Cyber Attacks Are Targeting Small to Medium Entities right now – what are you going to do about it?

Businesses of all sizes rely on computers and the Internet to record and store sensitive business data and to access important online services.

For growing businesses especially, the accidental loss of important data and the danger posed by malicious hackers are genuine threats to business survival: the potential financial and reputation costs of such incidents can be make or break. All too often, however, steps aren’t taken to protect against these scenarios until the worst has already happened.

1. Physical Security

It is infinitely easier to steal a laptop that is sitting on a desk than to hack through multiple layers of security, bypass firewalls, crack passwords and download data from remotely hosted, well-protected datacenters.

The first line of defense for any business seeking to protect itself should be to ensure its physical infrastructure is secure. To protect your business you should:


• Physically lock desktop computers to desks. Make it difficult for thieves to remove your computer hardware from your premises.
• Limit access to business servers/computer rooms. Do not hand out keys or codes to those who do not need to be there, and change them if contractors who needed temporary access or employees leave.
• When employees are away from their desks, ensure that they lock their screens so that anyone passing by cannot access their device without a password.
• Where employees are using mobile devices, enforce the use of passcodes, so that should the devices be lost or stolen they cannot be easily accessed.
• Use drive encryption on all desktops, laptops and mobile devices so that in the event of the devices being lost or stolen the data on them is useless in the hands of criminals.
• If it is necessary to transfer data using USB sticks, ensure those sticks use encryption. This way, if the USB stick is lost or stolen in transit, the information contained is useless in the hands of anyone else. Truecrypt is free software that allows you to easily encrypt data on your USB sticks.
• Enable remote wipe on mobile devices so they can be wiped by the company should they be lost or stolen.

2. Keeping the Cloud Secure

The proliferation of cloud-based services has resulted in all of us having at least some data stored in the cloud. Whether it is simply the company website, or whether you use the cloud to deliver SaaS solutions to your customers, it is vital you protect your data, and any customer data you store there. To keep your cloud environment protected:
• Choose a hosting provider that is ISO 27001 accredited. This ensures that your data is hosted in an environment that meets international baseline information security management standards of confidentiality, integrity and availability.
• Limit access to the cloud servers to those who need it. If encryption keys are required to authenticate, keep a record of who has access to them, and change the keys if employees leave the business. It is important to have a clear audit trail of who has access to what and when.
• Always keep the development and live environment separate. In 2012, the social media company Formspring had its development server hacked, with hackers using the less-secure development server as a route to gain access to live data on its users.
• If you are storing customer information in the cloud, ensure it is either encrypted or hashed in a way that makes it useless, or at least very difficult to crack, for any intruder. LinkedIn, Dropbox, Wyndham Hotels and Yahoo all faced legal action for failing to adequately protect the customer data they stored after hacking incidents.
• If you are using your own in-house servers to store information, take all necessary precautions to lock down access to those servers: install a firewall and restrict access to known IP addresses, and even to known MAC addresses, for added protection.
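
The point about storing customer credentials "hashed in a way that makes it useless" deserves a concrete illustration. The following is an added example, not code from the article or from My1Login: it stores passwords with a random per-record salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), verifies them in constant time, and shows why a fast, unsalted hash gives an intruder who copies the database an easy job. The iteration count and the storage format are assumptions made for this example.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumption: cost parameter chosen for this example
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """The weak approach: a plain fast hash. Identical passwords give identical
    hashes, so one precomputed table cracks every account that shares a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Storage format (assumed): algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                      # malformed record: never authenticate
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with a weaker cost than the current policy,
    so it can be upgraded transparently the next time the user logs in."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    # Two customers who happen to share a password (constructed sample data).
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("fast hashes equal:", fast_unsalted_hash("correct horse battery staple")
          == fast_unsalted_hash("correct horse battery staple"))   # True: linkable
    print("salted records equal:", alice == bob)                    # False
    print("login ok:", verify_password("correct horse battery staple", alice))
```

Because the salt is random, the same password hashes differently for every customer, and the iteration count makes each guess expensive for anyone who copies the table. `needs_rehash` lets you raise the cost later without forcing a password reset.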

3. Securing Your Internet Connection

Protecting your office internet connection and ensuring it is not a route for criminals to gain access to your internal systems is vital. To keep your internet connection secure:
• Do not share your internet connection with another business, even if they are in the same shared office space. Always have your own direct connection to the internet and be in sole control of the hardware that connects it.
• Change the default authentication to access the router’s admin panel, both username and password, and do not store the new, strong credentials on the device.
• Physically restrict access to the hub/router.
• Protect any Wi-Fi network with WPA2 and use a strong password that is not used elsewhere.
• Do not write down the office Wi-Fi password on a whiteboard, and do not just give it to anyone. If necessary, have a second Wi-Fi network that you can give out to guests. Do not let non-staff members onto the same network as the one your team uses to access any cloud services the company has.
• Use SSL when transferring any data from your internet network to a cloud-based network.
• Use traffic monitoring software to keep track of all data in and out of your network to detect anomalies. A hardware firewall will provide additional protection.
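
The two monitoring-related points above (restricting server access to known IP addresses, and watching traffic in and out of the network for anomalies) can be checked with a few lines of code run over connection logs. The example below is added here and is not from the article; the log format, address ranges (taken from the documentation ranges, not real networks), allowlist, admin ports and the outbound-volume threshold are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=192.168.10.5 dst=198.51.100.20 dport=443 bytes=120000
2024-05-01T09:00:07 src=203.0.113.7 dst=192.168.10.2 dport=22 bytes=4000
2024-05-01T09:01:12 src=198.51.100.99 dst=192.168.10.2 dport=22 bytes=2000
2024-05-01T09:02:30 src=192.168.10.8 dst=198.51.100.50 dport=443 bytes=900000000
2024-05-01T09:03:00 src=192.168.10.5 dst=192.168.10.2 dport=445 bytes=50000
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

OFFICE_NET = ipaddress.ip_network("192.168.10.0/24")          # assumed office LAN
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24"), OFFICE_NET]  # known admin IPs
ADMIN_PORTS = {22, 3389}                                       # SSH and RDP
OUTBOUND_LIMIT = 200_000_000   # bytes per host per log window; assumed baseline


def parse_flows(text: str) -> list[tuple]:
    """Turn log lines into (src, dst, dport, bytes) tuples; skip lines that do not parse."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port, nbytes = m.groups()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(port), int(nbytes)))
    return flows


def unauthorized_admin_access(flows, allowlist=ADMIN_ALLOWLIST, admin_ports=ADMIN_PORTS):
    """Connections to admin ports on office hosts from addresses outside the allowlist."""
    alerts = []
    for src, dst, port, _ in flows:
        if dst in OFFICE_NET and port in admin_ports \
                and not any(src in net for net in allowlist):
            alerts.append((str(src), str(dst), port))
    return alerts


def outbound_outliers(flows, limit=OUTBOUND_LIMIT):
    """Office hosts that sent more data to the outside than the agreed baseline."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if src in OFFICE_NET and dst not in OFFICE_NET:
            totals[str(src)] += nbytes
    return {host: total for host, total in totals.items() if total > limit}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("admin access from unknown IPs:", unauthorized_admin_access(flows))
    print("hosts over outbound baseline:", outbound_outliers(flows))
```

In the sample, the SSH connection from 203.0.113.7 is accepted because that range is on the allowlist, the one from 198.51.100.99 is flagged, and 192.168.10.8 is reported for pushing far more data out than the baseline allows. The threshold is deliberately a parameter: it should come from what your own network normally does, not from this example.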

4. Remote Working

Employees being able to work from home or when travelling helps productivity, but it is a challenge to keep things secure when you do not have control of the environment. Here is how you can maximize your security:
• When employees are working remotely, ensure that they are not using unsecured Wi-Fi networks to do their work. It may be convenient for employees to hop onto a free Wi-Fi network, but in most cases it is not known who owns that network, who is eavesdropping, or what information is being collected. It is better for an employee to use a slower 3G connection to access business systems than a faster Wi-Fi network where their data could potentially be compromised.
• If remote working is a common occurrence, it is worth investing in a VPN to ensure the traffic to and from business systems is secure. Employees can freely use unsecured Wi-Fi networks if they are connecting using a company VPN, as all of their network traffic is encrypted and therefore protected from eavesdropping at the router level.
• If employees work from home, then it is important to stipulate that their router must be password protected, ideally using WPA2. They should also be instructed to change the default router admin username and password to mitigate against an intruder gaining access to their router. Again, a VPN is an ideal solution if there are concerns about employees working from home using unsecured networks.
• A password management service will allow employees to securely access business systems from home or elsewhere without having to email passwords to themselves, or use the same password for everything so that they can easily remember it. Using strong passwords is no use if an employee writes it down, or emails it to themselves because they need access to it outside of the office.

5. Good Password Policy

A strong password policy is vital to protecting a whole range of systems within the business environment. Here is how you can create a strong password policy:
Your Company Passwords
• Make all business passwords at least 15 characters long.
• Use entropy in passwords. They should contain uppercase & lowercase letters, numbers & symbols.
• Avoid the use of dictionary words or common names, and avoid using any personal information.
• Don’t replace ‘i’ with a ‘1’, or ‘a’ with a ‘4’ etc. These are well-established password tricks which any hacker will be familiar with.
• Avoid sequences or repeated characters.
Strong Password Practices
Strong passwords need to be augmented with strong practice.
• Do not use the same password on multiple sites.
• Never allow passwords to be written down or stored in the notes section of phones.
• Do not store passwords in Word or Excel. Even if those files are later deleted there will still be a recoverable imprint of it on the computer, long after it is sold or donated to a recycling company.
• Do not allow passwords to be emailed. Emails can be read by the provider of the email service.
• Do not feel the need to regularly change strong passwords. A very strong password that is used for a long time is more secure than a weaker password that is regularly changed for a similarly weak password. Enforcing regular changing of passwords can often result in employees adopting weaker passwords to make them easier to remember.
My1Login Password Management for Business makes it easy to adopt strong password policies. It highlights insecure passwords and practices, while giving employees the convenience of only having to remember one strong set of credentials.
Using strong passwords protects the company by making it extremely difficult for passwords to be cracked. Using different passwords for all business services means that should one account be compromised, the company’s exposure is isolated.
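
The rules listed under "Your Company Passwords" can be enforced mechanically rather than left to memory. The checker below is an added example and is not My1Login's code or the article's: it implements exactly the rules above (15-character minimum, mixed character classes, no dictionary words or personal details even after 1/4/0-style substitutions, no sequences or repeated runs). The short word list and the substitution table are constructed assumptions; a real deployment would load a full dictionary and a breached-password list.

```python
from __future__ import annotations
import re
import string
from typing import Iterable

MIN_LENGTH = 15

# Constructed, illustrative word list (assumption); use a real dictionary in practice.
DICTIONARY_WORDS = {"password", "welcome", "company", "summer", "admin", "london"}

# Undo the well-known substitutions the article warns against before word-matching.
LEET_MAP = str.maketrans({"1": "i", "!": "i", "4": "a", "@": "a", "3": "e",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def _has_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive ascending or descending characters (abc, 321)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_repeat(pw: str, run: int = 3) -> bool:
    """True if any character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _contains_dictionary_word(pw: str, personal: Iterable[str]) -> bool:
    """Check the password and its de-substituted form against dictionary and personal words."""
    candidates = {pw.lower(), pw.lower().translate(LEET_MAP)}
    words = DICTIONARY_WORDS | {p.lower() for p in personal}
    return any(w in c for c in candidates for w in words if len(w) >= 4)


def check_password(pw: str, personal: Iterable[str] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.
    `personal` holds things like the employee's name or city (assumed caller-supplied)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if _has_sequence(pw):
        problems.append("contains a sequence such as abc or 321")
    if _has_repeat(pw):
        problems.append("contains a run of repeated characters")
    if _contains_dictionary_word(pw, personal):
        problems.append("contains a dictionary word or personal information "
                        "(even with 1/4/0-style substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ["P4ssw0rd!Summer2024", "Tq7#mWe9!kLp2$vRx"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that `P4ssw0rd!Summer2024` satisfies every character-class rule and is long enough, yet still fails: once the substitutions are undone it is two dictionary words, which is precisely the point the article makes about swapping ‘a’ for ‘4’.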

6. Educate Employees

A strong password policy can be undermined if employees are not security conscious and aware of the various methods hackers use to steal passwords. To keep your business secure:
• Be sure that employees know about ‘phishing’ and ‘spoofing’. Spoofing is the technique of making something appear to be something it is not – it could be building a fake banking website, or masking a link so that it appears to go to a trusted site. The aim of spoofing is to make you trust something you shouldn’t.
Phishing is the process of trying to dupe individuals into disclosing private details. It could be your login credentials, your bank account numbers, your phone passcode, or anything that is useful to criminals. Phishing often uses spoofing in order to achieve its goal – to trick you into disclosing sensitive information by making you think you are disclosing it safely to the intended recipient. Educate employees on spoofing and phishing and make them think before they enter their passwords into sites.
• Instruct employees not to click links to sites and then enter their passwords.
• Employees should know not to give out passwords to people phoning the company, or people they do not know asking for the Wi-Fi password. If in doubt, do not give anything out.
• Enforcing a strong password policy is ineffective if employees are writing down passwords, emailing them to themselves, or telling someone who phones purporting to be from ‘Twitter’ what the company Twitter password is.
• Do not trust unsolicited emails asking you for personal information, or requiring you to click website links to verify personal accounts.
• Do not use email links to visit banking websites.
• Be aware of website address changes for sites in which you have to enter private information. If in doubt, do not enter your details.
• Check for ‘https’ and the padlock symbol on banking and other secure websites. If it does not have it, do not use it.
• When visiting banking and other secure websites, use the normal process you have used before. If you use My1Login, you know that the website bookmark you created yourself will always take you to the same place.
• Always report fraudulent or suspicious e-mails to the service they purport to be from, forwarding the website address so it can be checked.
• For websites that use anti-phishing images make sure that image is always the same. If it ever changes, you are not on the legitimate site.
• If you are concerned you have been duped into handing over personal details you should contact the relevant company and the police as soon as possible. If you have entered your bank details into a spoofed website, contact your bank using the information on the back of your card. The quicker you make your bank aware, the easier it is for them to reduce the risk of you being affected. If you have entered login credentials into a spoofed website, you should immediately visit the legitimate website and change those details.
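
Several of the points above (check for ‘https’, watch for address changes, do not trust links in emails, compare against the bookmark you made yourself) amount to checks a program can run on a link before anyone clicks it. The following is an added example, not from the article or My1Login: it compares a link against a short list of bookmarked hosts and reports the warning signs. The trusted host names use reserved placeholder domains and are assumptions; the "subdomain of a trusted name" rule is a deliberate simplification that ignores public-suffix handling.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the sites you have bookmarked yourself (placeholder names, not real services).
TRUSTED_HOSTS = {"bank.example", "mail.example"}

# Picks a host name (optionally with a scheme) out of the visible link text.
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _under_trusted(host: str, trusted) -> bool:
    """host is a trusted name or a subdomain of one (simplified: no public-suffix list)."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def assess_link(href: str, display_text: str = "", trusted=TRUSTED_HOSTS) -> list[str]:
    """Return warning codes for a link; an empty list means nothing suspicious was found."""
    codes = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme.lower() != "https":
        codes.append("NOT_HTTPS")            # no padlock: the article says do not use it
    if parts.username is not None:
        codes.append("USERINFO")             # text before '@' is not the site you reach
    if _is_ip(host):
        codes.append("IP_HOST")              # real services are not visited by bare IP
    if not _under_trusted(host, trusted):
        if any(t in host for t in trusted):
            codes.append("LOOKALIKE")        # trusted name embedded under another domain
        else:
            codes.append("UNTRUSTED_HOST")   # address differs from your bookmark
    m = HOST_IN_TEXT_RE.search(display_text.lower())
    if m and m.group(1) != host:
        codes.append("TEXT_MISMATCH")        # link text shows one site, link goes to another
    return codes


if __name__ == "__main__":
    # Constructed samples: one genuine bookmark, two of the patterns the article warns about.
    samples = [
        ("https://www.bank.example/login", "https://www.bank.example/login"),
        ("http://bank.example.login-verify.test/login", "https://www.bank.example/login"),
        ("https://www.bank.example@203.0.113.9/", "Verify your account"),
    ]
    for href, text in samples:
        print(href, "->", assess_link(href, text) or "OK")
```

The second sample is the "address change" case: the trusted name is still visible in the link, but it sits under a different domain, and the visible text does not match where the link actually goes. The third shows why "look for the bank's name in the address" is not enough on its own: everything before the `@` is ignored by the browser.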

7. Keep up to Date

Cyber criminals are extremely clever people, with holes in existing software packages being found and exploited every day. Keeping your Operating System, browsers and other software up-to-date will help protect the company against known security flaws. In addition to this, all computers should have anti-virus and anti-spyware software installed and scans should be run regularly. Always make sure these are up-to-date.

8. Good Practice

Put good practice policies in place to keep the company secure:
• Keep track of who has access to what; from employee passcodes to suppliers you have shared login credentials with. An audit trail ensures that should an employee leave, or a contract with a supplier end, it is clear whose access needs to be revoked and what authentication details are required to be changed.
• Always use SSL/HTTPS on websites if possible. Using SSL ensures your data is transmitted to and from the cloud securely and is less susceptible to man-in-the-middle attacks.
• Restrict the ability of employees to download software onto their devices.
• Where employees are using their own devices to access business systems, ensure that those users do not jailbreak their devices, as this removes the in-built security and opens the devices up to malware.

9. Social Media Policy

Social media plays such a huge role in most businesses, and is such a big target for hackers, that we felt it was worth a section of its own. To keep your social media accounts safe you should:
• Restrict access to only those who need access and are trained to use social media platforms.
• Third party apps can make running social media accounts easier, by aggregating multiple Twitter, Facebook, LinkedIn accounts for example. However, do not give unrestricted access to just any apps. Be sure they are needed and monitor what access those apps have over your social media accounts. They are another point of attack for hackers, so only use apps which are necessary to do the job.
• Keep an audit trail of who has access to what social media accounts and shut off access to employees who leave the business.
• Phishing is a huge issue on social media, so be sure your social media team are trained in spotting phishing scams and will not hand over their company social media passwords by mistake.

10. Be Pro-Active

Do not wait until the worst happens before taking action. Be pro-active and implement strong security policies before the company suffers a breach. Seek out penetration testers to test the firm’s security and identify any vulnerability before the criminals do. The financial and reputational damage caused by a hack can be huge, so it is best to find out what is wrong in time to fix it before the weakness is exploited.
As a business expands, so does the threat of data security breaches, both accidental and malicious. Adding more employees, additional premises, new hardware and mobile devices into the mix increases your business’s exposure to potential dangers capable of causing significant financial and reputational damage. Do not cut corners on security or wait until it is too late to protect your business.

This may sound like a lot of items to be aware of, but it is worth keeping them in mind: just one cyber attack can compromise your entire operation, including files, payroll, records and more.

Also, don’t think you are safe because everything is synced to the cloud. If one of your hosts or mobile devices is compromised, that compromise can leak into your cloud database, and the vendor is not responsible for malware or ransomware attacks that originate from your local area network.

Read the fine print in all cloud contracts!


Dana Onyshko
Security Operations and Media

Cleveland, OH