Small businesses are increasingly targeted by cybercriminals. Without security professionals watching their backs, they’re perhaps an easy option. What should you do to keep safe during lockdown given that adversaries are more active than ever?
Security demands that you consider your attack surface and minimise the risks appropriate to your business. What’s more, this is now a legal requirement since the new Data Protection Act (DPA 2018) kicked in, which applies the GDPR to UK law. Thankfully there are a few key ways you can strengthen your security posture and some great tools to make this happen.
Evolving threats emerge all the time with various objectives in mind, be they financial, political or just to cause trouble. The impact on businesses can be financial, operational and/or reputational. Attacks are sometimes carefully set up by real people over a course of months, so it can pay to be at least a little aware of their game.
The following list highlights a few common kinds of threats to be aware of:
- Social engineering: Attackers learn about your organisation and build trust with your team so that they can con them into taking actions such as paying out.
- Vulnerabilities: Security flaws are often spotted in software and they’re usually very quickly addressed by software updates (patches). When new vulnerabilities are found and are a current threat, these are known as “zero-day vulnerabilities”.
- Malware: Software designed for malicious purposes such as ransomware, spyware, botnets, trojans, viruses and worms, among others. These can be used to cause disruption to your own computer(s) or to help disrupt much bigger systems, such as large-scale attacks on big websites and services.
- Phishing: Emails sent impersonating brands you trust in order to steal your login credentials, card details or other sensitive information.
- Theft and physical breaches: People gaining access to physical systems or information.
- Website and web application attacks: Aimed at taking over or taking down your website or web applications (for example, DDoS or SQL injections).
To keep safe, here are some easy wins to address the above concerns. I’ve put these in order of priority, where the first items are those I’d recommend addressing first in a typical business:
- Backup: Make sure you have a backup that won’t be taken out by the same threats that could take out your live systems. A solid Business Continuity and Disaster Recovery (BCDR) solution is a very good idea too.
- Strong Passwords: Many people still use guessable passwords, or the same passwords for multiple sites and systems. Use a password manager.
- Multi-factor Authentication (MFA), also known as Two-Step Verification (2SV) / Two-Factor Authentication (2FA): Usernames and passwords are frequently compromised, so make sure that’s not all you need. MFA is often achieved simply by receiving a code to your phone in order to log in. This prevents hackers being able to log in with your credentials if they have been acquired (many are available for sale on the dark web).
- Cyber Awareness Training: Equip your team to understand what threats are out there and how to protect yourselves. This needs to be concise and easy to grasp so that you can focus on business while staying aware.
- Patch Management: Keep your systems up-to-date with the latest software, especially important security updates that address high-risk vulnerabilities.
- Anti-malware Protection: Use a modern comprehensive solution that protects against various kinds of threats:
  - Zero-day threats: Many of the best products out there are able to receive updates much more frequently to protect against the latest threats. They also watch the way things run on your systems to ensure there’s nothing fishy going on.
  - Traditional signature-based antivirus: This is still important, emphasised by the recent increase in these kinds of attacks.
  - Ransomware protection: Protects against encryption of files by unauthorised means, avoiding large pay-outs and disruption.
  - Process / behavioural monitoring: Many modern products apply machine learning algorithms to spot suspicious behaviour, even for processes that are otherwise recognised as being expected. This is an important line of defence against malicious code execution.
- Encryption: This ensures that people cannot snoop on your Internet traffic or get anything off your devices. They would need a password or recovery method to decrypt them first.
- Web Content Filtering: In addition to restricting time spent on non-work sites, filtering services can also block malicious or high-risk sites. This provides further protection against users accessing sites opened from phishing emails so that users don’t give away their login details or other sensitive information.
- Firewall: Use a modern firewall that’s geared up for protecting a business (not just a cheap consumer one). Some also integrate with the protection on your computers to provide synchronised security.
- Email Protection: Beyond the built-in protection of platforms like Microsoft 365 and Google G Suite, you can add a further layer of advanced protection to minimise the chances of malicious emails reaching your team and catching them out with more advanced scams. This includes protection against Business Email Compromise (BEC) scams where your team or contacts may see emails that look as though they’re sent by you (a threat with more and more victims at this time due to remote working under lockdown).
- DNS Protection: This protects against a number of vulnerabilities regardless of where you are working.
If you were to implement all of the above with reputable products, you’d be in a very strong position. If you can only implement some, I would recommend making sure you at least cover the first three.
Founder & IT Consultant, Invona IT Services
With over 20 years’ experience working in IT, Daniel specialises in providing IT services to businesses. He left his role as an IT consultant in London and set up Invona back in 2013 after a number of organisations sought to engage his expertise. Leading up to that time, whilst working with many organisations, he identified common problems described with IT services, which Invona aims to address by providing a fresh experience of IT services built on very strong relationships with a smaller number of organisations.