There’s no magic bullet for cyberattacks. But with the range of tactics outlined in our playbook, hackers will struggle to take advantage of your business.
Gone are the days when you could install an antivirus program and then just forget about cyberattacks. As the internet, digital media and automation have evolved, so has the cybercriminal’s toolkit for accessing, exposing and destroying your data.
To protect your business, you need to understand and then eliminate your vulnerabilities. Think of this article as your defensive playbook. Each section is dedicated to a separate tactic. Taking into consideration the nature of your business, you might focus on some more than others, but it’s best to cover them all.
With good backups, you can always boot up again
While backing up your data won’t prevent cyberattacks, it is one of the most cost-effective ways of ensuring that your valuable business information isn’t irretrievably lost due to technical issues or cybercrime.
As such, you need to take this cornerstone of data security seriously. That means backing up to more than one location, such as cloud storage and portable devices.
But redundancy alone is not enough. Those copies also need to be protected. So don’t leave external drives connected to computers, where they could become infected along with the rest of your system. Disconnect them after each backup and store them off-site.
With cloud storage, it’s best to use strong encryption and multifactor authentication to keep your data under lock and key.
How often you back up data is just as important as the location.
If your backups are outdated, recovery after a cybercrime is that much harder. If you stick to the schedule below, you should be able to restore your data at any time.
- Daily: At the end of each workday, back up incrementally to a portable device and/or cloud storage
- Weekly: At the end of the work week, back up servers
- Quarterly: Back up servers at the end of each quarter
- Annually: Perform yearly server backups
Just remember to regularly check that you can restore your data from your backups.
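One way to automate that restore check, as an added example rather than part of the original article: the script records a SHA-256 manifest when the backup is made, then restores the archive into a scratch directory and reports files that are missing or altered, and whether the backup is older than the daily schedule allows. The function names, the tar.gz format and the 24-hour threshold are assumptions made for illustration.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

MAX_AGE_HOURS = 24  # assumption: matches the daily incremental schedule


def sha256_tree(root: Path) -> dict:
    """Map each file under root (by relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Archive source and return the manifest to keep alongside the backup."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return sha256_tree(source)


def verify_backup(archive: Path, manifest: dict, max_age_hours=MAX_AGE_HOURS) -> list:
    """Restore into a scratch directory and list every problem found."""
    problems = []
    age_hours = (time.time() - archive.stat().st_mtime) / 3600
    if age_hours > max_age_hours:
        problems.append(f"stale: backup is {age_hours:.0f}h old")
    # Use the safe 'data' extraction filter where this Python provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive) as tar:
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return problems + [f"unreadable: {exc}"]
        restored = sha256_tree(Path(scratch))
    problems += [f"missing: {n}" for n in sorted(manifest.keys() - restored.keys())]
    problems += [f"differs: {n}" for n in sorted(manifest.keys() & restored.keys())
                 if manifest[n] != restored[n]]
    return problems
```

An empty list means the backup restored cleanly and is fresh. Keep the manifest somewhere other than the backup medium so that a damaged backup cannot take its own reference data with it.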
Don’t neglect the human factor – train your staff
The best software and hardware security systems can’t ward off cyberattacks if your staff open risky attachments or share credentials with scammers.
Think of your employees as your most important line of defence and foster a security culture in your company.
Training new hires and getting them to sign your cybersecurity policy is a good start but it isn’t enough to ensure the issue remains top of mind day in, day out.
To instil a security mindset, you need to conduct refresher courses on identifying, avoiding and managing threats, as well as update the team about new forms of cyberattacks. Here are some of the things every employee needs to know:
- How to use emails and the internet safely for business and personal purposes
- What practices ensure business information remains secure at the office and home
- Where to store devices when not in use
- How USB sticks and portable hard drives can spread viruses from home to the business
- How to respond in the event of a cybercrime
Weak passwords are easy to bypass
Since employees create their own passwords, they deserve a special mention in your employee training. Just as burglars know to look under the doormat for your front door key, criminals crack passwords with a quick look at Facebook for pets’ or loved ones’ names.
By that logic, it’s also not a great idea to use the same password for everything. Then criminals only need to learn one password to access all your accounts.
Ideally, you should implement multifactor authentication (MFA). This system requires that you verify your identity in two different ways before you can access your account. In addition to your password, for instance, a code may be sent to your phone. This second layer of security puts an extra stumbling block in a hacker’s path.
The fewer people with admin privileges the better
Administrative privileges give a user the power to make major, sensitive changes to your system, including installing software and creating new accounts. Unsurprisingly, hackers are eager to gain that kind of access to your systems and take greater control of your business.
That’s reason enough to restrict these privileges to the smallest possible number of people. But it also makes sense to do so in order to limit the chance for human error. All employees, even those with admin privileges, should use standard user accounts on a day-to-day basis.
For safety’s sake, enforce a strict policy prohibiting the reading of emails or surfing the internet whenever anyone logs on to an account with administrative privileges.
Fight fire with firewalls and more – technology to block cyberattacks
There are a number of solutions that create a perimeter around your business. Much as with walls around your actual premises, there are always people willing to climb them, but they are a deterrent and keep many criminals out.
Available in both hardware and software form, firewalls set up roadblocks to incoming and outgoing traffic. In this way, they block malicious software and intruders from accessing your network.
To be effective, they need to be patched regularly and should be installed on portable devices, remote workers’ systems and office computers. Well-maintained firewalls can prevent cybercriminals from accessing your business and employees from visiting inappropriate websites.
Some firewalls include virus-scanning functions, but if yours doesn’t, you should install antivirus software to identify and remove any malware that penetrates your firewall. As an added benefit, the programs provide an alert that can help you track the source of a breach.
Intrusion detection/prevention systems
Usually positioned directly behind a firewall, intrusion detection monitors and analyses the traffic that passes through the firewall. It identifies attempts to exploit device or software vulnerabilities so that intrusion prevention can block them.
Of course, if employees don’t keep an eye on detection tools, no amount of alerts will prevent a cybercrime. Even if your system is compromised, the sooner you take action, the more successfully you’ll be able to contain a breach.
Secure Wi-Fi networks
Weak Wi-Fi security is a gift to criminals who can easily install malware and harvest sensitive data from these connections without users realising. This is practically putting out the welcome mat for hackers.
Ensure you follow these best practices in securing your wireless network:
- Change default passwords on new routers
- Disable broadcasting of your network’s service set identifier (SSID) so criminals can’t see your network or identify the make of router
- Choose Wi-Fi Protected Access 3 (WPA3), which offers the strongest encryption to date
- Create separate Wi-Fi networks for employees and guests or visitors
Simply put, encryption scrambles data so that it’s impossible to read unless you have the key to decode it. Since the encrypted data is useless, this process reduces the risk of theft, destruction or tampering.
There are two main encryption methods: At-rest encryption, such as full-disk encryption, encodes data locally on a device. In-transit encryption is a similar process for data transferred between recipients. You can activate it in your router’s settings or when creating a virtual private network (VPN). Both are important.
Just remember that you’ll need to provide recipients of encrypted emails with the key. But never do so in the same email. Rather, convey it over the phone or by some other method. By the same token, never store the key for at-rest encryption in the same place as your backups.
Spam filters weed out many of the spam and phishing emails your business receives. The fewer of these emails clogging inboxes, the smaller the chance that someone is lured into opening them and infecting your system with viruses and malware or revealing confidential information. Train your employees to delete them immediately.
Web browser filters prevent your employees from visiting a predefined list of websites, such as pornography and social media sites. Explain that this is not about censorship but rather preventing them from inadvertently downloading malware while browsing these high-risk sites.
Update software without delay
Operating system and software updates often include improved security features. If you put off installing them, you leave yourself open to cyberattacks by hackers who exploit the vulnerability. For this reason, enable automatic updates and never disregard prompts to download new versions of your software.
Bear in mind that software vendors stop providing security updates on products they no longer support. For instance, Microsoft will end support for Windows 8.1 in January 2023. This is why it’s important to upgrade.
Guarding one of your business’ greatest assets – customer data
Keeping your customers’ information under lock and key is essential, and not just because many countries have legislation that imposes fines on those who are careless. Your reputation is also on the line.
The Payment Card Industry Security Standards Council offers a data security evaluation tool to help you assess how safe your payment processes are.
Out with the old, in with the new? Not so fast.
Just as you shred sensitive, old documents to ensure they don’t fall into the wrong hands, you need to do the same with your digital information. That means wiping all data from hard drives and portable media before donating, recycling or destroying them.
As already mentioned, you need to update and upgrade the software. But don’t leave old or unused applications on your business network, as they can act as a backdoor for hackers.
The same policy should apply to people. Whenever anyone leaves the company or changes their role, delete their old accounts and passwords as diligently as you collect ID badges and office keys.
Expect the best, prepare for the worst with an incident response plan
No cybersecurity system is impregnable. It pays to take every precautionary measure, and your incident response plan shouldn’t be the least of them. When you face cyberattacks or data breaches, time is of the essence. With a good incident response plan, everyone will know their roles and have rehearsed what to do.
Our article about what to do when you discover your business is a victim of cybercrime will help you ensure you cover all your bases in designing your plan. You can also customise one with the help of the U.S. Federal Communications Commission’s cyber planner for small-business owners.
Take (out) cover – get cyber insurance
Cyber insurance will cushion you against business losses due to cyberattacks and can also provide for the costs of legal counsel, investigators and PR teams. Look out for a program that will send those professionals to assist you in managing the response and recovery process.
The right policy will even cover claims by groups or individuals who have suffered losses because of your business’ action or inaction.
Don’t go it on your own
Cybersecurity has to evolve continually to stay one step ahead of hackers. It’s not a one-time DIY fix. That’s why you need a partner to help you tailor solutions to your company’s needs and ensure they keep pace with increasingly sophisticated cyberattacks and your business’ growth.
Browse Digimune’s services to learn more about how we can help you repel cybercrime.