If you’re a small-to-medium business, it’s likely that ‘cybersecurity’ isn’t the most frequently used phrase in the office. Often, cybersecurity takes a back seat in the wild ride that running a business entails. But why is this? Well, this can be attributed to at least two reasons.
First, many SMEs/SMBs make the mistake of assuming that they’re safe from attacks. The cybercrims are only interested in the big guys with the even bigger wallets, right? Wrong! Actually, attackers increasingly have their eyes set on smaller businesses, finding it easier to pounce due to teams and founders typically focusing their resources and energy elsewhere.
Then there’s the problem of businesses treating cybersecurity like an oil change. It’s a job we know needs doing, yet we leave it as long as possible to take the damn car to the garage. In fact, often we leave it until it’s too late. It’s not until the car breaks down whilst on the way to an important work meeting that we even give another thought to that pesky oil change that we should’ve booked in months ago.
The same goes for cybersecurity – it’s often not until a breach or a near-miss happens that many businesses consider the value of good security hygiene. This is typically because the business assumes that having a solid cybersecurity plan is either time-consuming or costly.
But cybersecurity needn’t be a daunting task. There are some easy-to-implement cybersecurity practices that can be done at little to no cost. And what with it coming to the end of Cybersecurity Awareness month and all, we’re going to share those with you!
First up in our list of easy-to-implement recommendations for cybersecurity is multi-factor authentication (MFA).
Multi-factor Authentication is a security measure that goes beyond a single sign-on method to access an application, account, or device. Instead, it requires users to verify their identity via two or more verification methods.
These verification methods include codes sent via SMS, authorisation via telephone calls, One-Time Passcodes (OTP), push-based notifications, key fobs, biometric identification, and more.
Multi-factor authentication is crucial since it makes the process of stealing your information much more difficult for the average criminal. The more barriers to your data, the more likely criminals will look for an easier mark. Today, a treasure trove of more than 15 billion stolen credentials is readily available to cybercriminals due to data breaches. If they have access to yours, they can cause all kinds of damage from taking over your bank account to accessing highly-confidential company information.
Consider Google, for example. Many businesses just have one password to access this. And that one password, if compromised, can give the cybercrime access to email, calendars, a company YouTube account, as well as a host of other web apps.
The good news is that multi-factor authentication is free on most systems. Many cloud-based apps such as Google offer their own two-factor or MFA, helping to add that extra layer of security to your account in the case your password is stolen. This typically takes a few seconds to set up but will be totally worth it in terms of protecting your data.
The costs associated with MFA comes with centralising it – but this doesn’t have to be expensive either. There are many low-cost, high-reward MFA control methods solutions for SMBs to utilise. Three popular options for SMBs include:
An effective MFA protection with unique mobile DNA. It matches an authorised user’s phone when granting access to systems and applications , meaning that any attacker who attempts to access a protected system by cloning a user’s device will be blocked since the DNA would differ.
This Microsoft-owned enterprise identity service provides single sign-on, multifactor authentication and conditional access to guard against cybersecurity attacks. Microsoft invests over US$1 billion annually on cybersecurity research and development, so you can feel confident in knowing solution is research-backed.
CISCO Duo Security
Provides protection to cloud and on-premises applications via easy-to-use two-factor authentication. Free up to 10 users. More enhanced MFA options can be explored with Duo MFA, starting at US$3 per month, per user.
For more help in choosing an MFS solution to best suit your business, check out our “MFA Solution for Dummies” blog.
Next up on our list of easy-to-implement cybersecurity tips for SMBs is the need for complex passwords. It’s such a simple practice which many businesses fail to do, yet its invaluable for batting off the cybercrims! Did you know that over 80 percent of hacking-related breaches are the result of weak or stolen passwords? That’s a lot of cases that could have been avoided with a strong password!
But, what do we even mean by “complex passwords”? Well, it refers to the creation of a strong, uncrackable password designed to be hard for a person, or machine, to guess. It involves using a long combination of letters, symbols and numbers, mixing up the use of lower-case and upper-case. However, overall length is the most important factor here. Ultimately, the longer a password is, the longer it takes for cracking tools to break it.
There are quite a few common mistakes businesses make when creating passwords. Here’s a list, take a look and see if you’re guilty of any…
- Using personal information such as names or birth dates
- Using common passwords
- Using a sequence of numbers such as 1234 or ABC
- A password that’s too short
- A password that’s obvious/ easy to guess
- Making your password easy to find
- Using the same password for everything
Now, let’s take a look at some best practices when it comes to password management for your business!
- Setting a complex password, mixing up letters, numbers, and odd characters
- Using a password manager
- Not using any personal information
- Using 16 characters or more
- Setting a different password for each account
- Implementing MFA, as explained in the above section
Now you might be thinking, “but how the heck am I supposed to remember these complex passwords?”. If like many people you struggle to even remember your mobile number – don’t fret – fortunately, there are a number of options including password managers and generators available today to save the day!
The creation of passphrases is a free option. This refers to essentially creating a short and easy-to-remember sentence instead of a password. Take the phrase ‘ilovestrongcoffee’, this is a long easy to remember password which is stronger that ‘Autom2022!’ for example”.
The other avenue for those of you more comfortable with technology is password managers. These solutions can help you instantly generate passwords so you don’t have to work your brain too hard trying to think of a top-secret-totally-uncrackable combination. Plus, they also provide a way to store them. Password management tools such as LastPass, for example, provide a way for users to keep their information protected from attacks and snooping. No more writing passwords on sticky notes for all to see!
Password managers can also help with Phishing since correctly setup password managers will prompt you that they have credentials stored for the sites you visit based on the sites address. If you’re taken to a login site (from a phishing email say) that the password manager doesn’t recognise, it won’t prompt you that it has credentials – heightening your suspicions about that site.
Last, but certainly not least, is the importance of being security-aware in terms of phishing attacks. As cybercrime continues to rise, so too does the evolution and sophistication of phishing scams. Worryingly, according to research, 1 in every 99 emails is a phishing attack. And last year, 80 percent of IT professionals reported facing a substantial increase in the number of phishing attacks experienced at their organisation.
In a nutshell, phishing is the umbrella word for all types of scams that seek to obtain sensitive information in a fraudulent way. With this type of attack, cybercrims typically try to persuade users to do “the wrong action” such as opening a malicious link or visiting a dubious website.
It covers a range of methods, including email phishing, spear phishing, whaling, clone phishing, catphishing (or catfishing), voice phishing, SMS phishing, and angler phishing. If you’re finding yourself asking what any of those terms mean, you’ll definitely want to check out our handy guide on common phishing types, where we explain everything you need to know!
The level of phishing attacks happening at the moment really is brutal. Even the most tech-savvy and “digitally woke” of us are falling victim to the level of sophistication shown by today’s cyber attackers. As a result, your small-to-medium-sized business must do all it can to protect itself. Following the below advice will help you along the way:
- Think before you click: While clicking on links is fine when you’re on trusted sites, you must be careful when it comes to links in random emails and messages. If in doubt over the authenticity of a link, the best thing to do is to hover over it. Does the website look legit? Does it lead to where it’s supposed to? Also, be sure to check who the email is from. Be wary, as cybercrims will often use emails that look professional and that they’re from a familiar brand or company, but they’re always slightly different if you look carefully. Remember: if you are in doubt about anything, take yourself to the official site via a fresh Google search or look at the back of a business card or a prior invoice received from the company in question. And if you still have doubts, the best thing to do is to simply NOT click. It’s just not worth the risk.
- Avoid answering cold calls: Another sophisticated phishing tactic being used by cyber-criminals is cold calling. In an example case, a fraudulent actor will pretend to be a bank manager ringing about suspected ‘fraudulent’ activity on your account. They will proceed to try to get you to share your bank details so they can “put a stop to the attack”. Once they have succeeded in this, they will waste no time in stealing your money. I know right, the absolute nerve of them! Never hand over personal information over a cold call. If in doubt, put the phone down and ring back the bank (or other company) via their official number and ask them to confirm the problem.
- Be mindful of who you connect with: Social media has become incredibly popular in recent years, proving to be a great way to build your network and boost the brand awareness of your business. But did you know that it can also be a way in for cybercriminals? Some common tactics include using social media to identify victims and steal personal information, posing as a friend in order to trick the victim into sending money or sending confidential data, or following your feed to gather details ready for a highly-targeted attack. With this in mind, it’s so important to be mindful about who you are connecting with.
There we have it – our guide on easy-to-implement cybersecurity fixes for your business. The cybercrime landscape is a scary place right now, but taking the time to implement the above low-cost (and free) practices will help add that extra layer of bubble wrap around your business.
And if you’re looking more for a bullet-proof barrier of security protection, then you might want to check out Select Technology’s enhanced cybersecurity service. Our Prestige IT support includes everything your business needs when it comes to cyber security, from tightening up your anti-virus and malware protection to highly-secure backup and security awareness training. Reach out to our expert cybersecurity team for more information.
And while we’re here, don’t forget to book your car in for that oil change…