Day in and day out we receive cases from businesses experiencing some form of a cyber attack. The vast majority of these attacks can be blamed on one recurring theme: outdated or insufficient security equipment and settings.
As we help our clients through these unfortunate and difficult events and get them back on their feet, we are always asked how the attack could have been avoided. In hopes of helping other businesses avoid or reduce their risk of cyber attack, here are some basic and relatively inexpensive tips for your business cybersecurity setup:
Just as you would lock your front door so you don’t get robbed, you also need to lock out malicious actors online. Many business leaders or team members are surprised to hear about the need for a physical piece of hardware to protect them.
“Doesn’t my computer’s built-in firewall protect me?” they ask.
The answer is yes, but not to the extent that a business needs.
A VPN-capable firewall will allow you to encrypt all communications whether you are in the office or in a coffee shop. It will prevent Remote Desktop Protocol brute-force attacks (which we find is the most common attack source for ransomware), it will log and prevent any intrusion attempts, and it can serve as a filter so employees cannot access potentially harmful websites while logged in.
To save on costs, you may be able to find a used firewall online. If you purchase a used firewall, be sure to install the latest firmware and reset it before adding your team members to the system. Be sure to change the default password, and make sure whatever firewall you purchase has at least two-factor authentication. Many firewalls come with an app-style component for employees to install on their devices. This will lengthen the login process by about 15 seconds each time but can drastically reduce your vulnerability.
We’re going to take a wild guess that you’ve overheard at least one team member jokingly mention that all of their passwords are the same across several sites, or that they are not very complex. Without a doubt, humans are the largest vulnerability when it comes to cybersecurity, both with password management and security, and email phishing (more on that later).
Tools like YubiKeys exist to provide employees access without them needing to manage, remember, and update an ever-growing litany of passwords. This technology is gaining a lot of traction simply because of the number of successful brute-force attacks where attackers simply guess the right combination of letters, numbers and (hopefully) special characters.
We recommend purchasing a key for each team member. They will then plug the key into their device, hit the button, and with the proper configuration will obtain access to the tools, documents, and programs they need.
It is dangerous to think that none of your employees can be tricked with email phishing attempts. The most devastating attacks we see come from elaborate social engineering campaigns that bypass typical authentication without setting off any red flags.
A sophisticated attacker, such as the kind we encounter more and more every day, takes their time to learn style and tone and then begins sending emails disguised as people you correspond with regularly. In some cases, the attacker may hop in mid-conversation in a back-and-forth exchange to get you to click on certain hyperlinks or download attachments.
Tools like YubiKeys can help mitigate this phishing vulnerability as well, since they have additional safeguards to recognize malicious links and attachments like droppbox.net or b0x.net.
Settings and Configurations
Office 365 Secure Score
If your business utilizes Office 365 or Microsoft 365 Business, pay special attention to your Office 365 Secure Score. This tool analyzes your current settings and activity to curate a score which you can use to calibrate your configuration. Secure Score provides recommendations for you so that improving your score and thus the security of your network is fairly straightforward and painless.
G-Suite (Google for business) Recommendations
There are a variety of sources for tips on how to lock down your G Suite account. To their great credit, Google has things very well locked down by default. Forbes has a quick list of 4 tips that will help you go that extra step to ensuring that your data remains yours.
Two-factor authentication is a security setting available on several everyday tools and programs, yet is one many are reluctant to implement. However, we cannot stress the importance of this security setting enough.
Here is how it works: when a user successfully logs in with their username and password, a text message or notification is sent to another device assigned to the user, most likely their smartphone. The user will then be asked to enter the code sent to their device, thus granting them access per usual.
Multi-factor authentication effectively blocks access to malicious actors that may have acquired your email address and password details through malware, email phishing or other methods. If the malicious actors attempt to log in using your credentials but cannot retrieve the code delivered via text message or app, they will not be able to gain access to your system.
To monitor this, you should set up an alert that triggers any time there is a login attempt from a malicious IP address where your username and password were entered correctly but the attacker was unable to log in because they could not retrieve the code sent to the user’s device.
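One way to implement the alert described above, as an added example that is not part of the original article. The JSON-lines log format, the field names and the five-minute retry window are assumptions, and the events are constructed samples using documentation IP ranges.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical field names, documentation IPs).
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:05", "user": "alice", "ip": "198.51.100.7", "password_ok": true, "mfa_ok": true}
{"ts": "2024-05-01T09:14:40", "user": "bob", "ip": "198.51.100.7", "password_ok": true, "mfa_ok": false}
{"ts": "2024-05-01T09:15:10", "user": "bob", "ip": "198.51.100.7", "password_ok": true, "mfa_ok": true}
{"ts": "2024-05-01T03:22:11", "user": "carol", "ip": "203.0.113.50", "password_ok": true, "mfa_ok": false}
{"ts": "2024-05-01T03:22:58", "user": "carol", "ip": "203.0.113.50", "password_ok": true, "mfa_ok": false}
{"ts": "2024-05-01T04:00:00", "user": "dave", "ip": "203.0.113.50", "password_ok": false, "mfa_ok": false}
"""
GRACE = timedelta(minutes=5)  # assumed window for retrying a mistyped code

def parse_events(text):
    """Parse JSON-lines sign-in events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(events, key=lambda e: e["ts"])

def mfa_failure_alerts(events, grace=GRACE):
    """One alert per (user, ip): password correct, second factor never completed."""
    alerts = {}
    for ev in events:
        if not ev.get("password_ok") or ev.get("mfa_ok"):
            continue  # wrong password, or a fully successful login
        recovered = any(
            o.get("mfa_ok") and o.get("user") == ev.get("user")
            and o.get("ip") == ev.get("ip")
            and timedelta(0) <= o["ts"] - ev["ts"] <= grace
            for o in events
        )
        if recovered:
            continue  # same user finished MFA from the same IP: likely a typo
        key = (ev.get("user"), ev.get("ip"))
        alert = alerts.setdefault(key, {"user": key[0], "ip": key[1],
                                        "first_seen": ev["ts"], "attempts": 0})
        alert["attempts"] += 1
    return list(alerts.values())

if __name__ == "__main__":
    for a in mfa_failure_alerts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['user']} from {a['ip']}: {a['attempts']} blocked attempt(s)")
```

An alert from this check means the account's password is already known to someone else, so the follow-up is a password reset for that user even though the login was blocked.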
Use a Password Vault
With the overwhelming number of passwords that you need to manage these days it is pretty common to fall into the trap of using the same password for multiple accounts. With a password vault you only need to know the password to unlock the vault. The software will auto-fill forms, website, application, and system logins for you with hugely complex and random passwords that are nearly impossible for an attacker to crack. A recent article at PC Magazine has a review of the ten most prevalent password managers.
We work with businesses who have fallen victim to a cyber attack on a regular basis; a common theme we see in nearly all of these incidents is that the victims’ operating systems and software were out-of-date and lacking in the latest security safeguards. Operating system vendors are constantly patching their systems to bolster their security settings as new threats are discovered and identified. If you are not frequently patching your programs, you are not protected by those latest security measures, which will leave you very vulnerable to a cyber attack.
Another low-cost security measure, malware scanners allow you to detect malware threats proactively. There are numerous malware scanners in the marketplace ranging in price and functionality. As with any security measure, ensuring your malware scanner’s system and definitions are up-to-date is crucial; otherwise, the scanner may not detect vulnerabilities properly.
Every single device in your business should be fully encrypted, including mobile devices used for work, external hard drives, and NAS devices. As more and more employees start to work from home or away from the office, this is a low-cost way to ensure your business devices are secure if they are ever stolen.
Free training videos for your team
YouTube is an excellent resource for free training videos. Requiring your team to watch a 15-20 minute video on email phishing or social engineering could drastically reduce the chances of them falling for a malicious email, phone call, or other form of social engineering cyber attack.
Lock down your IP address
Whenever you are migrating your website host, lock down the IP address from which you administer the site. Then enable two-factor authentication, which, on top of locking down your IP address, will effectively give you three-factor authentication.
If you are using any third-party tools such as HubSpot or Pardot, they should have two-factor authentication enabled and should be locked down by IP range as well. This will prevent malicious actors from other regions or countries from logging into important programs such as your CRM.
Back up your systems
If you put all your eggs in a basket, but the basket catches on fire, your eggs will likely not make it. For the purpose of the idiom, backing up your systems is the equivalent of putting your eggs in a fireproof case and then placing them in the basket. Routinely back up your systems and store them on a fully encrypted device on a separate network from your day-to-day network.
Be sure to have your backups disassociated from the login credentials for your network. Use separate and complex credentials for a backup client to a Network-Attached Storage device so attackers cannot encrypt your backups in addition to your workstations and servers.
A Formal Information Security Program
While more complex than many of the suggestions in this article, establishing a comprehensive information security program within your organization will keep you aware of your weaknesses in order to build the proper protections. While some information security programs can be handled by internal team members and a CISO, engaging a third-party vendor to determine your risk profile may uncover vulnerable configurations more effectively than those who are very closely intertwined with the systems.
Continue to evolve
One of the largest pieces of advice we can give to businesses, large and small, is to always keep an eye on new cybersecurity settings and potential threats. Some helpful sources to monitor are the United States Computer Emergency Readiness Team, Symantec’s annual Internet Security Threat Report, and the manufacturers of the hardware and software you use in your business. You can also keep track of the latest cybersecurity news through outlets like Wired, Motherboard and Info Security Magazine.
If you suspect an attack, don’t wait to react.
With these new security settings in place, you will have a better handle on what is happening within your business network and will be able to more effectively identify when a threat arises or when you’ve experienced an attack.
If you suspect that malicious activity has occurred, let us know immediately. We can help you determine your best course of action to mitigate the damage of the cyber attack. From there, we can work with your insurance provider or counsel to identify if, how, and when the cyber attack happened, as well as which and how much data was compromised.