Every business, no matter how large or small, should be prepared to make a larger investment in cyber-security; data shows that 73% of businesses admit to having inadequate defences.
The numbers are concerning, and while some businesses are taking steps to appropriately protect their systems, many continue to ignore how serious the risk actually is. And that’s exactly what cyber criminals count on:
“It’s the hacker’s job to find those places people aren’t going into or thinking about. They run a business, after all, and they want to find where those new opportunities are [and capitalize on them].” (Jim Love, ITWC via IT World Canada)
Business leaders also need to understand that cyber-security is more than an IT problem: it should be implemented as a company-wide effort that requires everyone to be involved. Your security team should manage the technical aspects; however, the entire team should receive regular training and real-time communication about past, present, and emerging threats.
To help you get started, SIRKit has put together a list of common pitfalls and best practices your business should look into. This is not a complete list; you should absolutely consult your IT security professionals for more.
Many recent and highly publicized breaches were the result of missing updates. For example, Equifax was the victim of a vulnerability contained within Apache Struts. A critical flaw was discovered in the software; however, Equifax neglected to patch its systems in a timely manner and, as a result, over 140 million U.S. and approximately 100,000 Canadian consumers’ names, addresses, SINs, and credit card numbers were compromised.
Unfortunately, too many organizations neglect to perform regular updates to their systems.
Our advice? Update everything. Repeat - EVERYTHING. This includes (but is not exclusive to) the following:
Windows Operating Systems (Monthly)
Apple Operating Systems (Monthly)
3rd party applications (e.g. Chrome, Mozilla, iTunes, Java, etc.) (Weekly)
Routers, Switches, Printers, Firewalls, Wireless APs, Phones, etc. (Monthly)
Firmware and BIOS (Semi-annually)
Internet of Things (IoT) - All web connected devices and equipment such as cars, phones, thermostats, surveillance systems. (Weekly)
In the event of a major security issue, update your systems very quickly. Applying updates to everything can be time-consuming, so use built-in automatic updates where possible, or subscribe to a good MSP (Managed Services Provider) that can take care of it all for you. Their services typically include a preventative maintenance process and zero-day updates.
Recent data shows that over 80 percent of breaches succeed through stolen or weak passwords, yet many users continue to use dangerous password methodologies. Did you know a password that is 8 characters long can be broken in less than 18 milliseconds?
Going forward, mandate stringent password measures throughout the organization:
Configure systems to force password updates after 3-4 months
Never use similar passwords (e.g. “MyKidsAreAwesome1”, “MyKidsAreAwesome2”)
Use passphrases instead of complex passwords
Use passphrases that are at least 16 characters in length and include a minimum of 4 words
Passphrases should never contain anything that relates to you
Passphrases shouldn’t create a proper sentence; randomize the words
Never reuse passwords or passphrases on multiple systems (this is critical!)
Never use the default passwords (e.g. routers, cameras, etc.)
Never send passwords by e-mail (consider using pwpush.com)
Never write passwords down; use a password manager like LastPass or Dashlane
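The passphrase rules above can be enforced in code. The following is an added example, not part of the original article: a generator that picks random words and a checker for the length, word-count, personal-information and "similar password" rules. The word list, function names and parameters are assumptions made for illustration.

```python
import math
import re
import secrets

# Constructed sample word list. It is far too small for real use: a real
# deployment would load a list of several thousand words.
WORDS = ["anchor", "biscuit", "copper", "dolphin", "ember", "fjord", "glacier",
         "hammock", "ivory", "jigsaw", "kettle", "lantern", "magnet", "nectar",
         "orbit", "pebble"]

def generate_passphrase(words=WORDS, count=4, min_length=16, sep=" "):
    """Pick `count` words with a CSPRNG; retry until the length rule is met."""
    while True:
        phrase = sep.join(secrets.choice(words) for _ in range(count))
        if len(phrase) >= min_length:
            return phrase

def entropy_bits(wordlist_size, count):
    """Entropy of `count` words drawn uniformly at random from the list."""
    return count * math.log2(wordlist_size)

def _stem(secret):
    # Drop trailing digits/punctuation and case, so "...1" and "...2" match.
    return re.sub(r"[\W\d_]+$", "", secret).lower()

def check_passphrase(candidate, previous=(), personal_terms=()):
    """Return the list of rules the candidate breaks (empty means acceptable)."""
    problems = []
    if len(candidate) < 16:
        problems.append("shorter than 16 characters")
    if len(candidate.split()) < 4:
        problems.append("fewer than 4 words")
    lowered = candidate.lower()
    if any(term and term.lower() in lowered for term in personal_terms):
        problems.append("contains a personal term")
    if any(_stem(candidate) == _stem(old) for old in previous):
        problems.append("too similar to a previous password")
    return problems

if __name__ == "__main__":
    print(generate_passphrase())
    print(check_passphrase("MyKidsAreAwesome2", previous=["MyKidsAreAwesome1"]))
```

The entropy function shows why the size of the word list matters: four words from this 16-word sample give only 16 bits, while four words from a 7,776-word list give about 51 bits.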
By definition, multi-factor authentication (MFA) is a system that requires more than one method of authentication from independent categories of credentials to verify a given user's identity for a login or other transaction.
In plain English, this means in addition to a password, you need to provide a secondary piece of information during the login process.
There are numerous types of MFA, including (but not exclusive to):
Text messages (unique code is sent)
E-mail (unique code is sent)
Mobile Applications (e.g. Google Authenticator)
Physical items - Magnetic strip cards, smart cards, carded security codes, USB drives
Biometrics - Voice recognition, fingerprint scans, retina scans, facial recognition, etc.
If you’ve used text messages for MFA in the past (most likely two-factor authentication), you should stop, as the messages can be intercepted under the right circumstances. Instead, we recommend the Google Authenticator app (if it works with the particular application). It proves you are you by generating a unique code on your mobile device. It's a test that doesn't involve any communication between the two computers, and thus prevents interception.
In many situations, malware and ransomware are effective because the user was provided administrator privileges or unrestricted access to shared content. Users should be locked down to prevent substantial risk to the entire organization.
In ransomware scenarios, the infection is generally contained to information the user has access to.
In a business environment, ensure UAC (User Account Control) is enabled, avoid giving users administrator privileges, and ensure all shared content is locked down to an “as needed” basis.
This includes locking down the senior management team.
First and foremost, an antivirus solution is not an all-encompassing answer to cyber-security. An antivirus offers some protection for the machine it's running on, and even in that fashion, it has its own limitations. You need much more than an antivirus to protect the entire network.
Additionally, modern threats need modern solutions. Traditional antivirus (AV) technologies require definitions built on predefined patterns to identify most threats. As the number of threats released daily continues to climb, the traditional antivirus can’t keep up because most of these patterns are created in some fashion by humans.
Modern security solutions are emerging that use AI, machine learning, and real-time behavioral analysis to get ahead of the curve. This is essential for zero-day exploits. Instead of waiting for updates to arrive, these systems analyze the system for suspicious activity.
Look up Intercept X by Sophos, an advanced endpoint security system that we highly recommend.
Certain types of equipment or systems should be isolated.
For example, guest wireless and staff smartphones, IoT such as surveillance, door access control, and audio, should not be positioned on the same network as your servers or users.
Isolating equipment to specific networks prevents compromised systems from being able to attack critical servers that house sensitive information.
Setting this up requires the right equipment and expertise, so ensure you use an experienced technician.
This “old school” tactic is commonly overlooked. Not all hackers focus exclusively on digital channels to access your information. Dumpster diving through recycling is an easy way to obtain documents that have sensitive information. We recommend following this practice at home too, to combat identity theft.
Long live the paper shredder, people! If you printed anything with ANY of your information on it, shred it.
As you can see, cyber-security for 2018-19 can be complicated, and any attempt to manage it yourself can leave you vulnerable to advanced threats. Don’t let your business become another statistic. Learn more about our services and how SIRKit can put together a custom package to serve your unique cyber-security needs. Contact us today.