Every SMB organisation has information that it wants to protect from cyber attacks, whether it’s financial records or customer data, but it isn’t always clear which is the best way to do this. At Nostra, we take security very seriously, working closely with our customers to deliver and support secure solutions to businesses large and small. So we wanted to share some top security tips that will help you stay current and take the necessary precautions to keep your data safe.
Surveys show that 85% of small business owners believe that their sites are safe from cyber attacks, data breaches, and other security threats. This false sense of security stems from the assumption that small businesses are rarely targeted, but typically hackers don’t aim for a specific target; they’re merely looking for the easiest one. Symantec found that 40% of cyber attacks happen to organisations that have fewer than 500 employees, potentially because small organisations have this false sense of security.
Regardless of the size of your organisation, your focus should be on protecting information wherever it goes. With the protection of your data in mind, the first question for you is: do you have a strategy for protecting and managing sensitive information? Do you know where your sensitive data resides? This seems like a very simple question, but for most organisations of any size it is a complex issue to answer: “where is all of our sensitive information?”
Secondly, do you have control of your data as it travels both inside and outside of your organisation, when it gets shared with customers and partners via email, SharePoint sites or other online services, or when it goes out on someone’s mobile device?
And lastly, are you using multiple solutions to classify, label, and protect sensitive data? We find that many organisations are, and that it’s a disjointed set of solutions that don’t work together for a common solution.
Well if you don’t have all the answers, don’t worry! We’re going to bring you through some of the best ways to give your organisation greater data protection:
1. Educate Your Users. Security is, of course, a major concern for all companies, but there’s a misconception that threats only come from the outside. But it turns out that employees are one of the biggest security threats, due to their risky habits and poor security knowledge. Train your team to avoid risky behaviour, such as downloading music or videos, and to be suspicious of any communications requesting personal information or inviting you to click a link. Once employees understand that they are each responsible for the organisation’s data, their thinking changes in ways that will enhance the security of your business. And of course, encourage your employees to share anything suspicious with IT straight away. The more that your team starts to share, the more confident you can be that they are being vigilant and thoughtful in their daily online movements.
2. Understand what data you have and classify it. You cannot secure information from cyber attacks if you do not know that it exists, where it is stored, how it is used, how it is backed up, and how it is decommissioned. If your goal is to protect your sensitive data throughout its entire lifecycle – across devices, apps, cloud services and on-premises, then you need to ensure that you know the details of your sensitive information. Additionally consider that not all data is equally sensitive, so make sure to classify data according to its level of importance.
3. Embrace The Cloud. Following the classification of sensitive data, you should next consider moving that sensitive information and systems to the cloud. Unless you have an adequate information security team, the odds are pretty good that a major cloud provider will do a better job than you at securing your systems and information against various risks. Use a cloud-based office suite that provides your organisation with all the basic office functions, such as secure email communication, document creation and sharing, and a safe place to store information. Cloud-based system providers, like Microsoft and Google, have advanced protection programmes which leverage their global networks to provide extra security against targeted cyber attacks like phishing, which will better support and secure your organisation than any servers you could set up with your own team.
4. Carefully Manage Access & Identity. It is essential for any organisation, big or small, to have strong identity and access management processes in place. Create policies governing who has access, physical or virtual, to which systems and data, and implement procedures, policies, and controls to ensure secure access management throughout your organisation. Authorise individuals to access the systems or data that they need in order to do their jobs, but do not provide them with access to other areas that they do not require access to. For example, it is crucial that you create separate accounts for administrators and users, and closely restrict and monitor access to administrator accounts. This will reduce the likelihood that an administrator account can be compromised, which would provide access to the entire network in the event of a breach.
5. Ensure Proper Password Management. One of the simplest things to achieve in security, yet one of the most overlooked, is good password management. Everyone in an organisation should use proper passwords to access systems and data, but this is commonly neglected, as people like to use easy-to-remember passwords like “1234”. If you haven’t already, introduce password management policies and implement technical solutions to ensure that those policies are followed. Ensure that no systems are using default usernames or passwords, and require that strong passwords are created. Current computing capabilities can crack a seven-character password in milliseconds, but a 20 or 30-character password would take much longer and so better secures your accounts. Setting up a self-service password reset tool or application enables individuals to safely manage their own passwords, which can prevent passwords being incorrectly shared or accounts being compromised by a bad actor claiming to be a member of staff. Additionally, using a password manager is a great way to reduce the risk of cyber attack: it allows you to generate and store long passwords that you don’t have to memorise.
6. Set Up Multi-Factor Authentication. Setting up strong passwords is the first step in protecting your accounts; next you should require two-factor or multi-factor authentication on all systems and applications, especially systems containing sensitive information. Use a mobile app or physical key for your second factor, not text messaging, as attackers can easily clone a phone number and get access to your messages. There are many multi-factor authentication solutions and apps that work well, such as Google Authenticator, Microsoft Authenticator, and Duo Mobile.
7. Encrypt Your Data. Encryption scrambles the data, dramatically reducing the likelihood that someone can read your messages, even if they intercept the data. There are many interception tools, such as “Stingray” devices, that can capture data in transit, so you need to ensure you encrypt sensitive data when storing it or transmitting it. There are a number of solutions available to do this, with some operating systems even having encryption capabilities built in. The rule of thumb is: if you are not sure whether something should be encrypted, then encrypt it.
8. Backup! Backup! Backup! Backing up your data and systems is one of the easiest things people and businesses can do but do not, and many people do not realise the danger of their mistake until it is too late. This should be a crucial part of a security strategy for any organisation. Having secure backups in place means that you can recover from everything from accidental file deletion to a complete system breach and lockdown. Backup data should always be stored in a secure, remote location away from your primary place of business – away from locations where there might be a chance of flooding or natural disasters occurring.
9. Ensure Your Software is Kept Up-To-Date. One of the easiest ways to keep your estate safe from cyber attacks is to ensure your security software is up to date and to install patches to servers, operating systems and software. Many major vendors, such as Microsoft, have automatic update services, which can automate the patching process and make it easier than ever to secure your systems. Keeping your systems and applications patched and updated is the best way to ensure that they are adequately protected. Your security applications are only as good as their most recent update, so keep them as up to date as possible for the best security positioning. Cyber attackers are constantly adapting to exploit weaknesses in outdated software versions, so it is recommended to update applications regularly to keep ahead of attackers and malicious software.
10. Be Prepared. Finally, you should always be prepared for the worst. Ensure that your organisation has an incident response plan in place so that you are prepared for a breach should one take place. Often, how you respond to an incident has more to do with the outcome than what was initially compromised. It is important your team knows who to contact for technical support, which stakeholders need to be notified, what are your legal obligations and what communications need to be distributed in the event of a breach or incident.
While there are no guarantees when it comes to information security, it is clear that by following the above recommendations you can greatly improve your organisation’s odds of fending off cyber attacks by hackers who seek to steal its confidential information. If you are a small or medium-sized organisation looking to implement some of the above measures, Microsoft’s business plans may be a good start in increasing the security of your organisation. Microsoft 365 Business Premium combines Office 365 productivity tools with a comprehensive security solution that protects your business against advanced cyberthreats. At Nostra, we work hard and fast to deliver and support Microsoft 365 to businesses large and small, both in Ireland and across the world. For more information on our security offerings, please contact us.