Small and medium businesses are the backbone of the economy, employing more than half of all private sector workers and contributing 50 per cent of UK GDP. Now, imagine you are a cyber criminal and you are picking your next targets. Do you go for the businesses which cumulatively have vast sums of money, but lack security controls (most likely) or do you go for the large enterprises which probably have an internal security team which focuses solely on protecting the company's assets? It's not like the movies - hackers don't want a challenge, they want your money and will go for the low-hanging fruit.
Whether you have in-house IT support or you use a third party, here are some tips for protecting your company:
When a vulnerability is found in an operating system by the manufacturer, they work out how to patch the problem and send out fixes to all registered users. These are the software updates that pop up now and again on your screen. Some companies rely on staff to apply these upgrades, whereas some manage them centrally. Either way, patch immediately. A published vulnerability is a security hole hackers know exists, and they also know that millions of people won't bother to patch it. Until every computer is patched, you are susceptible to a security breach.
Upgrade Windows XP as soon as possible
In April, Microsoft will cease support for Windows XP. This means that any vulnerabilities with the operating system will not be fixed. Essentially, it will open the door to hackers who find these faults and use them to gain entry to your network via malware. It's highly likely that many of these faults have already been found by hackers and they are holding them back, just waiting for April, when they will unleash a barrage of cyber attacks globally. The only way to avoid becoming a victim is to upgrade your operating system before the support ends. Operating systems launched after Windows XP were designed with security as a priority, so are a far better option.
Mobiles and tablets need protection too
There is little point protecting your computer network if the mobile devices which also link into it are not protected. To a cyber criminal, each one is an access point to be exploited. People are still becoming accustomed to the concept of securing mobile devices, but consider what would happen if a criminal gained access to your work phone - the contacts, the emails and the financial information they would have access to, not to mention the data on your network they would be able to use as well. Whether your staff are using company-provided or personal devices, they must all have mobile security running on them.
Back up and synchronise
There has been a spate of ransomware attacks in the past year and these are set to become more commonplace. Once attacked, a message will appear on your screen telling you your files or computer has been encrypted and it will demand a ransom to give you access again. Of course, there is no guarantee you will get access. By backing up all of your content on an automatic basis, you are in a better position if such an attack occurs, as you haven't lost your content. But be warned, the backup must be offline or the ransomware could possibly encrypt this too.
Use up to date antivirus software
AV works as a community. When a new piece of malware is detected trying to gain access to a computer or mobile device, it is quarantined and sent to AV labs for testing and breaking. Once the signature of the virus is defined, it is sent to every registered user of that lab's software to protect them in future from this new threat. This can happen in as little as eight seconds! Without up to date AV software, you don't have this protection. At the time of writing this, our labs had detected 15,742 malware variants in the last 24 hours alone, which gives a little perspective on the size of this problem.
Ensure your cloud and virtual environments are also secure
Virtualisation is becoming more and more commonplace with small and medium sized businesses (SMBs) rapidly adopting the technology in order to increase performance and reduce costs. As you can imagine, securing these environments is also important to prevent unwanted eyes prying on your private corporate information.
Give employees privacy screens
These are easy to use screens which clip onto a laptop screen or can be put on mobile devices. The user won't notice any difference in the screen when they look at it head-on, but the person next to them will not see anything but a black screen. This is particularly good for commuters and business travellers.
Secure your WiFi (circa 2001)
More than ten years after WiFi started to become prevalent in UK businesses, it is surprising how many networks are still unsecured. As a minimum, use "WPA2" (WiFi Protected Access II) encryption rather than WEP (Wired Equivalent Privacy), which is relatively easy to crack. Little more can be added to the subject, except: secure them!
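One way to turn that advice into a check, as an added example that is not part of the original article: the script below parses hostapd-style `key=value` access point configuration and flags an open network, WEP keys, WPA (version 1) fallback and the TKIP cipher, leaving only WPA2 with AES (CCMP) unflagged. The two configurations are constructed for illustration; the key names (`wpa`, `rsn_pairwise`, `wep_key0` and so on) are the ones hostapd uses, but any real audit should read the access point's own settings rather than these samples.

```python
# Constructed hostapd-style configurations for illustration only; the
# SSIDs, keys and passphrase are not from any real deployment.
WEAK_CONF = """\
interface=wlan0
ssid=OfficeNet
# WEP: a static key shared by every client, broken for years
wep_default_key=0
wep_key0=ABCDEF0123
"""

STRONG_CONF = """\
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=long-random-passphrase-goes-here
"""


def parse_conf(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_wifi(conf):
    """Return a list of findings; an empty list means WPA2 with CCMP only."""
    findings = []

    # Any wep_key0..wep_key3 entry means WEP is in play.
    if any(key.startswith("wep_key") for key in conf):
        findings.append("WEP keys configured: WEP is easily cracked, move to WPA2")

    # In hostapd, wpa is a bitfield: 0 = none, 1 = WPA, 2 = WPA2 (RSN), 3 = both.
    wpa = conf.get("wpa", "0")
    if wpa == "0" and not findings:
        findings.append("open network: no encryption configured at all")
    elif wpa in ("1", "3"):
        findings.append("WPA version 1 allowed (wpa=%s): set wpa=2" % wpa)

    # TKIP was the stop-gap cipher for WPA; CCMP (AES) is what WPA2 should use.
    ciphers = (conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP cipher allowed: use rsn_pairwise=CCMP")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("strong", STRONG_CONF)):
        print(name, audit_wifi(parse_conf(text)) or ["OK: WPA2/CCMP"])
```

Running the script prints one WEP finding for the weak configuration and `OK` for the strong one. The check is deliberately conservative: it says nothing about passphrase quality, so a WPA2 network protected by a short dictionary word would still pass and needs the password advice below it.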
It is great to hear that, for the first time ever, 'Password' is no longer the most commonly used password. Unfortunately, it has been replaced by '123456'. Hackers use tools which try multiple combinations to crack passwords. The most common ones (like '123456') are tried first. After that they try word combinations, sometimes helped along by information they find about people online, such as their birthday. Adding symbols and numbers makes it a lot more difficult to crack.
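The ordering described above (common list first, then guesses built from personal details, then brute force over the character set) is exactly the order a defender's password check should mirror. The script below is an added example, not code from the original article: it rejects passwords on a short constructed common-password list, rejects ones containing details an attacker could look up (a name, a birth year), and otherwise estimates the brute-force work from the character classes used, which is where adding symbols and numbers earns its keep. The thresholds of 12 characters and 60 bits are assumptions for illustration.

```python
import math
import string

# Constructed, deliberately short list of frequently chosen passwords; a real
# deployment would load a breach-derived list of millions of entries.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "welcome", "monkey", "iloveyou",
}

# Character classes; the search space grows with each class actually used.
CHAR_CLASSES = (
    ("lower", set(string.ascii_lowercase)),   # 26
    ("upper", set(string.ascii_uppercase)),   # 26
    ("digit", set(string.digits)),            # 10
    ("symbol", set(string.punctuation)),      # 32
)


def alphabet_size(password):
    """Size of the smallest alphabet that covers every character used."""
    return sum(len(chars) for _, chars in CHAR_CLASSES
               if any(c in chars for c in password))


def brute_force_bits(password):
    """log2 of the exhaustive-search space over the alphabet used."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def assess_password(password, personal_hints=(), min_length=12, min_bits=60):
    """Return (accepted, reason), checking in the order cracking tools work."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "on the common-password list, tried first by cracking tools"
    for hint in personal_hints:
        if hint and hint.lower() in lowered:
            return False, "contains personal detail %r that can be found online" % hint
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    bits = brute_force_bits(password)
    if bits < min_bits:
        return False, "only %.0f bits of brute-force work (want %d)" % (bits, min_bits)
    return True, "%.0f bits of brute-force work" % bits


if __name__ == "__main__":
    # Constructed sample inputs; "alice" and "1985" stand in for a user's
    # name and birth year as an attacker might find them on social media.
    for candidate in ("123456", "Password", "correcthorse", "Alice1985!!xyz", "Tr0ub4dor&3!"):
        print("%-16s %s" % (candidate, assess_password(candidate, ("alice", "1985"))))
```

Twelve lowercase letters give about 56 bits, while twelve characters drawn from all four classes give about 79, which is the article's point about symbols and numbers in numeric form. Length matters just as much: the 60-bit bar is cleared by 13 lowercase letters alone, so a policy should reward long passphrases rather than only complexity.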
Trust me, your data is more interesting than you think it is
There is often a malaise amongst SMBs that their data isn't going to be that interesting to anyone, so there is no need to protect it. But your competitors care about it, as it means they would be able to undercut you on bids. You care about it, because you would pay a cyber criminal for it were they to hold it to ransom. And cyber criminals care about it because it gives them access to your financial accounts. Never underestimate the value of your livelihood to others.
Prepare your people
Computers don't make mistakes, people do - we've all heard this. Employees are often the weakest link when it comes to digital security, so teach them. Create a security policy which sets out how they are to behave online and your expectations of them. Run regular sessions on security in general, and explain why it's important to them personally and to your business. They hold a great deal of responsibility, so need to be taught the dangers and given processes to follow.
Accept that devices will get lost/stolen
It happens to the best of us, so be prepared for it. Recently, I lost my phone in a bar in Stockholm. I remotely wiped the phone of all data using the mobile security software running on it. My replacement phone arrived the next day and I was able to upload all of my contacts and data onto it immediately, as everything had been backed up. Losing devices is inevitable, but losing time and content is entirely avoidable.
Follow Allen Scott on Twitter: www.twitter.com/@fsecureukteam