Top 5 cyber security actions for small and medium business
With the recent high profile Uber and Optus cyber attacks in September 2022 having received widespread media coverage, public interest in hacks and cyber risks has never been higher. It’s never been a more pertinent time to look at your own cybersecurity and wonder if you’re doing enough (..no, you’re not!) and if it should be improved (..yes, it should! Consider visiting our Cyber Security as a Service page for help getting started).
We get asked a lot of questions about cyber security, such as “What should a small to medium sized business do to protect itself from cyber threats?”, “What should our cyber security stance be?”, and “How does activIT protect us and our customers from attack?”. If only the answers were straightforward!
Every company operates differently and faces different types of cyber threats. Even so, there are some absolutely essential recommendations that ALL organisations need to follow.
Cyber security mindset must be open to change – and fast
Defensive cybersecurity evolves FAST; it twists, it turns, pirouettes, it waves its jazz hands at the hackers (who issue a rude finger to said jazz hands and evolve as well). What worked last year, last quarter, last month, is likely not going to work this year, this quarter, this month.
A successful cyber security strategy recognises that attackers adapt and adopt new tactics all the time; attackers do not rely on a single tactic nor remain stagnant, so nor should your defensive efforts. Cyber defence, protections, and resiliency need to constantly change and improve as new threats emerge, and must not be bound to any one course of action.
This mindset needs to be at the top of the organisation. Business owners and managers who have this mindset have already started their cyber journey and are miles ahead of those who haven’t. Who is more likely to be hacked?
Cyber awareness training for your team
The largest percentage of cyber risk for any organisation comes from the humans it employs. Despite best intentions, people make mistakes and are easily manipulated by hackers. It only takes one person to make a mistake, once. Traditionally people are targeted with social engineering, email phishing, or credential harvesting (with fake logon screens), but recently there has been a huge increase in phishing attempts coming from trusted third parties who you normally work with, but who have themselves been hacked.
Teaching your team about the types of attacks and what to look out for is important, but it is even more effective to teach them:
- their workplace cares about cybersecurity and takes it seriously
- their identity is the key that unlocks countless doors in business and personal life – and most people’s identity is tied to their smartphone
- many attacks aimed at people can be thwarted by critical thinking, scepticism, and slowing down a smidge
- how to be a cyber champion and help protect those around them
We run Cyber Security Awareness and Training workshops regularly, with the whole team at Noshu, a national healthy snack food producer (low sugar, low carbs, super tasty!) recently completing their cyber training with us.
Check out this video of what cyber awareness education is all about and why it plays such a vital role:
Good password hygiene and security
We cannot stress enough the importance of good “password hygiene” – that is, a practice that uses cryptographically strong passwords and a secure way to store passwords and credentials within your organisation.
Far too often we see Word, Excel, or Notepad documents with plain text, unencrypted passwords, usually named “office passwords.docx”, available for staff to utilize as they need. If you’re unlucky enough to have a hacker get into your systems, we guarantee you this document will be found quickly and they’ll use it to their advantage against you. Why would you voluntarily give them the keys to unlock more of your doors?
With password managers so easy to deploy and use, it’s almost a crime not to have one running. A password manager will also help you avoid the dreaded password re-use, where the same credentials are used in multiple places. We use and recommend Bitwarden for password management, and it is part of our Cyber Security as a Service solutions.
For a bit of a laugh check out this list of Most Common Passwords in Australia in 2022 and see if one of your passwords is on the list!
Multifactor authentication and single sign-on
Many of us are now familiar with multifactor authentication when logging in to systems – it combines something you know (your username and password) with something you have (a one-time token, smartphone authenticator, YubiKey) to better protect your accounts. But did you know that many cloud and on-premise applications can now integrate with systems like Microsoft 365, so you use the same logon for those services as well? When coupled with some of the advanced identity protection features in Microsoft 365, you get a pretty rock solid identity management platform PLUS the convenience of fewer sets of credentials.
By the way – when choosing multifactor authentication methods, we highly recommend AGAINST two of them. The first is “push” notifications, where your phone asks you to tap Approve or Deny; these can be subject to “MFA Spam” or “MFA Fatigue” attacks. The second is SMS authentication, which is vulnerable to an attack method called SIM-jacking, where a hacker impersonates you and arranges for your phone number to be transferred to a new SIM in their possession, so that your SMS authentication codes are sent to them. This will be an especially hot topic due to the recent Optus attack in September 2022.
We highly recommend taking advantage of some of Microsoft’s newer authentication techniques, such as passwordless logon. Quick and easy to set up, it removes a large portion of the risk associated with old-school MFA logons.
Old-school IT security fundamentals are hip again
You cannot build a strong cyber posture without having a base to work with – good old fashioned IT security practices go a long way to protecting your business.
Here are the core IT security fundamentals that we often find in horrible shape when we start working with a new client. None of them require heavy dollar investment or anything special; just good configuration practices and governance.
- Backups – not just data, but systems crucial to your business process
Too often we see horrible backup strategies that have never been tested, don’t work properly, and are too easy for hackers to tamper with. Easy to fix!
- Antivirus and antimalware software – across all systems
In July 2022 we started work with a new client who had half their systems running one vendor’s antivirus, a quarter running a different vendor’s product, and the other quarter of systems with NOTHING at all. Easy to fix!
- Operating system and application patching
Not glamorous, but vital for the health of your IT systems: patches from vendors often fix security vulnerabilities, and with nearly 70 vulnerabilities being announced each day in 2022... what are you waiting for? Easy to fix!
- Principle of Least Privilege!
The “P.O.L.P.” dictates that a user account should not have permission to perform tasks or access information that is not required for its day-to-day function – for example, Bob from Accounting doesn’t need global administrative access to the entire network; he just needs access to Accounting. Too often we see POLP ignored for the sake of convenience. Reasonably easy to fix!
These old-school fundamentals are addressed as part of our regular Managed IT Support, the type of work we do on a day in, day out basis.
IT and cyber security starts with getting the basics done right before anything else. When the above cyber security actions are in place and properly configured, you’re operating with a basic cyber security posture and a great platform to build on. As your cyber security posture and maturity increase, they build on these five fundamentals by adding additional layers of defence.
Need cyber security help for your organisation? Drop us a line below or call us on 1300 228 480.