October’s National Cybersecurity Awareness Month has drawn to a close. To honor this year’s theme, “Do Your Part, Be Cyber Smart,” we provided quick daily bits of helpful information for executives to digest so they are better equipped to protect their business environments. We’ve collected all the daily tips here in one place for you to enjoy!
Tip #1: Multi-Factor Authentication
E-mail is the #1 entry point for cyber attacks. MFA offers a free and effective solution every business should implement to strengthen their cyber security.
MFA is usually implemented via your mobile device, which receives a confirmation code via text or authentication app. This code then needs to be entered when prompted by the account being logged into. By adding a second layer of login confirmation, a stolen password alone will no longer allow thieves to access your account.
MFA is also recommended for any cloud-based logins that you may utilize. Most banking institutions have integrated multi-factor authentication, as have cloud ERP and CRM platforms, among others.
MFA can be implemented on an individual basis or company-wide. To ensure maximum protection, we recommend making this mandatory for all staff and all software considered a security risk.
Tip #2: Public WiFi Vs. Private Hot Spot
Because public WiFi is inherently risky, your personal hot spot is a far safer alternative. However, in cases where you simply have to connect to an unsecured public access point, practice good Internet hygiene. Avoid sensitive activities that require passwords or credit cards (e.g., banking, online shopping).
Before connecting to any public wireless network such as those offered in coffee shops, airports or hotels, confirm the following information with an employee of the facility:
- The network is legitimate
- The exact spelling of the WiFi network (SSID)
- The correct login info
Tip #3: Avoid Using Debit Cards For Online Purchases
Online shopping has become a part of our everyday lives with massive growth seen during the 2020 pandemic. From business supply purchases to groceries, many of us make multiple online purchases a day.
Using credit cards instead of debit cards while online shopping provides you with an extra layer of security. Each type of payment card is governed by a different set of laws. Credit cards are governed by the Fair Credit Billing Act (FCBA) while debit cards are governed by the Electronic Funds Transfer Act (EFTA). In general, credit cards offer more fraud protection than debit cards. The key difference in a fraudulent transaction is that credit card companies will fight to get ‘their money back’, whereas with a debit card YOU must fight to get ‘your money back’. Check with your credit card company and banking institution to learn about any additional fraud protection coverage they may offer. Additionally, digital payment apps, such as PayPal, offer a layered approach to using your cards.
Tip #4: How to Avoid Unsecured Websites
There are some quick things to look for when determining whether a site you are browsing is safe or not. SSL certification is the security standard for websites; it ensures that traffic between your browser and a website is encrypted.
To ensure the sites you are visiting are SSL certified:
- Look for the Lock: The icon of a closed lock in the address field of your web browser ensures the site you are visiting is currently SSL certified.
- https:// for the Win: A web address (URL) should begin with “https://” (instead of http://), especially when online shopping or banking. Remember, the “S” is for secure!
Encryption is key to your data security, as any information communicated to a website passes back and forth through the world-wide web before reaching its intended destination. During this journey, bad actors can access your credit card numbers, usernames, passwords, and other sensitive information if it is not encrypted with an SSL certificate. When SSL is used, the information is encrypted/scrambled so that it cannot be accessed by anyone other than the destination you are sending the information to.
Tip #5: Password Creation: Best Practices
From mobile devices and email, to bank accounts and business software, a password is the initial security measure for your data. Anything worth protecting deserves a password that is difficult to crack. Best practices for password creation change as new information becomes available. The National Institute of Standards and Technology (NIST) offers updated password guidelines in accordance with new research.
Follow these steps when creating passwords:
- Let a password manager do the heavy lifting: These applications are a great option to securely contain all your complex login information. By remembering one master password, you have access to create as many complex passwords as you need.
- Keep your passwords to yourself: Sharing passwords or placing them in obvious places, such as taped to the bottom of your keyboard, slowly chips away at your security by opening more and more possibilities for theft or misuse.
- Avoid common or easily guessed passwords: “Password123” or “123456789”, etc.
- Incorporate special characters into your passwords: @,#,$,%, etc.
- Long passwords are your friend: The longer the better! Consider creating a long passphrase instead, such as the title of your favorite book or a movie quote. Remember to mix in capitalization and punctuation.
Tip #6: Have a Backup Plan for Your E-mail
Many business owners assume their cloud accounts are automatically backed up and guaranteed against data loss. Surprisingly, this is not always the case. While Microsoft, for instance, guarantees that their platform is accessible and functional, they provide no such guarantee of data retention.
We all understand how important e-mail is for maintaining personal, internal and client communications. Depending on your industry, maintaining a historical archive of e-mail communication is legally required for 5-10 years in case of future litigation. Preventing catastrophic loss of data with an automated e-mail backup solution is an inexpensive way to protect your business.
Tip #7: Remove Staff Admin Access from Workstations
Generally, computers allow admin access to users by default. This creates a series of security holes for a business environment. While removing admin access does not completely protect a computer from security threats, it does add a critical layer of protection for your business.
Consider these benefits of removing Admin Access for users:
- Enforce Software Protection: Prevents staff from accidentally or intentionally uninstalling or stopping security software from running. This ensures your antivirus, firewall, remote monitoring tools or other security applications stay active.
- Limit Software Installations: Removes the ability of staff to install 3rd party applications. This will greatly reduce the exposure to viruses, malware, or other breaches. Even when safe, a poorly written 3rd party software can often slow a computer down or cause issues that require IT support to intervene.
- Network/Infrastructure Protections: One computer on your network with admin privileges exposes all the other workstations. Preventing bad actors from accessing your network, data, and other workstations is reason enough to shut down admin access.
Tip #8: Securing Your WiFi
Maintaining control of Wi-Fi access while creating layers of protection between devices is key to network security. With the push towards remote work, these security measures should be followed at home as well.
Steps to help secure your Wi-Fi:
- Change the default router password, ideally during the initial setup.
- Ensure password protection is using the WPA2 protocol.
- Change the Wi-Fi password regularly.
- Create separate Wi-Fi networks for added security:
  - Staff SSID/Network: For business-specific devices.
  - IoT SSID/Network: For unsecured Internet of Things devices.
  - Guest SSID/Network: For visitors and mobile devices.
For strict security measures:
- Turn off SSID broadcasting to hide your network. Users must manually enter the name (SSID) along with the password when first connecting.
- Each internet-capable device has a network adapter with a unique MAC Address. Set your router to allow only devices with specific MAC addresses to access the network.
Tip #9: E-mail Phishing Awareness
Check for these signs of a phishing email:
- Intimidation and threats.
- Unrealistic or urgent demands.
- Poor spelling and grammar.
- Slight variants to a known address (such as gooogle.com).
- Links to websites requesting login information.
- Requests for sensitive information.
- Unexpected attachments, especially those labeled as invoices, tracking info, etc.
Stay vigilant and take these proactive steps when suspicious of email content:
- Check the spelling of the sender address for obvious fraud.
- Never open unexpected attachments.
- Never follow a link from an e-mail. Use a search engine to locate the official site directly.
- When in doubt, call the sender to verify the legitimacy of the email.
- Set up spam filtration.
Tip #10: Internet of Things (IoT) Device Security
The Internet of Things (IoT) revolution is in full swing. Business and home networks frequently include smart TVs, thermostats, refrigerators, doorbells and video monitors. These IoT devices are not nearly as focused on security as they need to be when living on the same network as your home computer, mobile device and, with the trend towards remote work, access to your business computer.
To shore up security holes in your environment, enterprise routers and most home routers will allow you to create multiple networks with unique names/SSIDs to keep your valuable information from exposure to unsecured devices. Place your IoT devices on one SSID, your home PCs on a second, and if able, your business devices on a third.
Tip #11: Protect Your Devices
Always keep your computers secured by logging out when away from your workspace. Each of your devices should have a login credential. This provides an extra layer of protection to prevent bad actors from accessing your data. Perform a full shutdown when leaving your workspace for the day. Remote tools can wake a sleeping computer and access it while you are away. Starting with a freshly booted computer will also provide a better user experience throughout your workday.
To prevent theft and unauthorized access or loss of sensitive information, never leave your devices or equipment, including USB and external storage devices, unattended, especially in a public place.
Tip #12: DNS Protection
Using DNS protection helps ensure that, as you explore the internet, you arrive at the actual websites you intend.
The Domain Name System (DNS) is what translates between the numeric IP address of a website and the legible word-based address that we humans use to navigate the internet. Unfortunately, because DNS was not designed with security in mind, it can be manipulated to compromise devices, leading to sensitive data exposure.
Bad actors can utilize a variety of hacking methods such as DDoS, man-in-the-middle and cache poisoning to redirect your web browser to compromised sites. This can lead to installation of malware and keyloggers onto your device among other security concerns.
Tip #13: Implement a Patching and Update Process
Update software and firmware regularly to improve functionality and close newly discovered security holes. Implementing a well-designed patch management system minimizes potential impacts to the workflow of your business.
Review these patch management steps with your IT team:
- Inventory your equipment and track which are currently patched and which are pending.
- Identify and prioritize patches that resolve major vulnerabilities.
- Set a monthly schedule for patching to plan for any potential outages during updates.
- Create a change management process to plan for patching issues that could affect business.
- Ensure critical systems are backed up.
- Have a roll-back strategy which places infrastructure back into a pre-update state.
- Patch a test machine first before rolling out any company wide updates.
- After testing patches, roll the updates out to larger groups of machines.
Tip #14: The Benefits of a Fail-Over Internet Circuit
The internet has become the backbone of modern business with the push towards cloud technology and VoIP taking communication where analog phones could only dream. In the old days, when your internet access was down, customers could still call to get through on your analog phone system. Now however, if your VoIP shares the same internet service provider as your business, one outage can take your entire system offline.
If your business depends on constant communication with customers and staff, consider implementing a fail-over internet circuit which takes over when your primary circuit goes down. The fail-over circuit should be purchased from a different internet service provider than your primary circuit. This ensures that if an outage occurs with one provider, the other provider is most likely unaffected.
Plan ahead: avoiding one serious outage can often cover the cost of the extra circuit by eliminating the associated downtime while ensuring your customers have a seamless experience.
Tip #15: Business Continuity and Disaster Recovery
IT technicians have been beating the “back up your data!” drum for decades, but not all backup solutions were created equal. External hard drives and NAS setups won’t cut it during a severe security breach. Consider unknowingly backing up malware infected data. Recovering data that is also infected is crippling for a business. Without a clean older version of a backup, it could potentially lead to total data loss. As a response to these concerns, Business Continuity and Disaster Recovery (BCDR) planning was developed.
Uptime for any business is critical. A well-executed BCDR plan backs up your environment as well as your data. When only backing up files, it can take days for larger businesses to recover data into a usable state. BCDR solutions can provide working replicas of your environment and data within minutes while also maintaining multiple versions of historical backup states to mitigate the effects of corrupted, infected or encrypted data. Avoid the cost and stress of downtime: protect your business with a BCDR plan.
Tip #16: Change Default Passwords of All Devices
One of the first things cyber-criminals will check when trying to access your data is whether you have left a default username and password in place within your network infrastructure. It’s an open door to your data. These default logins are readily available on manufacturers’ websites and in user manuals for any hacker to find and use.
Consult with your IT team to ensure that your entire infrastructure is configured with complex non-default passwords. This is also true for home networking devices such as routers and modems, which are frequently installed by the homeowner as opposed to a professional technician. With business owners and staff working remotely more frequently, it is critical to ensure your home network is secured as well.
Tip #17: Limit Social Media Over-Sharing
According to an article by Tech Jury on June 18, 2020, “Digital consumers spend nearly 2.5 hours on social networks and social messaging every day.”
Along with the benefits of a business social media presence comes the risk of drawing attention from bad actors. These accounts hold a treasure trove of information for cybercriminals to harvest. Stored payment information, answers to account security questions, and most importantly our activities and habits are all available and ripe for the picking.
Tips for a safe and secure social media experience:
- Limit the sharing of personal information such as addresses and locations that you frequent.
- Disable geo-tagging that publishes your location, especially when travelling.
- Connect only with people you trust or who have been vetted.
- Protect devices that access social media:
  - Keep software and firmware updated.
  - Use security software to fend off malware, viruses and phishing attacks.
Tip #18: Choosing Antivirus Software
Cybercrime is a growth industry: the number of attacks and costs of recovery trend upward each year. Because of these realities, implementing antivirus (AV) protection is as important as it has ever been.
AV tools fall into three primary tiers: free versions, paid consumer versions, and enterprise-grade versions. Free and consumer-grade AV tend to be bloated with unwanted “extras” that slow your computer down significantly. They also include frequent popup messages urging you to pay for add-on features that can be confusing for staff. Windows already offers the built-in AV “Defender”, which generally works as well as any baseline consumer version on the market (and no, Macs are not immune to viruses).
Businesses require secure, effective, and efficient tools. Enterprise AV solutions offer a nimble, streamlined experience. Advanced security measures such as cloud-based, AI-enabled behavior analysis and professionally monitored AV support eliminate the need for end users to manually handle virus alerts.
Tip #19: Access Control Policies
Beyond traditional notions of hacking, the majority of cybersecurity breaches stem from social engineering. Whether in the form of an email tricking users into providing sensitive information or simply accessing an area that was left unlocked, these methods are remarkably unsophisticated yet effective ways that criminals access your infrastructure.
Maintain access control policies to secure your data and infrastructure:
- Ensure server rooms and network racks have locking doors.
- Have a trusted employee maintain access to the keys.
- Provide staff with locking drawers or locks on their office doors to keep sensitive data from being easily accessed.
- Staff should shut down computers nightly to prevent remote access while away from the office. Only leave a computer powered on for after-hours maintenance when arranged with IT.
- Do not share user accounts or passwords. Provide individual user accounts to maintain accountability when able.
Tip #20: Have a Cyber Breach Action Plan
Planning for a security breach is like planning for a natural disaster. They may never come, but when they do, having a plan in place can have a tremendous effect on how well you and your business will weather the storm.
Work with your IT team to ensure there is a plan of action for each type of security breach. The examples below happen to businesses every day. Without proper planning, some of them can be ruinous, and each requires its own approach to be dealt with properly.
Think about what steps your team will need to take for the following scenarios:
- An e-mail account is breached and currently sending spam to clients.
- An e-mail account is breached and client data has been compromised.
- Your internal network is breached and data has been compromised.
- Your workstations have been infected with ransomware, locking up all your data.
- Your website has been brought down by a distributed denial of service attack.
- A bad actor has penetrated your cloud ERP platform that is being hosted by a 3rd party.
Tip #21: Managing End-of-Life Dates for Infrastructure
All good things must come to an end. For better or for worse, evolving product lines usually require that support for old software and hardware is eventually phased out. Supporting past products endlessly is cost prohibitive and sometimes impossible for manufacturers and software developers. With the end of support comes the end of security patches. Any new security holes discovered are left un-closed and fixes are no longer created for bugs or errors.
Every business owner will come to a point where they must bite the bullet and pay to upgrade aging infrastructure. Fortunately, most companies in the technology space will publish “End of Life” notices online. Ensure your IT team is keeping track of these dates to ensure proper budget forecasting. Prepare to replace equipment before it reaches its end of life date. Unsupported legacy equipment can be rendered non-functional when connected devices go through driver, software or operating system updates. This type of surprise can be crippling so plan accordingly.
Tip #22: Securing Remote Connections with VPN
While remote connectivity to the office has become the norm, connecting safely is still an afterthought for many businesses. Using tools like Remote Desktop requires open ports in your firewall which create security holes exposing your network to a variety of attacks.
A secure solution for remote work is created by implementing a Virtual Private Network (VPN) for remote staff. A VPN provides private encrypted tunnels, from anywhere staff may be working, directly to your office network. Ports are closed to the cyber-criminals and all data transmitted back and forth is rendered unreadable by the encryption during its journey. It’s relatively painless to configure, easy to use, and inexpensive as well!
Once connected to the network, staff can access the onsite tools as if they were using a computer in the office. They can access files as their normal permissions allow, transfer files back and forth between their computer and the server, and print documents to the office printers.
Tip #23: E-mail Encryption for Securing Sensitive Data
Over 90% of malware was delivered by email in 2019. Year after year, email holds the top spot as the number one entry point for cybersecurity breaches. This is significant not only because emails carry important information, but also because they offer direct communication between you and your client. A breach impacting your client’s data can damage the hard-earned trust you’ve built with the business.
Extremely sensitive data is frequently being shared with staff, 3rd party vendors, or clients by email. Encryption should be utilized for anything deemed as too sensitive to be seen outside of the parties involved. Whether for mobile apps, browser-based webmail, or Outlook, the encryption solution needs to meet your staff wherever and however they work. Encryption options are an inexpensive, easy to implement tool that every business needs to consider. Honor the sanctity of your client’s personal information by protecting it while in your hands.
Tip #24: Taking Control of Geo-Tracking
Smartphones are part of our everyday lives and go with us wherever we go. Many of the applications we have grown accustomed to are busy keeping track of our every move. Geo-tracking monitors and tracks our locations via GPS data sourced from these devices and other GPS-enabled devices.
The obvious concerns with any type of tracking are the potential loss of privacy and the ability to determine whether app developers are protecting or selling our data. The benefits offered are impactful, from time-saving apps that log business mileage and GPS-based mapping apps that guide us on our daily drives to the recovery of lost or stolen devices via tracking apps.
Your iPhone and Android devices allow you to turn off a significant portion of these tracking tools. Most individuals have already made a quiet decision to allow geo-tracking, but the bottom line is that you do ultimately have control over these features.
Tip #25: Schedule a Network Security Assessment
As your business grows and new staff is hired, computers and mobile devices are added to the network as well as the additional infrastructure to support them. A network security assessment shines a light on the blind spots that may be building up over time.
Tracking down and fixing weak points in the network is critical to protecting your environment, or blind spots quickly become security holes. Once security issues are resolved, bottlenecks are eliminated to fix any network speed issues impacting productivity. Finally, budgeting becomes more streamlined as the assessment report highlights aging or failing equipment due for replacement.
Take These Steps Toward a Successful Technology Road-map:
- Determine what is connected to your network.
- Secure your network.
- Track down bottlenecks in your network.
- Resolve performance issues.
- Minimize downtime associated with the failure of aging equipment.
- Utilize aging reports for effective budgeting with insight into the state of your equipment.
- Develop a strategic road-map to guide IT decisions.
Tip #26: Enterprise Firewalls for Business Networks
The role of a firewall is to block undesirable traffic from entering or exiting your network. Every website visited, search engine queried, file transferred, e-mail sent or received, and video streamed is checked for threats by your firewall. This checkpoint is designed to ensure that all traffic follows the rules and meets the desired security criteria in order to continue to its destination. If the data does not comply, it is stopped at the gate and denied entry or exit.
Enterprise firewalls offer granular configuration to detect and block more advanced attacks and intrusions. The firewalls that come with a home router are simply not able to offer the same level of protection.
Enterprise firewall functionality includes:
- Content filtering
- Application-specific attack detection
- SSL inspection
- Reputation-based filtering for Malware
- Geo-location specific traffic blocking
- Monitoring and alerts for application behavior
- Active directory integration
Tip #27: Have a Mobile Device Management Plan
The current remote work environment has brought about an explosion of cloud collaboration tools leading to 24-hour engagement between staff, business data and technology infrastructure. This has blurred the lines between employer-provided computers and personal mobile devices.
Smart phones and tablets are now commonly used to access corporate data with cybercriminals specifically targeting them for this reason. Personal devices typically go unsecured, with sensitive information left vulnerable and increased exposure to cyberattacks.
Make cybersecurity a priority for your business and implement a mobile device management (MDM) plan. Define clear internal policies with a seamless process to securely manage data shared between mobile devices and the company network.
A well-planned MDM offers clear benefits:
- Security Updates and Patching
- Blacklisting of apps
- Security tools for managing threats
- Remote support tools
- Email access management
- Track or wipe lost and stolen devices
Tip #28: Dark Web Scans Can Pre-empt a Data Breach
When Adobe was attacked in 2013, over 150 million users’ account info was stolen. In this all too common scenario of a large-scale breach, victims may have no idea their accounts have been compromised until weeks or months later when a cybercriminal finally takes advantage of the stolen credentials.
This delay provides businesses with a window of opportunity to minimize security threats by implementing a dark web scanner to monitor all known black-market sites. You will receive reports highlighting when personal or business email accounts are compromised so you can change passwords before an attack begins!
The pain of a breach compounds when people use the same login info across several websites. Bad actors will try stolen usernames and passwords on a variety of other popular sites until they find a match and gain access. Use different usernames and passwords for every login and stay one step ahead of cybercriminals with proactive breach monitoring.
Tip #29: Staff Training is Key to Business Cybersecurity
Businesses are complex and dynamic systems. The staff within an organization and the customers being served are at the core, followed closely by the supporting infrastructure. When developing security strategies, infrastructure tends to receive all the attention, but it’s the people that are usually the primary target. Phishing and social engineering are among the most common and effective methods of attack. For them to be successful, each method depends on a human being letting their guard down.
Securing infrastructure is critical, but your staff also needs training on how to spot and avoid cyberattacks. For industries such as finance, businesses can benefit from educating clients as well. Inform your clients what types of communication to expect from you and how to detect fraudulent email, such as requests to wire money during a transaction. Ask your IT team to provide regular training for staff and to develop a security protocol for your clients. You’ll never regret protecting your people.
Tip #30: Protecting your Business with Cyber Insurance
By the end of 2019, cyberattacks had taken over the number one spot, from business interruption and natural disasters, as the largest threat facing SMBs. This is a monumental shift in long term planning as business owners manage which risks to avoid, accept, control, or transfer. Cyber insurance mitigates risk by offsetting recovery costs related to a cyberattack or security breach.
Costs that cyber insurance may cover:
- Infrastructure repair
- Reputation management via marketing and public relations
- Business interruptions and loss of income during suspension of operations
- Ransomware related extortion
- Credit monitoring for customers
- Notifying employees and the public
Failure to maintain required security measures can result in denial of coverage. Use a trusted IT partner or outside security firm in assessing compliance and determining that all necessary safeguards are in place. With the right cyber insurance policy, you can avoid the costs and brand damage resulting from a security breach.
Tip #31: Partner with a Trusted Technology Partner
Business technology is more than just the computers and hardware we rely on daily. It is the knowledge, focus, and drive that pushes us towards more secure, effective, and efficient forms of communication, automation and information management. It is created, nurtured, and utilized by people, and its evolution is constant if not exponential.
Whether you are looking to protect your data and environment, streamline collaboration and communication, or implement tools that accelerate growth, it requires a dedicated technology team. As with anything in life, you need to surround yourself with the right people to help achieve the goals you are working towards.
Partner with a trusted IT provider to set your business up with the strategic support and security necessary to compete at the highest level.
To learn more about how Amicus MSP can help your business, call us at (800) 804-1477.