Experts weigh in: 20+ cybersecurity guidelines for individuals and SMBs
Bored or intimidated by the idea of beefing up your cybersecurity? We get it. Online security is not the most exciting or accessible concept in the world. But if you do anything important online, then it’s one of the most critical things for you and your organization. Read these cyber security guidelines.
Why you should choose to care about online security
Reports show that 701 to 902 percent of cyber attacks are against individuals and small and medium businesses (SMBs).
For every small and medium business (SMB) that has not been the target of a cyber attack, one has been3. Yes, 50 percent of SMBs have experienced cyber attacks.
And it makes sense. While breaching a major company might reap major rewards for the attacker, security tends to be far more sophisticated. That’s not so much the case with smaller businesses. In fact, Endurance International Group’s4 2015 Small Business & Cybersecurity survey shows that 83 percent small business owners manage their cybersecurity efforts rather than have in-house or outsourced IT for the job.
When cyber attacks are successful, and a data breach occurs, the typical cost to repair the damage is more than $36,0005. Worse still, as much as 60 percent of small businesses crumble within six months6 following.
But take note—there is a huge difference between being the target of a cyber attack and being successfully breached. What keeps someone in the former group and out of latter often comes down to simple oversights.
Steps to prevent a cyber attack (or its success)
“Cybersecurity lapses have common trends and problems that can be traced back to laziness, lack of knowledge, and awareness of how common pitfalls can be leveraged against an individual or organization,” explains Morey Haber, VP of Technology at BeyondTrust.
For instance, the National Cyber Security Alliance reports7 that over 75 percent of employees leave their computers unsecured.
For the safety of yourself, your coworkers, and your customers and clients, read through the following cybersecurity tips. Then, commit to practicing them and help others by passing the advice to your organization.
Stop mixing work and play
Don’t mix work and play. Just don’t. Separate profiles, accounts, storage mediums for work and personal life. Just keep things compartmentalized. Don’t make it easy by being lazy. -Robert Nicholson of Concept Shifts
Delete old login emails
If you never delete the (probably hundreds) of login detail emails from your email account, you have created a gold mine for hackers. All they have to do is get into your email and then they have access to every service or website you’ve used. -Emmanuel Schalit, CEO of Dashlane
Think before you click
Think before you click. Today’s scams look very convincing, coming in the form of voicemails, eFaxes, invoices, social media, ADP theme or from the IRS. -Anurag Sharma, Principal of WithimSmith+Brown’s Cyber & Information Security Services
Be pickier about where you download and install software from
Try to use things like Microsoft Store or the Mac App Store for your desktops and iTunes and Google Play for your mobile devices. Again, this isn’t an absolute. You can more gradually move toward better practices, and each step you take will make you more secure. –Jeffrey Goldberg, Chief Defender Against the Dark Arts at AgileBits, the makers of 1Password
Don’t ignore security updates
We have all seen the nagware to update Adobe and Java, and we click ignore or remind me next month. The same is absolutely true for operating systems and MS Office Updates. [Overcoming] the laziness to apply the patches and reboot is the best method, above anything else, to ensure you are not exploited by a common vulnerability. Although it takes time to apply them, the few minutes it takes is well worth securing your system. -Morey Haber, BeyondTrust
Often just switching to automatic updates where that is available will make the task easier for you and keep you safe…And this isn’t an all or nothing thing. The more things you keep up to date the better, but you will start reducing your risks with each thing you keep up to date. I would recommend starting with your operating system, but look for little improvements where you can. –Jeffrey Goldberg, AgileBits / 1Password
Beware of free USB drives
Don’t ever fall for the free USB device drive—a very popular tradeshow giveaway these days—which when plugged in can easily deliver a malware or virus onto your computer. -Anurag Sharma, WithimSmith+Brown
Raise employee awareness about device theft
Often, IT has no insight into the types of data stored on their devices—devices that are left in taxis, hotel rooms, and stolen at airports. In fact, according to Gartner, one laptop is stolen every 53 seconds in US airports. And hotel safes are as secure as hiding the laptop under your mattress!
Encourage employees to be vigilant about physical device security but have a plan B because mistakes and unfortunate incidents are inevitable. Choose security solutions with geotechnology so you can monitor devices, set geofences, and receive alerts to activities that could mean a device was compromised, lost, or stolen. -Chris Covell, Chief Information Officer at Absolute
Prevent shoulder surfing
Screen guards should be employed to limit the potential for ‘shoulder surfing,’ in which an attacker stands near an employee and notes everything they are displaying on their screen. Better yet, do not allow employees to store sensitive business information on their devices in the first place, if at all possible—this will also protect secret data should the device ever be lost or stolen. -Lee Munson, Security Researcher for Comparitech
Ditch the dated machines
If are you still running Windows XP or Windows Server 2003 within your home or business, all security professionals know they are end-of-life and no longer receiving any maintenance including security patches. So, if the best method to secure your system is applying security patches, and you are still running older systems, then they are wide open for attack with minimal mitigation strategies available to thwart an attack. You, or your business, should consider replacing these systems as soon as possible to ensure they can be maintained properly. Many times this is a combination of laziness and money, but being breached and cleaning up the mess could be much more costly than replacing the systems in the first place. -Morey Haber, BeyondTrust
Limit unnecessary admin privileges
Are you providing everyone in your company unfettered access to all data so when your least technical savvy employee gets hacked, all that data is exposed? -Greg Kelley, CTO of Vestige Digital Investigations
Employees should be able to access only those systems and data that they absolutely need to perform their jobs. So that all activity can be traced to a particular user, each employee should have a unique access ID and should be authenticated using a strong password or passphrase, biometrics, or a token device or smart card. Strong cryptography should be used to render all passwords unreadable during storage and transmission. Physical access to systems and consumer data should also be restricted to prevent employees and building visitors from accessing or removing devices, data, systems, or hardcopies. -Mike Baker, Founder of Mosaic451
Limit remote access
Many businesses leave their firewalls open to outside entry by allowing access for managers working remotely or vendors who routinely perform maintenance on systems…Always change default firewall settings to allow only essential access, and limit remote access to secure methods such as VPN. – Kevin Watson, CEO of Netsurion
Password protect and encrypt sensitive info
This is especially important with regards to data stored on portable devices such as laptops and USB sticks, which can potentially be stolen, or lost. There are many encryption applications that achieve this, however, when choosing there are several aspects to consider:
1. How easy is the application to use? Could the CEO, who doesn’t have any IT skills, use it? If the application is hard to set up and use, it’s not a good solution for a small business.
2. Does the application interrupt the user’s workflow? Is there a wait time every time the user wants to access the encrypted file? If so, employees will do their utmost to avoid using the application.
3. Does the application automatically lock the data when the user stops working on the protected files? If not, this could be a security issue, as users are bound to forget to manually lock their documents.
4. What is the cost? Clearly, small businesses cannot afford an enterprise solution.
-Sandra Styskin, Co-founder & Developer at Safeplicity
Implement a password policy and multi-factor authentication
It’s tempting to use your dog’s name for every password, but it makes you very vulnerable to cyber criminals. Not only do you need to change your passwords often, you should use different passwords for every site, service or app you use. -Emmanuel Schalit, Dashlane
All companies, specifically SMBs, should implement a password policy for all employees and use multi-factor authentication. The password policy should at a minimum require employees to change the passwords every 90 days and they should always use multi-factor authentication to verify identity. The verification of identities when accessing work files and information is critical. I suggest implementing a solution similar to Okta or PingIdentity. -Ray McKenzie, Founder and Principal at Red Beach Advisors
Two-Factor Authentication (2FA), where users are required to put in a second form of information in addition to a password, like a PIN or security question, allows for only the intended user to access accounts. From password protected documents and accessing the network to staff’s personal and company accounts on company desktops, adding 2FA to accounts requiring passwords strengthen security. While sites like Gmail already implement this, many password managers also offer this as an additional feature to sites that don’t. -Kevin Shahbazi, CEO of LogMeOnce
Use a password manager
One of the impossible things that people like me tell the world is that everyone needs to have a unique password for each site. If I use the same password on a dozen different sites and services, then it takes only one of those to be broken into for the attacker to have my password for all of them.
Asking people to remember a different password for each site and service is absurd. Nobody will do that. (Ok, I once met someone with an eidetic memory who actually did do that for more than 70 sites.) This is what password managers are for. They remember your passwords for you so that you don’t have to. Once you start using a password manager — and doing so will already make things easier for you — you can slowly start chipping away at password reuse. Sure it will be a while before you get to truly having a unique password for each site and service (I still don’t), but each time you change one password on some site to a new and unique one you are making a real improvement in your own security. -Jeffrey Goldberg, AgileBits / 1Password
(Hey, SaneBoxers. If you’re interested in trying a password manager, our friends at 1Password are offering you a 6-month free trial of Password Families here.)
Learn where you fall in the food chain of cyber security attacks
Banks and the financial sector are the number one targets, hospitals and the healthcare industry are number 2, universities number 3, and so on. There is a lot of online data and statistics on this topic. By understanding where your industry falls on the spectrum, you can understand generally what level of hacker you will be dealing with and the types of cyber attacks that they are capable of. -Regan Marock, CEO of SPC Cybersecurity
Make upkeep the #1 priority
Have you ever heard the phrase, Upkeep is cheaper than replacement? This adage applies closely to cybersecurity. One of the most important things SMBs can do to keep their systems safe is continually update them, perform routine maintenance, and ensure they’re clean. By regularly performing software updates on company devices and continually patching any discovered vulnerabilities, many basic cyber threats can be stopped or lessened significantly. -Stephen Coty, Chief Security Evangelist at Alert Logic
Don’t just take IT’s word for it
Business management must not take we have it handled as an appropriate answer from IT. I had a client come to me once that was told by his IT that their vital data was backed up daily. When the server containing that data crashed, the client said let’s restore the data only to find out that the backups were stored on the same machine! That story is replayed over and over today because organizations do not go through the process of executing a test plan to recover from disaster or hacking. A plan for recovery from hacking (especially ransomware) must be thought out, planned, and tested. –Greg Kelley, Vestige Digital Investigations
Embrace the human element
I will tell you one of the most tragic mistakes companies make regarding data security is to only approach data privacy from the perspective of the company as a whole, which is a very general perspective. The employees of your company don’t understand how data theft and data privacy is relevant to them. Good people can easily leak data, or cause leaks in security by simply being careless or leaving it unprotected. All privacy starts with the employees. -Anthony R. Howard
Know who to contact for help
Contact the right person for help. If you are a victim, if you encounter illegal Internet content (e.g. child exploitation) or if you suspect a computer crime, identity theft or a commercial scam, report this to your local police. If you need help with maintenance or software installation on your computer, consult with an IT professional. -Mark Grabowski, internet law professor at Adelphi University
Laziness is not an excuse for not knowing
Learning to protect ourselves online is just as painful as sitting through a defensive driver’s education class or jury duty. We do it because we have to, and for many, they will do anything they can to get out of a class on cybersecurity. The realization is no one is immune to an attack, and learning how you can be hacked and how to protect yourself is really important, and laziness or boredom is no excuse for skipping the class. -Morey Haber, VP of Technology, BeyondTrust
This online article from:
1, 7 http://www.paychex.com/articles/human-resources/creating-cyber-security-culture
2, 5, 6 https://www.firstdata.com/downloads/thought- leadership/Small_Businesses_Cost_of_a_Data_Breach_Article.pdf