“Be sure you’re always talking to your IT support provider about the best ways to keep your company’s information secure,” he advised. For starters, Bremner said, use only modern hardware and software that is designed for business, and diligently apply patches every time the vendor releases them.
People sometimes think that software upgrades are just about money, making things faster or adding features, and that hardware just needs to be replaced before it falls apart. The reality, however, according to Bremner, is that competition is forcing continuous improvement in the capabilities of the hardware and software we use. Makers of these products have to keep improving them, or they’ll be left behind. So, companies must draw a line when it comes to supporting their old products. It doesn’t pay to support the older stuff, and it makes more sense for them and for you, to upgrade to the latest.
Install those security patches
All systems have bugs that the “bad guys” can use to exploit your information. It’s the vendors’ job to patch those bugs and it is your job, as an owner or manager of a system, to install those patches.
One recent Windows patch, for instance, issued by Microsoft in March 2017, closes the vulnerability exploited by the EternalBlue method of spreading ransomware. Unfortunately, many businesses (and individuals) are slow to install security patches. In May 2017 that slowness had a high cost, as the WannaCrypt ransomware outbreak (spread using EternalBlue among unpatched systems) caused up to $1 billion in damages worldwide, according to some estimates.
On your home devices, run updates regularly when they become available. And stop using old, unsupported software like Windows XP and older browsers like Internet Explorer versions 6-10.
“That sounds simple, but it continues to astound me how often this advice is ignored, with disastrous consequences – just think Equifax!” Bremner says.
Only use systems designed for business
Don’t run your business on consumer grade and “home” versions of products.
Business-focused vendors are more on top of fixing the security-related bugs that they become aware of than the consumer-focused ones. They know their customers are protecting valuable information, and rely on these products to meet industry compliance requirements. Better security is one of the reasons such systems cost more.
Hardware and software firewalls and filters are baseline now. It’s expected that if you’re running a business, you’ll have a high quality, up-to-date firewall/security appliance, preferably with web content filtering and in-line malware scanning. It’s also expected that you’ll have anti-malware software on your computers and a decent spam filter on your inbound email. As long as that equipment is doing its job and being kept up to date, it’s likely fine.
Identity is the key to everything
Security in the modern workplace revolves around your identity, Bremner states. The principle of knowing and proving who you are is the key to granting you access to resources and data for which you have appropriate permissions. Most times that job falls to a password, which is usually too easy to crack, he says. So make sure you use strong passwords, don’t re-use them on multiple sites, and don’t write them down or save them in a document on your PC.
But as we all get more and more accounts to keep track of, it’s nearly impossible to follow these three rules, he cautioned. Our memories just weren’t built for it. The answer is a password manager.
A good password manager will let you follow all the above rules with very little inconvenience. It will generate long, random passwords for you, it will remember them and keep them encrypted, and it will auto-fill them in for you as you browse. You remember only one password, the one for the password manager, and it unlocks the rest.
“For business use, I recommend something like LastPass Enterprise or 1Password for Teams,” Bremner said.
Protect against ransomware
Ransomware typically runs under the user account of the person who accidentally launched it, and has all the same permissions as that person. If the user has access to a mapped drive to a server, then the ransomware can encrypt those server files, too, not just the local PC that got infected. This is one reason Bremner strongly recommends that companies only give employees access to the files and folders they need to do their jobs.
“Opening up permissions to everything for everyone, even if you trust them, increases your vulnerability in the event someone’s PC is compromised,” Bremner said. “Even managers and IT administrators should not have administrative privileges on their regular user accounts. They should run as ‘regular’ users, and have a separate account with escalated privileges that they log into only when needed for a specific task.”
Protecting against malware is a constant effort that requires a multi-layer approach. No “silver bullet” will guarantee absolute protection, but the best defense if you are affected by ransomware is to have a solid backup strategy, he added.
“A strategy that includes onsite and offsite backups, including continuous backups of changed files to the cloud, is best. This two-pronged backup strategy has allowed us to get clients back up and running quickly with little-to-no loss of data, and without paying any ransom,” he said. “It is never recommended to pay a ransom. You’re dealing with anonymous, dishonest criminals, and there’s no guarantee that they’ll give you anything after you pay them.”
Social Engineering
“Today’s reality is that you are more likely to be hacked by social engineering, or by someone guessing or hacking your password. A simple email, a website or maybe even a phone call, could trick you into revealing something, downloading spyware, or granting access to someone. Then your fancy firewall has been rendered useless,” he noted.
Phishing is a specific type of social engineering that uses an email which appears legitimate to deceive you into revealing sensitive information. With any email you receive, Bremner suggests you follow these security tips:
- Beware clicking links in emails – hover over the link to see the ACTUAL destination, which might be different than the hyperlinked text would lead you to believe.
- Is it really from who it says it’s from? A common tactic is to impersonate someone you know. The email address might be different even if the name is someone familiar. Is your contact referencing an actual conversation you had, or a shared interest you’ve discussed, or is it very generic? If it is generic, don’t click the link.
- The IRS won’t email you. Delivery companies won’t email PDFs or ZIP files that you’d need to open to get a package delivered to you. Your bank won’t ask for your password through email.
- Microsoft will never call you to tell you they found a problem on your computer and that they need to connect remotely to fix it.
- If it seems like it’s from a legitimate business, but you’re not sure, open your browser and go to that business’s site manually instead of clicking the link.
Other tips
- A significant part of computer security consists of safe computing practices by end-users, i.e. don’t open attachments you don’t recognize or weren’t expecting, don’t visit unsafe websites, etc. Be especially wary of documents sent by email that you weren’t expecting.
- Purchase a Meraki security appliance to constantly scan all inbound traffic and block any network traffic that appears to be a virus/malware. It is also helpful to block certain web sites that have the potential to spread malware.
- Use up-to-date antivirus software as an important layer of protection.
- Enable 2-factor/multi-factor authentication for important accounts whenever available. Most commonly this consists of entering a password, then getting a text or call and entering the code they send you. You’re verified by something you know (password) and something you have (phone). Even if a thief gets your password, without your phone he still doesn’t get access.
- Lock your screen when you walk away from your computer.
- Password protect your mobile devices.
- Don’t email sensitive information unencrypted. Regular email isn’t secure. Unless you are using a secure email system, consider sharing sensitive files through a secure cloud storage platform (like OneDrive for Business), or encrypting the file before sending it.
- Avoid clicking on ads and if something randomly pops up that says it found 17 urgent problems on your computer, don’t click on it.
- Install AdBlock Plus or similar ad blocker in your browsers.
- Update your operating system and software with available patches. Software developers, generally speaking, only fix their latest versions; with old software, you’re vulnerable to known security holes that have already been fixed in the newer updates.
What else can we do?
Security is not an exact science, and there is always more that can be done, according to Bremner. It’s a balancing act between increasing security and avoiding disruptions and frustrations for users.
“Businesses need to strike a good balance between ‘safe within reason’ while still maintaining ease of use on the one hand, and being ‘locked down’ but making things more inconvenient for users on the other,” he explains. “Part of that balance is assessing the likelihood of an attack, and the impact it would have, versus the loss of productivity caused by overly restrictive policies.”
Dan Bremner started Castema Technology Services, Inc. (www.castema.com) in 2002 to provide businesses with information technology advantages previously only available to larger and higher budget organizations. He can be reached at (847) 749-1350.