November 13, 2019
The way we work is changing, with more businesses adopting online-only models and remote working every day. However, while these new practices offer new opportunities, they also provide additional vectors for attack. Given that cybercrime is on the rise, and that almost 60% of cyberattacks target small businesses, this is a problem that we can no longer afford to ignore. Below, we’ll outline a few simple ways you can test your company’s vulnerability and improve its resilience to cyberattacks.
Remove unnecessary clutter
If you’ve had your computers for any length of time, they likely have applications installed that aren’t strictly necessary for work. Perhaps you have a few games installed or a couple of drivers for a device you no longer use?
The problem is that every single piece of software you install, whether it’s freeware or a well-known application, has its own dependencies and vulnerabilities. In other words, every unnecessary program you have is another potential weak point for an attacker to exploit.
The good news is that these days, most of the things you need for work can be accessed in a browser. For instance, you can create documents, listen to music, and send emails without needing any dedicated applications. Simply: the fewer programs you have, the less risk there is.
Harden your infrastructure
Now that you’ve closed as many doors as possible to a potential hacker, it’s time to block the remaining ways in. One of the most important things to do is install a Web Application Firewall (WAF) on your company servers. This prevents some of the most common threats outright, including Cross-Site Scripting and cookie poisoning attacks.
We also recommend using a company Virtual Private Network (VPN) whenever possible, as well as separate email encryption. The VPN not only prevents attackers from observing your employees’ internet traffic (which includes login credentials, contact lists, and internal communications), but it also nullifies most kinds of Man-in-the-Middle attacks.
Meanwhile, the email encryption stops spear-phishing attacks by guaranteeing that the person you’re talking to is who they claim to be.
Plan for the worst-case scenario
If something goes wrong, it’s vital that you’re able to find out what happened as quickly as possible. This is where proper monitoring procedures come in. Your IT staff can use applications like NetCrunch or Spiceworks to find out all kinds of information about the network in real time. For example, you could set up an automated alert letting your team know about multiple failed login attempts or new changes to user rights.
Further, it’s important to consider the risk of a breach when designing your systems. This sounds obvious, but even major companies neglect this (Sony infamously stored thousands of user passwords in plaintext). We cannot stress this enough: user details should always be salted, hashed, and encrypted to ensure that even if the data is stolen, it cannot be read.
Introduce an internet usage policy
It’s often easy to forget that not everyone is a computer expert. As such, it pays to implement a common-sense internet usage policy. This doesn’t have to be overly restrictive; generally, a simple web filter, an ad-blocker, and limited application installation rights should protect you from most problems.
We’d also recommend creating disk images of your machine periodically so that you can just roll back to a fresh installation should a rogue piece of malware slip through.
Don’t neglect system maintenance
Unfortunately, even the best systems need regular maintenance. New software vulnerabilities are discovered on a daily basis, and if these aren’t addressed, they can pose a major threat to your network’s security. Take Heartbleed, for instance: this server bug allowed hackers to view encrypted web traffic, and five years later there are still 200,000 vulnerable devices.
Passwords should also be changed every few months at least, to prevent attackers or former employees from logging in with old credentials. A good rule of thumb is that a password should be at least eight characters long, with mixed-case letters, numbers, and punctuation.
Ideally, your system would reject dangerously simple passwords like “qwerty” and prevent staff from reverting to a previously used password.
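To make the storage and password-policy points concrete, here is an added example (not code from the article or from any product it mentions) that stores passwords as salted PBKDF2 hashes rather than plaintext, enforces the eight-character/mixed-character rule of thumb, rejects a small denylist of trivial passwords, and blocks reuse of recent passwords. The iteration count, salt size, history depth and denylist are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
import string

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a random per-user salt.
ITERATIONS = 100_000
SALT_BYTES = 16
# Constructed denylist of dangerously simple passwords; a real deployment would use a large breached-password list.
WEAK_PASSWORDS = {"qwerty", "password", "123456", "letmein"}
HISTORY_DEPTH = 5  # how many previous hashes are kept so old passwords cannot be reused


def password_is_acceptable(password: str) -> bool:
    """Rule of thumb from the article: >= 8 chars, mixed case, a digit, punctuation, not a known-weak value."""
    if password.lower() in WEAK_PASSWORDS or len(password) < 8:
        return False
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password) and any(c in string.punctuation for c in password))


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$hash_hex'; a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def set_password(user: dict, new_password: str) -> bool:
    """Change a user's password; refuse weak values and any of the current or last HISTORY_DEPTH passwords."""
    if not password_is_acceptable(new_password):
        return False
    previous = list(user.get("history", []))
    if user.get("password"):
        previous.insert(0, user["password"])
    # Each old record carries its own salt, so reuse is detected by verifying against every one.
    if any(verify_password(new_password, old) for old in previous):
        return False
    user["history"] = previous[:HISTORY_DEPTH]
    user["password"] = hash_password(new_password)
    return True
```

The stored record never contains the password itself, so a copied user table yields only salts and hashes that must be brute-forced one user at a time.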
Simply put, business owners are caught in a game of cat-and-mouse with cybercriminals. The odds are in your favor, though, as attackers have to try increasingly hard to find cracks in your network’s defenses. In contrast, all you have to do is minimize risk, and the steps above are an excellent way to start.
Ian Garland is a tech writer, programmer, and author with a particular interest in digital privacy.