Written by FBNZ member, Simplify Security
You don’t have to wait long these days to see another cyber attack in the news headlines. With the crushing ransomware attack on the Waikato District Health Board and the JBS attack which halted 47 sites across Australia, cyber security is on the radar of most business owners lately.
While the headlines can make it look all doom and gloom, the truth is that many of these attacks could have been prevented by implementing some basic cyber security hygiene. Just as you automatically perform some basic activities for personal hygiene like brushing your teeth and taking a shower, the same is true of cyber security. To keep your business in shape, you need to address some basics.
This article will focus on simple, affordable solutions to implement a cyber security hygiene regime.
Get on top of your password habits
Passwords are a simple, free way of securing access to your laptops and phone, so make sure they are enabled on your devices. Sadly, 123456 is still the most common password out there, which is about as secure as keeping your front door closed but unlocked. Choose a long, strong password, something that couldn’t be guessed by someone who knows you well or is on your social media (yes, cyber criminals will check your social media to compromise your systems). CertNZ has a great video here explaining the use of ‘passphrases’: 4 or 5 unrelated words strung together to make a password.
Make sure you use a unique password for every device and application and change it as soon as you receive any notification that it has been breached.
It can be difficult to remember several passwords and it’s not advisable to write them down, so we recommend the use of a password manager. There are several options on the market and when used, you only need to remember your one master password to open the application where the other passwords are stored.
Use a secondary ‘lock’ to secure your accounts
For your accounts like banking and email, one of the simplest yet most effective methods of protecting your account is to put in a secondary lock. This lock is known as ‘multi-factor authentication’ (MFA) or ‘two-factor authentication’ (2FA). When enabled, you need your normal password and a secondary method to access the account. It’s like locking your front door with 2 locks that have 2 different keys kept on different keyrings. The secondary lock can be via a code held on your phone through an authentication application such as ‘Authenticator’ or from sending an SMS code to your phone. Setting up MFA is simple; you will normally find the option to enable MFA or 2FA under settings on most applications.
Filter out the bad stuff
Advanced antivirus protection can protect you from malicious content from websites and emails and should be deployed on all devices. Whilst the free products on the market do offer some level of protection, they are based on technology that searches for known viruses and will not help if you are hit with a never-seen-before virus. Advanced antivirus technologies offer much more protection as they look at the behaviour of the virus, so they can block unknown threats. There are several technologies on the market, and they are not as expensive as you might think, starting at around $5 per month per user.
Ensure that your email platform, whether it is Office 365 or Gmail, is blocking commonly known malicious file attachment extensions. Cybercriminals send attachments with extensions that most businesses do not block to gain access to systems and infect them with ransomware, so make sure this is in place. Talk to your IT or Security provider so that .ps1, .bat and other file extensions are blocked if these files are not part of your normal business interactions.
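To show what such a block list actually does, here is an added example (not code from the article, Office 365 or Gmail) that parses a mail message and flags attachments by extension. The sample message is constructed inline; .ps1 and .bat come from the article, and the other extensions in the list are assumed additions an administrator might choose. The check lower-cases the name and looks at the last extension, so names like invoice.pdf.PS1 are caught.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# .ps1 and .bat are named in the article; the rest are assumed additions.
BLOCKED_EXTENSIONS = {".ps1", ".bat", ".cmd", ".exe", ".js", ".vbs", ".scr", ".hta"}


def is_blocked(filename: str) -> bool:
    """True if the attachment's final extension is on the block list.
    Case-insensitive and tolerant of padding spaces, so 'Invoice.pdf.PS1'
    and 'notes.ps1 ' are both caught; 'report.docx' is not."""
    suffixes = PurePosixPath(filename.strip()).suffixes
    return bool(suffixes) and suffixes[-1].lower() in BLOCKED_EXTENSIONS


def blocked_attachments(msg: EmailMessage) -> list:
    """Return the file names of every attachment that should be blocked."""
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and is_blocked(name):
            blocked.append(name)
    return blocked


def build_sample_message() -> EmailMessage:
    """Constructed sample: one legitimate PDF and two disguised scripts."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "you@example.co.nz"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 (constructed placeholder)",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"Write-Host 'constructed placeholder'",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.PS1")
    msg.add_attachment(b"@echo off\r\nrem constructed placeholder",
                       maintype="application", subtype="octet-stream",
                       filename="run.bat")
    return msg


def screen_raw_mail(raw: bytes) -> list:
    """Entry point a gateway would use: parse the raw RFC 5322 bytes and screen."""
    parsed = email.message_from_bytes(raw, policy=policy.default)
    return blocked_attachments(parsed)


if __name__ == "__main__":
    sample = build_sample_message()
    print("blocked:", screen_raw_mail(sample.as_bytes()))
```

An extension list is a cheap first filter, not a complete one: it cannot see inside archives or password-protected files, and it does nothing for attachments whose type is legitimate for your business (such as Office documents), which is where the behaviour-based antivirus above takes over.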
Be prepared for the worst
While backing up your data won’t prevent a cyberattack, it certainly puts you in a much better position if one happens. Even if you pay up over a ransomware attack to get your data back, the latest research shows that only 65% of data will be restored.
Ransomware attacks now also target backups, so make sure your backups are not connected to your normal network or are kept offline. It’s also important to test that you can restore your systems and data from the backups held.
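A restore test is only meaningful if you can tell whether what came back is complete and unaltered. The following is an added example, not code from the article or from any backup product: at backup time it records a SHA-256 manifest of every file, and after a restore it compares the restored tree against that manifest, reporting files that are missing, changed, or unexpected. The sample directory tree and the "bad restore" it simulates are constructed inline.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256.
    Store this with the offline backup so a restore can be checked later."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest. All three lists empty means
    the restore test passed."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "corrupt": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a clean restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "invoice.txt").write_text("invoice 001\n")
        (live / "config.ini").write_text("[db]\nhost=localhost\n")

        # Taken at backup time and written beside the backup copy.
        manifest = build_manifest(live)
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Restore test: reload the manifest from disk and compare.
        stored = json.loads(manifest_path.read_text())
        clean = verify_restore(backup, stored)

        # Simulate a bad restore: one file altered, one file lost.
        (backup / "config.ini").write_text("[db]\nhost=wrong\n")
        (backup / "docs" / "invoice.txt").unlink()
        bad = verify_restore(backup, stored)
        return {"clean": clean, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should live with the offline copy, not on the live network: if an attacker can rewrite both the backup and the manifest, the check proves nothing. Run the restore test on a schedule, not just once after setup.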
Just as you wouldn’t wait till the building was on fire to discuss fire escape routes and who the fire wardens are, you shouldn’t wait till a cyber attack hits to plan your response. Start thinking about key responsibilities and who would take these on, the people you’d need to keep informed and how you would go about doing that. If you don’t have internal IT capabilities with security experience, who would assist you to recover systems? How will you keep business-critical systems running? These types of things and more should go in your ‘Incident Response Plan’. New Zealand’s cyber security agency CertNZ gives more information on Incident Response Plans here: Creating an incident response plan | CERT NZ.
If you do experience a cyber attack, you’ll want to be able to investigate it so you can determine how the attackers got into your systems and, in turn, rectify the weaknesses. For a thorough investigation, you’ll need to configure your network devices to keep logs. The logs keep a record of all events so that a forensic investigation can take place. If your business uses a server, we recommend you talk to your IT provider to ensure you have logging enabled.
Know the signs of a phishing attack
Your staff are your first line of defence, and while it’s unrealistic to expect that they will all be able to recognise 100% of attacks, it’s still a worthwhile endeavour to do some training in how to recognise phishing attacks and stay vigilant to social engineering. Email and text attacks (known as phishing and smishing) are getting more sophisticated and have moved on from the days of the Nigerian Prince asking you for Western Union banking details. There are still tell-tale signs though, and there are some great free resources out there from government agencies such as CertNZ which will help you recognise them.
If you really want to get serious about educating your staff, try an education and testing platform where you can test your employees by sending fake phishing emails to see who falls for it. Doing so will give you visibility into how exposed your business is to a phishing attack and allow you to ramp up your education and training if necessary.
Keep your devices happy and healthy
System and software vulnerabilities are continually being brought to light by researchers. Cybercriminals are very fast to exploit these known security gaps in software and systems to deliver malware; you need to beat them to it by updating to the latest versions of software as soon as you hear about them. This process is known as patching. You can make your life easier by configuring automatic updates. Make sure you do a complete system reboot too, as sometimes the full update doesn’t take effect until you reboot.
The tips shared here are fairly simple to implement but if you’d like further support, please get in touch. We are happy to offer a free consultation to all family business members.
About Simplify Security
Simplify Security is a family business that was founded by Ray Dussan and his wife Louise Ardern after working for several years in large enterprises. Ray saw the need to help New Zealand businesses dramatically improve their cyber security posture when he arrived from the United Kingdom and worked for an IT provider. He was concerned about how poorly New Zealand businesses were doing in security, and his desire to see a more resilient and safer New Zealand grew.
Simplify Security is a Security as a Service organisation that helps businesses transform their cyber security posture and become more resilient. They specialise in simplifying a complex subject and providing practical and affordable services with a personalised approach. Simplify Security offers several subscription-based services, including Cyber Essentials and Penetration Testing as a Service (PTaaS). With PTaaS, friendly hackers (aka ethical hackers) work with your business to close the security gaps before the criminal hackers take advantage of them.
Simplify Security provides security services to organisations across New Zealand, the US, the UK, Australia and Switzerland. They work with internal IT teams and IT providers to enable secure digitalisation of businesses and ensure that data and systems are protected.