Do these things to improve your IT security posture, today.
Did you know that 98% of cyber-attacks involve some sort of social engineering like phishing, phone call scamming, and other tactics that prey on human nature? Also, did you know brute force attacks can attempt to crack open an account, guessing passwords at a rate of anywhere from 10,000 to 1 billion times per second?
The list of ways that the bad people are attempting to steal and exploit your data is dizzying. In a world where you have to run your small business, how can you possibly keep up? More importantly, what if you’re so secure it’s hard for people to do their jobs?
When I ask our customers and potential customers what IT security is and what it means to be secure, the general consensus is making sure they have anti-virus on their computer. Having good AV and monitoring is part of good strategy, but that is only the tip of the iceberg. There’s also email security and all the associated tools for it (DNS records, mail filtering, spoof protection). There’s identity and mobile device management and the ability to prove that whomever accessing work related materials is actually the employee in question. There are firewalls that can help protect a physical location or physical assets, there’s even virtual firewalls that can help protect your cloud infrastructure. You don’t want to get caught with port 3389 exposed to the internet, which I see in my work all too often. The list goes on and on.
So, what are 5 things you can do today, with the right help, to increase your security posture immediately:
1. Multi-Factor Authentication (MFA) – MFA can (and should) be used on as many apps and websites as you can, especially those that involve sensitive information, like financial or health data. Basically, MFA forces the user to perform some type of input from a known second device before being allowed access, usually a code sent to a cell phone. Obviously, one needs to be in physical possession of said second device to then enter the site. It’s unlikely a bad player would have your password AND your cell phone, so it’s a great way to stop them before they get into your account, giving you time to change your account information.
2. Unique Passwords and/or password managers: If MFA isn’t an option, or even if it is, using a unique password for every website and app you log in to is another good thing. If a hacker steals a password for one site, they’ll try it on all the sites they can think of (brute force attack). If you have a unique password for every site, the hacker is thwarted at their second stop.
You are probably thinking, of my gosh I use like 200 different sites there is 0 chance I’ll ever remember them all. Probably not, which is why there are a number of very secure password managers. These services generate a unique, and very complex, password on your behalf, for every app and site you use, so you only must remember the unique (and MFA protected) password that opens up the password manager. They’re doing the hard work on your behalf.
3. Identity Provider (IDP): One item we see lacking in a lot of small businesses when we start working with them is an Identity Provider, like Microsoft’s Office365 or Google Workspace. With these services, you are logging yourself and your computer (personal or corporate) into your company’s “domain” which contains all the policies, setting and user information about your company. The big advantage of these services is that service providers like us can administrate them on your behalf. These services allow you to know which user is logging in, from where, and from what device and based on a set of guidelines you create, you can either approve or deny access to work resources. Think of Identity Providers as building security, ensuring everything is on the up and up before you walk in.
4. Mobile Device Management and Endpoint Detection and Response (MDM & EDR): MDM and EDR provide a robust toolset to enforce good security policy within your company. MDM does things like registering your device, another layer of security, so that only known and trusted devices are allowed past the front door of your company data. It also controls the behavior of what’s allowed, example being if you log in from a company machine you have full access, but if you log in from your home machine you can only access company resources through a web browser (more secure but more cumbersome).
If something does slip through however, EDR is there to thwart the bad people as fast as possible. When it encounters things like mass emails all the sudden being sent (sure sign of a phishing attack) or trying to access data and encrypt it (malware/ransomware attack), EDR quarantines the machine, limiting the damage and “trapping” virtually the hacker on the machine. This allows a service provider like us to come in and determine what happened and fix it with the least amount of damage done. We can even create automated responses to fix it without ever needing to touch the machine.
5. Account Controls: another thing we see often in small businesses is that the account administrator (the person with all the keys) is using the same account information for their account as they are for the company’s administrative needs. The best practice is to create a totally separate administrator account, with MFA and a unique complex password, and only use that account when necessary. The less an admin account is utilized, the less likely it is to get compromised. Think of it as handing out valet keys when parking your car. Just giving out the minimum amount of access necessary for that person to do their job, is the best way to lessen the attack surface that can be exposed. Lots of admin accounts means lots of people holding all the keys to all the doors.
+1 more – Physical Security: it’s always a good strategy to have physical security at your company’s point of Internet access, a firewall. Today’s firewalls can be remotely managed by service providers like Endpoint Utility and allow you and us to see who is attempting to traffic your company network. When we see bad behavior, a firewall (literally) allows us to stop them at the front door and not get in.
While all of this seems like a lot (and it is), these are services we perform for our customers every day without them even knowing it. Utilizing a quality managed service provider allows you to get a whole team of IT professionals for less than the cost of hiring 1 full time employee (a lot less). This gives you the best of both worlds, less cost and more capability to keep you and your company more secure.
While one size never fits all, these are some of the important pieces of the puzzle that every organization or business should setup to remain as secure as possible.