Hey, Jordan – What are your top cyber security tips?

As a cyber security professional, I often get asked this question.


I think the legacy view that hackers are only targeting big multi-national corporations or governments is highly outdated. The reality is that most attacks are automated and seek out the weakest businesses via flaws in a particular system that have long gone unattended, which are often SMEs without their own dedicated IT or security teams.


I think it’s also a misconception that you can’t do anything about it without spending thousands, if not millions, on security consultants that act like a SWAT team to prevent attacks in real time.


The reality is that cyber-attacks, or attempted cyber-attacks, are happening all the time, and as business owners, there are definitely some things you can do on your own to get started to at least improve the security of your company and client data. I’ll also add a couple of tips regarding external solutions you can deploy at the end if I may.

Well, onto the key points –

Firstly, (pause for emphasis) review your active users. This may sound simple but reviewing active users and accounts across all technology and services and removing old or disabled accounts is a very efficient way of removing weak points in security. People that have left the company obviously won’t follow the prompts or alerts to update their password or other security settings, making those accounts more vulnerable. As a bonus, this can also manage costs by reducing the number of licenses and subscriptions you have in place.

Secondly, I’m sure you’ve heard this before, but enforce Two-Factor Authentication, also known as Multi-Factor Authentication. This is pretty much available across all online services now and can be configured within the settings panel. As a bonus tip, try and avoid SMS-based methods as they are outdated and insecure, even though I appreciate they’re convenient.

As a more technical recommendation, disable password expirations and instead use longer, at least 20 characters, more secure passwords through an enterprise password management tool. These are super cheap nowadays, and have a host of other benefits. This will manage logins for you and your teams, so everyone isn’t using admin1 with some combination of special characters and capitalized letters.

I’m hoping you’re already doing this one but keeping antiviruses up to date is my second to last tip. An estimated 91 to 95%, the stats are not consistent, of corporate breaches are caused by human error. Install corporate antivirus software and web filtering tools that preventatively and proactively stop attempts to infect devices. This helps prevent users from making a mistake, which is so easily done with the modern sophisticated phishing attacks. Interestingly, we recently published an article about the use of AI and deep fakes. The focus was on the benefits but there are also malicious uses to trick people into giving over confidential information.

Lastly, update your network equipment every 3-5 years. That old yellow looking modem in the corner, or the rusted switch in the server room. Make sure they’re up to date, patched etc., albeit I appreciate this tip is likely to need some support from your IT vendor or a security consultant like our team at Buchanan Technology.

As I mentioned at the start, you may be looking to get support from external consultants, which I obviously would suggest given that’s our area of expertise, but it’s important, nevertheless.
We strongly recommend implementing data encryption, to prevent it from being readable by hackers, adding strict access controls to ensure only appropriate people can access data that is relevant to their role or function within the business, and considering device management tools like Microsoft Intune, which gives you, as an organization, a degree of control of your data that is on user devices, regardless of whether they’re company provided or personal. The weakest link is usually that old laptop that you let one of your employees use from home to keep up to date. I appreciate the productivity benefits, but you shouldn’t ignore the increased security risks.

As a final point, users. Help them. Train them. Keep them up to date. As I said earlier, 95% of breaches are ultimately caused by users, and a lack of security in place.

Here’s a couple of additional ‘quick wins’ that you can undertake today.

I’m a strong advocate of using technology in all aspects of business, and with that comes the responsibility of protecting ourselves. Here are some tips to ensure that we get the basics right first. Here are five actions you can take today to enhance your business’s cybersecurity practices:

  1. Active Users: Review active users and accounts across all technology and services. Remove any old or disabled accounts that are not required. This can also manage costs for licenses and subscriptions.
  2. Authentication: Enforce 2FA/MFA (Two-Factor Authentication/Multi-Factor Authentication) through authentication applications. Avoid SMS-based methods as they are outdated and insecure.
  3. Passwords: Disable password expirations and instead use longer (at least 20 characters), more secure passwords through an enterprise password management tool. This will manage logins so passwords do not need to be memorized by staff.
  4. Antiviruses: An estimated 91% of corporate breaches are caused by human error. Install corporate-grade antivirus software and web filtering tools that preventatively and proactively stop attempts to infect devices. It is critical that user devices are fully protected, especially when working remotely and/or using personal devices that aren’t covered by corporate policy.
  5. Update Equipment: Ask your IT provider when networking devices such as Firewalls, Switches, and Wireless Access Points were last updated. These should be updated once per month, or immediately in cases where there is a notable outbreak globally.
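
As an added illustration of items 1 to 3 (not part of the original article), the sketch below audits a user list exported from an identity or SaaS admin console. The CSV column names, the 90-day staleness threshold and the sample rows are assumptions constructed for this example, not any vendor's format.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a vendor format.
SAMPLE_EXPORT = """username,enabled,last_login,mfa_method,password_expires
alice,true,2024-05-28,app,false
bob,true,2023-11-02,sms,true
carol,false,2023-06-15,none,true
dave,true,,app,false
erin,true,2024-05-30,none,false
"""

STALE_AFTER_DAYS = 90  # assumed threshold; the article does not give one


def audit_accounts(export_text, today, stale_after_days=STALE_AFTER_DAYS):
    """Return {username: [findings]} for accounts that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if row["enabled"].strip().lower() != "true":
            # Item 1: disabled accounts that still exist should be removed.
            issues.append("disabled account still present")
        else:
            last_login = row["last_login"].strip()
            if not last_login:
                issues.append("never logged in")
            elif (today - date.fromisoformat(last_login)).days > stale_after_days:
                issues.append("stale: no recent login")
            # Item 2: MFA must be enrolled, and not SMS-based.
            mfa = row["mfa_method"].strip().lower()
            if mfa in ("", "none"):
                issues.append("no MFA enrolled")
            elif mfa == "sms":
                issues.append("SMS-based MFA")
            # Item 3: password expiry should be switched off.
            if row["password_expires"].strip().lower() == "true":
                issues.append("password expiry still enabled")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(f"{user}: {', '.join(issues)}")
```

Running the same check on a fresh export each month gives a short, reviewable list of accounts to remove or fix rather than a one-off clean-up.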

The more difficult items are those that require specific care and focus, and probably a firm like Buchanan Technology to further protect your business, i.e. get cyber professionals to support you. You also need proactive monitoring in place with an external vendor.

Data Encryption: Ensure that all sensitive data is encrypted both in transit and at rest. This means using encryption protocols like TLS for data being transmitted over networks and encrypting storage devices to protect data from unauthorized access.

Access Controls: Implement strict access controls to limit who can access sensitive information. Use role-based access control (RBAC) to assign permissions based on job roles and regularly review access rights to ensure they are up-to-date.

Incident Response Plan: Develop and maintain an incident response plan to quickly address and mitigate the impact of security breaches. This plan should include steps for identifying, containing, eradicating, and recovering from incidents, as well as communication protocols for notifying stakeholders.

Device Management: Utilize a mobile device management (MDM) solution to enforce security policies on all devices used for work purposes. This includes ensuring devices are encrypted, have up-to-date antivirus software, and can be remotely wiped if lost or stolen.

User Awareness Training: Conduct regular cybersecurity training sessions for all employees to raise awareness about common threats like phishing and social engineering. Educate staff on best practices for identifying and responding to suspicious activities to reduce the risk of human error.