - To be effective, Antivirus programs require a lot of privileged access to the whole system, which can cause more problems than they solve if they are compromised. Only a few months ago, a globally recognised Antivirus brand was under the spotlight as a potential threat actor, so this is not without precedent. Windows Defender Antivirus has three great benefits: it is baked into the base operating system, it leverages all of Microsoft’s expertise in protecting the Windows 10 platform and, best of all, there are no additional license costs. One less bill to pay, one less contract to manage. Microsoft have really upped their game in this area, and it is fair to say that the level of protection provided by Defender Antivirus is equivalent to the best 3rd party products on the market, so it’s a no compromise choice.
4. Windows Update – Before talking about security updates, it’s always worth highlighting how ubiquitous Microsoft is in the global technology ecosystem. The vast majority of personal and corporate devices or infrastructure on the global stage are in some way connected to Microsoft, either by Operating System or by applications. As a result, Microsoft have a greater reach across the entire digital expanse than any other vendor. This benefits their users when it comes to updates. As they see so many digital transactions, they are uniquely positioned to identify new threats ahead of the crowd and be the first vendor to take action to tackle new vulnerabilities that are being targeted by cyber criminals. Market research suggests there are approximately 300,000 new threats in the form of malicious code released every day. Microsoft have a programmatic updates schedule for Windows 10 where the main batch of security updates and patches are issued on the 2nd (and 4th) Tuesday of each month, unofficially known as “Patch Tuesday”. Enterprises can manage how you enforce updates for your user community, so you can make sure your users aren’t just perpetually kicking the can down the road and leaving devices with vulnerabilities. In the event of a critical new threat, Microsoft will also issue immediate urgent patches as and when required.
5. Windows Defender Advanced Threat Protection - The ecosystem that helps to drive Windows Update also has a real time benefit for users in the form of Windows Defender Advanced Threat Protection. Like its counterpart in Office 365, ATP uses the cloud-based security analytics of Microsoft to identify zero day threats by their composition and potential activity. If something looks like a possible threat, the system will test it to see how it behaves before allowing it through to the user device. This process enables Microsoft to quickly identify new threats and update the security graph to automatically quarantine or disable it while a permanent fix is created.
The five features above are designed to prevent your Windows 10 device from being breached, but the protection doesn’t end there. In the event that a threat does make it through the security perimeter, here are five further features that will help to protect your users and your Enterprise…
6. Secure Boot - Windows 10 checks at each reboot to ensure that the base operating system is complete and uncompromised, to ensure that no hidden threats are able to run undetected. If anything has breached the security perimeter, then the handover of control of the device to the Windows 10 operating system is denied. Windows Secure Boot will look for a previous, trusted version of the boot process, or begin rebuilding a new version that removes the threat before allowing Windows 10 to run.
7. Windows Device Guard - In the event that a malicious file or link manages to make it through all of the perimeter security, Windows 10 Device Guard is there to provide a layer of control about what applications can execute on the device. It’s also worth noting that the Edge browser, which sits within Windows 10 as standard, is also sandboxed to prevent any malicious links causing damage to your device and its files.
8. Windows Encryption - As long as you have a device with a suitable Trusted Platform Module (TPM), and you have Windows 10 Pro or Enterprise editions, Bitlocker encryption is provided as part of the basic OS under the banner of Windows Encryption. From a true best practice perspective, we would normally recommend that no user files are stored locally on a machine. However, in practice this is not always possible. Windows Encryption is fast and easy to use. So, if you leave your device on a train or someone attempts a local attack, your precious data cannot be accessed.
9. Windows Information Protection - Have you ever sent a file to the wrong person by mistake? Or had to share some highly sensitive information with someone outside the organisation for a short period of time, but felt uncomfortable because you know you then can’t control what they do with it? Windows Information Protection tackles both of these challenges by encrypting all files that you share from your device and enabling you to rescind access whenever you need to. Even if someone has stored a local copy of the file on their machine, Windows Information Protection hard encrypts the data, so you can remove permissions and seal the file on demand. If the user tries to access the file, even if they are offline, they can’t open it – the encrypted file demands an access status check at every attempt to view the file.
10. Windows Defender Credential Guard - Credential Guard provides a layer of protection around the authentication information you provide when logging into the device or other key services and keeps them locked away in a secure area of the device memory. This stops some common forms of attack, such as “pass the hash”, from working on a protected device, so that even if the device is compromised it doesn’t allow the threat actor to get access to the other systems and services you have access to.
In trying to keep this list to ten features and focusing on the ones that we think are key to Enterprise users, I have had to ignore a few other valuable features. So, honourable mentions go to Windows Find My Device, Windows Defender Security Centre and the snappily named but excellent Windows Device Health Attestation Service.
As we highlighted in the last Windows 10 blog, Windows 10 is designed to be an evergreen platform and all of Microsoft’s extensive development resources are focussed squarely on keeping Windows 10 the most secure device operating system in the marketplace. All of the tools mentioned above are constantly reviewed, developed and updated as part of the overall Windows 10 service, helping to keep your Enterprise as secure as it can be at any given time.
In next week’s blog, we will take a look at how you can tackle some of the enterprise challenges of upgrading to Windows 10. Hopefully, to keep the structure of the current blogs going, I can come up with at least 10 of them…
If you want to make the leap into Windows 10, Core can help you. We have helped a wide range of customers in the private and public sector take their first steps into Windows 10 and supported the full adoption across their Enterprises. We offer ongoing services and support to help customers manage their devices and transition through the updates and feature releases. Read about how Core’s Desktop as a Service (DaaS) can help you to get your organisation on to the latest version of Windows 10.