Do's And Don'ts Of Cyber Security
October is Cyber Security month! So in keeping with that theme, let's look into some common “Do's” and “Don'ts” of Cyber Security for your business. There are many things to cover as this is such a big topic but we'll give you some basics and link, wherever possible, to other good resources to help you along in this critical topic. Whenever I poll the business community on what topics they want to hear about most, Cyber Security seems to keep coming up as the most requested, so this is my answer to your requests for more on this vital topic for your business.
Have Strong Passwords
I've talked about the importance of a strong login several times in the past and can't stress this point enough. I've even dedicated entire articles to just that one topic alone. thycotic.com's article about the 2017 Verizon Data Breach Investigations Report found that 81% of breaches were from stolen or weak passwords! That means you're 4 times more likely to have a weak or poorly protected password be the point of entry for most hackers (both human and automated). You can read up more on how to make your password strong in my article Cyber Security Basics: The Strong Login.
Have A Clear Security Policy
One of the biggest mistakes businesses can make is to not have a strong or clear policy on Cyber Security, or worse yet, to have none at all! This can lead to people doing all kinds of crazy things that open up massive holes in your company's website, social media accounts and networks that hackers can use to gain access.
Enforce Your Cyber Security Policy and Ensure All Staff Follows it
Another failing, even when a company does have a strong and clear policy, is to not follow it and not require staff to follow it, letting "minor" breaches in security policy go for the sake of "convenience". This is very dangerous, and when a breach does happen, you'll quickly find how much more inconvenient it is to have your whole website or company network down while IT and Cyber Security people fix it up.
In fact, 60% of small and medium sized businesses go out of business within 6 months of a breach. I'd find being out of work more of a hassle than keeping my passwords strong and encrypting that sensitive document could ever be!
Have Preventative Security In Place
Many business owners I talk with still don't know that there is such a thing as a firewall for websites. Even those that do know they exist don't have one for their own website. The reasons they give are varied, but the bottom line is no matter how big or small, how well known or obscure, or how new or old your business is, it can be attacked. In 2016, about 45% of all cyber attacks were directed at small and medium sized businesses.
Many business owners also think a firewall is expensive and only for massive corporations who can afford to spend thousands of dollars a month on cyber security. The truth is there are now many effective but affordable options to protect your website. If you use WordPress, they have a great plugin called WordFence which even has a free version, as well as a paid version. Their paid version only costs a few dollars a month, so even on a very tight budget, there's no reason why you can't afford security for your website.
If you don't use WordPress or need a bit more robust a solution, SiteLock has great solutions like their SiteLock Prevent plan that adds their firewall protection to your site and even this premium protection still only costs about $500 per year! In fact, I use SiteLock to protect this website even now, and have used them since late 2014 when I ran into problems with getting hacked. Once we got the initial hack cleared out, my site has never been hacked again since, despite repeated attempts for many months afterwards.
No business is too small or too new to be hacked. Earlier this year, I was developing a new website for a new start-up. While still working on developing the site, and configuring the WordFence firewall, a hacker managed to get malicious files on to the site! This was a brand new company that hadn't even launched yet and was still completely unknown. Fortunately, WordFence detected the intrusion and warned us of a problem and we were able to fix it up and still get the site launched on time without a hitch. I am so glad I had WordFence installed, even if the firewall was not yet fully operational, otherwise those malicious files could have hidden there for who knows how long, doing who knows how much damage to my client, myself, and our clients.
Clearly Defined Allowed Access Points
This is also known as Network Access Control (NAC) and refers to having a set of systems in place to ensure only devices and users who have permission to access your business network can do so. It also defines what resources they can use, and what conditions they have to meet to be allowed access to those resources.
Essentially, it's the electronic equivalent to having a security guard at the entrance to a restricted area, checking IDs to ensure only those who are allowed access get through and, if their ID checks out, buzzing them through the locked door.
Virtual Private Networks (VPNs) Where Appropriate
If you're working on your business remotely, or have staff that does, this gives you a secure way of doing this, so your data is not in the open for anyone who might be snooping to intercept it and know what they have. Everything in a VPN is encrypted, so unless a snoop has the key, they won't be able to read it; they'll just get garbage.
This is great if you have, for example, sales staff traveling around your country or even internationally, so they can communicate with the main office safely. Or if you have multiple locations that need to communicate securely or share the company network. Or if you run a virtual office with staff located across a wide area.
There are many providers of VPNs and LifeHacker has a great article that goes more in depth on VPNs, and gives recommendations for their top 5 picks for VPN providers.
Strong Encryption Policy to Protect Data
If your business uses a good VPN provider, then you're probably already protected, as long as you have a clear policy about using it for business communications abroad. The key here is to make your data unusable by anyone who might try to steal it. Encryption may not prevent theft, but it will prevent damage from it. However, where it can prevent theft is in protecting login information so a hacker can't just monitor network activity for a valid username and password. The important data is encrypted and not usable without being able to first decrypt it.
Have Strong Detection and Recovery System
Plan On How to Handle an Attack
No matter how well you set up your security, there is always the chance a lucky or determined enough hacker can break in. How do you handle this? The best thing you can do is have contingency plans set up by experienced IT and Cyber Security professionals on how to handle it. Who monitors for problems or threats? What software do you have in place to detect a possible problem and who does it notify? Who does what if a breach is detected? Who looks for signs one might have happened that you don't yet know about? How often do you look? These are some of the questions your plan needs to answer.
Have Scanning Software Such As Anti-Virus
Simply put, Anti-virus scanners are great for this part of your security plans. They'll scan all files on your system for signs that any are malicious or infected, or doing something that seems suspicious and warn you about them. Same holds true for your website. For example, WordFence does regular scans of all files on your web server and warns you if anything looks like it was changed from the developer's official version or any files that look malicious or like they don't belong there.
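The kind of file scan described above can be sketched as a comparison of every file under the web root against a manifest of known-good SHA-256 hashes. This is an added example, not WordFence's code; the manifest layout, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> hash for a known-good copy of the site."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan(root: Path, good: dict) -> dict:
    """Compare the live tree to the manifest and report every difference."""
    live = build_manifest(root)
    return {
        "modified": sorted(f for f in live if f in good and live[f] != good[f]),
        "unexpected": sorted(f for f in live if f not in good),
        "missing": sorted(f for f in good if f not in live),
    }


def demo() -> dict:
    """Constructed sample: a tiny site that changes after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        (root / "login.php").write_text("<?php echo 'login'; ?>")
        (root / "about.php").write_text("<?php echo 'about'; ?>")
        baseline = build_manifest(root)  # taken while the site is known clean

        (root / "login.php").write_text("<?php echo 'login'; /* altered */ ?>")
        (root / "cache.php").write_text("<?php /* file that does not belong */ ?>")
        (root / "about.php").unlink()
        return scan(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the web server itself, so that whoever can write to the site cannot also rewrite the baseline.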
In addition to this, have monitoring software that keeps logs of network access and reports any anomalies, such as a user repeatedly trying to access something they're not allowed to or their access rights being escalated to a higher level. These logs can provide great clues as to whether a breach has occurred, how it might have occurred, and what might have been damaged or accessed during the breach. This is a powerful tool in knowing what you need to do to prevent future attacks from succeeding.
I recommend Kaspersky for your computer/network security solution.
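The log monitoring described in this section comes down to two checks: a user who is denied access repeatedly within a short time, and an account whose role rises. The following is an added example, not taken from any product named on this page; the log layout, the role names and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the "time user event detail" layout is an assumption.
SAMPLE_LOG = """\
2017-10-02T09:00:01 alice ACCESS_OK /shared/sales
2017-10-02T09:01:10 bob ACCESS_DENIED /finance/payroll
2017-10-02T09:01:40 bob ACCESS_DENIED /finance/payroll
2017-10-02T09:02:05 bob ACCESS_DENIED /finance/budget
2017-10-02T09:15:00 carol ACCESS_DENIED /hr/reviews
2017-10-02T09:20:30 dave ROLE_CHANGE staff->admin
2017-10-02T09:25:00 erin ROLE_CHANGE admin->staff
2017-10-02T11:30:00 carol ACCESS_DENIED /hr/reviews
"""

ROLE_RANK = {"guest": 0, "staff": 1, "admin": 2}  # assumed role hierarchy


def parse(log_text):
    """Yield (timestamp, user, event, detail) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            stamp, user, event, detail = parts
            yield datetime.fromisoformat(stamp), user, event, detail


def find_anomalies(log_text, max_denied=3, window=timedelta(minutes=10)):
    """Flag repeated denials inside a time window and any rise in role."""
    denied = defaultdict(list)
    alerts = []
    for stamp, user, event, detail in parse(log_text):
        if event == "ACCESS_DENIED":
            # Keep only this user's denials that are still inside the window.
            recent = [t for t in denied[user] if stamp - t <= window] + [stamp]
            denied[user] = recent
            if len(recent) == max_denied:  # alert once, when the limit is hit
                alerts.append(("repeated_denied", user, stamp.isoformat()))
        elif event == "ROLE_CHANGE":
            old, _, new = detail.partition("->")
            # An unknown new role is ranked highest so it is never missed.
            if ROLE_RANK.get(new, 99) > ROLE_RANK.get(old, 0):
                alerts.append(("privilege_escalation", user, detail))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```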
Plan On How to Find and Patch Security Holes That Allowed Threat Into System
If a hacker got in, there was some flaw in your security they used to get in. So once a hack has happened, your security and event recovery plan has to include finding that flaw and fixing it, otherwise you'll just keep getting hacked again and again. Hackers love a vulnerable system and will put it on their list to keep on attacking, unless you fix up the flaw they used.
Fixing flaws is also a proactive and preventative solution as well. You can run security audits to check for weaknesses and fix them before any hackers get the chance to use them against you. This is a vital part of your security plan and must not be overlooked.
Routine Backups of Data to a Separate Location (not on main hard drive)
Making backups of your data protects you from costly data loss. If a hacker, for example, hits your business with Ransomware, which encrypts all the data stored on your servers, and you have frequent enough backups stored in an unaffected location, you can use those backups to recover your system to the last known good configuration (that from before the Ransomware showed up), and restore most of your data.
Malicious intent is not the only thing regular backups can protect you from. Let's say your server's hard drive crashes, and all data on it is lost. If you have safe backups, you can take the last backup, and restore it to a new hard drive and again limit the loss to only what was added or changed since the last backup.
Backups Stored Securely and Separately From Main Network for Speedy Recovery
What if the worst happens? In the event of a total network failure or fatal breach, these backups can just save your business' life. They give you a fall back point so you can limit how much data you lost during the incident. This holds true whether the incident was a security breach or a catastrophic technical failure.
Think It Can Never Happen to You
As I mentioned before, 45% of all attacks in 2016 were directed at small and medium sized businesses and that number is rising. In 2014 it was more like 36%. I'd expect that number to continue to rise and by 2020 you may even see more than half of all attacks be against smaller businesses.
As I mentioned before, a cyber breach can be devastating to smaller businesses who lack the resources to recover effectively and the resilience to weather the storm when one happens. 60% of all small and medium sized businesses who suffer from a successful cyber attack will go out of business within 6 months of the attack.
Have No Policy or Plan In Place
This is sadly all too common among even larger businesses, and is a major cause of security breaches occurring, and a major cause in delays in detecting breaches too. This also causes panic in businesses who have no plan, and don't know what to do once the worst has happened and they've been hacked.
Ignore Security Policies or Let Violations Slide
Not following your security plan or letting violations go is another common mistake many businesses make. Security policies are there for a very good reason, to protect you, your company and your job from being lost due to hackers doing enough damage to take your company down.
Have Weak Passwords
Surprisingly enough some of the most popular passwords are still, to this day, things like “password”, “admin”, *YourUserName*, or some minor variation of these. Such passwords are among the first things an attacker will try and give you no protection at all!
Another common mistake is to use the same password across multiple different accounts. This means if someone manages to guess or steal one password, they've gotten several, or even all of your passwords. This again defeats the whole purpose of having passwords.
This leaves you vulnerable to so many things: a technical failure, a severe hack or security breach, a fire or other physical damage to your hardware. Any of these and other things can cause you to lose all your data. Without those backups you just lost everything!
Store Your Backups On the Same Device Your Normal Data Is Stored On.
Almost as bad is keeping backups, but on the same device as the original data is stored on. If that device gets hacked, or fails, chances are you've just lost your backups too. Not much help there when you lose your backups to the same event that cost you your main data.
Leave Old User Accounts Belonging to Former Staff Active
This is another common mistake: an employee leaves the company – quits, gets fired or is laid off. The company does nothing with that employee's old user account. That employee can just log in as if they still work for you and access your data, upload files and so on. That employee can give their login to someone else who now has access to your files or website. A hacker can attack those old, inactive accounts and use them to gain access. There are so many holes these old accounts open up in your system that the simple act of deleting or disabling them would prevent.
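One way to catch the leftover accounts described above is to compare the list of login accounts against the current staff list on a schedule. This is an added example, not part of the original article; the field names, the 90-day idle limit and all sample records are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a real system's export.
CURRENT_STAFF = {"alice", "bob", "carol"}
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2017, 10, 1)},
    {"user": "bob",   "enabled": True,  "last_login": date(2017, 5, 2)},
    {"user": "dave",  "enabled": True,  "last_login": date(2017, 9, 28)},
    {"user": "erin",  "enabled": False, "last_login": date(2016, 12, 1)},
    {"user": "carol", "enabled": True,  "last_login": None},
]


def audit_accounts(accounts, current_staff, today, max_idle_days=90):
    """Return (user, action) pairs for accounts that need attention."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, so nobody can log in with it
        if acct["user"] not in current_staff:
            # Highest priority: a working login with no current owner.
            findings.append((acct["user"], "disable: owner no longer on staff"))
        elif acct["last_login"] is None:
            findings.append((acct["user"], "review: account never used"))
        elif (today - acct["last_login"]).days > max_idle_days:
            findings.append((acct["user"], "review: idle beyond limit"))
    return findings


if __name__ == "__main__":
    for user, action in audit_accounts(ACCOUNTS, CURRENT_STAFF, date(2017, 10, 15)):
        print(f"{user}: {action}")
```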
Have No Security Software
This is not so common for computers any more, but is still quite common for websites. Still, there is this myth that just because you use Apple products or Linux or something, that this somehow makes you magically impervious to being hacked. That's just not true. There are hacks, exploits and malicious software designed specifically to attack these systems, and as they become more and more popular, more and more hackers are attacking them. No matter what hardware or system you use, put security on it!
Ignore a Successful Attack Once It Has Happened
This is rare, but I have seen companies who show all the symptoms of being hacked, yet they do nothing, and insist they are not hacked. I've even run into 1 or 2 web hosting companies where I have identified active exploits and informed them of this and they did nothing about them, leaving themselves and all their customers exposed to the risk. I'm not a hacker by any means, and if I could with about a few hours of research and effort find them and get to the point I could have hacked them if I wanted to, then you can be sure the experts know all about it and can hack those hosts any time they want.
If your website is hacked, for example, leaving it hacked is not only bad for business (word will get out sooner or later); it is also your ethical responsibility to clean it up so nobody else gets hacked because you ignored the situation.
Think If You Just "Clean Up the Mess" That You're Now Safe
This one comes mainly from lack of knowledge of how cyber security works and how hackers operate. The simple fact is, as soon as a hacker finds a vulnerable network or website, they'll add it to the list of hot targets and their automated hacker programs will run against that site again and again. They'll keep attacking it for a long time to come as it's now been flagged in their community as hackable. Easy targets are generally what most hackers want, since the modern hackers are most commonly in it for the money. So something that takes hours or even months of intensive work to break into isn't worth it for the potential gains, unless the organization is huge and there are potentially millions of dollars in stolen data if they can get in. For your average small or medium business, if your site's reasonably well defended, it'll be more trouble than it's worth for the money motivated hackers.
Leave Sensitive Information In Plain Text Especially When Sending
This is another common mistake. People just assume that if you text or email something to another person, that the only one who can get that info is the one you sent it to. That's not true. There is a specific type of attack called a “Man In The Middle” attack where a hacker monitors data being sent for anything of value, such as confidential information, logins (username and password pairs) and anything else they might be able to use for their advantage.
If you know any other “Do's” or “Don'ts” or have any stories to tell of your own experiences I'd love to hear about them in the comments. If you have any questions, I'd love to hear about them in the comments.