At Inspire Cloud, we meet many clients who have concerns or challenges around IT security. This week a local coffee shop that I visit posted a message on social media simply stating ‘We have been hacked. Do not open any of our messages’, which is a little more sobering than their strong coffee!
It made me wonder whether some small businesses consider themselves immune from IT security threats. In this example, a small coffee shop is surely not a target for malicious attempts on its systems, and what would it have to lose anyway?
Well, in some ways you may not think it’s a high-value target: they sell coffee, they are a small business and they don’t hold much of value. If we think of it another way, though, a small business, regardless of what it sells, holds a lot of value: a business bank account, order and supplier information, personal data, and the contact details of other businesses.
What’s the impact of an IT Security breach?
So, what could a malicious person do if they gained access to all of the above? Sadly, we see these scenarios reported, and they include the following outcomes:
- Contacting customers and advising them of ‘new’ bank account details to which payment for existing invoices should be sent
- Holding systems and data to ransom for a significant amount of money, typically paid in Bitcoin
- Impersonating members of staff to contact suppliers and customers for illicit ends, and destroying key relationships with abusive messages
- Sending mass e-mails from the reputable company’s own accounts to thousands of people to spread malware
- Accessing the personal data held on customers and selling it or passing it to other malicious users
How can small businesses improve their IT security?
So, now we have covered some of the real concerns, I would assume you are keen to know how you can improve the security of your systems and data, and we are happy to share some of our top areas to consider.
Firstly, before we cover our top areas, our recommendations align to the UK government-backed ‘Cyber Essentials’ scheme, which is an important assessment of your IT security against industry guidelines to help secure your data and systems. Inspire Cloud has achieved this certification, so we have experience of both the assessment and the implementation steps, and can give you some key insights into improvements you can make too.
Our Top 8 Changes to improve IT Security
Use complex passwords
A simple but effective measure is to use complex passwords. Avoid passwords that are commonly used, like ‘P455w0rd’, and be aware that your social media profiles, if not private, can tell a malicious user a lot about you without them ever meeting you. Be careful, therefore, about using a password based on your child’s name if you mention it frequently on social media, as this makes your password easy to guess.
If you are wondering how to generate a complex password, you can use a password manager or a third-party service like the ‘LastPass Password Generator’ to produce a passphrase built from several random words, which is much easier to remember and much harder to break than a short string of substituted characters.
Enable Multi-Factor Authentication
Now, I am going to partly contradict the section above, because a complex password on its own is not enough. You may have the most complex password in the world, but if it is reused across all of your social media, bank and online shopping accounts, a single breach of any one of them exposes all the rest.
This is a real problem, as there have been many high-profile events where large corporations have had their customers’ personal data stolen, including e-mail addresses and passwords, and this data can be purchased easily from a range of websites.
If you are curious whether your password and personal details are already out there, check ‘Have I Been Pwned’, where you can see if your details have appeared in a known breach.
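To make the two points above concrete, here is an added example (our own illustration, not code from LastPass or from Have I Been Pwned) showing both halves of good password hygiene: generating a random-word passphrase with the operating system’s secure random source and working out how much entropy it carries, and checking a password against a Pwned Passwords style range response without ever sending the password itself. The wordlist, the range response body and every breach count in it are constructed for the example; only the SHA-1 suffix of the word ‘password’ is real.

```python
import hashlib
import math
import secrets

# Constructed sample wordlist for the demonstration. A real generator should draw
# from a large published list (several thousand words, e.g. a diceware list) so
# that each word contributes ~12-13 bits rather than the ~4.6 bits of this toy list.
WORDLIST = [
    "anchor", "bishop", "cactus", "dolphin", "ember", "falcon", "glacier",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]


def generate_passphrase(words=5, wordlist=WORDLIST, sep="-"):
    """Join `words` entries chosen with the OS CSPRNG. `secrets.choice` is used
    rather than `random.choice`, whose Mersenne Twister output is predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words, wordlist_size):
    """Entropy in bits, assuming each word is drawn uniformly and independently."""
    return words * math.log2(wordlist_size)


def hibp_prefix_suffix(password):
    """Split the upper-case SHA-1 of the password the way the Pwned Passwords
    range API expects: only the 5-character prefix is sent to the service; the
    remaining 35 characters stay on the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix, range_body):
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return how many
    times our full hash has been seen in breaches, 0 if it is not listed."""
    for line in range_body.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix == suffix:
            return int(count)
    return 0


# Constructed stand-in for the body that GET https://api.pwnedpasswords.com/range/5BAA6
# would return. The third suffix is the real SHA-1 suffix of "password"; the other
# suffixes and every count are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB7A6D7F:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E7FB2C9BE55E43E78E7BEE8EEB7F2DD2C9:1
"""


def check_password_offline(password, range_body=SAMPLE_RANGE_RESPONSE):
    """Full client-side flow: hash, split, look the suffix up in the range response.
    In production the range_body comes from the HTTPS request for the prefix."""
    _prefix, suffix = hibp_prefix_suffix(password)
    return breach_count_from_range(suffix, range_body)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"~{passphrase_entropy_bits(5, len(WORDLIST)):.1f} bits")
    print("'password' seen", check_password_offline("password"), "times")
    print("passphrase seen", check_password_offline(phrase), "times")
```

The point of the split is that the service only ever learns the first five hex characters of the hash, which match hundreds of other passwords, so you can check your password against the breach corpus without disclosing it.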
Whether or not your details have been compromised, the point is that a complex password is not enough on its own to secure your data; we should also use another method of verification to confirm you are who you say you are.
That, in summary, is what ‘Multi-Factor Authentication’ (MFA) is, and nearly all online services offer it in some form, whether a code delivered to your e-mail address, a text message to your mobile phone or, better still, a code from an authenticator app or a hardware security key.
Microsoft has also stated that accounts with Multi-Factor Authentication enabled are more than 99.9% less likely to be compromised, so it’s a simple change which makes a world of difference to the security of your accounts. If you haven’t already, enable multi-factor authentication today!
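To show what the ‘code from an authenticator app’ actually is, here is an added example (our illustration, not Microsoft’s or any vendor’s code) implementing the time-based one-time password algorithm from RFC 6238 on top of the HOTP algorithm from RFC 4226, plus the server-side check with a small tolerance for clock drift. The shared secret is the one published in the RFC test vectors; everything else is assumed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then 'dynamic
    truncation' (4 bytes starting at the offset given by the low nibble of the
    last MAC byte), reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch, so phone and server agree without a network."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, code, at_time, step=30, digits=6, window=1):
    """Server-side check. Accepts the current step and `window` steps either
    side to tolerate clock drift, and compares in constant time so an attacker
    cannot learn digits from response timing. A real server must also record
    that a code has been used so it cannot be replayed within the window."""
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


def secret_from_base32(b32):
    """Authenticator apps exchange the shared secret as (often unpadded) base32."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# Shared secret from the RFC 6238 test vectors: ASCII "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code, "valid:", verify_totp(RFC_SECRET, code, now))
```

The usual pairing is a six-digit code with a thirty-second step; the RFC test vectors use eight digits, which is why the checks below pass `digits=8`. Note that a phished TOTP code is valid for the rest of its window, which is why a hardware key (FIDO2) is stronger still: it binds the login to the real site’s origin.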
Review your IT accounts and access privileges
We are all busy, and of course people both join and leave our companies, which becomes a problem if it is not managed. For example, if someone has left your company and you are unsure whether their account has been disabled for login, or unsure what the process for doing so is, you should check that pretty quickly.
The reason is that every account that can still be logged in to, especially a leaver’s, increases the threat to your data, because:
- The account could be accessed by a third party using credentials exposed in a data breach
- The leaver may not be a ‘good leaver’, and a live account lets them continue to access your data and become a threat to your business and intellectual property
In addition, the problem is not only the number of accounts; we also need to consider what those accounts can access, in terms of the rights they hold.
Let’s put this in another perspective. Company CEOs have their information on websites, where contact details like e-mail addresses are easy to find. CEOs also like to have access to lots of data and services, and over time they accrue access to systems they don’t really need, other than for the convenience of a customer report six months ago.
So what happens if a malicious user gains access to the CEO’s account? Not only would we be handing over our most important account, but also its access, potentially administrator access, which gives the attacker full control of your company’s IT systems.
So, if you haven’t already, review which accounts are active and allowed to log in, alongside what level of access those accounts have, and if they are not required to have access to privileged systems, remove it. Give day-to-day accounts standard user rights and keep administrator rights in separate accounts that are only used when needed, which is also what Cyber Essentials expects.
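As an added example of what that review looks like in practice (our own illustration, not the output of any particular identity product), the script below runs three checks over an exported list of accounts: enabled accounts that have not signed in for 90 days, leavers whose accounts are still enabled, and every enabled account holding a privileged role, for a ‘do they still need it?’ decision. The user list, role names, dates and the review date are all constructed for the example; in a real review the list would come from your directory or cloud identity admin console.

```python
from datetime import date, timedelta

# Constructed sample of a user/role export. Every entry here is made up.
USERS = [
    {"upn": "ceo@example.com", "enabled": True, "last_signin": "2023-06-01",
     "roles": ["Global Administrator"], "status": "employee"},
    {"upn": "finance@example.com", "enabled": True, "last_signin": "2023-06-03",
     "roles": [], "status": "employee"},
    {"upn": "j.smith@example.com", "enabled": True, "last_signin": "2022-10-14",
     "roles": ["Exchange Administrator"], "status": "leaver"},
    {"upn": "temp01@example.com", "enabled": True, "last_signin": None,
     "roles": [], "status": "employee"},
    {"upn": "old.admin@example.com", "enabled": False, "last_signin": "2021-01-09",
     "roles": ["Global Administrator"], "status": "leaver"},
]

# Roles we treat as privileged for the example; extend to match your platform.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "Privileged Role Administrator"}

# Fixed 'today' so the example is reproducible (constructed).
REVIEW_DATE = date(2023, 6, 10)


def stale_accounts(users, today=REVIEW_DATE, max_days=90):
    """Enabled accounts that have never signed in, or not within `max_days`.
    Disabled accounts are skipped: they are already where we want them."""
    cutoff = today - timedelta(days=max_days)
    stale = []
    for u in users:
        if not u["enabled"]:
            continue
        last = u["last_signin"]
        if last is None or date.fromisoformat(last) < cutoff:
            stale.append(u["upn"])
    return stale


def leavers_still_enabled(users):
    """Accounts marked as leavers in HR/status data but still able to log in."""
    return [u["upn"] for u in users if u["status"] == "leaver" and u["enabled"]]


def privileged_accounts(users, privileged=PRIVILEGED_ROLES):
    """(upn, privileged roles) for every enabled account holding any of them."""
    return [(u["upn"], sorted(set(u["roles"]) & privileged))
            for u in users if u["enabled"] and set(u["roles"]) & privileged]


def access_review(users, today=REVIEW_DATE, max_days=90):
    """Combine the checks into two action lists: disable now, and review rights."""
    disable = set(leavers_still_enabled(users)) | set(stale_accounts(users, today, max_days))
    return {"disable_now": sorted(disable),
            "review_privilege": privileged_accounts(users)}


if __name__ == "__main__":
    for action, items in access_review(USERS).items():
        print(action)
        for item in items:
            print("  ", item)
```

Run monthly, or wire the same logic to your leaver process so the ‘disable now’ list is normally empty. The privileged list is deliberately not filtered: the decision about whether the CEO still needs Global Administrator is a human one, the script just makes sure the question gets asked.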
Remove the software you don’t need
We live in a world of apps; we have pretty much an app for everything now, whether it’s ordering food to our door or controlling our TV, so we are spoilt for choice.
In this world of apps, we need to consider that the software developers who build these applications are just as exposed as my local coffee shop, and a vulnerability in their app becomes a security concern on your device.
Therefore, a simple but effective change is to look at the apps you have on your mobile, tablet, PC or Mac and remove the ones you don’t need. That reduces the attack surface of your device and the risk of an app with a security hole compromising your data. Keep the apps you do need updated, for the same reason.
Run that Anti-Virus
Anti-virus software has been around for as long as I can remember, and I do remember using Windows 3.1 on an old IBM machine, so this is hardly a new recommendation, right?
However, it’s one of the simplest things that people overlook or turn off, because it’s slowing down the computer, or getting in the way of the day, or because that anti-virus upgrade keeps being put off for lack of time.
Therefore, a set of simple and effective improvements would be:
- Ensure you have anti-virus enabled on every computer and device
- Ensure your anti-virus is up to date, with the most recent threat definitions downloaded
- Run a full update and scan if you haven’t in a while, and ensure real-time (on-access) scanning is enabled so that any file you download is checked before it runs
Implement a Firewall
A firewall is a useful application on your PC or device (and on your network router) which blocks certain applications from accessing resources and prevents external connections from reaching your device through commonly used ports.
We can think of ports as the numbered entry points on your device which allow data to be delivered to your applications, or sent out of your device to another resource.
Protecting those ports is therefore a useful way of increasing your device’s security: have a firewall installed and enabled to monitor the data being sent on ports and the applications sending it, block inbound connections you haven’t explicitly allowed, and block ports commonly used for malicious purposes.
Secure your e-mail
This is a topic we could write a whole blog post on, but we will focus on how you can improve the security of your e-mail, as it is the most common route used by malicious users to gain access to your data and systems.
The first thing to note is that e-mail is commonly used to share malware but, more importantly, it is used to deliver ‘phishing’ e-mails. If you haven’t heard that term before, here’s the Oxford Languages definition:
“The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
This practice has been increasing recently, largely because we as people are very trusting of other people and at times do not want to question an e-mail, which provides a huge opportunity for phishing.
Let’s use a common example, often called CEO fraud: an e-mail is sent to you purporting to be from the CEO, instructing you to release funds for an unpaid invoice, and specifically stating not to reply or message the CEO, as they are in an important meeting and will speak to you later, but to make the transfer immediately.
This sounds silly, right? But the number of companies falling for this tactic is unbelievable, and most companies hit by it will not be able to recover the funds, at which point the business could fail.
You can protect yourself from this type of attack with a selection of changes:
- If you receive an e-mail of this type, check with the person apparently requesting the information or transfer by phoning them on a number you already hold, not one taken from the e-mail; never act on e-mail instructions alone
- Review the sender of the e-mail by expanding the display name and checking the actual sender address, as senders can easily ‘spoof’ (impersonate) a name, and look out for lookalike domains that differ from yours by a character or two
- Add a warning in your e-mail system to mark all external e-mails as sent from an external party, so that an e-mail purporting to be from an internal person but sent from outside stands out
- Implement additional e-mail security with third-party software to block malware attachments and impersonation of your internal accounts, and publish sender authentication records (SPF, DKIM and DMARC) for your domain so that other mail systems can reject mail that spoofs it
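To show the checks in the list above as something a mail filter or a suspicious reader can actually run, here is an added example (our own illustration, not the logic of any e-mail security product) that parses a raw message and reports the CEO-fraud indicators: a display name that matches a known executive but an address that doesn’t, a sender outside our domain, a lookalike domain, a Reply-To pointing somewhere else, and the urgency language the post describes. It also shows the external-sender subject tag. The internal domain, the executive directory and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed for the example
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed directory
URGENCY_PATTERNS = [
    r"\burgent",
    r"do not (reply|call|contact|phone)",
    r"\b(wire|transfer|release) (the )?(funds|payment|money|invoice)",
    r"new (bank|account) details",
    r"in (a|an) (important )?meeting",
]


def levenshtein(a, b):
    """Edit distance, used to spot domains one or two characters off ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of finding codes for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    findings = []
    if sender_domain != INTERNAL_DOMAIN:
        findings.append("external-sender")
        # Close but not equal to our own domain: the classic examp1e.com trick.
        if sender_domain and levenshtein(sender_domain, INTERNAL_DOMAIN) <= 2:
            findings.append("lookalike-domain")
    known = EXECUTIVES.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        findings.append("display-name-impersonation")
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to-mismatch")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        findings.append("urgency-language")
    return findings


def tag_subject(raw):
    """The external-sender banner: prefix the subject when the sender is not ours."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    _, addr = parseaddr(msg.get("From", ""))
    return subject if domain_of(addr) == INTERNAL_DOMAIN else "[EXTERNAL] " + subject


# Constructed sample of the CEO-fraud message described in the post.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent - outstanding invoice

Please transfer the funds for the outstanding invoice today.
Do not reply, I am in an important meeting and will call you later.
"""

# Constructed benign internal message for comparison.
SAMPLE_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Friday

Shall we book the usual place?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BEC, SAMPLE_INTERNAL):
        print(tag_subject(raw), "->", analyse(raw) or "no findings")
```

None of these checks proves a message is fraudulent on its own; the value is that a message tripping several of them at once is exactly the one to verify by phone before any money moves. Header checks like these complement, rather than replace, SPF, DKIM and DMARC, which let receiving systems reject mail that claims to come from your domain but doesn’t.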
Manage your devices
This is a more difficult and complex topic, but it is worth noting in order to conform to the Cyber Essentials requirements. We have many devices in our companies, such as laptops, PCs, mobiles and tablets, all with different operating systems, different patch levels and different applications, and we may not have any control over them.
This is where an application or process to manage your devices can improve your IT security, by ensuring that specific systems run the latest operating system or patch, or by preventing, for example, iPhones with specific apps installed that raise IT concerns from accessing company data.
Therefore, it’s worth considering how you manage the devices in your business, and how you can enforce device security and prevent unnecessary breaches caused by an employee not running the latest updates.
So, what next?
In summary, doing even a few of the things we covered above should help your business become more secure, meaning that next time we can all enjoy our coffee at the coffee shop without wondering whether our customer data is secure.
If you need help configuring any of these areas in your IT setup, or would like to find out more, we are happy to help, so feel free to get in touch with us.