Versions of Windows prior to Windows Vista granted users admin rights by default, which allowed malware writers to request the elevated privileges they needed with few barriers. In Vista, Windows Server 2008 and Windows 7 this was tightened up using User Account Control (UAC), a much-criticised system that presented the user with requests for elevation. Many simply clicked yes, and for good reason - legacy apps were designed to have admin rights to carry out certain actions, so users needed this layer of control from time to time to stop applications failing to work.
In a much-needed reform, Windows 8 and 10 removed these admin rights and require users to obtain elevation by logging in with an account created for that purpose - no account, no elevation. On standalone machines this account must be enabled, although business machines should not be configured to offer this control.
Monitor cloud storage
Not everyone sees shadow IT and the cloud as an unmitigated risk, but the potential for trouble is obvious. Generally, cloud services are a major boon for SMEs, but small organisations should be careful about using them naively. When an organisation stores its files in the cloud, they will normally be encrypted to a high standard by the provider, e.g. Dropbox. However, the provider holds on to the key and can, in certain circumstances, access the files, which is why third-party encryption systems such as Boxcryptor (which works with Google Drive, Dropbox, OneDrive and SugarSync) have sprung up to allow users to retain control over their own keys.
Most important of all, cloud storage is not the same as backup and should not, for example, be viewed as a way of defeating ransomware attacks that lock up a victim's data. If ransomware encrypts data on a local PC and its attached storage drive, these files will also be copied in that state to the cloud service. Cloud storage offers 30 days of file versions, but reinstating these can be incredibly time-consuming and will cause problems for sharing.
Dispose of old hardware securely
Old storage and smartphones should be run through a reliable wiping process before being sold second-hand or disposed of. Sister title Techworld published a more detailed guide on how to do this in October, but the key takeaway is not to trust the easy methods.