Practical Cybersecurity Basics Every Small Business or Professional Individual Should Follow (Part 1)
This two-part article has been written by Meetig8 member Hani Banayoti, a cybersecurity and information security expert. With over a decade of experience in consulting and corporate roles, Hani now runs his own cyber risk consultancy practice, CyberSolace, assisting organisations of all industry sectors and sizes to manage their cybersecurity/information security functions.
A lot is said these days about cybersecurity and data security, but you can never have too many reminders of the basics. Ubiquitous internet connectivity and large-scale digitalisation of all aspects of civil life continue to dramatically transform the way we interact with technology at an individual level as well as at a business level.
As digital technologies reshape business models and everyday life, the attack surface grows with them, and a single incident can inflict serious damage. That exposure has fuelled a criminal market for cybercrime that has reached remarkable scale and profitability in recent years.
Each year the UK Office for National Statistics (ONS) releases the Crime Survey for England and Wales. In the most recent survey, for the year ending September 2018, the ONS estimates that around 4.5 million cybercrimes were committed in England and Wales during that 12-month period. Of those, around 3.5 million were fraud offences and about 1 million were related to computer misuse. You are far more likely to fall victim to cybercrime than to any other kind of crime in the UK. In 2017, around 17 million UK residents were victims of cybercrime, with around £130 billion being stolen.
Here are some tips and habits every computer user should know. Consider it a quick checklist to audit your own security or help others you care about get the essentials down.
1. Watch Out for Social Engineering Attacks
Social engineering manipulates people into unknowingly taking actions that compromise their own security. It is how attackers and data thieves get at your information through phishing: impersonating companies, people, websites and email senders you trust. Awareness is the first line of defence here. Be suspicious of any link, email, phone call or other communication that is out of the norm, and verify requests for money, credentials or sensitive data through a channel you already know to be genuine.
There are also simple and free technical measures that reduce the risk, at least for web browsing. One example is the Quad9 initiative, a public recursive DNS resolver (9.9.9.9) that refuses to resolve domains that appear on its threat-intelligence blocklists. Because the lookup fails, the browser never loads the page, which protects the user from phishing or malicious content hosted there. The caveat is that it only helps for domains that are already known to be bad, and it does nothing to inspect the content of pages it does resolve, so it complements awareness rather than replacing it.
Other technical measures include email spam and malware scanning as well as browser extensions that block unwanted adverts, pop-ups and malicious scripts. In 2017, Google blocked 79 million ads that attempted to send people to malicious websites and removed 48 million ads that pushed the installation of unwanted software.
2. Secure Your Smart Mobile Devices
Mobile security is a serious concern these days for businesses as nearly all workers now routinely access corporate data from smartphones. That means keeping sensitive data, be it personal or business, out of the wrong hands is an increasingly tricky challenge.
Data leakage protection
Data leakage is widely seen as one of the most worrisome threats to enterprise security. It can be something as simple as transferring company files onto a public cloud storage service, pasting confidential information in the wrong place, or forwarding an email to an unintended recipient. Often it is a matter of users inadvertently making ill-advised decisions about which apps are allowed to see and transfer their information.
To that end, it is advisable as a minimum to implement an app vetting process that reviews what data access an app requests and warns the user so that permissions are not granted to apps that do not need them. Only download apps from trustworthy sources such as the Apple and Google stores, and check the reviews and ratings of an app before installing it.
Also make use of free services such as PrivacyFlag, which allows users to “gather” information on the potential privacy risks from installed applications in their Android-powered mobile phones and tablets. The application informs users whether installed software is considered as “privacy friendly” or “not privacy friendly”, based on the analysis conducted by the Privacy Flag backend system.
Mobile phishing attacks awareness & defences
Phishing is a form of social engineering that relies on tactics like impersonation to trick people into clicking dangerous links or handing over sensitive information. Mobile users are at the greatest risk of falling for it because many mobile email clients display only the sender's display name, not the address behind it, which makes it easy to spoof a message so that it appears to come from someone the recipient knows or trusts. The same applies to links: the compact view shows the link text, not where the link actually points. Tapping or long-pressing the sender name or a link reveals the real address and is a habit worth building. Users are reported to be three times more likely to respond to a phishing attack on a mobile device than on a desktop, in part simply because a phone is where people are most likely to see a message first.
The line between work and personal computing is also continuing to blur. More and more workers are viewing multiple inboxes connected to a combination of work and personal accounts. Almost everyone conducts some sort of personal business online during the workday. Consequently, the notion of receiving what appears to be a personal email alongside work-related messages doesn’t seem at all unusual on the surface, even if it may, in fact, be a scam.
Accordingly, users should be vigilant to phishing attempts and constantly be wary of what they are clicking on and responding to. Many mobile-device security products now offer phishing detection mechanisms to aid users in avoiding this type of attack.
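As an added example, not code from the article or from any mail product, the following Python script makes the two hidden tells above visible: it separates the display name from the real sender address and compares the visible text of each link with its actual target. The trusted domain, the sample message and the matching heuristics are assumptions chosen for illustration.

```python
"""Added example (not from the article): surface two phishing tells that a mobile
mail client's compact view hides, the real sender address behind a display name
and the real link target behind link text. Hypothetical checker; the trusted
domain, the sample message and the heuristics are assumptions for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's genuine bank domain.
TRUSTED_DOMAINS = {"acmebank.example"}

# Constructed sample: the display name imitates the bank, the address does not,
# and the visible link text is not where the link actually goes.
SAMPLE_MESSAGE = """\
From: "Acme Bank Support" <alerts@acme-bank-secure.example>
To: staff@example.com
Subject: Action required: verify your account
Content-Type: text/html

<p>Please log in at <a href="http://login.acme-bank-secure.example/x">https://www.acmebank.example/login</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: adequate for the sample;
    production code should use the public suffix list (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header: str, trusted: set) -> list:
    """Compare the display name (all a phone shows) with the address behind it."""
    name, addr = parseaddr(from_header or "")
    real_domain = registrable_domain(addr.rpartition("@")[2])
    if real_domain in trusted:
        return []
    squashed = name.lower().replace(" ", "").replace("-", "")
    brands = {d.split(".")[0] for d in trusted}
    if any(brand in squashed for brand in brands):
        return [f"display name '{name}' suggests a trusted sender but the address is @{real_domain}"]
    return []


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, tolerating link text written without a scheme (www.example)."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


def check_links(html: str) -> list:
    """Flag anchors whose visible text looks like a URL for a different site than the href."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        if "://" not in text and not text.lower().startswith("www."):
            continue  # plain words as link text: nothing to compare against
        shown, actual = host_of(text), host_of(href)
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings


def analyse(raw_message: str, trusted: set = TRUSTED_DOMAINS) -> list:
    """Run both checks over a raw RFC 822 message and return human-readable findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return check_sender(msg.get("From", ""), trusted) + check_links(body)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Run against the constructed sample it reports both the spoofed display name and the mismatched link; a message from the genuine domain whose link text matches its target produces no findings. The domain comparison is deliberately crude, so treat it as a demonstration of the idea rather than a filter to deploy as is.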
Safeguarding against malicious WiFi
A mobile device is only as secure as the network through which it transmits data. In an era where we’re all constantly connecting to public Wi-Fi networks, that means our data often isn’t as secure as we might assume.
Industry statistics indicate that mobile devices use Wi-Fi almost three times as much as they use cellular data. A quarter of devices routinely connect to open and potentially insecure Wi-Fi networks, and four percent of devices have encountered a man-in-the-middle attack, in which someone maliciously intercepts communication between two parties, within the most recent month.
The basic advice in these situations is to use mobile VPN software. A VPN does not secure the link to the Wi-Fi access point itself; instead it wraps all of the device's traffic in an encrypted tunnel to the VPN provider's server, so the access point and anyone else on the local network see only encrypted data. Note that this moves trust to the VPN provider, so choose one you have a reason to trust, and keep using HTTPS sites and apps, which protect the traffic end to end regardless of the network. Without a VPN on an untrusted network, everything that is not otherwise encrypted is exposed to whoever runs or has compromised that network.
Keep devices patched and up-to-date
Our recommendation would be to enable automatic updating on your devices, so they are always running the latest version of the operating system and apps. Attackers are always looking for new weaknesses in software and vendors are constantly releasing new updates and patches to them.
By always running the latest operating system and mobile apps, you make it much harder for anyone to hack into your devices. If your phone is no longer being updated, then it’s time to start shopping for a new one. When looking for a new smartphone, in addition to other features, look for a phone that’s likely to receive updates over the long term.
It may surprise you to know that the biggest risk to your mobile device is not hackers, but most likely you. You are far more likely to lose or forget a mobile device than have someone hack into it.
The number one thing you should do to protect your devices is to enable automatic locking of the screen, often called a screen lock, with a short timeout. This means every time you want to use your device you first have to unlock the screen, such as with a strong passcode or your fingerprint. This helps to ensure that no one can access your device if it is lost, stolen or left unattended. On current iOS and Android devices the passcode also protects the keys that encrypt the device's storage, so avoid trivially guessable codes such as 1234 or a birth year.
3. Back Up Your Computer Automatically
“We should have set up a rigid backup schedule.” That is the thought that comes to mind after a disaster strikes. If you do not make regular backups and store them in a secure secondary location, all the data that is important to you is in jeopardy. It is not as much of a pain as you might think, so there is no excuse not to back up your files. For example, you can use Windows' built-in tools or the Mac's Time Machine.
Establish a regular backup schedule that suits the nature of your business and its data churn. As a general rule of thumb for small businesses, we suggest a full backup at least twice a month. Make at least three backup copies: two on separate local storage devices and a third off-site (the widely used "3-2-1" rule). The advantage of having your important data backed up off-site, away from your home or office, is that it is safe from theft, fire and other local disasters. Finally, test a restore from time to time; a backup that has never been restored from is not yet known to work.
Nowadays, cloud-based backup storage solutions exist at affordable prices for everyone. They can range from roughly £100/year for a 2TB capacity to £250/year for unlimited capacity and unlimited devices. CrashPlan, Carbonite and SpiderOak are a few examples of such cloud-based backup storage services. But there are many others to consider in the market, so it is important to do your research and choose the best fit for your case (Wikipedia has a useful page comparing the main service providers in this space).
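As an added example, not from the article or from any of the services it names, here is a small Python routine that implements the local part of the backup advice above: it archives a folder, records a SHA-256 digest in a manifest beside the archive, makes a second local copy, and verifies each copy before it is trusted. The off-site third copy is left to whichever cloud service you choose. The folder names, label and sample files are assumptions constructed for the demonstration.

```python
"""Added example (not from the article): a minimal 3-2-1 style backup routine.
It archives a folder, records a SHA-256 digest in a manifest, makes a second
local copy and verifies each copy before it is trusted. The off-site third copy
is left to whichever cloud service you pick. All paths and labels are assumptions."""
import hashlib
import json
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(archive: Path) -> Path:
    """The manifest sits next to the archive: <label>.tar.gz -> <label>.json."""
    return archive.with_name(archive.name[: -len(".tar.gz")] + ".json")


def make_backup(source: Path, dest: Path, label: str = "") -> Path:
    """Create dest/<label>.tar.gz from `source` plus a manifest holding its digest."""
    dest.mkdir(parents=True, exist_ok=True)
    label = label or datetime.now(timezone.utc).strftime("backup-%Y%m%dT%H%M%SZ")
    archive = dest / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    manifest = {
        "archive": archive.name,
        "sha256": sha256_of(archive),
        "created": datetime.now(timezone.utc).isoformat(),
    }
    manifest_for(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def replicate(archive: Path, second_dest: Path) -> Path:
    """Second copy on different local storage (the '2' in 3-2-1), manifest included."""
    second_dest.mkdir(parents=True, exist_ok=True)
    shutil.copy2(archive, second_dest / archive.name)
    shutil.copy2(manifest_for(archive), second_dest / manifest_for(archive).name)
    return second_dest / archive.name


def verify(archive: Path) -> bool:
    """A backup you have not verified is a hope, not a backup: check digest and readability."""
    try:
        manifest = json.loads(manifest_for(archive).read_text())
        if sha256_of(archive) != manifest["sha256"]:
            return False
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()  # walks the whole stream; a truncated archive raises here
        return True
    except (OSError, ValueError, KeyError, tarfile.TarError, EOFError):
        return False


def list_contents(archive: Path) -> list:
    """Names of the regular files inside the archive, for a quick restore sanity check."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def run_demo() -> dict:
    """Constructed end-to-end run in a temporary directory; returns each check's outcome."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    source = root / "docs"
    source.mkdir()
    (source / "invoice.txt").write_text("constructed sample data")
    (source / "notes.txt").write_text("more constructed sample data")

    primary = make_backup(source, root / "local-disk-1", label="demo")
    secondary = replicate(primary, root / "local-disk-2")
    results = {
        "primary_ok": verify(primary),
        "secondary_ok": verify(secondary),
        "files": list_contents(primary),
    }
    # Simulate silent corruption of the second copy (bit rot, bad cable, half-finished copy).
    with secondary.open("ab") as fh:
        fh.write(b"\x00")
    results["corruption_detected"] = not verify(secondary)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is what makes the third, off-site copy checkable later: upload both the archive and its `.json`, and the same `verify` call tells you whether what came back from the cloud is what you sent. In a real deployment the digests should also be kept somewhere the backup process cannot overwrite, otherwise ransomware that encrypts the archives can rewrite the manifests to match.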
4. Implement Next Generation Anti-Malware
Viruses and malware are always a threat. But the current reality is that traditional anti-virus solutions that rely on predefined signatures are not adequate against today's threats, which are frequently repackaged to evade them. Industry reports cited in the trade press put the effectiveness of traditional anti-virus products at only around 50 percent, which is a sobering figure. That is why we typically advise users to consider ‘next generation anti-malware’ software, which adds behavioural and reputation-based detection, rather than a traditional anti-virus package alone.
Because the market and technology change constantly and rapidly in this space, we advise users to consult independent sources for the latest product test reports and reviews. Examples include testing laboratories such as AV-Comparatives and NSS Labs, and AMTSO, the industry body that sets standards for how such tests should be run. Current market trends highlight some promising options in this space, including SentinelOne, Carbon Black CB Defense, CylancePROTECT, Trend Micro Endpoint Security and Sophos Intercept X Advanced, among others. It is also worth noting that over the last three years Microsoft has substantially improved Windows Defender, which is built into Windows 10 at no extra cost and now offers reasonable protection provided it is configured appropriately (real-time and cloud-delivered protection enabled and definitions kept current).
Ultimately, a few key factors should inform your decision as to which solution is best suited to your case: i) total cost of ownership; ii) the skill level required to deploy, operate and maintain the product; iii) a test of protective effectiveness in your own environment rather than only in published benchmarks; and iv) the right set of features for your particular requirements.