The good news is that there are some things that you can do starting today to protect your information, your client data and build cyber resilience. No security solution, product, or process is 100%. But these 5 simple steps will bring you closer to “Fort Knox.”
Train your employees (and yourself)
You may be aware of the risks to your business, but your employees may not. They may also not realize the consequences of that risk. One concept is to personalize the risk. If your employees learn how to protect themselves at home (including the 5 steps here), they will bring those habits into work.
In our businesses, we need to communicate with the outside world: clients, prospects, suppliers, and partners. That includes email, chat, voicemail, text message, video, and more. These tools are fantastic, and most businesses couldn’t function without them. However, they are also the source of our most significant risk. Phishing is the act of sending a message to trick or lure the recipient into taking an action that they wouldn’t otherwise take. It’s a specific type of social engineering, or “human hacking.” Although most phishing still arrives by email, attackers increasingly use other channels as our email filters get better. Nearly 90% of breaches or other incidents start from a successful phish.
The FBI calls business email compromise (BEC), or impersonation attacks, one of the most financially damaging online crimes. Essentially, the criminal sends an email that appears to come from a known source. The message makes a seemingly legitimate request, such as a vendor changing bank accounts or the CEO or a department head making a purchase request. Ensure that you have a protocol for verifying these requests through a different form of communication than the one the request arrived on.
Think before you click (and then don’t click)
Your bank will never send you a link to log into, and they aren’t going to ask you to reset your password over email. Contact the bank directly or type out the bank website address manually. Similarly, you may get a link to download a file or an attachment that asks you to “Enable Content” to view the secure information. Please don’t do this! Hackers frequently use this tactic to get you to launch malicious software hidden in that PDF or Excel spreadsheet.
Similarly, you may be asked for your password to retrieve the document. Check the website. There is a good chance it’s not a legitimate site, and they are trying to harvest your login credentials.
Create policies around the approved use of your technology, and seek guidance from peers and human resources when putting them together.
Train your employees (and yourself) to be aware of the risks around them, and develop policies for your employees on how to use technology.
Who are you? Protecting your identity
Although we hear about identity theft related to credit cards and social security numbers, business login credentials are also high on that list. As more business solutions move to cloud applications, our login credentials become a primary target. We access these critical systems using a username (or email) and password.
The problem is that passwords are frequently shared, reused, and stored insecurely, making them ripe for attack. Unless you are a savant, creating and remembering unique random passwords across all your websites and services is impossible. Get a solid, reputable password manager to generate and store a unique random password for each application. If you do not have to remember it, you will not have to write it down. And if any one of them is compromised, you only need to deal with that one website.
Get a reputable password manager
The reality of passwords is that they are easily phished or compromised. A token-based login, where you approve the login from a phone or enter a code from a token, is commonly known as multifactor authentication (MFA) and is recommended. It significantly diminishes the risk of damage from a credential/password-based compromise. And if you are using a password manager, make sure you use MFA with your password manager.
Use Multifactor Authentication wherever it is available
Also, limit what each identity has access to (authorization). You may be the business owner and should have access to everything at your company, whether it’s services or accounts. However, your daily account should not also double as the Global Administrator for your Office 365 domain. Create a separate account just for admin use. Yes, it’s a little bit of a pain to log off and back on. However, if your daily account gets compromised, you only risk your information and not the entire company. Similarly, set up separate administrator accounts for software installations (if you allow individuals to do this at your company) to minimize the risk of a virus infecting the entire computer.
Do not use your everyday account for administration
Your backup is only helpful if you can use it
Putting files in an online file share is not a backup, and neither is the USB drive that you are copying files to every other week. You should automate your backup, which should occur at least once a day, encrypt the data from visibility, and transfer it to at least two places. Without these steps, you aren’t doing enough to protect yourself.
Besides the fact that malicious software can (and does) destroy your data, you and your employees are human and make mistakes. We’ve all deleted that file that we needed later or accidentally moved it and can’t find it. Your backup protects you from Acts of God or Acts of Humans.
Unless you are testing your backup by doing periodic restores, it is useless. Ransomware (a malicious program that scrambles your data and holds it hostage, asking for a ransom payment to unlock it) first started making the rounds several years ago.
We had two companies that were affected at nearly the same time. One was a client where we detected the incident, cleaned it up, and recovered the lost data within 30 minutes. The other was not a client and found out the hard way that their backups had not been working for two years. The only way to ensure your backups are working is to do test restores. It will give you an idea of how long it would take in case of a real emergency, and you’ll feel better. Trust me.
Get a Secure Backup Solution and Test it Regularly!
Update all the things
Humans write software. And humans make mistakes.
Whether the flaw is in the design or the implementation, there are bugs in the code. Some bugs cause crashes and prevent you from getting your work done. However, some bugs or flaws result in the software turning against you, giving others a back door into your data or the ability to use your systems to attack others. As a result, our systems get patched and updated all the time. Yes, it may not be convenient to reboot your computer every couple of weeks for the updates to apply. Do it anyway, even if your computer is so slow that it takes an hour to reboot. Do it at the end of the day, and your computer will be up to date and patched for the next business day.
Don’t forget your other items too.
On your computer, we all use software including Office, web browsers like Chrome and Firefox (or my favorite, Brave), Adobe Acrobat, and more. All of these bring flaws to the game as well. Your computer provider will also have drivers and firmware. These are not usually updated automatically, so you may have to run the vendor’s update tool to get them patched. Get them up to date. They will not only plug the holes, but they will probably run better too. Your web browser will show an arrow pointing up or an Update indication in the corner. All you have to do is close your browser (yes, all your tabs, too) and reopen it. Other devices on the network should also have their software updated, including printers, routers, firewalls, network switches, and yes, your Amazon Alexa. Make sure they are getting updates too.
Keep your Computer, Software, Drivers, and Firmware Up to Date
Protecting your devices
There is a piece of software that we haven’t discussed: antivirus. Most computers come with basic antivirus built in. These applications use an old detection style, matching the program or code running against an ever-growing list of known harmful software (signatures). The problem is that new malicious applications come out all the time, and it’s difficult for the antivirus companies and our operating system vendors to keep building signatures for them. Next-generation endpoint protection software adds some additional capabilities.
These Endpoint Detection and Response (EDR) solutions bring another level of protection to your devices. In addition, in this hybrid remote/workplace world, EDR can provide better protection against unknown threats, frequently called zero-day threats, through its use of artificial intelligence. Add a human element by having these managed by a security team, and you have an even better level of protection.
Two other solutions that are a little more technical are worth mentioning here as well. The first is an application allow-listing system. Application allow-listing solutions prevent any application from accessing the internet, or even running, unless you explicitly allow it. These systems can be challenging to maintain, so they sometimes require a technical expert. The second is a solution that has been evolving but now goes by the name of SASE (pronounced like “sassy”), or Secure Access Service Edge. These solutions build a secure connection from your computer to a centralized but distributed security layer that checks all the activity. From there, it decides what systems or data you and your computer should be able to access. It’s a great way to protect access to both your office (replacing traditional VPNs, or virtual private networks) and your cloud resources such as Office 365 and Salesforce.
Get an Advanced Endpoint Protection solution (or solutions) that protects against unknown threats and can identify malicious network activity
The most important next step is to take action
Although there are things that you can do yourself, if you’re not a Cybersecurity or IT expert, a lot of this can seem very time-consuming and complicated.
We completely get that.
However, it is very much a worthwhile investment of your time and energy.
If you feel it is not something that you can do justice to, it is wise to bring in the experts. A great cybersecurity-focused IT support provider that focuses on asset managers should be more than willing to help you. A great technology support partner will get it all done for you without you having to prompt them.
To be frank, the things we’ve talked about here are just the basics you should be doing to cover yourself. Think of it as brushing and flossing.
You should also have someone to monitor and maintain your devices and network to identify and solve most issues before you even notice them. And someone who can make sure you’re using all the right tools and software to optimize security and staff productivity. Often, it’s unrealistic to have a full-time employee on your team to do this work for you.
Fortunately, partnering up is a superior alternative in most cases.
Not only do you get support when you need it and benefit from all the above, but you also get access to a whole array of expertise. If you don’t already have a plan in place to help keep your business protected from cyber-attack, I hope you can see how vital it is. And if you do have a plan, perhaps it’s time to revisit it and make sure it’s still effective in this ever-evolving world of cybersecurity and cyber-crime.