Cybersecurity Checklist

Did you know?

  • 1 in 5 small businesses will suffer a breach this year
  • 81% of breaches happen to small and medium-sized businesses
  • 97% of breaches were preventable

Perform a Security Assessment

The first step is to determine where you are right now. An assessment of your existing services, accounts, access controls, security configurations, user account permissions, and more gives you a starting point: a baseline against which you can compare future assessments. That comparison shows whether your changes met your security goals.

Email

Secure your email by choosing a service that is designed to reduce spam and filter attacks aimed at tricking your staff into revealing information or granting hackers unwanted access. Stay away from email accounts that anyone can create, e.g., Gmail. I could create fakename.business@gmail.com, or follow whatever naming convention you use for your AOL, Gmail, Hotmail, Xfinity, etc. email addresses, and pose as a new employee, intercepting sensitive data. Use your own domain name; if you don’t have one, purchase one and create your inboxes from there.

Passwords

Have a companywide password policy to hold staff accountable. While this may create a sense of distrust between your staff and you, explain that everyone, including you, must play their part in maintaining excellent security practices. Remember, if one person is careless with their password, the result could be a door-closing event. Set system policies so that passwords must meet requirements, USB storage is disabled, screens time out, and user access is limited to only what is required for each role.

Security Awareness

Train your staff, and make it a habit! Teach data security, email attacks, and social engineering, and explain your policies and procedures.

Multi-Factor Authentication

Use MFA! It is also known as Two-Factor Authentication, or 2FA. If a service you use offers it, use it. This is available for banking websites, social media, network access, and more. MFA requires another step after you provide your username and password: you must also prove who you are by entering a PIN code generated by an authenticator app on your phone, or a PIN from a text message you receive after you enter your credentials but before you are fully logged in.
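How the phone and the service arrive at the same PIN without talking to each other, shown as an added example that is not part of the original checklist: it implements time-based one-time passwords (TOTP, RFC 6238), the standard most authenticator apps use, and does not cover text-message PINs. The secret is the RFC's published test key, and the function names totp and verify are chosen here for illustration.

```python
import hashlib
import hmac
import struct

# RFC 6238's published test key, used so the output can be checked against
# the RFC. A real secret is random, unique per user, shared once at enrollment.
RFC_TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing `at` (Unix seconds), HMAC-SHA1 variant."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: float, last_used: int = -1,
           step: int = 30, drift: int = 1, digits: int = 6):
    """Service-side check: return the accepted time-step counter, or None.

    Tolerates `drift` steps of clock skew, compares in constant time, and
    refuses any step at or before `last_used` so a captured code cannot be
    replayed.
    """
    now = int(at) // step
    for counter in range(max(0, now - drift), now + drift + 1):
        if counter <= last_used:
            continue
        expected = totp(secret, counter * step, step, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter  # caller stores this as the new last_used
    return None


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)  # what the phone displays at t=59s
    print(code, verify(RFC_TEST_SECRET, code, 59))
    print(verify(RFC_TEST_SECRET, code, 59, last_used=1, drift=0))  # replay
```

Because the code depends on the current time step and a secret that never leaves the phone or the service, a stolen password alone is not enough to log in, and a code that has already been used is refused.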

Endpoint Detection and Response

Protect your devices with the latest advanced security software. Traditional anti-virus protection is not enough to protect against malware and ransomware, as well as fileless and script-based attacks. Some products can even roll back your files to their state before ransomware encrypted them.

Updates

Keep your operating system (OS, such as Windows or macOS) up to date. Turn on automatic updates. Also keep all installed software and apps on your devices, including smartphones, up to date. Hackers can exploit outdated software and apps, even if the rest of your device is up to date. Perhaps you didn’t download the latest Adobe update, and hackers found a way in through a vulnerability that hasn’t been patched yet.

Dark Web Research

Use a service to scan the dark web for your credentials and banking information. If any data comes back as a match, it means your credentials or banking information were compromised and posted for sale on the dark web.

Web Security

Use a cloud-based security service that detects web and email threats as they emerge on the internet and blocks them on your network in seconds, before they reach you.

Mobile Device Security

As we have heard this month, FluBot malware has made it from Europe to the United States, targeting Android phone users by sending a seemingly harmless text. Unfortunately, this will become more common as hackers begin to count on users to neglect securing their mobile devices or to act more carefree at home on their personal devices than on their work computers.

Firewall

Intrusion detection and prevention should be enabled, and log files should be sent to a SIEM.

Encryption

Wherever possible, apply encryption to files at rest, in motion, and on mobile devices.

Backup

Data located on your premises (on-prem) should be backed up to the cloud. Data that exists only in the cloud should be backed up to a second cloud service. Back up often, on an automatic schedule. In the event of a ransomware attack, you can opt not to pay the ransom and recover your data from these backups. Or, in the event a device or file storage location is suddenly damaged, you can spin up a new device, pull down your data, and continue business as usual at a moment’s notice.

Insurance

If all else fails, protect income for you and your staff by insuring your business with cyber damage and recovery policies. This will help pay legal costs in the event contacts you do business with seek compensation, because an event this big will likely impact or even compromise all of your customers, suppliers, and partners.

Contact us today to get started!