Do you keep databases with information about other people?
Do you allow teleworkers, road warriors, suppliers, contractors and so on to connect in remotely?
Do you accept payments, for example from credit cards or NFC devices? Do you make payments of your own online?
Do you keep important business or personal data – tax returns, bills, receipts, pay slips and so on – on your computer?
Do you have an email account, or a website, or a blog, or a social media presence where you promote your business or simply hang out with friends?
Admittedly, that’s a lot of questions – but whether you’re a small business, a sole trader, or even just a home user, chances are that you do some or all of these.
At the same time, you are probably your very own IT department, which doesn’t give you much time to invest in even doing IT, let alone trying to decide what to do in the first place.
So, here at Naked Security we decided to come up with five security tips to help you get started with keeping your business safe online.
Of course, if you’ve already decided to do one or more of these and you’re still having trouble from cybercrooks, maybe it’s time to make sure you really are doing them?
1. Divide and conquer
Firewalls aren’t for “your network” and “the internet” any more. Why have your cash register on the same network as your web developer? Why have your accountant on the same network where you keep active on social media? And so on.
If a crook gets into the network where your web developer works, that’s bad because they might be able to steal your intellectual property. But why make it easy for them to go from there into your accounts network, where they might be able to steal personally identifiable information (PII) belonging to your customers!
Setting up modern firewalls isn’t terribly difficult, and if you buy a product like Sophos, with user-based licensing, you can add as many firewalls as you like to your network without paying extra licensing fees.
2. Patch early, patch often
Brand new vulnerabilities and exploits hog the limelight of security news.
Because you couldn’t have patched ahead, they’re known scarily as “zero-days.” But if you’re worried about brand new attacks from cutting-edge crooks, you should definitely also worry about automated attacks against old holes that are well-known and easy to exploit.
One problem with old exploits is that the crooks have had time to fine-tune their attack code so that they almost always get in if you haven’t patched. In other words, a new zero-day might give a 1% “it works” result on unpatched computers. But an old and well-practised exploit may give a 100% “it works” return if you haven’t patched, making you low-hanging fruit for far more than just the cutting edge of criminality.
People often put off patching either to save time or because they’re scared something might break. The problem is that the longer you leave it, the more time it will take when you get around to it, and the more likely that what will “break” will be crooks getting in.
3. Improve login hygiene, and consider two-factor authentication
Come up with a checklist that you use before giving someone remote access to your network. Remember that it’s not enough to trust the person: you also have to trust their computer, because a PC with malware on it that connects to your network is essentially letting cybercriminals in with it.
And consider requiring all remote users to have two-factor authentication (2FA). It costs a little more, and it is slightly less convenient when you come to log in. But it helps to prevent egregious attacks where a criminal steals (or guesses, or buys) one of your users’ passwords today and then uses it at their leisure to raid your whole network.
4. Heed warnings and look at those logs
Don’t collect logs just so you can look back and cry over spilt milk after a breach. Use them proactively to watch out not only for attacks, but also for otherwise-innocent behaviours you want to improve anyway.
If the logs from your patch assessment tool are trying to tell you that your remote sales guy in Kuala Lumpur somehow missed out on the last three Microsoft Word updates, do something about it!
If you don’t, the crooks will, because they don’t have to know you have a hole. They can just keep poking at you and everyone else, and they’ll know you had a security hole because they’ll succeed in breaking in!
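As an added illustration of “look at those logs” (example code written for this article, not from any patch assessment product), here is a small script that reads a constructed, hypothetical patch-assessment report and flags any host that is missing three or more updates for the same product, so the report gets acted on rather than filed away:

```python
import re
from collections import defaultdict

# Constructed sample output from a hypothetical patch-assessment tool:
# one line per (host, update) check. Hostnames, users and update ids are made up.
SAMPLE_LOG = """\
2015-04-01T09:00:00Z host=SALES-KL01 user=ravi product="Microsoft Word" update=WORD-2015-01 status=MISSING
2015-04-01T09:00:00Z host=SALES-KL01 user=ravi product="Microsoft Word" update=WORD-2015-02 status=MISSING
2015-04-01T09:00:00Z host=SALES-KL01 user=ravi product="Microsoft Word" update=WORD-2015-03 status=MISSING
2015-04-01T09:00:00Z host=SALES-KL01 user=ravi product="Windows" update=WIN-2015-03 status=INSTALLED
2015-04-01T09:00:00Z host=ACCT-01 user=jane product="Microsoft Word" update=WORD-2015-03 status=MISSING
2015-04-01T09:00:00Z host=ACCT-01 user=jane product="Microsoft Word" update=WORD-2015-02 status=INSTALLED
2015-04-01T09:00:00Z host=DEV-02 user=sam product="Windows" update=WIN-2015-03 status=INSTALLED
"""

# Strict format for the constructed log; lines that do not match are skipped, not guessed at.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'product="(?P<product>[^"]+)" update=(?P<update>\S+) status=(?P<status>\S+)$'
)

def parse_log(text):
    """Yield one dict per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def missing_updates(text):
    """Map (host, product) -> sorted list of update ids reported as MISSING."""
    missing = defaultdict(set)
    for rec in parse_log(text):
        if rec["status"].upper() == "MISSING":
            missing[(rec["host"], rec["product"])].add(rec["update"])
    return {key: sorted(ids) for key, ids in missing.items()}

def hosts_behind(text, threshold=3):
    """Hosts missing at least `threshold` updates for one product: chase these first."""
    return sorted(
        (host, product, len(ids))
        for (host, product), ids in missing_updates(text).items()
        if len(ids) >= threshold
    )

if __name__ == "__main__":
    for host, product, n in hosts_behind(SAMPLE_LOG):
        print(f"ACTION: {host} is missing {n} {product} updates")
```

Lowering `threshold` to 1 turns the same report into a full to-do list of every outstanding update per machine.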
5. Use encryption wherever you can, not just where the law says you have to
Regulators are becoming increasingly strict about encrypting sensitive data, to the point that the US Appeals Court recently ruled that it is unfair business practice not to protect your customers’ information.
Nevertheless, many small businesses stick to encryption as an unavoidable cost that goes with compliance, rather than as an investment that helps keep the business healthy. Similarly, home users often avoid encryption because they’ve heard stories that it may slow down their computer or cause compatibility problems.
However, wisely used, encryption gives you a valuable extra layer of protection against hackers, eavesdroppers, intellectual property thieves and many other sorts of cybercriminal.
The bottom line
No business is immune to data theft and loss, regardless of geography, size or industry sector.
Put these tips into practice and you’ll have not only defence, but also what’s known as defence in depth.
If you force the crooks to jump through multiple hoops to get into your network…
…then they have to get through every hoop, whereas you only need to block them at one, which turns the balance in your favour.