BUILD YOUR BUSINESS CYBER SECURITY FORCEFIELD

To protect your business from cyber villains you need to prepare for the battle. Create a strong cyber forcefield by implementing the following cyber security procedures.

1. Build a HUMAN FIREWALL

Clear out employees’ doubts by educating them and yourself.

The idea that technology can prevent all cyber-related incidents has never been further from the truth, because cybercriminals know the easiest way in is through your people. Security leaders must understand that there is no such thing as a perfect, fool-proof, impenetrable secure environment. Many organisations fall into the trap of using technology as the only means of defending their networks and forget that human awareness and intervention are paramount in arriving at a highly secured state.

Employee education is the easiest – and usually cheapest – IT security measure to implement: training and educating your employees, whatever the size of your business, should be one of your top priorities.

The Office of the Australian Information Commissioner reported in its Notifiable Data Breaches Report for July – December 2020 that the “Human factor dominates latest data breach statistics.” Australian Information Commissioner and Privacy Commissioner Angelene Falk said 38% of all data breaches notified during the period were attributed to human error, and added that “organisations need to reduce the risk of a data breach by addressing human error—for example, by prioritising training staff on secure information handling practices.”

2. Use antivirus software as a bare minimum

Anyone with a computer knows that antivirus software is just as essential as a keyboard and mouse. There’s just too much personal information on your computer these days to risk even a day without it.

Viruses, spyware and other malicious software or malicious code (malware) can stop your computer working properly, delete or corrupt your files, steal information, or allow others to access your computer and your personal or business information.

Your computer can be infected by malware in a number of ways, including:

  • clicking on false website links.
  • visiting websites that have been infected by malware.
  • downloading infected apps and files from the internet.
  • opening infected email attachments.

Antivirus protection works in the background while your other applications are running. Whenever you download and open a file or program your antivirus software is scanning it for any malware. It protects your computer.

Depending on the size of your network, whether you have remote workers, or whether you need centralised security controls, you may need endpoint security rather than plain antivirus software. Endpoint security aims to protect the IT infrastructure as a whole rather than just one device.

In the world of information technology (IT), an endpoint is any device (be it a laptop, phone, tablet or server) connected to a business network. Every time you connect a device to the network, you are creating a new endpoint.

3. Use a phrase or sentence, not one word, as your password

You’ve probably heard that strong passwords are critical to online security. The truth is passwords are important in keeping hackers out of your data! But according to the FBI, passphrases are far more secure than single-word passwords. The FBI recommends your organisation should:

  • Require everyone to use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase, or special characters.
  • Only require password changes when there’s a reason to believe your network has been compromised.
  • Have your network administrators screen everyone’s passwords against lists of dictionary words and passwords known to have been compromised.
  • To help prevent a denial of service attack against your email service, don’t lock a user’s account after a certain number of incorrect login attempts. That way, even if an adversary floods your network with purposefully incorrect login information, your users won’t be locked out of their accounts.
  • Don’t allow password “hints.”

Source: https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/oregon-fbi-tech-tuesday-building-a-digital-defense-with-passwords

A passphrase is similar to a password. It is used to verify access to a computer system, program or service. Use passphrases for all fixed and mobile devices.

When setting up a passphrase, ensure it is unique (not a famous lyric or phrase) and long, at least 15 characters.

Villains use sophisticated programs to crack passwords, such as brute force attacks and dictionary attacks, both of which can generate millions of password/passphrase attempts per second.

Passphrases will significantly increase security across all of your business’ devices. See below for a comparison of password vs passphrase security and the time and cost it would take for a Cyber Villain to break in.

Source: cyber.gov.au

Estimated time and cost to crack your password

| Password / Passphrase | Brute force attack (time, cost) | Dictionary attack (time, cost) | Easy to remember | Comments |
|---|---|---|---|---|
| password123 | Instantly, less than AU$0.01 | Instantly, less than AU$0.01 | Very easy (too easy) | One of the most commonly used passwords on the planet. |
| Spaghetti95! | 48 hours, AU$587.50 | Less than half an hour, AU$6.10 | Easy | Some complexity in the most common areas, and very short length. Easy to remember, but easy to crack. |
| 5paghetti!95 | 24 hours, AU$293.70 | Less than 1 hour, AU$12.20 | Somewhat easy | Not much more complexity than above with character substitution, and still short length. Easy to remember, but easy to crack. |
| A&d8J+1! | 2.5 hours, AU$30.60 | 2.5 hours, AU$30.60 | Very difficult | Mildly complex, but shorter than the above passwords. Hard to remember, easy to crack (against a brute force attack). |
| I don’t like pineapple on my pizza! | More than 1 year, more than AU$107,222.40 | More than 40 days, more than AU$11,750.40 | Easy | Excellent character length (35 characters). Complexity is naturally high given the apostrophe, exclamation mark and use of spaces. Very easy to remember, and very difficult to crack. |
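The FBI advice above asks administrators to screen passwords against dictionary words and known-breached passwords, and the table shows why length matters more than decoration. The following Python script is an added example, not code from the original page or from cyber.gov.au or the FBI. It applies the 15-character rule, a breach-list check and a dictionary-word heuristic to the table's own candidates, and estimates how long an exhaustive search of each one's keyspace would take. The breach list, the word list and the guess rate of one billion guesses per second are constructed assumptions, and the time estimates are an upper bound that does not reproduce the table's figures.

```python
import string

# Constructed stand-ins for the lists the FBI advice says administrators should
# screen against: a breach corpus and a word list. Real deployments load large
# lists (often stored as hashes) instead of these few literals.
BREACHED_PASSWORDS = {"password123", "spaghetti95!", "qwerty", "letmein"}
DICTIONARY_WORDS = {"password", "spaghetti", "pineapple", "pizza", "summer"}

MIN_LENGTH = 15           # the "15 or more characters" rule quoted above
GUESSES_PER_SECOND = 1e9  # assumed attacker throughput for the estimate below

# Undo the common substitutions (5 -> s, ! -> i, @ -> a, ...) that make a
# dictionary word look "complex" without adding real strength.
LEET = str.maketrans("0134578@$!", "oleastbasi")


def normalise(candidate: str) -> str:
    return candidate.lower().translate(LEET)


def check_passphrase(candidate: str) -> list:
    """Apply the screening rules; returns a list of findings (empty = accepted)."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED_PASSWORDS:
        findings.append("appears in the breached-password list")
    normalised = normalise(candidate)
    for word in sorted(DICTIONARY_WORDS):
        # Heuristic: a dictionary word plus at most four decorating characters
        # is still "one word", however it is capitalised or substituted.
        if word in normalised and len(normalised) - len(word) <= 4:
            findings.append(f"built around the dictionary word '{word}'")
            break
    return findings


def charset_size(candidate: str) -> int:
    """Size of the character classes the candidate draws from (lower, upper, digits, symbols)."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c in string.punctuation or c == " " for c in candidate):
        size += len(string.punctuation) + 1  # 32 ASCII symbols plus the space
    return size


def brute_force_seconds(candidate: str, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of this length over this character set.
    An upper bound only: a password on a breach list falls to the first few guesses."""
    return charset_size(candidate) ** len(candidate) / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable rendering of a duration in seconds."""
    for name, size in [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for pw in ["password123", "5paghetti!95", "A&d8J+1!", "I don't like pineapple on my pizza!"]:
        print(f"{pw!r}: findings={check_passphrase(pw) or 'none'}, "
              f"exhaustive search ~{describe(brute_force_seconds(pw))}")
```

Running it shows the point the table makes in a different way: by raw keyspace `password123` looks no weaker than `A&d8J+1!`, yet the screening rules reject it immediately because it is on the breach list and is a dictionary word with decoration. Only the 35-character sentence passes every check, and its keyspace is astronomically larger than any of the short candidates.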

4. Eliminate login risk with a multi-factor authentication process

Multi factor authentication is a security measure that requires two or more proofs of identity to grant you access.

Multi-factor authentication (MFA) typically requires a combination of something the user knows (PIN, secret question), physically possesses (card, token) or inherently possesses (fingerprint, retina).

The multiple layers make it much harder for criminals to attack your business. Criminals might manage to steal one proof of identity, e.g. a PIN, but they still need to obtain and use the other proofs of identity. Two-factor authentication (2FA) is the most common type of MFA.
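The "something you physically possess" factor is most often a one-time code from an authenticator app. As an added example (not code from the original page), the Python below implements the server side of the time-based one-time password scheme (RFC 6238, built on the HOTP algorithm of RFC 4226) that such apps use: the shared secret lives on the user's device, so a stolen PIN alone is not enough. The verifier accepts one 30-second step of clock drift either side, compares in constant time and rejects a code that has already been used. The secret value shown is the RFC test vector, not a real credential.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, submitted: str, at: float = None,
                last_counter: int = None, window: int = 1) -> int:
    """Server-side check. Returns the time-step counter the code matched, or None.

    - accepts the current step plus `window` steps either side (clock drift)
    - compares in constant time so response timing leaks nothing
    - refuses any counter at or before `last_counter`, which blocks replay of
      a code the attacker captured from an earlier login
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    at = time.time() if at is None else at
    current = int(at // STEP_SECONDS)
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); a real deployment
    # generates a random secret per user and shares it once via QR code.
    secret = b"12345678901234567890"
    now = 59  # RFC test time: counter 1, expected code 287082
    code = totp(secret, at=now)
    print("code:", code)
    used = verify_totp(secret, code, at=now)
    print("first use accepted at counter", used)
    print("replay accepted?", verify_totp(secret, code, at=now, last_counter=used) is not None)
```

The matched counter is what the server stores as `last_counter` for that user after a successful login; storing it is what turns "the code is valid" into "the code is valid and has not been used before".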

5. Keep your Software Up to date

How many times have you seen a software update pop up on your computer or phone and chosen to ignore it or hit the “remind me later” button?

Ransomware attacks continue to be a major attack vector for both businesses and consumers. One of the most important cyber security tips for mitigating ransomware is patching outdated software, both the operating system and applications. This removes critical vulnerabilities that hackers use to access your devices.

Here are a few quick tips to get you started:

  • Turn on automatic system updates for your device.
  • Make sure your desktop web browser uses automatic security updates.
  • Keep your web browser plugins like Flash, Java, etc. updated.

6. Don’t use public Wi-Fi

Don’t use public Wi-Fi without a Virtual Private Network (VPN). With a VPN, the traffic between your device and the VPN server is encrypted, which makes it much more difficult for a cybercriminal on the same network to get at your data. If you don’t have a VPN and security matters, use your mobile network instead.

7. Use VPNs, but ensure controls are implemented

A VPN, or virtual private network, is a secure and private network connection through the public internet. VPN services protect your personal data, hide your IP address when you use the internet, and let you bypass censorship, content blocks and website restrictions.

VPN connections can be an effective means of providing remote access to a network; however, VPN connections can be abused by an adversary to gain access to a network without relying on malware and covert communication channels.

User accounts

User accounts for VPN connections should be separate from standard user accounts. This will limit the activities that can be performed by an adversary should a VPN user account be compromised.

Further, the permissions applied to VPN user accounts should be restricted to each user’s required level of access. This will minimise the severity of a successful compromise. VPN user accounts with minimum permissions, that can only perform basic operations on a network, will also impede the ability of an adversary to gain a foothold on a network.

Finally, access to applications, servers and shared resources on a network should only be granted where necessary for users to perform their duties. For example, if a user only needs access to email services, they should be denied access to file servers.

8. Eliminate joint Wi-Fi connections for employees and guests

Companies should provide a guest Wi-Fi network that is separate from their private network infrastructure. Hackers can penetrate a victim’s computer without their knowledge and then pivot to other information systems. Ensuring that only computers and devices approved by a company’s information security personnel have access to the private network will make it more difficult for attackers to penetrate that barrier.

9. Back up your Data

Regularly back up the data on your personal computer, phone or tablet to the cloud or to external hard drives. This will protect you from data loss caused by hardware failure, breakage, theft, or malware infection such as ransomware.

Setting up automatic backups and restoring your files:

  • Choose a backup system that’s right for your business.
  • Regularly test that you’re able to restore from your backup.
  • Store a physical backup somewhere safe offsite.

If you do not have automatic backups, daily backups are recommended, or weekly at a minimum.
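A backup you have never restored is only a hope. The Python below is an added example, not the page's own procedure, of the "test you're able to restore" step: it archives a folder, records a SHA-256 digest for every file at backup time, restores the archive into a scratch directory and reports anything missing or changed. The sample folder and file contents are constructed inline; the second run deliberately edits a live file after the backup to show how the drill exposes a backup that has gone stale.

```python
import hashlib
import pathlib
import tarfile
import tempfile


def manifest(root: pathlib.Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(src: pathlib.Path, archive: pathlib.Path) -> dict:
    """Write a gzip tarball of src and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(src)))
    return manifest(src)


def verify_restore(archive: pathlib.Path, expected: dict) -> list:
    """Restore into a scratch directory and list anything missing or changed."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses members that would escape the target
                # directory (Python 3.12+, backported to recent 3.8-3.11 releases).
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        restored = manifest(pathlib.Path(scratch))
    problems = [f"missing: {name}" for name in expected if name not in restored]
    problems += [f"changed: {name}" for name, digest in expected.items()
                 if name in restored and restored[name] != digest]
    return sorted(problems)


def run_drill() -> tuple:
    """Constructed end-to-end drill: back up a sample folder, restore it, compare."""
    with tempfile.TemporaryDirectory() as work:
        work = pathlib.Path(work)
        src = work / "documents"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2020-q4.csv").write_text("id,amount\n1,250.00\n")
        (src / "notes.txt").write_text("quarterly review notes\n")
        archive = work / "documents.tar.gz"

        expected = create_backup(src, archive)
        fresh = verify_restore(archive, expected)      # backup matches live data: []

        # Simulate a stale backup: the live data changes after the last backup ran.
        (src / "notes.txt").write_text("notes edited after the backup\n")
        stale = verify_restore(archive, manifest(src))  # drill reports the drift
    return fresh, stale


if __name__ == "__main__":
    fresh, stale = run_drill()
    print("fresh backup problems:", fresh or "none")
    print("stale backup problems:", stale or "none")
```

For the offsite copy the same check applies: run `verify_restore` against the archive you keep offsite, not only the one on the office drive, and keep the manifest somewhere the backup job cannot overwrite it.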

10. Mobile Security

According to McAfee Labs, your mobile device is now a target to more than 1.5 million new incidents of mobile malware.

Here are some quick tips for mobile device security:

  1. Create a difficult mobile passcode, not your birthdate or bank PIN.
  2. Install apps only from trusted sources.
  3. Keep your device updated; hackers use vulnerabilities in unpatched older operating systems.
  4. Avoid sending PII or sensitive information over text message or email.
  5. Use Find My iPhone or the Android Device Manager to locate a lost or stolen device.
  6. Perform regular mobile backups using iCloud, or by enabling Backup & Sync on Android.

11. Buy Cyber Insurance

“A cyber policy is part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack.”

Every business that has a website or electronic records is vulnerable to cybercrime or an accidental data breach – and the consequences of a cyber incident can be very costly.

Depending on the situation, you may be up for the cost of ransoms or IT solutions to unlock and repair your systems. You could also be liable for the costs of reporting the breach, legal claims, and remediating any losses suffered by your customers or clients.

Remember, a cyber attack or data breach may cost your business more than just money. It could threaten your intellectual property, put your customers’ personal information at risk and cause major damage to the reputation of your company.

12. File Sharing

When sharing files with friends and colleagues using the internet, email, CDs or memory sticks, activate your security software (firewall and anti-virus) and scan files to make sure they are not infected.

Do not assume that because a file was sent or given to you by someone you know, it is safe. Plugging in a removable device can infect your computer if it is not protected.

HINTS & TIPS

When sending and receiving files via email, remember the following:

  • Never open an attachment from a source you do not know or are unsure about.
  • Even if you are comfortable about the source of the file, scan it before opening using your anti-virus software.
  • Set your anti-virus software to scan every incoming and outgoing email and attachment automatically.

Portable storage includes CDs, DVDs, memory sticks or external hard-drives. When using these devices:

  • Never connect or insert a storage device into your computer or open files if you are unsure of its origin or owner, or if your anti-virus software is not up-to-date.
  • Scan your device before opening any files using your anti-virus software.
  • If you are sending files to someone else, save the file to the portable device, then scan the device using your anti-virus software before giving it to them.


13. Protect Accounts

Remove admin privileges from users who don’t need them

That means you must revoke the rights of those who don’t need them. When more people have access to company data but are not knowledgeable about information security, the risk of data and security breaches for your business goes up. Limit the number of users with administrative privileges. The rule is: don’t be generous; ask what the user really needs for their everyday work. Don’t hand out security shortcuts.

What is the difference between a standard user account and an administrator account?

A standard user account has only partial control of the computer and usually cannot make changes that affect other users on the computer. A standard user account should be used for everyday tasks, such as editing photos and browsing the web.

Administrator accounts are the ‘keys to the kingdom’, as they give a user full control of the computer. Cybercriminals will target administrator accounts in order to take full control of a user’s computer. By not using an administrator account for everyday use you will help limit what a virus or exploit can access if your computer becomes infected.

The daily use of an administrator account on a computer can be likened to a caretaker using an apartment block master key to enter their own apartment, instead of the dedicated apartment key. Whilst the apartment key and the master key achieve the same purpose for the caretaker (and the master key might seem convenient for their day job), carrying a master key all the time exposes the caretaker to a greater risk of compromise.

Whatever the nature of your business, the principle of least privilege is the safest approach for most small businesses. It gives users the bare minimum permissions they need to perform their work. This also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.

14. Cleanse (or at least limit) BYOD

While a large majority of companies now permit employees to use their own devices for work, they have concerns over security and privacy. What can be scarier is that some organizations are extending the BYOD (bring your own device) practice to contractors, partners, customers, and even suppliers. Security concerns are the main barrier to BYOD. The main worry is data leakage, followed by unauthorized access to data and an inability to control uploads and downloads.

15. Be Careful on Social Media

Social media is a great way to keep in touch with friends and family. But, be aware of what you are sharing online. Criminals and hackers can learn a lot of information about you by observing your public profile. And just like you wouldn’t share all your personal information with a stranger, you shouldn’t share it all online either.

Why your business needs protection

Top Causes of Security Breaches

Hacking, phishing, and malware incidents are becoming the number one cause of security breaches today. But, what’s more troubling, these hacking attempts are the result of human errors in some way. Education and awareness are critically important in the fight against cybercriminal activity and preventing security breaches.

91% of all cyber attacks begin with Human Error.
(Deloitte report 9/1/2020)
