Cyber security doesn’t have to be complex or require large investments in complicated software and hardware to protect you, your business and your customers. There has been a lot of stories in the news about cyber crime and how anyone can be affected by it, and this is true but it’s not a reason to loose sleep over. Preventing cyber crime is similar to locking your car, you lock it to help prevent someone stealing it but there is still a remote chance that it might get stolen. Like you securing your car, you can implement steps to help reduce your likelihood of becoming a cyber crime statistic, it’s all about reducing the risks.
This blog covers 6 simple tips that will help you protect your business from data breaches and ensure that you protect your customers information in the same way that you’d expect a supplier to protect yours.
#1 – Smart phones
The majority of us own a smart phone, we check email, work with documents, check our banking and do our shopping to name a few. They are the centre of our personal and business lives and yet this phone that sits in your pocket could be one of the biggest security holes for your business.
Think about the data that you have on your smart phone, consider all the business contacts you have in your email or contacts app? this is most likely a lot of personal information about them i.e. names, addresses, phone and email. If this was your information you’d expect a supplier to keep this information secure. The easiest way to protect this information, setup a password. It may be a very simple thing but we see a lot of customers that don’t secure their smart phones. By simply adding a password, newer devices support a multitude of authentication methods like bio-metrics (finger print, retina scan), secures the device. It has the added function of automatically (on modern devices) enabling encryption on the device which ensures if the device should fall into the wrong hands the data is secure. Encrypting the device is highly recommended.
The next level of protection is to consider mobile device management (MDM) which is covered in a bit more detail here.
#2 – Passwords
Are you like the majority of users that has a single password that is used on many different sites? Did you know that password reuse is one of the biggest security faux pas by users from all backgrounds. We all know that remembering passwords for all the different sites we use is a hassle, however compare that to a number of your important accounts being compromised/hacked then hassle of having different password for different sites/services seems less so.
There are some great applications available that allows you to store passwords for different sites in a database. This sounds complicated but it really isn’t, these “Password Safes” are a great way to ensure that all your sites have unique passwords. The are designed to allow you to simply cut n paste the password straight from the password safe to the website/application you’re trying to access. One of the popular password safes is KeePass which is a free to use product. The database can be stored on a cloud drive so it can be accessed by your mobile devices, the database itself is encrypted and has a master password to access it. As with all important files keeping a backup of the database is very important.
A good guideline for a password is that it shouldn’t contain full words i.e. “Monday123”. It should be made up from a selection of upper and lowercase letters, numeric and some punctuation and ideally be 12 or more characters. For example B7uKu8A&UfE& Don’t worry the password safe software will normally generate a random password for you.
In addition to passwords a lot of vendors are now support MFA (multifactor authentication), sometimes called “two-step verification”. This assumes that you have two forms of identification, for example
- What you know = Your password
- What you have = A Phone (can be an app or simply a call/text)
The biggest advantage of this type of authentication is that if your password is compromised the perpetrator will still need to have access to your phone (what you have) to be able to access your account. A lot of the big companies (Google, Facebook, Microsoft, Twitter etc) offer this service now and is well worth switching it on for that piece of mind.
#3 – Public Wi-Fi
The advent of public Wi-Fi has been a blessing for those who are constantly on the go however they do come with some risks. The clue is in the word “public”, this means that when you are connected to this network you are potentially connected to everyone else that is also on that network. Now that is not a bad thing in itself but understanding the risks will ensure that you are kept safe.
Think about you talking on the phone and the conversation moving between you and the person your speaking to, this conversation is private between you and that person but anyone nearby will be able to hear at least 50% of the conversation. The same happens when you connect to a website, a conversation starts between your PC/phone/tablet and the website. As with the telephone call it is possible for someone to eavesdrop on this conversation, only this time the whole conversation can be listened to. This might not be an issue if you’re scanning the news on the BBC website, but if your logging into a website that isn’t secure then your username and password are transmitted as part of that conversation and can be read by the eavesdropper.
When browsing websites that require a login there are a couple of simple checks.
The first is the URL of the website, ensure that it starts with HTTPS. The “S” is the important part as this verifies that the site has been secured using a SSL (Secure socket layer) certificate and any conversation between the site and your PC/phone/tablet will be encrypted. Be aware that some sites cache your username and password so you can login quicker, my advice would be to check the URL to ensure that it’s HTTPS before connecting to over a public Wi-Fi.
The second is to check what your internet browser is saying. All the browsers will show if a site has been secured with a certificate, simple check on the address bar of the browser to verify that the site is secure which is confirmed by the presence of a padlock.
Some examples of how different browsers show this padlock
Microsoft Internet Explorer
How much consideration do you give to accessing your email? you set it up on your PC/tablet/phone and forget about it. Just like with websites your device is having conversation with your email provider and just like the websites if that conversation isn’t secured then it can be eavesdropped.
The good news here is if you’re using a known vendor for email, for example Google, Microsoft, Apple, Yahoo then you’re most likely already using a secure connection as these vendors provide this as a standard service.
If you are using your own email provider, for example your email is provided by a hosting service such as Go Daddy, 1and1, Dataflame etc then there is a chance that the communication isn’t secure. This is usually because these vendors don’t provide automatic configuration of a email client like the big vendors and it is left to the user to setup, or the automatic process they do provide simply uses the older unsecure method.
If you’re connecting to a website to read your email (webmail) then you just need to follow the guidelines as above regarding secure websites, so long as you can see that padlock you’re covered.
If you read your mail through a email client, be that on your phone, PC or tablet then you may need to check the settings of that client. In terms of email you won’t see the HTTPS URL as you do with websites, the mail server address is usually specific to the service i.e mail.domain.com. This information will be provided by your supplier, as a side note always select IMAP as a mail protocol when setting up email.
Within the client you’ll either have check boxes to enable SSL communications, for example here is the setting from Windows 10 Mail
Some email clients will require “Ports” to enable the SSL service, these can be obtained from your vendor, most of the hosting providers have a dashboard that can be accessed and within here you’ll find information for populating your email client ensuring SSL is used. The image below shows an example from Dataflame hosting control panel.
#4 – Broadband routers
Most small business offices have a router that is connected to a broadband provider, this is a permanent connection between your office and the internet and should be considered like your front door. If you leave your door open people will walk in and probably disrupt your tea time or worse steal your television. So we keep our front door locked and only let in people we know, this is the same for your router, only difference is that you don’t know when someone is knocking at your door or possibly breaking through it. Securing your router is straightforward process and depending on the vendor they often provide information on their website on how to achieve this.
Change the administration default password: All routers come with a default password, change this to a complex version and make sure you make a note of it somewhere.
Update the firmware: The firmware is the software or operating system of the router, like your PC/phone/tablet sometimes there are updates made to this to ensure that security patches are applied. These updates can normally be found on the vendors website or you can sometimes initiate an update from the route itself by logging into its administration console. A tip here is to backup the configuration of the router before upgrading the firmware, again you’ll find instructions on how to do this on the vendors website.
Check for open ports: Depending on the services you have at your office there may be ports open on the router, for example to allow a office based server to communicate with an internet based service. Although this is an advanced task it is something anyone can check by using a third party company to test your connection for security vulnerabilities. One such company to offer this service is Qualys, they will test your router from the internet to check that its secure and provide a report on any issues they find.
Change the Wi-Fi password: Like the administration password most routers will be supplied with a default Wi-Fi password, best practice is to change this to something different. Try to make the password complex so to include letters (upper/lower case), numbers and punctuation as this will make the password a lot hard to guess.
Guest networks: If you have a lot of visitors to your office you may not want them to have access to your Wi-Fi network as this would give them access to all of your office resources. Instead you can purchase router that provide separate “guest” networks. This guest network allows you to setup a separate network with it’s own Wi-Fi password that your guest can use, and they are kept separate from your office resources.
#5 – Virus, malware, ransomware protection
Virus, malware and ransomware are the biggest threats to users of the internet, virus/malware can cause devastation to a business data. Ransomware is a newer threat that locks a users data and forces them to make a payment before the data is unlocked. Taking precautionary steps like back ups are the only way to be secure that if you are hit by a virus then you can recover your data. You can also take preventative steps like ensuring that your PC/tablet/phone has the necessary protection installed to combat these threats. It is worth stating here that no product will provide 100% protection but combine them with other protection services and some common sense you can have a existence that is almost threat free.
Windows PCs: Windows has been around for a very long time and although it is regularly updated but because of shear number of Windows devices in the world it is often targeted as impacts can be large and thus headline grabbing. Windows 10 is by far the most secure Windows platform to date, unless you have a business need for staying on a lesser version you should consider upgrading to Windows 10. Windows Defender is the free anti-malware tool that is installed with the operating system, so as long as you don’t disable the Windows updates this tool will help to protect you. There are many third party tools available as well, we sell both Custodian360 which is a modern threat protection system and the more traditional anti-virus system Symantec Endpoint protection cloud.
Mac: Mac OS is gaining popularity in the business sector and with this popularity it has become more of a target for virus writers. The threat isn’t as high as a Windows PC but it is there and as such installing an anti-virus product on your Mac is very advisable. Again both the products we sell, Custodian360 and Symantec Endpoint Protection Cloud provide a product to protect Mac as do a number of other mainstream antivirus vendors. The days of Macs not being a target for virus, malware or ransomware are long gone sadly.
Smartphones/Tablets: Smart phones are designed very differently to PCs/Macs and as such to infect a smartphone is a lot harder to achieve. Vendors like Apple and Microsoft have very secure operating systems on their phones (and iPad for Apple) and currently don’t benefit from a separate AV product. Android can be a little more susceptible to infections, this is less of a risk than it was as Google have cracked down on the number of “suspect” apps on their app store. However of the three mobile operating systems Android is considered the least secure and might benefit from additional protection. Symantec Endpoint Protection Cloud provides coverage for the Android based devices.
Email: A lot of infections come from email, these could be dangerous attachments or links to malicious websites. A lot of the virus applications will detect these emails when they are received on your device. To stop these emails getting past your email servers is dependant on your email provider, some vendors will provide antivirus checking at the mail server but these are usually part of a paid subscription, for example Office 365, which will scan all mail entering your business email and stop any malicious mail before it gets to your mailbox.
Common sense: Some emails and websites can be very convincing and it is very easy to click on them and then find you’ve been infected. There are some warning signs to look out for.
Certificate errors, if you go to a site with a broke certificate your browser will prompt you, heed the advice and don’t proceed
Popups: If you suddenly see a screen pop up that is alerting you to a threat on your PC and you must buy some software to clean it, don’t. This kind of software can be very destructive and difficult to remove.
Strange emails: Receive an email that contains an attachment (document, PDF, Zip etc.) from someone you don’t know, in the wrong currency or relates to a purchase you’ve not made, delete it. This is a very common way of infecting a computer and by opening the attachment you’re doing the hard work for the virus, by passing your security software.
#6 – VPN (Virtual Private Networks)
Virtual Private Networks (VPNs) have been around for decades but where as in the early days they were generally used for connecting offices together over the public internet. These days they are increasingly used by businesses to protect they users local devices (PCs, Mac’s, Mobile) when using insecure networks i.e. public Wi-Fi.
What is a VPN?
A VPN is a service that provides a secure connection between two devices, in the context of this blog this is a connection between a users device (PC, Mac, Mobile) and a trusted endpoint. Once this connection is established all network traffic that the users device sends go via the VPN.
Why is this a good idea?
When a user is sat in a café connected to the public Wi-Fi the user can surf the internet or connect to business systems i.e. email. As mentioned above public Wi-Fi it is possible eavesdrop these conversations between devices. When a VPN connection is established this creates a private network connection over the internet which now handles all the network traffic. To explain this better, imagine being sat in the café on the internet. When you click “Connect VPN” an IT chap appears and plugs a ethernet cable into your PC and connects it directly into your companies network. This means you are isolated from the rest of the internet traffic in the café and of course out of sight of those eavesdroppers. You can continue to surf the network or access business systems but now the traffic is going via your companies network which you know is secure allowing you to surf with confidence.
What are the options?
There are various commercial VPNs solutions available, most are on a monthly subscription. However the purpose of this blog is to provide information on how to protect your business so we would recommend setting up a VPN service on your office infrastructure. The good news here is that most business grade routers will support VPN connections. If you are running Windows Server Essentials then you already have VPN capability built into the server, likewise all versions of Windows Server support VPN services. The key here is that when a user establishes a VPN connection they are connecting back to your business and not a external VPN provider. Not only does give you confidence that your business data is secure it also has the added benefit of being able to provide access to internal business systems i.e. file shares to the VPN users.