Batten Down the Hatches
Here we explain how you can ‘batten down the hatches’ when it comes to defending against cyber-attacks. If you are a small business, there is a 1 in 2 chance of being affected by a cyber-attack. Although this guide cannot guarantee 100% protection, it aims to increase your security posture.
There are four main topics each with their own tips and tricks to help you improve your I.T. infrastructure’s security. This document is intended only as a starting guide when it comes to beefing up your security.
Businesses today rely on data, so regular backups should be a daily occurrence to protect it. Backups should be readily available and tested to ensure you can restore from them when you need to. In the event of the unthinkable, such as a disastrous fire, flooding or cyber-attack, you will thank your lucky stars you have your critical data backed up.
Backups should be kept ‘offline’. This means they are not connected to the same network your data resides on; you wouldn’t want your backups encrypted along with all your data if you were hit by a strain of ransomware. A very good option for small businesses is regular cloud backups.
You should have a firewall at your boundary, or at the very least your router should have one built into its software. You can normally access it via the web user interface. The default username and password for this interface should be changed, as they are the same for every device of the same model, making access easy for unwanted visitors (aka hackers). The interface should only be accessible from inside your network.
The firewall policy should be applied with some thought; you don’t want attackers outside your network passing through your firewall and into it. That makes their job easy! Ensure only approved external connections are allowed, such as email if you have internal mail servers, and controlled VPN traffic. An access control list should be applied limiting the use of non-business-approved applications and websites, such as gambling, games and the more graphic kinds of content.
Your endpoints should have anti-virus installed that is configured to automatically update its definition files (the things used to detect the latest strains of malware).
The operating system (Microsoft Windows in most cases) should also obtain its security updates automatically if you do not have a patching policy/schedule.
User accounts should have limited access: users should be able to access the resources they need to do their jobs and no more. Admin accounts should be limited to your administrators and only used for administrative tasks. Once those tasks are complete, administrators should switch back to their standard user account for normal daily operations such as email and web browsing.
Only approved software should be installed on your workstations; users shouldn’t have the ability to install or run executable files. The use of USB drives should be controlled by management or administrators.
Promoting good ‘cyber-hygiene’ to your users can improve your security posture tenfold. A lot of the security problems we see are down to the interface between the chair and the keyboard: yes, the squidgy thing sat in the chair (the user).
The boring bit: users should sign up to an acceptable use policy as well as a set of security operating procedures. These should detail what a user can and can’t do with I.T. assets and include further information such as your password policy.
Security & Phishing Awareness
You may well have seen the stats floating around relating to phishing attacks: they account for nearly 90% of all security breaches. Most, if not all, organisations allow email in through the firewall, so adding a malicious link or weaponised document to an email is seen by attackers as an easy delivery method. Training your users in the ninja art of spotting phishing emails, along with security good practice, should be completed regularly.
Encourage the use of complex passwords such as three random words strung together. Don’t make users change passwords regularly; this is seen as detrimental and encourages short cuts. Writing passwords down and leaving them lying around is like leaving your keys in your car with the doors unlocked. If users must write down passwords, supply a lockable cabinet to store them in.
Download a Copy
Download a copy of our self-help guide to improving your cyber defences. The document covers a whole host of zero-cost options to improve your security posture.