The cyber security challenge faced by SMBs is multi-faceted: they’re under-resourced, there’s a cyber-skills shortage, and they have an increasingly distributed workforce that is complicating the digital infrastructure. The problems can seem overwhelming to many SMBs. Like any alarming situation, two things inevitably happen… fight or flight. And for many SMBs, running away from the problem just seems easier than figuring out how to fight back.
We get it. As we were preparing to write this article, research revealed that there are nearly 70 acronyms related to cyber security alone. Then there are terms that seem determined to confuse users: Man-in-the-Middle (MitM) attacks, SQL Injections, Zero-Day Exploits.
For many, it’s like trying to decipher a foreign language. I mean, how can you be expected to take measures to protect yourself and your business data, if you don’t even understand what the ever-changing threats are, much less how to prevent them? We like to say, How do you eat an elephant? One bite at a time.
Let’s keep it simple. How about implementing one security measure every week for the next eight weeks? By doing so, two months from now you’ll be a cybersecurity ninja. Let’s call this plan of action: Cyber Thursdays. Every Thursday morning, for the next 8 weeks, you’ll tackle one of these cybersecurity tasks…
WEEK 1 – Implement Routine Backups
Backups protect against human errors, hardware failure, virus attacks, power failures, and natural disasters. Backups can help save time and money if these failures occur.
According to excerpts from an article by Norton, they wrote, “A data backup is a copy or archive of the important information stored on your devices such as a computer, phone, or tablet, and it’s used to restore that original information in the event of a data loss.
Data losses can occur in many forms, from hard drive failures to ransomware attacks and even human error or physical theft. No matter the misfortune, a data backup could be the respite you’re looking for to restore the data on your devices. It’s typically stored in a secure, separate location from an original device, such as the cloud.
The main reason for a data backup is to have a secure archive of your important information, whether that’s classified documents for your business or treasured photos of your family, so that you can restore your device quickly and seamlessly in the event of data loss.
Still, 30 percent of people have never backed up their devices. This might not seem like a lot — until you put it in perspective with how often data is lost:
- 113 phones are lost or stolen every minute. (World Backup Day)
- It is estimated that ransomware attacks a business every 14 seconds. (Cybercrime Magazine)
- 1 in 10 computers are infected with viruses each month. (World Backup Day)
- Laptops are stolen every 53 seconds in the U.S. (Kensington)
- Over 70 million cell phones are lost each year. (Kensington)
So, think of a data backup as the bedrock of your digital disaster recovery plan. By backing up your devices, you’re already one step ahead of any cyber threats that might result in data loss.
It’s worth noting, however, that data loss isn’t always the result of cyber threats. It can also be the case that your external hard drive or computer wear out and you lose your data. That’s just the nature of any piece of hardware, and backing up your data can help you restore it on a new device.”
Adaptive’s Pro Tip: Never store all of your data on a single device. We suggest you use cloud storage exclusively. External drives can be lost, stolen, or damaged. Also, store the information in multiple locations: Dropbox, Google Drive, and OneDrive are great options, as they backup in real-time.
WEEK 2 – Ways You Can Prevent Cyber Attacks
In excerpts from an article by SBA.Gov, they wrote, “Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.
According to a recent SBA survey, 88% of small business owners felt their business was vulnerable to a cyber-attack. Yet many businesses can’t afford professional IT solutions, [they] have limited time to devote to cybersecurity, or they don’t know where to begin.
The first step in improving your cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements. A cybersecurity risk assessment can identify where a business is vulnerable, and help you create a plan of action—which should include user training, guidance on securing email platforms, and advice on protecting the business’s information assets.
There’s no substitute for dedicated IT support—whether an employee or external consultant—but businesses of more limited means can still take measures to improve their cybersecurity.
Cybersecurity best practices
Train your employees
Employees and emails are a leading cause of data breaches for small businesses because they are a direct path into your systems. Training employees on basic internet best practices can go a long way in preventing cyber-attacks. The Department of Homeland Security’s “Stop.Think.Connect” campaign offers training and other materials.
Training topics to cover include:
- Spotting a phishing email
- Using good browsing practices
- Avoiding suspicious downloads
- Creating strong passwords
- Protecting sensitive customer and vendor information
- Maintaining good cyber hygiene
Use antivirus software and keep it updated
Make sure each of your business’s computers is equipped with antivirus software, [anti-malware], and antispyware and updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.
Secure your networks
Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router.
Use strong passwords
Using strong passwords is an easy way to improve your cybersecurity. Be sure to use different passwords for your different accounts. A strong password includes:
- 10 characters or more
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
Multifactor authentication requires additional information (e.g., a security code sent to your phone) to log in. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
Protect sensitive data and back up the rest
Secure payment processing
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.
Control physical access
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.”
Adaptive’s Pro Tip: Any device connected to the internet is at risk – Desktops, Laptops, Cell Phones, and Tablets. In addition to the latest Anti-Virus/Malware/Spyware protection (which aren’t enough), deploy Endpoint Detection and Response software that continuously looks for and mitigates threats.
WEEK 3 – Add a VPN to ALL of Your Devices
According to excerpts from an article by Forbes, they wrote, “When people hear the term ‘virtual private network,’ they often believe it’s something too high-tech for the average user and there’s no reason why they should use a VPN. But this isn’t actually true; a VPN can benefit large companies and individuals alike. Traveling and using public wifi, transmitting sensitive information, or even just perusing entertainment options on Netflix are all activities that can be done more safely through the use of a VPN.
VPN software protects your information by masking your device’s IP address, encrypting your data, and routing it through secure networks to servers in faraway states or even other countries. In doing so it hides your online identity, ensuring that you are able to browse the Internet securely and anonymously.
9 Reasons Why You Should Use a VPN
1. Security on Public Wi-Fi
Public Wi-Fi is convenient but comes at the expense of security. When you’re answering emails at a local coffee shop or absent-mindedly scrolling through social media at the airport, someone may be tracking your online activity.
Using a VPN protects your data while you are on other networks, hiding your browsing history, banking information, account passwords, and more from ill-intentioned internet strangers.
2. Data Privacy From Your Internet Service Provider
While connected to your home Wi-Fi, you are less likely to be attacked by strangers than on a public connection. However, your data is still vulnerable.
Your ISP or internet service provider—Comcast, Spectrum, Verizon, or other company who you pay for Wi-Fi each month—can access all your internet data. Your ISP can see when, where, and how you browse.
This data can be collected and sold to advertisers even if you’re using the “private” browsing function, and it can be dangerous in the wrong hands in the case of a data breach. A VPN can help obscure your IP address from your own ISP.
3. Data Privacy From the Apps and Services You Use
Your ISP isn’t the only potential liability that you’ve brought into your own home. Unfortunately, many of our favorite apps and internet services—most notably Facebook—have been called out for the way they’ve used the data of their users.
A VPN will prevent apps and websites from attributing your behavior to your computer’s IP address. It can also limit the collection of your location and browser history.
4. Data Privacy From Your Government
While many ISPs, apps, and internet data hubs suggest they don’t sell your browsing data to governments, the information nonetheless finds its way into their hands.
As recently as January of this year, the Defense Intelligence Agency bypassed a law demanding that government agencies produce warrants before compelling phone companies for their user data by paying third-party data brokers for that same data, according to the New York Times.
If you have qualms about governmental overreach, a VPN is a good investment in protecting your data.
5. Access to Any Content in Any Place
While Hulu may frown upon your use of a VPN to stream the latest Criminal Minds episode in a country where the content isn’t offered, this VPN usage is not illegal (in the U.S. and in most countries), and it helps provide a useful workaround to content restrictions.
VPNs spoof your location, making it seem as if you are browsing from another place. That means you can get your Criminal Minds fix even if it’s not available locally.
6. Security When Working Remotely
One benefit of a VPN is its data encryption features. Encryption, or putting data into a coded format so its meaning is obscured, allows you to keep confidential information safe.
If you are an individual thinking about investing in a VPN for your company, one benefit is that workers can connect to your office network and look at sensitive materials on their own devices while away from the office. As remote work seems a possibility even after the pandemic ends, a VPN is a helpful investment to keep confidential material safe off-site.
7. Easy to Use
While we’d all love to add more security to our lives, some security devices and processes seem like more effort than they are worth for those who are tech adverse. VPNs, however, are easy to use. Several providers have created intuitive and user-friendly interfaces that make installation and use available to non-techies.
8. Adaptable to Numerous Smart Devices
While many of us may first try a VPN on a company-loaned laptop, many VPN services also protect other smart devices such as your phones, tablets, and desktop computers. Each VPN company may offer slightly different protection plans and have different capacities to protect different devices, but many providers offer plans that help keep you safe on multiple devices.
9. Smart Savings
If you are willing to put in a little research, a VPN can help you save money via its location spoofing capabilities. Many types of businesses, such as subscription services and airlines, offer the same amenities or products for different prices. If you change the appearance of your location to a place where services are offered cheaper, you can end up with big savings.
Adaptive’s Pro Tip: A VPN (like ExpressVPN) encrypts data so that it cannot be compromised during a cyber-attack. They’re also useful for hiding your location, IP address, browsing activity, and personal data. NEVER use public WiFi without turning on your VPN, as 50% of public WiFi’s are not encrypted. Make a habit of checking that your VPN is connected before you engage.
WEEK 4 – Start Using 2 Factor Authentication
In excerpts from an article by Heimdal Security, they wrote, “Two-factor authentication, also called multiple-factor or multiple-step verification, is an authentication mechanism used to double-check that your identity is legitimate.
How Does Two-Factor Authentication Work?
When you want to sign in to your account, you are prompted to authenticate with a username and a password – that’s the first verification layer. Two-factor authentication works as an extra step in the process, a second security layer, that will reconfirm your identity.
Its purpose is to make attackers’ life harder and reduce fraud risks. If you already follow basic password security measures, two-factor authentication will make it even more difficult for cybercriminals to breach your account.
However, you shouldn’t expect it to work like a magic wand that will miraculously bulletproof your accounts. It can’t keep the bad guys away forever, but it does reduce their chance to succeed.
What Are Authentication Factors?
There are 4 main categories of authentication factors:
1. Something that you know – This could be a password, a PIN code, or an answer to a secret question.
2. Something that you have – This is always related to a physical device, such as a token, a mobile phone, a SIM, a USB stick, a key fob, an ID card.
3. Something that you are – This is a biological factor, such as face or voice recognition, fingerprint, DNA, handwriting, or retina scan.
4. Time and location factors can also be used. For example, if you log into your account and someone tries to log in from a different country 10 minutes later, the system could automatically block them.
Why Should I Activate Two-Factor Authentication?
Passwords on their own aren’t as infallible as we need them to be. Cyber attackers have the power to test billions of passwords combinations in a second.
Answers to security questions are also easy to find out, especially now that we are willingly sharing all the details about our lives on social networks and blogs. Anyone that interacts with us on a daily basis can find out the answers to common security questions, such as the graduation year, the city that you grew up in, or our first pet’s name.
Even if you don’t give these out in your Facebook profile, some can be found through public records, available for anyone who cares to look.
This is where two-factor authentication comes in handy.
It will offer you an extra layer of protection, besides passwords. It’s hard for cybercriminals to get the second authentication factor, they would have to be much closer to you. This drastically reduces their chances of success.
Adaptive’s Pro Tip: 2FA is essential to security because it neutralizes the risks of compromised passwords. 2FA should be activated for everything from sign-ins to your email and bank accounts to online transactions – including PayPal. It’s not complicated. You can use any combination of biometrics, passwords, pushed codes, etc. It’s can feel like a hassle at first, but you’ll adjust quickly.
WEEK 5 – Use Unique Passwords on Every Device AND Platform
In excerpts from f-secure, they wrote, “Even if you come up with a highly complex password that is virtually impossible for anyone else to guess, the safety of your account to online services is at risk if you use that same password for each account.
For example, if hackers gain access to the login details for one of the services that you use, they can then use that information to access any of your other online accounts where you have used the same password. Using a unique password for each account means that even in the event of a data breach in one of the services you use, your other accounts are not at risk.”
In an article by Wired, they wrote, “Password managers are the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For seven years running that’s been “123456” and “password”—the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.
Now that so many people are working from home, outside the office intranet, the number of passwords you need may have significantly increased. The safest (if craziest) way to store them is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding.
That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our faulty, overworked memories.
A password manager offers convenience and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks.”
Adaptive’s Pro Tip: Create strong passwords for EVERY device (yes, including cell phones) and platform that you sign into. Never reuse a password. The key to making this work is by downloading password management software (PMS) – like Keeper or LastPass – onto every device. You’ll only have to remember one password, the one that logs into the PMS. The software remembers the rest of them. You can also use these platforms to store other sensitive data.
WEEK 6 – Why You MUST Separate Business and Personal Data
According to excerpts from an article by CDS, they wrote, “Cybersecurity is a growing challenge for all businesses. In today’s work-from-home climate, there are a whole new set of obstacles and challenges. Added flexibility for workers is a great thing, however, the temptation for remote workers to mix business and personal computing can lead to significant cybersecurity risks and other issues.
The Problem With Personal Stuff on Business Devices
It’s not uncommon for employees to put their personal data and apps on business computers, smartphones, and tablets. However, this can be problematic for both employer and employee.
Allowing your employees to use business devices for personal activities could potentially make the company more susceptible to leaks or security issues. For example, social media sites and especially the links shared therein are often plagued with clickbait and sketchy advertisements.
For employees: Mixing personal and professional also means there is no clear separation of ownership. Personal data stored on a business device may be subject to corporate policy, which may not be desirable if, say, you as the employee have a hobby as a photographer and want to sell your photos online. You don’t want the company “owning” your personal photos!
Furthermore, there may not be any way to ensure that your personal data is completely private or protected from colleagues or management.
Basically, if you store personal stuff on a company device or access personal accounts on a company device or network, you should assume that other people will see your activity to at least some degree. And rightfully so—companies may be liable for activities that involve their devices, therefore it’s their prerogative to monitor and ensure that activity.
Personal activities, such as browsing social media and online shopping, create an increased risk of a cybersecurity event. Using a business device for personal browsing exposes data, networks, and other devices to unnecessary risk. This is also true of performing business tasks on devices used for personal activities.
The Problem with Business Stuff on Personal Devices
Having business data on personal devices is even more problematic than personal data on business devices. First and foremost, business data is more difficult—if not impossible—for the company to protect if it is on an insecure, unmonitored personal device.
First, personal devices and networks aren’t generally subject to corporate security policies. They can be potentially accessed by family, guests, or even rivals or business competitors. You could also suffer a serious data breach or erasure, where an employee could potentially overwrite or delete an important document or spreadsheet by accident.
Mixing business and personal computing lead to a general breakdown of accountability.
Utilize device management software
Companies can issue mobile devices with mobile device management (MDM) software and prohibit the use of personal devices for business purposes altogether.
For example, you can use Microsoft Intune, which is part of Microsoft Endpoint Manager. Microsoft Intune offers mobile device and operating system management with cloud-based administration. It is available for phones, tablets, and computers, and is included in certain versions of Microsoft 365. Per device licensing is also available.
Set up secure business networks and separate guest networks
For clients and customers visiting the office, your company should provide a separate “guest” network, fully disconnected from the company network and restricted.
Employees should never connect personal devices to a network used for business data. The company IT department may not be able to support every personal device or make sure devices like cellphones are secure and free from viruses, spyware, and malware.
Instead, your company can provide a segmented, fully isolated “guest” network and encourage employees (and other visitors) to use that for their personal smartphones, tablets, or laptops.
Having too many devices on a business network can lead to bandwidth and performance issues anyway, so there’s sound reasoning behind segmentation even beyond the cybersecurity implications!
Ensure remote workers have access to and are educated on using remote desktop and VPN
Remote work creates additional challenges for business cybersecurity. Workers may be tempted to just use their personal computers in their comfy, nicely decorated home offices, however, this can still lead to problems.
If users are allowed to use personal devices, they at least need to ensure they are connected to the company network via VPN. This will help obfuscate activity from other devices on the home network and provide a more secure connection to company resources.
When possible, users should be encouraged to use remote desktop (or RDP). Using RDP, users can connect directly to their in-office computers as if they are sitting at their desks at work. Ending the RDP session disconnects them from the work computer and its resources.”
Adaptive’s Pro Tip: Whether mobile devices – cellphones, tablets, and laptops – are business or employee-owned, there should be a separation between business and personal data, including apps, files, email accounts, contacts, etc. You can also use “secure folders” or “locker” functions.
WEEK 7 – Develop Cyber Security and Contingency Plans
Cyber Security: In excerpts from an article by PurpleSec, they wrote, “ Many businesses have begun to realize the risk cyber attacks pose on their operations, reputation, and revenues.
While pouring investments into security controls like monitoring tools, multifactor authentication, security awareness, and other security best practices have their merits, a truly secure business has a sound cyber security strategy in place with a well-defined pathway to address future security requirements.
In short, there are 8 steps to planning out your cyber security strategy including…
- Conduct A Security Risk Assessment
- Set Your Security Goals
- Evaluate Your Technology
- Select A Security Framework
- Review Security Policies
- Create A Risk Management Plan
- Implement Your Security Strategy
- Evaluate Your Security Strategy
The goals of the security strategy typically do not change very often, since they should align closely with the goals of the business, however, the threat landscape changes quite often. It is imperative that the strategy be revisited to determine if any gaps exist in the program. An annual review is a generally accepted review period.”
Contingency Plans: According to excerpts from an article by TechTarget, they wrote, “Before 2020, contingency planning and crisis management were mostly academic exercises. Disasters, shutdowns, and breaches happened, but many companies seemed to hum along for decades only addressing these matters when they arose.
Now, if you think everything is OK, just wait 15 minutes. We have entered an age of continuous events that confound our ability to operate, and we face new threats that impact our enterprise security on a daily basis.
In cybersecurity, contingency planning has traditionally focused on full-scale disasters and was generally connected to mandatory check-the-box regulatory compliance requirements. Big breaches and occasional act-of-God disruptions were feared but rare, isolated, and difficult to prepare for. However, with recent global events and a changing threat landscape, we’ve checked off three squares on the Armageddon Bingo Card in the last year alone with disasters that have had a lingering impact on almost every business on the planet:
- power grid disruption
- civil unrest
As a result, things have changed. Security is adjusting to new threats and vulnerabilities, manifested across expanding attack surfaces, and all with long-term implications.”
Adaptive’s Pro Tip: Establish a partnership with a cybersecurity expert before a cyberattack occurs. Ensure that your team members know the importance of constantly maintaining cyber security best practices and have a set of clearly defined rules to follow.
In the event of an attack, a cybersecurity contingency plan provides instructions to recover data in the event of a security breach, disaster, or system disruption. This plan should include a hard copy of relevant contact information for external parties, such as clients, financial institutions, legal counsel, insurance providers, etc.
WEEK 8 – Clean Up Your Devices
In excerpts from an article by ociso, they wrote, “A good digital spring cleaning can help keep your devices and information safe and secure year-round. It can also help improve the speed and performance of the devices and services that you use. It also reduces the risk that a hacker could access old information that you’ve forgotten about.
Here are a few tips for refreshing, renewing, and reinvigorating your cyber life:
1. Review your online accounts.
- Delete any you no longer use.
- Remove information in any of your accounts that isn’t needed anymore, such as saved credit cards or old documents in cloud storage.
2. Update your devices.
- Update the apps and operating system on all Internet-connected devices – including PCs, smartphones, tablets, home wifi routers, smart TVs, and other internet-connected devices that can be updated – to reduce risks from malware and infections.
- Delete unused apps.
3. Tune-up web browsers.
- Check your browser settings. Clear out old data, such as stored passwords and old autofill information, and ensure your browser is NOT set to store passwords.
- Delete unused browsers.
4. Purge old digital files.
- Clean out your old email, files, and downloads. Always empty the trash when you’re done.
- Unsubscribe from newsletters, email alerts, and mailing lists you no longer read.
5. Lockdown your login.
- Use a password, passcode, fingerprint, or facial recognition to log into all of your devices. Enable the strongest authentication tools available.
- Turn on multi-factor authentication ‒ also known as two-step verification or two-factor authentication ‒ on critical accounts like email, banking, and social media where available. Learn more by visiting https://stopthinkconnect.org/campaigns/lock-down-your-login
- Take an inventory of your passwords. Are they all long and strong? Change any that aren’t.
- Use a unique password for each account.
- Consider using a password manager to store and protect your passwords.
6. Refresh your online presence.
- Review and update your online profiles on social media sites.
- Review your privacy and security settings on social media sites and other sites you use. Set them at your comfort level for sharing.
- Delete old photos, posts, etc. that are embarrassing or no longer represent who you are.
- Review friends on social networks and contacts on phones and other devices. Does everyone still belong?
- Actively manage your location services, Bluetooth, microphone, and camera – making sure apps use them appropriately.
7. Back up your files.
- Make a complete backup of important files. Copy important data to a secure cloud site, another computer, or an external hard drive where it can be safely stored. Password-protect backup drives.
- Back up your files before disposing of a device.
- Be sure you can restore the files from your backup; a backup that you can’t use isn’t very helpful!
- Keep security requirements in mind if you make your own backups of work files. Contact your IT specialist for assistance.
Adaptive’s Pro Tip: Remove documents, files, programs, downloads, browser extensions, temporary internet files, and applications that are no longer needed. Also, delete all passwords and credit card information that are stored on websites and in search engines, such as Google. Don’t forget to clean up your bookmarks, move large files (like photos and videos) to the cloud, clear browser cache, history & cookies, and empty your spam, trash, and recycling bins. Restart your device(s).
At Adaptive Office Solutions, cyber security is our specialty. When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime.
To schedule your Cyber Security Risk Review, call the Adaptive Office Solution service hotline at 506-624-9480 or email us at email@example.com