I have recently been talking to a couple of smaller companies about cyber security. Cyber security is a hot subject these days and there is a lot of media hype. Business managers are getting worried, especially those working for smaller companies that have little or no IT competency in relation to cyber security.
As cyber security is something that affects us all, I thought it practical to convey some basic advice that anyone should be able to follow.
The best defense is you and your employees. Do not visit suspicious web sites. Be alert when you receive e-mails that you have not directly or indirectly requested. In fact, be very careful with any e-mail that contains attachments, links etc. In most attacks on small businesses the hacker still needs you to make a "deliberate" mistake, such as running an executable file you received or visiting a web site that hosts malicious code. The main exception is an unpatched machine or service that is reachable directly from the Internet, which is why the advice on updates and firewalls below matters just as much.
There is a common belief that anti-virus software will keep you safe. However, in most cases traditional anti-virus is only able to protect you against threats that are already known and have a signature. A new generation of improved anti-virus is coming, but for now the most important thing is to keep your router/firewall, operating system and applications up to date. Make sure you check for updates at regular intervals (at least once a month) and that you apply all available security patches. Do not operate machines running an outdated operating system that no longer receives security updates. If you are still using Windows XP, upgrade to Windows 7 or a newer, still-supported version as soon as possible.
If you are running Windows machines on your network, make sure that the daily users do not have local administrator privileges. Your users will likely complain that this complicates things, but know that users operating continuously with local administrator privileges pose a SERIOUS and MAJOR security risk: any malware they run inherits those privileges. If your users do require local administrator privileges, create an extra account with local administrator privileges that they use only when required (e.g. when installing new applications), never for e-mail or web browsing.
You are probably using a password for a lot of services like e.g. Gmail, social media etc. Always use a different password for each service, so that a leak at one service cannot be reused against the others. Make sure that your passwords are long and complex, especially those used for business-critical services (e.g. banking). Do not use words or phrases that can be looked up in a dictionary, even with digits or symbols tacked on; password-cracking tools try those variations automatically. Use a password manager to store your passwords. LastPass is recommended, but there are other options as well. A good password manager will not only store your passwords, it will also automatically enter login and password when you visit a site, and because it only fills them on the site they were saved for, it will not hand them to a look-alike phishing site.
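To put numbers on "long and complex", here is an added example (not code from the original post): it generates a password from the operating system's secure random source, computes how many bits of entropy different password schemes give, and shows why a dictionary word with the usual disguises is still weak. The wordlist is a constructed sample of a dozen words; a real check would use a full dictionary and a leaked-password list.

```python
import math
import secrets
import string

# Constructed sample wordlist: every word here is one an attacker's
# cracking list would certainly contain.
SAMPLE_WORDLIST = {
    "password", "welcome", "summer", "winter", "company", "letmein",
    "admin", "qwerty", "monkey", "dragon", "football", "iloveyou",
}

# Common "leetspeak" substitutions that cracking tools undo automatically.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy in bits of a password made of `length` symbols, each picked
    uniformly at random from `symbol_count` possibilities."""
    return length * math.log2(symbol_count)


def generate_password(length: int = 16) -> str:
    """Random password using the OS CSPRNG via `secrets` (never random.random)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def looks_like_dictionary_word(password: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True if the password is a dictionary word dressed up with the usual
    tricks: capitalisation, digits/symbols tacked on at either end, leetspeak."""
    core = password.lower().strip(string.digits + string.punctuation)
    core = core.translate(LEET)
    core = "".join(ch for ch in core if ch.isalpha())
    return core in wordlist


if __name__ == "__main__":
    schemes = [
        ("one word from a 100,000-word dictionary", 100_000, 1),
        ("12 random printable ASCII characters", len(PASSWORD_ALPHABET), 12),
        ("5 random words from a 7776-word Diceware list", 7776, 5),
    ]
    for label, symbols, length in schemes:
        print(f"{label}: {entropy_bits(symbols, length):.1f} bits")
    print("generated:", generate_password(16))
    for candidate in ("P@ssw0rd1", "Summer2019!", generate_password(12)):
        print(candidate, "-> dictionary-based:", looks_like_dictionary_word(candidate))
```

A single dictionary word, however disguised, is worth roughly 17 bits; twelve truly random characters are worth roughly 79 bits, which is why a password manager that generates and remembers such strings is so much stronger than anything a person will memorise.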
Make sure that you understand the concept of 2-factor authentication (2FA). You should use 2FA wherever possible. With 2FA, a password alone is not enough to log in: the service also asks for a one-time code from an app on your phone, an SMS or a hardware key. Many services only prompt for the code when you log in from a new device or browser, so once set up it costs very little effort. 2FA is a VERY effective tool to prevent hackers from accessing your mail or social media accounts, because a phished or leaked password is useless to them on its own. It's likely that you are already using 2FA with e.g. your net banking application.
It's good to have a firewall, but it needs to be configured properly. Most entry-level firewalls (routers) used by smaller companies only operate as simple packet filters, configured to let different types of traffic (e.g. web, e-mail, VPN etc.) in and out of your network. The best and safest option is to block all connections coming in from the outside and only allow the connections your own machines initiate. In other words, if you have web servers, it's best to let a hosting company operate and maintain those servers for you rather than opening your own network to the Internet.
You are most likely operating a WiFi network on your premises. If so, make sure that your WiFi is encrypted with WPA2 (or WPA3 where your equipment supports it). Do not write the access code on your whiteboard and do not allow visitors or non-company devices onto the WiFi that is connected to your LAN. If you need to provide "public" WiFi access, create a guest network that is completely isolated from your LAN. If you have more advanced requirements, investigate creating multiple virtual LANs (VLANs). Make sure that the WPS and WAN-side UPnP functions are disabled on your router, especially if your router is an older model.
If you buy stuff on the Internet using a credit card, or if you transmit sensitive information over the Internet, make sure that the connection is encrypted. If the web URL starts with "https" instead of "http", then you are probably OK, but keep in mind that https only means the traffic to that site is encrypted; a phishing site can have https too, so still check that the address is the one you expect. If you are in doubt, or if you use your laptop or mobile on public WiFi, then you should buy and use a VPN client. A good VPN client like e.g. ExpressVPN or NordVPN will ensure that all traffic between your device and the VPN provider is encrypted, so nobody else on the public WiFi can read or tamper with it.
When you have covered the above points, take a moment to map the threat environment relative to your IT environment. Are you mostly concerned with security or privacy? Consider your potential adversaries: who could and would hack you? What are the threats: e.g. viruses, e-mail phishing, ransomware, identity theft etc.? What kind of security have you already implemented: e.g. firewall, anti-virus, 2FA etc.? Which assets do you need to protect: e.g. product blueprints, customer accounts etc.? Mapping the threat environment will teach you a lot, and it tells you where the measures above matter most.
Consult an IT security specialist and get a second opinion on your setup. Even though cyber security might seem complicated, it’s often relatively easy to safeguard the IT environment of a small business. The problem is that many small businesses tend to ignore the concept of cyber security, which is a problem as the consequences can be devastating.
As the manager or owner of a small business it is important to understand that the risk of being hacked has nothing to do with company size, line of business, nationality or anything else. Cyber criminals are well organized, and they send out phishing mails indiscriminately. Likewise, hackers use automated tools that probe random IP addresses on the Internet, regardless of origin or location. Ignoring cyber security is like ignoring the need for insurance of business-critical assets, in an environment where the threat landscape is rapidly evolving both in magnitude and in complexity.
Blog post by Jakob Seedorff, Director of Innovation