Comprehensive Guide to Cybersecurity
For Small To Medium Businesses
What is Cyber Security And How Does It Apply To My Business?
Have you noticed the constant news headlines about cyber attacks and online tracking and thought:
Is my computer infected with malware?
You might be surprised to know that it’s not uncommon for computers to have some amount of malware or trojan software on them. The chances are even higher when you have a series of computers sharing a physical or virtual network.
In today’s digital landscape, small businesses are becoming an ever-increasing target for cyber criminals and scammers alike. From data breaches to phishing attempts and even ransomware attacks, business owners are finding it a challenge to keep up with the numerous updates required to keep their operations safe from these cyber crimes.
This comprehensive guide takes aim at some of the most common methods used by cyber criminals and the cybersecurity experts that aim to thwart them. Here we will answer some of the most frequent questions that small to medium business owners ask, and break down a few technical terms into easily understood concepts.
Why Would Anyone Want To Hack Me?
It could be for a variety of reasons. You might be targeted with a ransomware attack and demands for a payment to return your sensitive data to you. Or perhaps someone in your company inadvertently gives the hackers a back door into your CRM which allows them to exploit your database to sell your customer information on the dark web. Of course, the threat could be something more direct. If a bad actor was able to gain access to your online banking, they could essentially send your money to themselves through a complex scheme that made it untraceable and irreversible. The simple answer is your private data is worth a lot on the open market or in the wrong hands.
Why Do Cyber Criminals Target Small and Medium sized businesses?
In the ever escalating arms race of cyber security and cyber criminals, more businesses have taken measures to protect their networks and operations. So while the high value targets continue to attract the more enhanced cyber attacks, the less sophisticated hackers go after increasingly softer targets. Essentially, they don’t need to rob a single bank for a million dollars, when they can easily rob a million users of 10-100 dollars each.
The reality is that most small businesses need to take further steps to enhance their networks, devices, and security protocols if they want to remain relatively safe from malicious interference.
How can I protect myself and my business from Hackers and Cyber Attacks?
The good news is, there are many simple solutions and policies you can put into place to protect yourself from Cyber Attacks, Hackers, and illicit Data Mining operations. The level of cyber security required in most cases is in proportion to the value of your data and sensitive operations.
As a business owner, you don’t have to match the cyber security of the US government or Fortune 500 companies, just to keep your banking and customer details from falling into the wrong hands. Then again, if you have nationwide offices with a large customer database or detailed inventory management, you wouldn’t want to rely on basic software aimed at the average home computer user, because you are a bigger target. Essentially, your level of cyber security and protection should be in proportion to the assets worth protecting and the size of your operations.
With that in mind, let’s look at some of the ways that hackers and cyber criminals commonly exploit businesses.
Topics and FAQs:
Password Protection and Two Factor Authentication
Weak passwords are an invitation for disaster. Some of the most common passwords are “123456”, “Password” and “Admin”. Hackers and cyber criminals love it when you use a weak password, because even though they have access to sophisticated software to crack passwords, they will always check for these default passwords first.
“I have a strong password and I use it for everything!”
Another common problem is using the same password for multiple sites or software. Even if your password game is strong, that doesn’t mean that you’re protected. The servers of large organizations get compromised from time to time, so if your password is exposed, malicious actors will try using that same password on other sites or networks you have access to. Once access has been gained to one account, it becomes easier to gain access to all of the user accounts in your organization. Therefore it’s important to have unique, strong passwords, other countermeasures, and compartmentalized access.
How Do I Create A Strong Password?
Let’s start with the basics.
Don’t use your pet’s name, kid’s name, birthday or anything else that would be easy to find out about you.
Create a password that is 8-12 characters long at a minimum.
Use a combo of uppercase and lowercase letters, numbers, and special characters.
Change your password often. Every 2 weeks is ideal, but monthly is better than yearly.
Don’t allow old passwords to be reused.
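The rules above can be enforced automatically at password-change time. The following checker is an added example, not code from the original guide; the common-password list, the personal terms and the reuse history it takes are constructed inputs, and a real deployment would use a full breached-password list.

```python
import hashlib
import re
import secrets

# Constructed shortlist of the default passwords the guide names plus a few
# other well-known ones; a real deployment would use a large breached list.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 8  # the guide's "8-12 characters at a minimum"


def hash_password(password, salt=None):
    """Salted PBKDF2 digest so a reuse history never stores plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def was_used_before(password, history):
    """True if the candidate matches any stored (salt, digest) pair."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if secrets.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, personal_terms=(), history=()):
    """Apply the guide's rules; returns a list of violations (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a common/default password")
    has_all_classes = all(
        re.search(pattern, password)
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if not has_all_classes:
        problems.append("needs uppercase, lowercase, digits and special characters")
    # Pet's name, child's name, birthday etc. are supplied by the caller as terms.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in password.lower():
            problems.append(f"contains personal detail '{term}'")
    if was_used_before(password, history):
        problems.append("was used before")
    return problems
```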
Is A Strong Password Enough To Keep Me Safe?
While a strong password is your first line of defense in most settings, it’s advisable to use a “belt and suspenders” approach when it comes to keeping your business safe from corporate spies and cyber criminals. In addition to a strong password, we recommend you also add one or more layers of additional security. Some examples of this could include:
Multi-factor Authentication
The use of single-use tokens is a good example of 2 factor authentication. Having to get a one-time code sent to a different device or platform creates an extra layer of protection. Most of us are already familiar with doing this for things like online banking or logging into our email from a different computer.
Password Encryption
Strong passwords are only as secure as the route they travel on between servers. When data is encrypted, it gets jumbled into nonsense until it arrives at the intended destination. The computer on the other end holds the encryption key and can easily decipher the data and take the appropriate action. A simplified analogy of this is like school children passing notes in class that have been written in a coded language. If the teacher catches them and tries to read the note, it’s meaningless. Of course modern day encryption is very advanced and even the encoding is randomized to ensure security.
Use of Passphrases and Security Questions
In addition to a single password, adding a secondary passphrase or set of predetermined security questions can create robust access controls. Passphrases are easier for humans to remember because they can be a single line of text. This could be anywhere from 10 to 20 words and written as a sentence. It’s good to choose a passphrase that isn’t obvious and even nonsensical, as it will be harder to guess.
Likewise with security questions, it’s best to not choose easy to guess answers or simple facts that anyone could find out while combing social media or public records. You can also give false or humorous answers to security questions as long as you will remember what you entered when setting them up.
Example: Q: What is your favorite vacation destination?
A: Jupiter
GONE PHISHING
What is Phishing?
Most of us have experienced some type of phishing by now. The classic example is an email from a “Nigerian Prince” wanting to send you money. Recently it’s more common to get annoying text messages saying “Your Amazon order of $1000 for a new iPhone needs to be approved.”
Now you know you didn’t order an iPhone so your first inclination might be to open the message and press “cancel”. However, you have just unknowingly entered a scammer’s web. Obviously, the correct action would be to log into your real Amazon account (on a device that you trust) and look at your account history. If you don’t see anything suspicious, then you can rest assured that the message was fake and you don’t need to take any further action. Of course, you can reset your Amazon password just to be safe.
That example of phishing is something that happens countless times each day, and sadly some people do fall victim to it. When it comes to phishing attacks on Small to Medium Enterprises (SMEs), it can be a bit more complex and harder to spot. Let’s look at some other examples.
We’ve Detected Suspicious Activity On Your Account!
“Please log in and confirm if this was you, or reset your password if you think your account has been hacked.”
Most of us will get a sinking feeling when we read something like that in a message. Our heart naturally drops and we feel that we must act fast to put a stop to whatever activity is happening before something truly awful happens. That’s pretty normal and that is what the hackers are counting on.
When you see a seemingly convincing email or message like that, you’re less likely to stop and look at the sender’s info. If you think that someone on the other side of the world is reportedly trying to access your account, you probably won’t hesitate to hit the button that says “Secure My Account”.
However, you will most likely be redirected to a look alike site that asks you to confirm your username and password, and then set a new password. Only later will you find out that you have unknowingly just given the hackers your real username and password. Like the Amazon scam, this happens millions of times each day.
What’s the difference between Phishing and Spear Phishing?
Like the name would suggest, Spear Phishing is more targeted at one individual or organization, compared to putting out a lot of “bait” and waiting for someone to bite. In a Spear Phishing attack, the cyber criminals have done their research on their target. They may have collected data by doing an extensive search of social media profiles for the employees of a company, or even posed as a legitimate potential customer to learn the names and procedures of a business.
From this they can create real looking internal emails that appear to come from one employee to another to not arouse any suspicion. As busy people in a work environment, we naturally drop our guard a bit when we see a message from someone we know well. If your boss sends you an email with an attachment, you’re far more likely to open it without a second thought. By the time you figure out that your computer isn’t working right or the attachment doesn’t seem to be opening like it should, it’s usually too late to stop the virus that may be spreading to every database on the company's internal server.
How Do I Protect My Business From Phishing Attacks?
Education Is The Key!
The example shown in these images is a typical Spear Phishing attack. It looks like a real Microsoft Teams request from a coworker you know about a real-sounding company project. Sometimes there are obvious spelling errors, but when these are done well, they’re quite believable.
The correct action would be to message the sender directly and confirm that they did indeed send you a request or file before clicking anywhere. Logging into your team's account through the normal process is another good practice rather than entering your password after following a link.
When evaluating a message, pay close attention to the sender's details and the links being sent. While it’s easy to make something look legit visually, the technical aspects are more difficult to fudge.
Here is another example of a fraudulent link:
www.secure_vendor_account.com/paypal-admin
This is just something we have created to show how you might think this is coming from PayPal. It’s important to educate yourself and your employees about how a URL is structured.
Buttons Are Tempting To Click!
We have all become so used to the buttons that say “More Info” or “Click Here”, that we don’t even stop to ask: Where is “Here”?
Did you know that a link can be written one way but actually go somewhere completely different? It’s actually very easy to do!
Most desktop browsers, such as Chrome, Edge, or Safari will show a destination in the lower left side of our screens when we hover over a link or a button. If you don’t see this you can copy the link. Then in a notepad or new browser window, paste the link but DON’T actually open it. This will allow you to examine the full link to determine if it actually looks like the destination you expected and if it seems safe. Of course if you’re still not sure, contact your company's cyber security expert before doing anything else.
If you are ‘flying solo’ you can try using a few of these resources to check out links or files that you are unsure of. While these tools can be helpful, they are no substitution for a dedicated cyber security consultant or anti-virus software and firewalls.
Virus Total: https://www.virustotal.com/gui/home/upload
URL Void: https://www.urlvoid.com/
PhishTank: https://phishtank.org/
Google Safe Browsing: This is something you can enable in Chrome and other Google products such as Gmail: Learn more about this in your browser / app settings, or by visiting their site: https://safebrowsing.google.com/
Anatomy of a URL: (using a fraudulent link example)
http://www.secure.vendor_account.com/paypal-admin?user_id=12345
The first part is called the protocol. Most of the time it will end with the letter “S”, which stands for ‘Secure’. This doesn’t necessarily mean that the site is to be trusted; it just means that the site is less likely to leak sensitive data as it passes it to the next server.
If you see HTTP:// and not HTTPS:// that means it is not secure and you should NOT enter any information on that site or page.
When we see www.example.com, “example” is called the domain. You should pay close attention to the domain (and subdomain) names. This is a good way to spot an imposter URL.
There can be subdomains, which come before the domain and are separated from it with a period, like this: www.sub-domain.example.com. So if you see an email from secure-vendor.paypal.com, that is most likely from the official PayPal company. However, if it says “secure.vendor_account-paypal.com”, that is a different domain, and PayPal probably does not even own it.
The difference is in the dots versus the dashes and underscores.
Next we have the extension (also called the top-level domain). This is the “.com” part of our example URL. Some common extensions you see every day are “.com”, “.org”, “.net”, “.edu” and “.gov”.
Within the last decade, many more extensions have been created because domain names that were in demand were already taken. While this has been great for businesses trying to get a memorable domain name, it’s also been helpful to hackers trying to fool people into thinking they are going to a site they know. If you are used to going to www.example.com you might not think anything was wrong with clicking on www.example.net. Especially if it looked identical when your browser opened that page.
Country specific extensions are also common and some examples are:
.uk (United Kingdom)
.de (Germany)
.us (United States)
.fr (France)
.ru (Russia)
.in (India)
.cn (China)
Statistically speaking, links that end in .ru, .cn, and .in account for a higher percentage of phishing attempts and scams than other country extensions. However, we want to acknowledge that many legitimate businesses have domains with those country specific extensions and also that the majority of cyber criminals looking to fool unsuspecting victims will use a popular extension that users are more familiar with such as .com, .org, and .net.
That said, if you’re already unsure of a link AND it ends in one of these three, we would consider that to be a red flag and urge you to consult your cyber security expert or IT department before deciding what to do next.
Everything that comes after the extension (and a forward slash “/”) is a path to a directory (or folder) on the site's server. This is typically something like www.example.com/about-us, which would probably take you to the “About Us” page of a company, but there is no rule that the path or ‘slug’ must be accurately labeled. There can also be “parent” and “child” pages.
This is just a way of organizing paths and may look like this: www.example.com/about-us/ceo-john-doe or www.example.com/about-us/#ceo-john-doe. This link will take you to the CEO’s page or the CEO’s section of the About Us page.
This is important to keep in mind. Just because you see a familiar word in a URL, like “Paypal” from our earlier example, it doesn’t mean anything if it comes AFTER the domain and extension.
Finally we have Parameters. These are the items that come after the path and begin with the “?” and are separated by the “&” symbols.
These are variables that tell the target page some information being passed on to that page. A good example of this is if you see an ad with a cute tank top in 3 different colors, and you click on the blue one, you would then be directed to the page featuring the blue version of that item. www.example.com/products/shirts/?shirt_style=tank-top&color=blue
Simply put, if you hover over a link and see a very long set of parameters, this means that the page you land on is receiving some data about you or where you are being redirected from. This can be normal, but it can also be used in a targeted Spear Phishing attempt.
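The anatomy walk-through above (protocol, subdomain, domain, extension, path, parameters) and the earlier point that a link's visible text can differ from its real destination can both be turned into a small triage script. This is an added example and not part of the original guide; the two-label extension list and the brand names are constructed assumptions, and a real tool would load the full Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed shortlist of two-label extensions; a real tool would load the
# full Public Suffix List so that "example.co.uk" is split correctly.
TWO_LABEL_EXTENSIONS = {"co.uk", "org.uk", "com.au", "co.in", "com.cn"}

# The three country extensions the guide treats as a red flag when already in doubt.
WATCHED_EXTENSIONS = {"ru", "cn", "in"}


def split_host(host):
    """Split a hostname into (subdomain, domain, extension) as the guide defines them."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_EXTENSIONS:
        return ".".join(labels[:-3]), labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return ".".join(labels[:-2]), labels[-2], labels[-1]
    return "", labels[0], ""


def anatomy(url):
    """Break a link into the parts discussed above (protocol, domain, path, parameters)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    subdomain, domain, extension = split_host(parts.hostname or "")
    return {
        "protocol": parts.scheme.lower(),
        "subdomain": subdomain,
        "domain": domain,
        "extension": extension,
        "path": parts.path,
        "query": parts.query,
        "parameters": parse_qs(parts.query),
    }


def triage(url, brands=("paypal", "amazon", "microsoft")):
    """Return the warnings a reader should weigh before clicking; empty means nothing stood out."""
    a = anatomy(url)
    warnings = []
    if a["protocol"] != "https":
        warnings.append("not HTTPS: do not enter any information on this page")
    for brand in brands:
        # A familiar name only counts when it IS the domain, not a subdomain or path.
        if brand in url.lower() and a["domain"] != brand:
            warnings.append(f"'{brand}' appears in the link but the domain is '{a['domain']}'")
    if a["extension"] in WATCHED_EXTENSIONS:
        warnings.append(f"ends in .{a['extension']}: a red flag if you are already unsure")
    if len(a["query"]) > 80:
        warnings.append("long parameter string: the page is being told something about you")
    return warnings


def _looks_like_url(text):
    """Only compare link text that itself names a site (not 'Click here.')."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.strip(), re.I) is not None


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text names a different domain than the real destination."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [
        (href, text)
        for href, text in collector.links
        if _looks_like_url(text) and anatomy(text)["domain"] != anatomy(href)["domain"]
    ]
```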
How To Safely Copy A Link
To do this on a PC you can right-click and look for “copy link” or something similar.
On a Mac, you hold the Command button and click the link. Then a menu will appear and you can copy the link location.
On most (non Apple) mobile devices if you press and hold on a button or link for a few seconds, you should see the option to copy the link location or target.
On iPhones it’s slightly different. Try pressing and holding on the link or button and then swiping up slightly without taking your thumb off the screen. This should open a menu allowing you to copy the link without going there.
Obviously we can’t cover all browsers, devices, or operating systems so you should try this first with links you know are safe.
Can Filters Keep Me Safe From Phishing And Other Threats?
Yes, filters can be a great way to keep you and your employees from ever seeing potentially malicious emails and websites! That said, your filters need to be updated regularly to adapt to an ever evolving cyber security landscape. Unfortunately there is no catch-all solution to keeping you from being the target of a phishing or malicious attack because cyber criminals are constantly trying new ways to exploit vulnerabilities. So while a good filter system works well, you will need to keep it updated to match the ever changing tactics of online bad actors.
What Is Required To Keep My Data Safe?
If you have a reputable cyber security expert or dedicated IT department, you can rest assured that you only need to follow their direction and advice.
However the reality is that most small to medium enterprises either don’t have the budget for full time professionals like this on their payroll, or they simply don’t recognize the need for them and consider this an unnecessary expense. If you’re curious what a cyber security professional would even do for your business, let’s cover some of that here.
Keeping Your Software Updated With The Latest Security Patches
Most business operations are focused on their day to day routines. They’re not constantly thinking about digital boogeymen hiding in the shadows of the dark web. To be fair, that’s how it should be. At the same time, the people looking to exploit your vulnerabilities don’t seem to take any vacation days. As soon as one weakness has been identified in any given software, the people looking to gain access to your data start working on a way to use it. That is why we see updates and patches constantly being released for everything from operating systems to our social media apps. On average these updates get pushed out every month or so, but the reality is that developers are constantly playing this game of cat and mouse with their shady counterparts.
Don’t Hesitate: Just Update!
As soon as new patches are released, your IT department or cyber expert should be grabbing these patches and updates and installing them when they become available. Of course it’s not always as simple as clicking the “Update and Restart” button that you might see on your laptop's operating system.
Some updates require a backup to be created first, and others need to be applied sequentially, partially, or may not even apply to your specific situation. This is where a deeper understanding of the update notes and other technical details can be beneficial.
The best practice is to partner with a cyber security expert that constantly updates your filters and software to block the recently discovered tactics of hackers and scammers. These patches and updates will help to ensure that you are not a soft target for malicious activities. Fortunately just like in the physical world, cyber criminals are often lazy. If they see the doors are locked and their intended victim is using cameras plus an alarm system, they are more likely to move on to an easier target. To them it is simply a numbers game when evaluating effort and risk vs potential rewards.
Don’t make it easy for cyber criminals.
Keep your systems Patched and Updated!
Network Security
How Secure Is My Network?
The phrase “A chain is only as strong as its weakest link” also applies to network security. Far too often, network admins set up a flat network for ease of installation and maintenance. Sometimes, they intend to circle back and make upgrades to increase security measures. However, when a period of time passes and there don’t appear to be any threats, the mentality of “Don’t fix it, if it isn’t broken” comes into play and these systems get left in the basic configuration.
Let’s assume your network was configured properly when it was set up. When we assess network security we often ask the following questions:
Are your firewalls being maintained and patched on a regular basis?
Is your Anti-Virus software up to date with the latest signatures?
Do you have a segmented network to compartmentalize potential threats?
Is there a “Guest Wi-Fi” in place that is separate from your internal traffic?
Have you created user roles with appropriate access for different people?
How often is your data backed up to multiple sites?
How you answer these questions can help to determine your level of exposure to anything from data leaks, to hacking, ransomware, or corporate spies.
User permission levels
When possible, cyber attackers will target the highest permission levels. After all, if they can get a “master key”, then they can gain access to every other user's data in the organization. Once they have extracted everything they want, they can effectively take over the system and lock everyone else out.
Having a tiered or hierarchical approach to user permissions is a sign of a healthy network. This simple security measure can protect you from system intrusions, whether internal or external. Appropriate user permissions also keep your most important data closely guarded and accessed by only a handful of people, which allows senior management to keep tabs on which files are being accessed and by whom.
Storage Backups:
Back It Up BEFORE You Need It!
How Often Should I Backup My Data?
This concept is as old as the written language, and yet as busy people with full lives, we don’t think about duplicate data storage. That is, until disaster strikes and it’s too late! Don’t feel bad about this, we are all guilty of being complacent about this and the reality is that almost every single person will suffer through some lost data eventually. This can be from malicious activity like a cyber attack, but it also happens from physical theft of devices or even disasters, both natural and man made.
If you care about your files, and we know you do, an automated backup process to redundant devices and cloud storage is imperative. There are several methods and levels of data backup processes that your IT professional can help you to choose from.
The important things to keep in mind are this:
The backup process needs to happen on an automated schedule.
You can’t rely on a person to complete the backups with the certainty that an automated process will provide. This process can also be scheduled for off business hours when system resources are more available and files aren’t being edited.
You can’t rely on a single backup.
If one storage device becomes infected, corrupted, or otherwise compromised you’re skating on thin ice if you only have a single backup. If malicious programs infect your main computers, they may have already been saved to your initial backup as well. For this reason we always suggest a multi-staged backup procedure. In the worst case scenario, you might lose a few days worth of work but your second backup will be free of the infectious code and you will be able to recover faster than if everything was lost.
Out of Sight, but not out of Touch!
Having at least one off site backup is important too. We sometimes call this the “cloud”, but all this really means is remote storage. Depending on your storage needs, resources, and operations there are many options when it comes to choosing a remote storage option. Some will be paid services and maintained by a 3rd party, while other organizations will invest in the hardware to create their own remote storage.
This peace of mind is important because, as we mentioned earlier, the loss of data doesn’t always happen from remote attacks. Fires, floods, and in-person theft or damage can be just as devastating to a small business. If you only have one or two backups but they are at the same location, a disaster could wipe everything out at the same time.
Backups Can Be As Simple As Hard Drives
Or As Secure As Off Site Cloud Storage…
Malware And Ransomware
Malware is a general term for software or a piece of code that was not intended to be on your devices or is performing actions that are not in your best interest. Some Malware is harmful to system resources or even causes irreversible damage. At the same time, there are other types of Malware that perform more benign actions, such as the tracking software built into many apps and programs. This topic gets complex and nuanced to the degree that opinions will vary depending on who you ask, and volumes could be devoted to the subject at large.
Ransomware is a particularly nasty form of Malware that no business is truly safe from. That said, let’s look at what it does and how we can reduce our exposure to Ransomware.
What Is A Ransomware attack?
In technical terms, most Ransomware is data encryption that users cannot decrypt without the secret key, which is held by the cyber criminals. There are several variations on the style and methods of ransomware attacks, but typically the hackers will infiltrate a single computer (preferably the host) and any other devices connected to its network. Once they have access, they will install their code or run it remotely to encrypt all of the user's data. When that is complete they will send a demand for payment to provide the user with a decryption key so the files become accessible again. That’s why the term “Ransom” is used. Unlike a traditional kidnapping or theft, the files never actually leave the user's device. The data just becomes unusable until it can be decrypted.
Am I The Target Of A Ransomware Attack?
Most small to medium enterprises assume that they’re safe from such malicious cyber crimes as a Ransomware attack. However, as larger enterprises continue to strengthen their own networks and harden their defenses, small businesses have increasingly become the targets of these types of attacks. While the ransom demands are generally smaller, the sheer volume of victims and the ease of access to their systems make them valuable targets for cyber criminals. Like we said earlier, you can rob one bank for a million dollars or a million people for 100 dollars.
Will My Backup Keep Me Safe From A Ransomware Attack?
Yes and No.
If you’re using a multi-pronged approach to data backup, you may not suffer any permanent losses from a Ransomware attack. However, many intrusions go unnoticed for a period of time, and this gives the hackers the opportunity to encrypt your backups as well.
This is one reason that backup processes can be staged to create a separate daily, weekly, and monthly backup so if a data loss occurs due to malware, a previous version of the data is free from the infectious code. Some malware may also compromise the physical hardware you use. If you have to replace 10 or 100 computers, that expense could be a financial hardship for most SME’s.
Lost time and a damaged reputation aren’t so easily recovered. Regardless of the data and hardware being backed up or insured, business operations are likely to come to a grinding halt during a ransomware attack. Additionally, any reputation management expert will tell you that customers whose data has potentially been exposed during a security breach such as this will, at the very least, be hesitant to continue doing business with the organization that failed to safeguard their information. In some cases lawsuits have even been filed for negligence against the company that was itself the victim of the ransomware attack. Talk about being kicked when you’re down!
Should I Pay The Ransom To Get My Data Back?
If you’ve been the victim of a Ransomware attack, it might be tempting to just pay the cyber criminals to quickly get back to normal with no long term damage. There have been large fortune 500 companies that have begrudgingly paid this ransom in the past. After all, it's not uncommon for these large enterprises to have an insurance policy in place to cover this situation.
The amount demanded can vary widely. Home PC users have been charged $500-1000, while business ransoms can be in the thousands or even millions depending on the size of the company and the data that was encrypted. However, paying the ransom is no guarantee that things will work out as promised by the cyber hijackers.
How Do I Protect Myself From Ransomware?
Many of the principles we have laid out in this guide apply to this exact situation. While there is no one-size-fits-all solution, or a bulletproof approach, there are some ways to mitigate your risk. The best way to protect yourself is to stop the intrusion altogether. One way of doing this is of course with firewalls and anti-virus software, but adding Intrusion Prevention and Intrusion Detection Systems (IPS and IDS) is ideal for stopping outsiders from gaining access to your systems and data.
Layers Of Protection
Going back to that ‘Belt and Suspenders’ approach we mentioned earlier, a layered approach to security is helpful in protecting yourself from Ransomware attacks. Adding more than one firewall system and filters at different levels will help ensure that if some malicious code gets past one of them, it may be caught and killed by another.
The Threat From Within
Up to this point we have mostly discussed these mysterious cyber criminals hiding in the shadows of the dark web just waiting to pounce on unsuspecting businesses. Don’t assume that all of these internet bogeymen are acting on their own from the other side of the world. Many times they need help to get past your defenses. This can happen with help in the form of an insider who intentionally or unintentionally leaves the door open to a cyber attack.
Who Can I Trust To Keep Me Safe From Online Threats?
The Best Solution:
Educate, Regulate, & Report
Always E.R.R. On The Side Of Caution!
The last thing we want to do is arouse your suspicion to the point that Roger in Accounting gets fired for logging into his work computer from home. Our goal is not to spread unreasonable fears that everyone is out to get you. That said, the existence of bad actors harming their own company's network is not without precedent. The reasonable thing to do is Educate everyone within the company, Regulate your network with strong policies, and develop a culture of Reporting suspicious activity or hacking attempts.
How to Spot Suspicious Activity In The Network
The best way to spot an insider threat is to think like one. What data or systems are important to your company or would be worth something in the wrong hands? Without performing an analysis, we can’t answer that specific question for you. We can, however, talk about some generalizations to keep an eye out for.
Careless Mistakes
Network Nanny
Every office has a routine, which makes anomalies in network activity easier to spot. Of course there will be times when people need to work late or answer emails on the weekend. A lower-level employee looking at files containing intellectual property, on the other hand, is a red flag worth investigating.
At the very least, managers and admins should have a way of monitoring everyone’s digital activity. Many cybersecurity products for small businesses offer real-time reporting. These programs have an automated system which raises the alarm and notifies senior admins when certain criteria are met. It might be a legitimate activity, a silly mistake, or someone probing the security guardrails. Regardless, it’s better to address these things in near real time, either to prevent a mishap or simply to reaffirm the policies.
Working Late Again?
Most people can’t wait to clock out for the day and go home. When someone starts working late or on weekends for no apparent reason, it could be a sign of suspicious behavior. Maybe they’re just trying to earn a promotion, or maybe they have some unscrupulous activities planned which require a lack of oversight. Unsupervised employees have in the past logged into admin devices, which gave them access to sensitive data with relative secrecy, because the network logs only show the account that accessed the data, not the person at the keyboard.
Guess again!
When someone is attempting to log into an area that they don’t normally have access to, it’s common for them to make several attempts before they succeed. That’s why a lot of password-protected systems limit the number of failed tries allowed before a lockout mechanism is triggered. A smart hacker will know about this limit and make one attempt fewer than the maximum in a given period, then wait for the cooldown period to pass and try again. Counting failed attempts over a longer window than the lockout timer, rather than only within it, reveals this pattern, and it should be noted and reported for further action.
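The monitoring rules described above (after-hours activity, a lower-level account reading intellectual property, and a login pattern that stays just under the lockout limit) can be expressed as a few checks over an audit log. The following is an added example, not code from the original guide or from any particular product. The log format, the working hours, the lockout policy of five failures in fifteen minutes, the "slow" threshold of ten failures in a day, and the sensitive path prefixes are all assumptions for illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy knobs (assumed values for this example)
WORK_HOURS = range(8, 19)              # 08:00 to 18:59 counts as normal hours
LOCKOUT_LIMIT = 5                      # failures within LOCKOUT_WINDOW trigger a lockout
LOCKOUT_WINDOW = timedelta(minutes=15)
SLOW_LIMIT = 10                        # failures within SLOW_WINDOW that never hit the lockout
SLOW_WINDOW = timedelta(hours=24)
SENSITIVE_PATHS = {                    # path prefix -> roles that may legitimately read it
    "/ip/": {"admin", "engineering"},
    "/finance/": {"admin", "finance"},
}

# Constructed sample audit log; not taken from any real system.
# mallory fails four times, pauses past the lockout window, and repeats: never five in 15 minutes.
SAMPLE_LOG = """\
2024-03-11T09:02:11 user=rsmith role=finance action=login result=ok
2024-03-11T09:05:40 user=rsmith role=finance action=file_read resource=/finance/q1_invoices.xlsx result=ok
2024-03-11T10:00:00 user=admin1 role=admin action=file_read resource=/ip/designs/v2.cad result=ok
2024-03-11T22:14:05 user=jdoe role=staff action=file_read resource=/ip/designs/v2.cad result=ok
2024-03-11T13:00:00 user=mallory role=staff action=login result=fail
2024-03-11T13:01:00 user=mallory role=staff action=login result=fail
2024-03-11T13:02:00 user=mallory role=staff action=login result=fail
2024-03-11T13:03:00 user=mallory role=staff action=login result=fail
2024-03-11T13:20:00 user=mallory role=staff action=login result=fail
2024-03-11T13:21:00 user=mallory role=staff action=login result=fail
2024-03-11T13:22:00 user=mallory role=staff action=login result=fail
2024-03-11T13:23:00 user=mallory role=staff action=login result=fail
2024-03-11T13:40:00 user=mallory role=staff action=login result=fail
2024-03-11T13:41:00 user=mallory role=staff action=login result=fail
2024-03-11T13:42:00 user=mallory role=staff action=login result=fail
2024-03-11T13:43:00 user=mallory role=staff action=login result=fail
2024-03-11T13:44:00 user=mallory role=staff action=login result=ok
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(stamp)}
        for f in fields:
            key, _, value = f.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def after_hours(events):
    """Any activity on a weekend or outside WORK_HOURS."""
    return [("after_hours", ev["user"], ev["ts"].isoformat())
            for ev in events
            if ev["ts"].weekday() >= 5 or ev["ts"].hour not in WORK_HOURS]


def sensitive_access(events):
    """A sensitive path read by a role that is not on its allow list."""
    alerts = []
    for ev in events:
        resource = ev.get("resource", "")
        for prefix, roles in SENSITIVE_PATHS.items():
            if resource.startswith(prefix) and ev["role"] not in roles:
                alerts.append(("sensitive_access", ev["user"], ev["ts"].isoformat()))
    return alerts


def lockout_evasion(events):
    """Many failures over a long window while never reaching the lockout limit in a short one."""
    fails = defaultdict(list)
    for ev in events:
        if ev.get("action") == "login" and ev.get("result") == "fail":
            fails[ev["user"]].append(ev["ts"])
    alerts = []
    for user, stamps in fails.items():
        stamps.sort()
        peak, start = 0, 0
        for i, t in enumerate(stamps):           # sliding window of LOCKOUT_WINDOW
            while t - stamps[start] >= LOCKOUT_WINDOW:
                start += 1
            peak = max(peak, i - start + 1)
        cutoff = stamps[-1] - SLOW_WINDOW
        slow_count = sum(1 for t in stamps if t > cutoff)
        if peak < LOCKOUT_LIMIT and slow_count >= SLOW_LIMIT:
            alerts.append(("lockout_evasion", user, stamps[-1].isoformat()))
    return alerts


def analyze(text):
    """Run every rule over the log and return (rule, user, timestamp) alerts."""
    events = parse_log(text)
    return after_hours(events) + sensitive_access(events) + lockout_evasion(events)


if __name__ == "__main__":
    for rule, user, when in analyze(SAMPLE_LOG):
        print(f"{when}  {rule:17}  {user}")
```

On the sample log this raises three alerts: jdoe is flagged twice (reading an `/ip/` file, and doing it at 22:14), and mallory is flagged for twelve failures in a day that never tripped the five-in-fifteen-minutes lockout. rsmith and admin1, who accessed data their roles are allowed to see during working hours, produce nothing, which is the point of tying the rule to roles rather than to file access alone.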
Borrowed Access and Escalated Privileges
If you’ve taken the steps necessary to create a hierarchy of access, but employees then share higher-privileged accounts to save time, that is a serious problem. Rather than a manager sharing their password or logging in on a team member’s workstation to complete a project, a temporary access code should be used. This can be configured to restrict the lower-level user to only the data or programs they need, without giving them the ability to change settings. It should also be configured with an automatic timeout, so that nobody has to rely on the person who granted the access remembering to turn it off again.
Likewise, if people with less access are being given escalated permissions which don’t match their role in the company, that is another red flag. Privilege escalation should be monitored and reviewed by someone with the bigger picture in mind, to safeguard the company's overall digital wellbeing.
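A temporary, scoped, self-expiring grant of the kind described above, together with the review that flags anyone whose live permissions exceed their role, might look like the following. This is an added example, not code from the original guide or from any product. The role names, the permission strings, the one-hour default and four-hour maximum lifetime, and the users rsmith and mbrown are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed role model: each role maps to the permissions it legitimately needs.
ROLE_PERMISSIONS = {
    "staff":   {"read:shared"},
    "finance": {"read:shared", "read:finance", "write:finance"},
    "manager": {"read:shared", "read:finance", "read:ip", "approve:expense", "grant:access"},
    "admin":   {"read:shared", "read:finance", "read:ip", "write:finance",
                "change:settings", "grant:access"},
}
NEVER_DELEGATED = {"change:settings", "grant:access"}   # never handed out temporarily
MAX_TTL = timedelta(hours=4)                            # hard cap on any grant's lifetime


@dataclass(frozen=True)
class Grant:
    grantee: str
    grantor: str
    permissions: frozenset
    issued_at: datetime
    expires_at: datetime
    reason: str


def create_grant(grantor, grantor_role, grantee, permissions, reason, now, ttl=timedelta(hours=1)):
    """Issue a time-boxed grant instead of sharing the grantor's own login."""
    perms = frozenset(permissions)
    grantor_perms = ROLE_PERMISSIONS[grantor_role]
    if "grant:access" not in grantor_perms:
        raise PermissionError(f"{grantor} is not allowed to delegate access")
    if not perms <= grantor_perms:            # you cannot lend what you do not have
        raise PermissionError(f"{grantor} cannot delegate {sorted(perms - grantor_perms)}")
    if perms & NEVER_DELEGATED:               # settings changes stay with the real owner
        raise PermissionError("settings and grant rights are never delegated")
    if not reason:
        raise ValueError("a grant needs a reason for the audit trail")
    return Grant(grantee, grantor, perms, now, now + min(ttl, MAX_TTL), reason)


def is_allowed(grant, permission, now):
    """The grant switches itself off: nobody has to remember to revoke it."""
    return now < grant.expires_at and permission in grant.permissions


def effective_permissions(user, role, grants, now):
    perms = set(ROLE_PERMISSIONS[role])
    for g in grants:
        if g.grantee == user and now < g.expires_at:
            perms |= g.permissions
    return perms


def escalation_report(users, grants, now):
    """For the reviewer: every user whose live permissions exceed their role, and why."""
    report = []
    for user, role in users.items():
        extra = effective_permissions(user, role, grants, now) - ROLE_PERMISSIONS[role]
        if extra:
            sources = [f"{g.grantor} ({g.reason})" for g in grants
                       if g.grantee == user and now < g.expires_at and g.permissions & extra]
            report.append((user, sorted(extra), sources))
    return report


def demo():
    """Walk through the scenario from the text and return the outcomes."""
    t0 = datetime(2024, 3, 11, 14, 0)
    users = {"rsmith": "staff", "mbrown": "manager"}
    grant = create_grant("mbrown", "manager", "rsmith", {"read:finance"}, "month-end report", t0)
    out = {
        "allowed_during": is_allowed(grant, "read:finance", t0 + timedelta(minutes=30)),
        "allowed_after":  is_allowed(grant, "read:finance", t0 + timedelta(minutes=61)),
        "out_of_scope":   is_allowed(grant, "read:ip", t0 + timedelta(minutes=30)),
        "report_during":  escalation_report(users, [grant], t0 + timedelta(minutes=30)),
        "report_after":   escalation_report(users, [grant], t0 + timedelta(hours=2)),
    }
    for bad in ("change:settings", "write:finance"):   # neither may be lent by a manager
        try:
            create_grant("mbrown", "manager", "rsmith", {bad}, "shortcut", t0)
            out["refused:" + bad] = False
        except PermissionError:
            out["refused:" + bad] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

Two design choices carry the weight here. A grantor can only lend permissions their own role already holds, and settings and grant rights are excluded outright, so a borrowed code can never quietly become a second admin account. And the escalation report is computed from live grants rather than from a list someone maintains by hand, so the reviewer sees exactly who currently holds more than their role and which grant (with its recorded reason) is responsible.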
Starting with the easiest area of improvement, educating your teams on how to be proactive and avoid creating opportunities for bad actors to gain access to your data and networks is a worthy investment. Numerous training programs exist, both online and in person, which can help your employees recognize and report any incident or activity that might be a security threat, regardless of whether it originates from outside or within the company.
This type of training should be repeated or updated on a regular basis and incorporated into your new-hire onboarding process, to ensure a unified approach which adapts to new threats over time.
Working with a cyber security expert enhances this training by making it specific to your business operations and structure. A cyber consultant can also circulate regular bulletins to keep everyone up to date on new threats or tactics as they become known.
This approach keeps everyone vigilant the same way news of recent break-ins in your area reminds everyone to check their window and door locks. Establishing a relationship with such an expert means that people know who to contact with questions when they come up. Your cyber consultant can even perform random phishing tests to see how your team performs to make sure they’re putting the training into practice.
Final Thoughts
This guide was created to be comprehensive without going into case specific details. The reality is a small business with 10-25 employees is going to take different steps to safeguard themselves than a company with 50-150 people on the payroll.
The core essentials we have laid out apply to everyone who uses a computer or smartphone though. Even a business with 5 staff members should still follow the best practices when it comes to strong passwords, spotting a phishing attack, updating their software, backing up their data, and educating themselves so as to reduce their vulnerability to cyber threats.
As small businesses grow, incremental upgrades to their cybersecurity are in their own best interest. Enhanced firewall systems, antivirus software, network security, and employee training are a small investment towards protecting their hard-earned assets. By adopting a security-first mindset early on and adapting to changes in the company as well as the digital landscape, business owners and their representatives can continue to focus on what makes them successful rather than reacting to data breaches and threats after they’ve occurred.
As experts in the cybersecurity field, we are constantly following the developments in the ever evolving world of online threats and ways to eliminate or mitigate them. We work with businesses of all sizes to advise, educate, update, monitor, and help them react to cybersecurity issues. We hope this guide has helped you by raising your awareness and answering some of your questions. If you would like any clarification or more details on the topics we’ve covered here, or you’re unsure of how to apply the suggestions made here to your business, we encourage you to reach out. Working with a cybersecurity professional can empower you to be more confident in your business decisions both now and in the future.