Practical Cybersecurity Basics Every Small Business or Professional Individual Should Follow (Part 2)
This two-part article has been written by Meetig8 member Hani Banayoti, a cybersecurity and information security expert. With over a decade of experience in consulting and corporate roles, Hani now runs his own cyber risk consultancy practice, CyberSolace, assisting organisations of all industry sectors and sizes to manage their cybersecurity/information security functions.
By 2021, cybercrime is estimated to be worth US$ 6 trillion annually; that’s more profitable than the global trade of all major illegal drugs combined.
When it comes to businesses, the 2018 Cybersecurity Breaches Survey estimates that two in five businesses have been subject to some kind of cybercrime in the last 12 months. In 2018 a new study, commissioned by Bromium and presented by Dr. Michael McGuire at RSA, found that the cybercrime economy has grown to US$ 1.5 trillion dollars annually. That’s $1.5 TRILLION US dollars in illicit profits, roughly equivalent to the GDP of Russia.
The significance of the concern about cybersecurity was reflected in the World Economic Forum’s 2019 Global Risks Report, which places cyber-attacks and massive data fraud among the year’s top five risks. The ubiquity of the cyber threat has led to a common mantra among cyber professionals: It’s not if your organisation’s systems will be breached, it’s when.
Following on from our part one article, we’ve got six more top tips to keep you and business safe online.
1. Lock Down Your Wireless Router
Your router is the first line of defence for your small office home office (SoHo) network. You should:
- Change the router’s administrator password to a complex string with a minimum of 12 characters.
- Use the latest WPA (Wi-Fi protected access) security protocol available to you. Currently, WPA2 is more common but WPA3is expected to emerge soon and become the standard secure option (products are likely to become commonly available by the end of 2019).
- Switch on your router’s firewall capability and set it to ‘high’ by default unless it prevents any application you need from working.
- Segment your network by activating a guest zone for lesser trusted devices and appliances. Keep your more private traffic on a separate network zone so that a compromise in any of the lesser trusted devices does not enable an attacker to pivot over to your sensitive traffic zone.
- Change the default WiFi connection password and network name for each network zone. Passwords should be unique to each zone and comprised of a complex string with a minimum of 12 characters.
- Try to limit your WiFi signal to the locality of your target area to minimise the risk of attackers even detecting your WiFi network in the first place.
- Disable all remote management and administration if not required. Where required, ensure it is only activated for the period it is needed for and is supported by complex one-time passwords.
- Review which devices have connected, or are connecting, to your router every so often to ensure no anomalous or unauthorized device is connecting on your network. If possible, limit devices that may connect based on their MAC address.
- Regularly update your router’s firmware to ensure the latest security fixes and updates are applied.
- Avoid using the ‘Wi-Fi Protected Setup’ feature in WPA2 routers if possible as it is known to be susceptible to certain attacks.
2. Never Send Sensitive Information Over Email Unless It’s Encrypted
Sensitive information, such as your bank info, social security number, tax returns or confidential business information, should never be sent over email without encryption. It’s too risky if your email account ever gets compromised.
Always consider encrypting sensitive file attachments with emails or the entire email content. The OpenPGP initiative offers several options, free and fee-based, to help users implement email encryption solutions. An alternative option is never to attach sensitive files or data to email messages; instead, use a secure file sharing mechanism. Some recent free services that are underpinned by privacy and security features include Mozilla’s “FireFox Send”.
3. Safeguard Your Connection When Using Public WiFi
Yes, you really do need to worry about security when using public WiFi. At the very least, it’s better to be safe than sorry. Your best defence will be to use a VPN, or virtual private network. It keeps you safe even in other situations too.
If you’re using a VPN to stay anonymous, that won’t protect you if you’re careless with your identity, but, aside from that, everyone can use a good VPN. That One Privacy Site website provides a massive comparison sheet that outlines and compares a large number of consumer VPN software that you can choose from.
4. Adopt Good Password Hygiene
You’d think we’d be past this point by now, but somehow, users still aren’t securing their accounts properly and when they’re carrying phones that contain both company accounts and personal sign-ins, that can be particularly problematic. Couple that with the ongoing trend of weak/guessable passwords that keep showing up on surveys year-on-year, such as SplashData’s annual survey, and you begin to see the importance of this topic.
A new survey by Google and Harris Poll found that just over half of Americans reuse passwords across multiple accounts. Equally concerning, nearly a third aren’t using two-factor authentication (or don’t even know if they’re using it, which might be a little worse). And only a quarter of people are actively using a password manager, which suggests the vast majority probably don’t have particularly strong passwords in most places, since they’re presumably generating and remembering them on their own.
Things only get worse from there. According to a 2018 LastPass analysis, half of professionals use the same passwords for both work and personal accounts. And if that isn’t enough, an average employee shares about six passwords with a co-worker over the course of his or her employment, the analysis found.
Lest you think this is all much ado about nothing, in 2017, Verizon found that weak or stolen passwords were to blame for more than 80 percent of hacking-related breaches in businesses. From a mobile device in particular—where workers want to sign in quickly to various apps, sites, and services—think about the risk to your organisation’s data if even just one person is sloppily typing in the same password, they use for a company account into a prompt on a random retail site, chat app, or message forum.
You should use unique passwords for each site and service you use, it’s impossible to remember every password but that’s where password managers come in. You always have to weigh security and convenience, though, so just pick one that has the features you need.
5. Use Two-Factor Authentication
Two-factor authentication means “something you know” (like a password) and “something you have,” which can be an object like a phone. Two-factor authentication offers the extra layer of security that protects you in case your password gets stolen. Use TwoFactorAuth to find out all the places you can turn two-factor authentication on. Check out Google’s guide for setting up two-step authentication.
6. Regularly Review Your App Permissions and Security Settings
Finally, it’s not enough to just have all of the above set up, you have to still be vigilant and make sure your software is always up-to-date. We often forget about stuff like updating the router firmware or cleaning up our app permissions. Make this all part of your spring cleaning or perhaps a regular habit. Use a site like MyPermissions to help clean up multiple services, including Google and Facebook.