No. 1 - Keep your systems up to date
Many attacks target existing security vulnerabilities, as the bad guys tend to go for the low-hanging fruit. By keeping your systems and software up to date (known as patching), you will save yourself plenty of headaches.
Ask yourself these questions:
- How many IT assets do I have?
- Do I have a plan (and have I implemented it) to keep them up to date?
- Do I have a way to test and assure that the systems have been kept up to date?
No. 2 - Back up your Data
If there is only one takeaway from the recent ransomware attacks for small and medium businesses, it is to back up your data diligently. Make sure you have a backup plan and stick to it. You will need to:
- Consider what your most critical data is
- Back up this data as frequently as possible (ideally daily)
- In an ideal world you will want to back up to a copy that is offline and offsite
- Understand and practice restoring the backup
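The last step, practising the restore, is the one most often skipped, so here is an added example (not from the original article) of what a backup drill can look like in code: it archives a directory of constructed sample "critical data", records a SHA-256 manifest, restores the archive into a scratch location and proves every file came back intact. The directory names and sample files are made up for the demonstration.

```python
"""Backup-and-restore drill: archive a directory, record a checksum manifest,
then restore the archive somewhere scratch and verify every file came back.
Added example; the sample data below is constructed, not real business data."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from datetime import date
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, backup_dir: Path) -> tuple[Path, dict[str, str]]:
    """Create a dated, compressed archive of src; return (archive, manifest)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{src.name}-{date.today().isoformat()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=src.name)
    return archive, build_manifest(src)


def _extract(tar: tarfile.TarFile, dest: str) -> None:
    """Extract with the 'data' filter (rejects path traversal, absolute paths
    and similar tricks); fall back on Pythons that predate the filter argument."""
    try:
        tar.extractall(dest, filter="data")
    except TypeError:  # older Python: extractall() has no 'filter' keyword
        tar.extractall(dest)


def verify_restore(archive: Path, expected: dict[str, str]) -> list[str]:
    """Restore the archive into a scratch directory and compare every file's
    digest against the manifest. Returns a list of problems (empty == good)."""
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            _extract(tar, scratch)
        restored_root = next(Path(scratch).iterdir())  # the single top-level dir
        restored = build_manifest(restored_root)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"corrupted after restore: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_drill() -> dict[str, list[str]]:
    """End-to-end drill on constructed sample data. Returns the verification
    result for a good backup and for one whose manifest no longer matches."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "critical"
        (src / "ledger").mkdir(parents=True)
        # Constructed sample files standing in for the business's critical data.
        (src / "ledger" / "2024-q1.csv").write_text("date,amount\n2024-01-02,100\n")
        (src / "clients.txt").write_text("Example Client Pty Ltd\n")
        archive, manifest = make_backup(src, Path(tmp) / "backups")
        clean = verify_restore(archive, manifest)
        # Simulate a backup record that has drifted from the data it claims to hold.
        tampered = dict(manifest)
        tampered["clients.txt"] = "0" * 64
        return {"clean": clean, "tampered": verify_restore(archive, tampered)}


if __name__ == "__main__":
    print(run_drill())
```

The drill deliberately restores to a fresh location and compares hashes rather than trusting that the archive "opened fine"; the `tampered` case shows the check catching a mismatch. Running this on a schedule, against the real offsite copy, is the practical meaning of "practice restoring the backup".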
No. 3 - Beware of Malware
Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. Malware can cause absolute havoc with a business.
Out of all of these, the most concerning is the growing threat of ransomware, which is becoming an issue for unwitting advisers and accountants who install software without fully realising what they are letting themselves in for.
Be wary with the software you are about to install, or an attachment you are about to open from an email. Ask yourself these questions:
- Do I really need this piece of software?
- How well do I understand what the software or attachment does?
- How well do I trust the source, i.e. where I downloaded the software from, or whom the email came from?
- Do I have anti-malware and anti-virus software installed?
No. 4 - Educate your Users (your Employees)
Today, many attackers target the human mind and exploit the built-in trust in human relationships. It can be incredibly easy to lure someone into clicking a link that downloads malware, or into handing over the password used to log in to your corporate network.
A typical “phone phishing” attempt is one where the attacker pretends to be someone you trust, e.g. IT Support or a customer, and tells a reasonably plausible story in order to trick you into giving out your password or helping them obtain someone’s account details.
In a ‘spear phishing’ attack, an attacker sends an email that looks like a legitimate message from a trusted company, in the hope that the victim will hand over money or account credentials. Ordinary phishing emails are typically relatively easy to spot (they look spammy), but they are getting more and more sophisticated and believable.
Our suggestions here are to ensure your employees:
- Never give out their password to anyone, including people claiming to be IT Support
- Handle all emails with a bit of suspicion. Remain sceptical of any email that has a strong call to action (particularly attachments)
- Ensure email tone is consistent with what you expect
- Ensure bank transfers and other sensitive business processes have adequate sign-off measures
- Be wary of spammy social media invites, particularly from LinkedIn.
No. 5 - Sensible Password Management
A password is often your only way of verifying whether someone is allowed to access your critical systems and data. It is also one of the areas that is so often done incorrectly (yes, even the experts get it wrong).
Do you still ask your employees and users to use passwords that require special characters? Do you still force them to change passwords every 30 days? Think again. This technique may actually have done more harm than good. Your users may very well come up with passwords such as Pa$$word1! followed by Pa$$word2!, which meet every password policy requirement yet are extremely easy to break using modern password guessing techniques. Or they just write the password on a piece of paper and stick it under the monitor.
Consider implementing these new rules:
- Enforce a minimum character length (9 or above).
- Eliminate character composition requirements.
- Eliminate mandatory periodic password resets.
- Ban the use of common passwords (and check for them whenever a user changes their password)
- Educate users on how to choose a stronger password (or passphrase)
- Educate users not to reuse passwords, or even better, use a password manager (at Change Accountants, we use LastPass):
- A password manager is an application that helps you store and retrieve passwords. The passwords here are usually heavily encrypted and require a master password to access. This master password needs to be very strong and allows you full access to your entire password database.
- You may be wary of putting all your passwords in one place. What if the password manager itself gets hacked? It is possible, but even in that case your password database is encrypted using industry-standard protocols, and by the time the bad guys manage to recover them (millions of years later), it won’t matter.
- Use multi-factor authentication whenever possible. ‘Multi-factor’ is a way of checking that you are who you say you are by using more than just the password. This typically involves a hardware one-time password token, biometrics, or an SMS text.
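As an added example (not code from the original article), the first four rules above can be turned into a small password-change check: a minimum length, no composition requirements, and a ban on common passwords that also catches the disguises users reach for, so Pa$$word1! and Pa$$word2! are both rejected as variations of "password". The banned list here is a tiny constructed sample; a real deployment would load a large breach-derived list instead.

```python
"""Password-policy check for the rules listed above: minimum length, no
composition requirements, and a common-password ban that also catches trivial
variations. Added example; COMMON_PASSWORDS is a constructed sample only."""
from __future__ import annotations

import re

MIN_LENGTH = 9

# Constructed sample of a "common passwords" list. In practice load a large
# breach-derived list; this handful is just enough to demonstrate the check.
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "qwerty", "letmein",
    "welcome", "iloveyou", "admin",
}

# Symbol-for-letter substitutions users apply to satisfy old composition rules.
LEET_MAP = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})


def normalise(password: str) -> set[str]:
    """Return the spellings a guessing tool would also try: the lower-cased
    password, the same with any trailing digits/symbols removed, and each of
    those with the common substitutions undone."""
    lower = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lower)   # drop the 'Pa$$word1!' tail
    forms = {lower, stripped}
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    return {f for f in forms if f}


def check_password(password: str) -> tuple[bool, str]:
    """Apply the policy at password-change time; returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if normalise(password) & COMMON_PASSWORDS:
        return False, "a common password or a trivial variation of one"
    # Deliberately no composition rule: letters, digits and symbols are all
    # optional, so a long plain-word passphrase is accepted.
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Pa$$word1!", "Pa$$word2!", "Welcome2024!",
                      "short1!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

The normalisation step is what makes the ban meaningful: checking the raw string against a list would pass Pa$$word1!, whereas checking the forms an attacker's wordlist rules would generate rejects it. The passphrase with no digits or symbols is accepted, which is the point of dropping composition requirements.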
Talk to the Change Accountants team TODAY, or to your designated IT person within your business, about the security exposure of your business.
Remember, security is only as good as your weakest link. It only takes one security hole for the bad guys to get in and wreak havoc on your business if you don’t have the proper defences in place.
* The above tips were sourced from an article written by Kamino Cyber Security Services.