1. Keep your systems (IT and software) up to date
Many attacks target known security vulnerabilities. By keeping your systems and software up to date (known as patching), you will save yourself plenty of headaches. Many cloud-based or SaaS solutions provide this by the nature of the product, but for on-premise applications you need to make sure patching actually happens.
Questions to ask yourself:
- How many IT assets do I have?
- Do I have a plan (and have I implemented it) to keep them up to date?
- Do I have a way to test and assure that the systems have been kept up to date?
2. Back up your Data
If there is only one takeaway from the recent ransomware attacks for small and medium businesses, it is to back up your data diligently. Make sure you have a backup plan and stick to it. Dropbox, Google Drive and Box are great options to get you started.
Points you need to consider:
- Consider what your most critical data is
- Back up this data as frequently as possible (ideally daily)
- In an ideal world you will want to keep a copy that is both offline and offsite
- Understand and practice restoring the backup
3. Beware of Malware (Viruses of any form)
Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. Malware can cause absolute havoc with a business.
Out of all of these, the most concerning is the growing threat of ransomware, which is becoming an issue for unwitting advisers and accountants who install software without fully realising what they are letting themselves in for.
Be wary of the software you are about to install, or an attachment you are about to open from an email. Ask yourself these questions:
- Do I really need this piece of software?
- How well do I understand what the software or attachment does?
- How well do I trust the source, i.e. where I downloaded the software from, or who sent the email?
- Do I have anti-malware and anti-virus software installed?
4. Educate your team
Today, many attackers target the human mind and exploit the built-in trust in human relationships. It can be all too easy to lure someone into clicking a link that downloads malware, or into handing over the password used to log in to your corporate network.
A typical “phone phishing” attempt is where the attacker pretends to be someone you trust, e.g. IT Support or a customer, and tells a reasonably plausible story in order to trick you into giving out your password or helping them obtain someone’s account details.
In a ‘spear phishing’ attack, an attacker sends an email that looks like a legitimate message from a trusted company, in the hope that the victim will hand over money or account credentials. Ordinary phishing emails are typically relatively easy to spot (they look spammy), but they are getting more and more sophisticated and believable.
5. Password Management
A password is often your only way of verifying whether someone is allowed to access your critical systems and data. It is also one of the areas that is so often done incorrectly (yes, even the experts get it wrong).
Do you still ask your employees and users to use passwords that require special characters? Do you still force them to change passwords every 30 days? Think again. This technique may well have done more harm than good. Your users will very likely come up with passwords such as Pa$$word1! followed by Pa$$word2!, which meet every password policy requirement yet are extremely easy to break using modern password guessing techniques. Or they just write the password on a piece of paper and stick it under the monitor.
Consider implementing these new rules:
- Enforce a minimum character length (9 or above).
- Eliminate character composition requirements.
- Eliminate mandatory periodic password resets.
- Ban the use of common passwords (and check against the list whenever a user changes their password)
- Educate users on how to choose a stronger password (or passphrase)
- Educate users not to reuse passwords, or even better, use a password manager (LastPass is a great example)
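As an added example (not part of the original checklist), here is a small Python check that implements the rules above: a minimum length, no character composition requirements, and a common-password blocklist that also catches disguised variants such as Pa$$word1!. The blocklist is a constructed sample; a real deployment would load a full breach-derived list, and the leet substitution table is an assumption of this example.

```python
import re

# Constructed sample of a common-passwords list. In practice, load a full
# breach-derived list (assumption: one password per line from a file).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "admin", "monkey", "dragon", "football",
}

MIN_LENGTH = 9  # rule 1: length is the only hard requirement

# Substitutions users commonly apply to sneak past a naive blocklist
# (assumed table for this example).
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to the base word a cracker would guess first:
    lowercase it, strip trailing digits/symbols, undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # Pa$$word1! -> pa$$word
    return base.translate(LEET_MAP)        # pa$$word   -> password


def check_password(password: str, banned: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    Deliberately no composition rules and no expiry: only length and blocklist."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in banned or normalize(password) in banned:
        problems.append("derived from a commonly used password")
    return problems


if __name__ == "__main__":
    for candidate in ["Pa$$word1!", "Qwerty123", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate) or "accepted")
```

Note that the long, lowercase passphrase passes while the "complex" Pa$$word1! is rejected, which is exactly the point of dropping composition rules in favour of length and a blocklist.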