Cyber Security Best Practices for Small Businesses
Cyber Security is All About Risk Management
Cyber security is all about risk management. There is no such thing as being 100% secure or completely eliminating risk. The goal is to mitigate risk to an acceptable level, and to make your systems, networks and users a difficult target such that attackers will look for an easier target elsewhere. The vast majority of cyber attacks are automated, and the most likely targets are those organizations that have not implemented basic security hygiene measures. Below is a list of basic security practices that apply to any organization, regardless of size. It is important to keep in mind that this is a minimal list of security controls from a Storable perspective, and depending on your business and budget, you may need or choose to do more, especially if your organization is subject to any state, federal or industry compliance requirements.
Securing the endpoints (e.g. laptops, desktops and mobile devices) is critical as many of today’s threats look to take advantage of weaknesses at the endpoints. Increasingly, staff often work from remote locations and we no longer have a strong perimeter to protect our endpoints. The endpoints themselves need to be resistant to attacks. Below are some controls that are important to have in place to protect them:
- Advanced Endpoint Protection Software – Traditional signature-based antivirus software is no longer good enough. It is important to utilize endpoint protection software with advanced capabilities based on machine learning and artificial intelligence (AI). Example vendors include:
- Encryption – Full disk encryption will help ensure that if a device is lost or stolen, the data stored on that device cannot be accessed by anyone other than the owner of the system. This is particularly important for laptops, tablets and phones. Most current versions of Android and Apple phones have disk encryption enabled by default. This can be verified in the device’s settings. Laptops typically need to have full disk encryption enabled by the owner/administrator of the system. Fortunately, both Windows and MacOS provide this capability with Bitlocker (Windows) and Filevault (MacOS).
- Automated Patching – Ensure that endpoints are configured to automatically install security patches for both the operating system and third-party software. Windows and MacOS are both configured to install security patches automatically by default. Many third-party software products do as well, but not all. So it’s important to make sure that security patches are installed regularly for all software.
- Limit Admin Access – When using a computer system for general purposes, make sure to use an account that does not have administrator privileges. If something needs to be done on an endpoint that requires administrator rights, login with a different admin user account to perform those tasks, and then logout when finished. Daily use should be performed using accounts that do not have administrator rights.
- Hardware and Software Inventory – It is important to maintain an accurate inventory of all endpoints and installed software. You cannot secure systems if you don’t know what you have.
Email and Web Security
Email and web browsing are two of the primary attack vectors utilized by attackers today. It is very important to make sure your email system detects and blocks malicious emails before they make it to the user’s inbox. Similarly, employ software to block access to malicious websites. Below are some important controls to reduce the risk of email and web-based attacks:
- Email Vendor – Use a reputable vendor such as Microsoft or Google. Both do a very good job of detecting and blocking malicious emails such as phishing, and invest heavily to stay ahead of these attacks. They also provide the ability to implement additional security controls such as allow lists and block lists.
- Web Protection – Implement software that will prevent users from accessing malicious websites. Many endpoint protection tools have this capability, but there are also network-based solutions that will block access to known malicious websites. Some examples include:
- Cisco Umbrella
Most attacks today focus on the end user. The reason being is that it is easier for an attacker to have a user click on a malicious link or divulge a password than it is to try and circumvent network and software security controls. Below is a list of controls that focus on the end user that Storable also employs:
- Security Awareness Training – All computer users should be provided with security awareness training. This is extremely important so that users will be able to recognize and defend against attacks such as phishing. Some good security awareness training vendors include:
- Passwords – Passwords are typically the first line of defense against unauthorized access to your systems. As such, it is important to implement a strong password policy that will make it difficult for attackers to guess or otherwise obtain these credentials. In general follow these guidelines:
- The longer the password the better. Use a minimum password length of 12 characters.
- Encourage the use of a passphrase.
- Use software to prevent users from choosing a password that is easily guessable or already known to have been compromised.
- Multi-factor Authentication (MFA) – Reusable passwords should be supplemented with MFA wherever possible. MFA raises the bar significantly for attackers and prevents the most basic and common types of attacks where the attacker obtains the user’s credentials and uses those for unauthorized access to a system.
Since most attacks occur across the network, it is important to ensure that network traffic is properly managed. This includes both wired and wireless networks. Below are a few actions that can be taken to prevent attackers from accessing your network:
- Firewalls – Firewalls should be installed and configured to deny all traffic by default. Then add rules to allow only that traffic that is required for business purposes. This applies to both network firewalls and host-based firewalls installed on your endpoints. Also be sure to limit both inbound and outbound traffic.
- Wifi – Most devices connect to the network over a wireless network, and it is very important to make sure this wireless traffic is secured. Enable wifi encryption using either WPA2 or WPA3, and do not expose the management interface of your wifi controller to the Internet. And as with your endpoints, be sure to keep your wifi network devices up-to-date with the latest software.
It is very important to develop a security incident response plan so that in the event that your organization ever suffers a security incident, you will have a plan in place to guide your response activities.
Below are a number of free cyber security resources that are geared toward helping SMBs with their security practices and controls:
- The GCA Cybersecurity Toolkit for Small Business – This is an excellent resource to help small businesses implement practical and effective cyber security controls.
- Center for Internet Security Computer Security Controls – This is a list of 20 controls that if implemented, will greatly increase the security posture of your organization.
- NIST Small Business Cyber Security Corner – This is another great resource published by the National Institute of Science and Technology which is funded by the US government.
- NIST Cyber Security Framework – This is one of the leading cyber security frameworks used by both public and private sector organizations.
- FTC Cyber Security for Small Businesses – This guide was developed by the Federal Trade Commission to provide SMBs with a list of basic security practices.
- FRSecure Incident Management Template – This is an excellent template to assist in the creation of an incident response plan for your organization.
Obviously, these are just a few of the ways to prevent the increasing concern of cyber attacks. Awareness that a risk exists is the first step in thwarting the risk. We remain committed to partnering with you in this effort and will be vigilant alongside you in this effort.