We paid a cybersecurity consultant to tell us what small businesses should be doing for IT security.
Our security consultant works for one of the Big Four firms, holds Comptia Pentest+ certification as well as the ISC2 System Security Certified Practitioner (SSCP) certification, and specializes in Security assessment, Maturity Assessment, and Penetration Testing.
If the certifications above are word soup to you, our expert works at one of the biggest security firms to protect their customers ‘ IT assets and help their customers find practical solutions to protect their business.
IT Tips for Small to Medium Sized Businesses
Small and medium sized businesses are often the victims of cyber attacks, mainly due to their smaller budget allocated to cybersecurity. According to the Hiscoz Small Business Cybersecurity Report of 2018, 47% of small businesses experienced an attack in the past 12 months. The same report also showed that only 52% of businesses have a cybersecurity strategy, highlighting the fact that cybersecurity is often overlooked. This is often due to the fact that cybersecurity threats aren’t always obvious, especially to someone untrained in the area.
Threats Faced by Small to Medium Businesses
With the number of data breaches on the rise and malware becoming more sophisticated, it is time for small businesses to reconsider their cybersecurity posture before they become the next headline of a major attack. Here are some of the most common threats faced by small to medium-sized businesses when it comes to cybersecurity:
Phishing is the act of sending out a fake email, which looks legitimate, to employees with the goal of obtaining sensitive information or gaining access to their system. Often in this case, employees will receive an email that looks like it is coming from the IT department of their organisation. The email will typically ask them to sign-in to their account of download a file.
If employees sign-in to their account, the hackers have their username and passwords. If they download the file, hackers will install malware on their systems which allows them to get on the corporate network and infect other systems with the goal of stealing information which they will later sell or encrypting all the data to later ask for a monetary ransom.
Ransomware is a specific type of malware which encrypts all your data when it gets onto your servers. All your data will be encrypted and there will be a timer stating that you have this amount of time to pay the ransom before your files are deleted or sold online. Typically it is transmitted through a link, a file sent in an email or a file downloaded from the internet.
Hackers will look for a monetary ransom, commonly paid in cryptocurrency, for them to decrypt and release your files. Often times, when the ransom is paid you never get your files back and paying hackers like these only encourages the spread of more ransomware. Ransomware is becoming increasingly common and with new strains being developed on a daily basis, it is becoming harder to prevent getting onto your infrastructure.
Weak passwords are an invitation for a data breach to occur. Attackers can perform what’s known as a Brute Force attack to guess users passwords. It is a very easy attack to setup, and involves the attacker using an employee’s username and a list of passwords to attempt to login to the employees account. The list of passwords can contain millions of the most popular password combinations and can conduct hundreds of login attempts per minute.
It is also possible to create a custom wordlist for the password. If the attacker knows some information about the employee, such as their name, address, date of birth, they can input this information and the software will generate different combinations which can be used to attempt to guess their password. If your employee’s password is something easy like Password, 123456 or includes variations of their name then you can be sure that this attack will guess their password.
Simple Ways to Increase Your IT Security
There are a number of processes every small to medium business should look to implement to increase their security posture and reduce the risk of a major data breach. Below is a list of the top tips I feel every small business should implement when it comes to cyber security.
Develop a Backup Strategy for your data
As a small or medium sized business, losing your data can have serious consequences. A backup strategy can save you time, money and your reputation. It is a brilliant defence against a ransomware attack, described above, as you should have a backup of all your files. Even if the attackers do manage to encrypt everything on your servers, you have a backup of all the files ready to go. This allows you to resume service very quickly by simply wiping the server of the ransomware, fixing the security vulnerability that allowed the ransomware onto the system and re-uploading your backup files. While a backup plan may be costly upfront, it will save you a huge amount of money in the event of an attack such as this, not to mention time, resources and your reputation.
When establishing a backup strategy there are a number of things you should consider such as:
- What data do I need to back up?
- At the minimum you should have your most critical data backed up. Depending on your needs and budget there are three main types of backup – full, incremental and differential. A full backup will back up everything. An incremental backup will begin with a full backup and then will only backup data that has been changed or created since the previous backup was conducted. A differential backup will back up all the changes made since the last full backup, i.e. the differences made to files since the last full backup.
- How often do I need to back up?
- This can be flexible depending on the level of security you require and your budget. If your business handles lots of data on a day to day basis, you may want to back up your data at the end of every business day. Otherwise you could consider backing up your data on a weekly, 2 weekly or monthly basis. It is up to you but the more frequently you backup, the less data you will lose in the event of an attack.
- Where will I store my backups?
- An organisation has numerous options on where they can store their data. One of the simplest options is to back up your data to the cloud. There are many cloud providers such as AWS, Google Cloud, and Azure whose job it is to ensure your data is stored securely. 99% of AWS breaches in 2019 were due to the customer misconfiguring their storage account, so it is important to get the setup done right. Once you set up your backups in the correct way, there is no oversight needed on your part as the backups can take place automatically. If you want to keep your data closer to home, you could also store it on-premises using your own servers. However, this has a tremendous upfront cost and needs a lot of oversight to maintain the security of the servers.
Identity and Access Management
This is another simple solution to implement in your organisation, regardless of size. Having identity and access management controls in place ensures that employees only have access to data that they need to have access to, and nothing more. This ties in with the principle of least privilege, which states that employees should only have access to data that they need to do their job. This ensures that if an attacker manages to steal credentials to an employee’s account, they can only access a limited amount of data. It also protects you from malicious insiders, who are employees that want to cause damage to the business from the inside due to them being laid off, fired or missing a promotion.
Identity and access management control to ensure that employees can only access data that they are authorized to access. There are numerous solutions that can help you enforce this control across organizations such as Azure Active Directory, Centrify, SailPoint, Keeper Security, and Oracle Identity Cloud Service among others. These solutions ensure that if an employee wants access to a file or folder, they will have to request access to it from a manager and give a reason as to why they need to access it. You can also set up the system so that this access is reviewed every 90 days and if the employee no longer needs access to do their job, then is it revoked.
Password Management Policies
Password management policies are another control that is easy to implement, but often overlooked or not enforced properly. With 76% of breaches caused due to weak passwords, it is important to make sure this is an area that is secure.
Password management solutions come in very useful when trying to enforce password policies across the organisation. Take LastPass for example, which I subscribe to for personal use. LastPass allows you to specify the minimum amount of characters employees have to include in their passwords and can enforce the use of special characters and numbers making passwords very secure. You can also set it up so that it forces users to change their passwords every 90 days, which is the best practice for managing passwords.
LastPass includes a password generator which takes the hassle of having to come up with passwords yourself. The password generator will create a password of up to 50 characters, including numbers and special characters, and will save the password so that you don’t have to remember it. All the passwords can be accessed from your LastPass account, which is protected by a master password which you do have to remember. Multi-factor authentication can be setup to provide extra security for the account.
The Enterprise version of LastPass provides a lot of options to your IT team when it comes to password management. Admin controls allow you to configure over 100 policies across the organisation. You can enable single sign-on for employees so that they don’t have to remember their password or write it down anywhere. LastPass allows you to share one time passwords which can be given to people outside the organisation, to a client for example, and will expire after their first use. You can add multi-factor authentication for all employees signing into their accounts for even more protection and you can also set it up so that employees can login using Active Directory credentials, meaning they don’t have to enter their password at all.
LastPass is just an example and there are many other password manager solutions out there that may be a better fit for your organization’s needs. This is another example of a simple addition that can greatly improve the security of the organization as a whole.
Security Awareness Training
Employees are the No. 1 cause of breaches form small businesses. Your employees can be the deciding factor between an organisation which has never been hacked with a good IT reputation and a major data breach which has serious effects on the whole organisation. Security awareness training is a hugely important to train employees in good cyber security practices and every employee should have to undergo this training as part of their onboarding process. As a small business you may think this is overkill, but it is worth the time and effort to increase your security posture and reduce the chances of a breach.
No security solutions will help you secure your business unless you create a good culture of cybersecurity awareness in your organisation. Encouraging good cybersecurity awareness can be easy to promote too. For example, you could offer some type of bonus to employees who report phishing emails that turn out to be genuinely malicious.
Encouraging behaviour like always locking your laptop before leaving your desk, being sceptical of any links included in emails and not using work assets for personal use can all contribute to keeping your organisation safe from threats. Encouraging an open and honest workplace will also help employees feel more comfortable reporting a mistake they make, resulting in any malware being caught quicker and reduce the damage.
Set Up Multi-Factor Authentication
This is a super simple control to implement which can greatly improve the security of all organisation accounts. Multi-factor authentication (MFA) involves the user having to enter not only their username and password, but also another piece of information unique to that user, such as a code send to their phone. Setting up this feature across the organisation is very simple to do and it is easy for all employees to comply with. This ensures that if an attacker does manage to compromise the password of one or several employee accounts, they won’t be able to sign-in to the account without the employee’s phone.
There are many software solutions that offer MFA such as Microsoft Authenticate, Google Authenticator, etc. LastPass also offers MFA which can be used when logging into every account you have, which is a useful security feature. If you are using any cloud services, many of these vendors will include MFA as an optional feature. It’s as simple as enabling the feature in your account settings to add this extra layer of security to your business. MFA is very easy to implement and is a good “quick win” for small businesses when increasing the security of their organizations.
Secure Your Wi-Fi Network
This is another easy security control to implement, but one that is often overlooked. There really is no reason to have an insecure Wi-Fi network in your business. If hackers manage to get on your Wi-Fi network they can conduct a number of attacks on your servers and other IT assets such as monitoring traffic and Man-In-The-Middle attacks (which allows them to change the content being sent over your network) among others.
There are a number of simple things which only take a few minutes to do that can greatly reduce your chance of having your network hacked such as:
- Change the routers default administration password – Often, if you google the router make and model the default password can be found online.
- Configure the router to always use WPA2 encryption – Never use WEP or WPA, both of these encryption standards are insecure and are laughably simple to crack.
- Establish an updating schedule for updating the routers firmware, for example every month check for updates.
- Use a strong passphrase that is not easily guessed for your router
- Physically secure your router
- Hide your network – You can set up your network so that it is hidden from devices looking for networks to connect to. If a hacker can’t find your network, they can’t attack it.
Implement a Secure Firewall Solution
A firewall is your first line of defence between your IT assets and the internet as a whole. A firewall is a security solution which sits between your businesses network and the internet. It is an essential piece of software that helps prevent unauthorized individuals from gaining access to your network and stored data. There are a number of firewalls available depending on your needs and budget, but they are not all made equal. The latest firewalls are known as Next Generation Firewalls which offer a huge amount of increased security in comparison to your traditional firewall. Careful consideration should be made when selecting a firewall and a bit of extra investment in a newer model is money well spent when it comes to keeping your IT assets secure.
Firewalls help filter out the good from the bad when it comes to network traffic. Firewall rules can be set which determines which traffic to allow into your network and which traffic should never be allowed. Many companies are beginning to install internal firewalls between their servers to provide additional protection. This will protect against what is known as lateral movement, which is when an attacker breaches a system and moves across to another system in order to gain more information.
Document your Cybersecurity Policies
This is another process which can be easily overlooked by small businesses with a smaller budget. While it is normal for a small business to operate by word of mouth, documenting your protocols is essential when it comes to cybersecurity. It is not only important from a compliance perspective, but it is also useful for employees to refer to. In the event of a breach for example, when stress is high and it is difficult to think straight, it is incredibly useful to have an incident response plan mapped out to get you back on track much faster. It is also useful for employees to know how to access these documents in case they are unsure of what steps to take in a particular situation.
The Federal Communications Commission (FCC), which is a cybersecurity regulator of American companies, provides the Cyberplanner 2.0 which can provide you with a starting point for your security documentation.
There really is no excuse for small to medium businesses to ignore cybersecurity in 2020. Many of these tips can be implemented in a very short space of time and bring with them huge benefits for the security of the business. According to SiteLock’s 2020 annual security report, the average website is attacked 94 times a day. That works out as over 34,000 attacks a year, and only one of those has to be successful in order for your business to have a major data breach. Small businesses may feel that they are safe from cyber-attacks due to their smaller infrastructure, but this is far from the truth. Attackers know that small businesses have smaller budgets for cybersecurity and are therefore easier targets.