Premier Accounts

Better Business in Manchester

Ten top tips for better SME cyber-security

Online working and cloud technology are now routine for most SMEs. But there is always the lingering fear of cyber threats hovering out there in the ether. Aaron Singer of Pulsar Computing explains straightforward cyber-safety steps that can help you to protect yourself.

Make security a habit

While the internet is now intrinsic to business, most of us are only too well aware that digital commerce comes with the unpleasant risk of both mildly annoying and potentially much more serious security breaches.

Cyber-security is a highly-technical subject. Even so, there are reasonable steps that small-and-medium-sized enterprises can take to safeguard themselves and the confidentiality of the data they hold.

Below are ten priority tips, starting with education.

1. Education

If you don't know what you are looking for, how can you avoid it?

Most hacks start with a phishing email that is often crafted very specifically for an individual, or a series of similar-looking emails fired at as many people as possible. If you and your staff don't know what to suspect, or lack a simple reporting model, you risk being caught out. The enemy has gained entry to the castle!

A simple checklist of what to look for, how to confirm an email's authenticity, and what to do if you spot a suspicious file, is a very positive start. Remember, phishing is just one example of how you could be attacked. But training and education can turn your company's weakest defences into the strongest.

2. Password policy

For passwords to be effective they need to be remembered easily. Password managers can help to control the strength of, and access to, certain passwords.

Many businesses allow the sharing of logins in a secure environment; permissions can be set for varying access levels. For example, an accounts team may log into services a marketing team will never need to use. The two biggest problems are, one, reusing the same password on multiple sites, and two, using easy-to-guess passwords.

Everyone should be taught how to construct unique passwords from familiar phrases or statements, make small adjustments to suit the website, and reuse the base phrase with different modifiers.

3. Social media policy

Research suggests that 40% of Facebook accounts, and 20% on Twitter, claiming to represent Fortune 100 brands are fake; "social spam" has grown by 658% since mid-2013. Large brands experience at least one compromise on their social media channels every day.

The solution is again good user education. It is important to understand that links or media offered through Facebook are not harmless. Malware can be unleashed throughout a company's network by one staff member "accidentally" watching, say, a contaminated video. Don't do it!

Social media is an excellent tool when used correctly but account security is paramount. Regular password changes must be made in parallel with regulated and monitored admin access. Staff need to know what they can and cannot do on Facebook, realise how attacks happen and be aware of what to look for.

4. OS updates

Keep systems up-to-date, including all software used on a daily basis. Ensuring that the OS and antivirus are current is incredibly important. Make sure updates are installed on all workstations without delay.

Uninstall Adobe Flash Player or Java if workstations or staff members don't need them. Flash is consistently shown to be vulnerable to zero-day exploits, even after brand new updates.

5. VPN, public wi-fi

For mobile employees, using public wi-fi at service stations, coffee shops, or hotels, might be unavoidable. But they are potentially open to attack.

For example, "DarkHotel" used false update packages to install malware on high-value targets staying at luxury hotels. Updates for services such as Google Toolbar, Adobe Flash and Windows Messenger proved very popular. But allowing updates to download exposed the system to malware. Usernames and passwords for common services were targeted specifically.

The best way to avoid these and other "man-in-the-middle" risks is to use a virtual private network (VPN).

6. Multi-factor authentication

Two Factor Authentication is a method of protecting private login credentials. Usernames and passwords are lost or stolen very easily; you may not even know yours have been compromised.

However, by taking, say, a username and password and then adding another securing feature, such as a 'one-time passcode' (OTP), your login can be given extra protection from guesses or brute force attacks.

Brute force attacks are when a repeated attempt is made to guess a password. This is usually by a computer rather than an individual, with very powerful computers working through millions, if not billions, of possible passwords per second.

Passcodes can be sent by SMS text or email, or generated on a smartphone or a small device called a token, whenever login is attempted. Codes have a limited lifespan before expiring, are unique and can only be used once. A new code is generated every time you try to log in. Even if usernames and passwords are compromised, the login will fail without the OTP.

7. BYOD policy

Bring Your Own Device, or BYOD, calls for a clear, understandable policy outlining security requirements and best practice. All staff should read, understand and sign this. Education, training, and knowing why and how threats can expose a business, is a much better way to protect data. Antivirus must be installed, with regular scans.

It is important to ensure that updates are installed without delay, particularly for large-scale vulnerabilities like Meltdown and Spectre. All apps must be reviewed periodically, with some limitations on free apps and the ability to install them.

8. Proper permissions

Making sure your employees have the permissions they need - and only the permissions they need - goes a long way in mitigating potentially successful phishing attempts, or other intrusions into your system. This includes the dreaded 'insider threat'.

For example, does your marketing department need access to the technical department's systems? In fact, does your social media guru need access to your customer information? Probably not.

The more aggressive you can be the better, without hampering your staff's day-to-day work. But knowing who has access to what, and occasionally reviewing permissions, is essential.

9. Updating old systems

An OS reaching End of Life (EoL) can have a massive impact in terms of replacement/upgrade costs, and can also create a massive vulnerability if it is not replaced or upgraded.

The negative PR backlash can be extensive and damage your brand. Doing everything possible to keep yourself safe is in your best interest. For example, running out-of-date Windows XP exposes you to many threats.

You can install internet security. But be very careful what emails you open and what web pages you click through to. It's like putting the most expensive locks on a 3-ply shed in the hope of keeping the contents safe!

Updating your operating systems is not all about keeping Microsoft afloat. Rather, it's one of the multiple layers required in modern day computer security. Think of it as the foundations of your house, without which the walls and roof will come tumbling down.

10. Be aware of GDPR

As Premier's January 2018 Newsletter pointed out, from May the General Data Protection Regulation (GDPR) will radically alter the way in which you can hold personal information about other organisations and people.

Encryption can play a big part in protecting data, including on USBs, laptops, DVDs left on trains, lost in the post, or even someone reading information they have no right to see in your very building.

Conclusion

Security is always a multi-layered discipline that evolves over time. I hope the tips I have given above will help you to build a solid foundation that goes a long way to keeping all but the most determined cyber criminals at bay.

Aaron Singer - Service Delivery Manager

Pulsar Computing
