The Basics Of Cyber Security [10-minute guide]
What is cybersecurity and why is it important?
To put it simply, cybersecurity is the way you prepare for an attack on your business network. It is the actions, systems, and processes you implement to become more defensible in the face of a “cyber event.”
A cyber event typically refers to a digital cyber attack in some capacity.
Cybersecurity is so important because cyber attacks pose an extreme business risk. A ransomware event could permanently close your doors in a matter of days. Not only are cyber-attacks dangerous, but they are also becoming increasingly common (and sophisticated). In 2022, you have to treat cybersecurity as a business risk and adjust your budgets and operations as such. Being the proverbial “low-hanging fruit” is like asking the thieves to walk in your front door and steal your stuff.
If you really need convincing here are a couple of stats that might change your mind:
- The average ransomware payment in 2021 was $220,298
- There was a 424% increase in new small business cyber breaches last year
Stopping cyber attacks from happening entirely is a fruitless pursuit. The best you can do is to greatly reduce your risk by following best practices and working with cybersecurity professionals.
The basics of cybersecurity. Protecting your business, facility, plant, practice, etc.
Protect your files and devices:
- Update your software automatically and consistently
- Consistently updating your software can help to close open holes. Often analysts will discover a hole/entry point in a 3rd party software that may expose your business network. The owner of that software will then patch it, closing the hole. For you to be protected you have to install the new version. Outdated software (and hardware) is a common problem in many businesses because of vendor complexity. These outdated pieces of software could be leaving glaring gaps in your cybersecurity.
- Older devices may be unable to update. As of 2020, Windows 7, Microsoft Office 2010, and Windows Server 2008 have reached the end of support and are no longer considered secure. If your business is still using these, it’s time to upgrade.
- Be sure to update your antivirus software as well
- Encrypt your devices
- Any device that carries sensitive information, whether that be client information or personal information (bank accounts, personal records, etc.) should be encrypted. This includes any device that may have access to that data such as:
- Laptops
- Tablets
- Smartphones
- Removable drives
- Backup tapes
- Cloud storage solutions
- Work desktops
- Industry-specific hardware
- Any device that carries sensitive information, whether that be client information or personal information (bank accounts, personal records, etc.) should be encrypted. This includes any device that may have access to that data such as:
- Secure your files
- Back up your important files offline and separate them from your primary network. Backing up your files on a hard drive or in the cloud is the way to go. If you have large amounts of information that is constantly changing, a dedicated backup solution would be a much better option. Not sure how to configure a custom backup solution? Our technicians can help. Reach out to us and we will get someone on your case asap.
- Backing up your data means you have a recovery method if you experience a ransomware event. It is a precautionary measure that is necessary in the modern world. If your business is attacked and you don’t have any backups (or they get encrypted as well) you are at the mercy of the attacker. This is a worst-case scenario.
- Store your paper files securely too.
- Use multi-factor authentication
- You should require multi-factor authentication (MFA) to access areas of your network that may contain sensitive information, especially on accounts with administrative access.
- Often threat actors will get access to a business network and sit on the network for weeks, sometimes even months to years in an attempt to elevate their privileges. This means administrative accounts are especially lucrative to attackers. Focus on getting MFA on those accounts first and work your way down.
- You should prioritize financial and email accounts when setting up MFA.
- MFA is a good standard for personal apps as well. It is considerably more difficult for would-be attackers to access your personal information with MFA in place. We generally recommend it for everything.
- You should require multi-factor authentication (MFA) to access areas of your network that may contain sensitive information, especially on accounts with administrative access.
Tip: MFA is almost always a requirement to get or renew a cyber insurance policy in 2022.
Protect your wireless network:
- Secure your router
- Change your router’s default name and password.
- Your routers come with default login credentials so you can configure them. Many people leave these defaults without much thought. The problem is that attackers know these default credentials and can easily get access to your network.
- Turn off remote management.
- Log out as the administrator once the router is configured.
- Use WPA2 encryption or better.
- Most modern routers offer solid encryption. Ensure if you are using an older piece of hardware that is properly encrypted.
- Encryption protects the information sent over your network.
- Change your router’s default name and password.
Operate with a security-first mentality:
- Require strong passwords at an organizational level. This means that every device connected to your network should have passwords that are:
- A minimum of 12 characters in length
- A mix of numbers, letters, and symbols (phrases can work well too and can be easier to remember)
- Unique and are not reused anywhere else.
- This is more of a problem now that working from home is so common. Your employees may bring their own devices to work with shared passwords between their personal accounts and work accounts. Not only does this open up a vulnerability in your business network, but this also leaves your employee’s personal information vulnerable in case of an attack.
- Cybercriminals know that re-used passwords are common. They can often gain access to multiple accounts just by getting a single set of login credentials. They will likely target your financial accounts first. They will also target private information that they can use to blackmail you.
- Passwords should never be shared via email, text, phone, Slack, on a video call, etc.
- Investing in a password manager is a must for any security-focused organization. These password managers allow you to securely distribute login credentials.
- No software is 100% secure, there have been instances of password managers being hacked. You are still better off using one rather than not but it is important to recognize that nothing is ever 100% secure.
- Investing in a password manager is a must for any security-focused organization. These password managers allow you to securely distribute login credentials.
Tip: If you ever working with a vendor/cybersecurity provider and they claim they can make you “completely secure” they are either lying or are ignorant.
- Consistently train your staff on best security practices.
- Training your staff will likely be the thing that makes or breaks your cybersecurity policies. You can have the biggest, baddest lock on your front door but it doesn’t do much if someone unlocks it from the inside.
- Cultivate a culture of security and awareness. Don’t ridicule employees who make mistakes or click on things they shouldn’t have. An honest environment is a necessity. If your employee keeps a mistake they made private in fear of repercussions, that potential vulnerability will likely go undetected.
- Share real-world examples of scam messages and how they look for training purposes.
Develop a response plan:
- Consider how you are going to recover your data
- How are you going to begin operations again following a cyber incident?
- What information are you going to disclose to your employees and clients?
- When are you going to disclose that information?
- Develop a dedicated incident response plan.
Important: Don’t say anything until you have spoken with an attorney. Speak with your cyber insurance agent as soon as possible. Your insurance agency will likely get you in contact with a breach coach. A breach coach will help guide you through the process of returning to operations and helping you to pay a ransom (if need be).
You may have a legal obligation to disclose information related to a breach. If this is the case, follow the law. We (Techfive and its constituents) are not legal experts and this is not legal advice.
Control who can access different items within your network:
Commonly known as “access control”. Access control allows you to granularly control who has access to which parts of your network/which hardware they can access. Access control is designed help protect your business both from internal threats and external threat actors by making it more difficult to move laterally within your business systems.
Staff & external providers typically do not need full access to all of your business data and accounts. You should restrict access whenever possible.
- Internal threats are real and are a fairly common cause of breaches. A common way this occurs is an external threat actor will offer one of your employees a cut of a ransom if they help them to gain access to your business’s network. This form of malicious access can be very difficult to prevent, the best way to do so is to limit access where possible. Think of it as isolating a fire to a small area rather than letting it run rampant.
You should give users the bare minimum permissions and work from there rather than the opposite. Your employees rarely need administrative access and distributing it freely will leave your business more vulnerable.
Remember to delete accounts when employees leave (especially if the exit is particularly nasty) or if you change providers. Most companies we work with find that they still have active accounts of employees that have been gone for quite some time.
Protect your data offline
Always follow standard security practices. Remember that a threat actor can get access to your business network in person as well.
Don’t write your passwords on sticky notes, don’t let random people access your network, keep your server room locked, etc. You get the picture, use common sense and avoid costly and easy to avoid mistakes.
Get your employees on board
Your employees are both your biggest asset and your biggest cyber liability. Training them to follow best practices can provide immense value and prevent cyber events from ever occurring. Here is our practical 11 step process to helping your employees significantly improve their cyber hygiene (and subsequently, your businesses as well).
- Avoid unknown email, links, and pop-ups
- Avoid clicking on anything. Adopt a zero-trust mentality towards any unknown links. If you are unsure, always ask!
- Never enter crucial personal or business information in unknown emails, websites, etc.
- Don’t plug in that USB you found
- Seriously, this is one of the oldest (and easiest to avoid) ways of injecting malware onto your device. Have your IT team double-check any USB before you plug it in.
- Protect your cell phone
- Your mobile device has access to tons of sensitive data, especially in the work-from-home era. If your cell phone is compromised or lost, that could mean free access to all of that important data. Make sure to keep track of your devices, especially those of you with administrative access.
- Use strong passwords every time
- Luckily most signups force this now but that wasn’t always the case. Always use complex passwords with special characters, numbers, and letters.
- Create unique passwords for each login.
- Tip: you can use a password manager to manage your unique password so you don’t have to remember them all.
- Verify software is legitimate before you download it
- Not everything you download is safe. Your antivirus software should protect you from threats but nothing is foolproof.
- It never hurts to ask your IT provider if something is legitimate.
- Understand that cybercriminals will try to manipulate you
- Social engineering is the name of the game in 2021. Threat actors are intentionally attempting to manipulate by preying on your goodwill. If something seems fishy, it probably is. Always verify first.
- Use a reputable antivirus software
- If you use Windows devices, the default Windows Defender is a solid pick. Your IT provider may install different types of antivirus on your device as well.
- Backup your data
- This is valuable for both cybersecurity and just general peace of mind. Having backups means that in the case that something goes wrong, you have that backup to restore from.
- Be wary of emails & texts from executives, CEO’s, or higher-ups
- Compromised emails are becoming increasingly common. You may receive an email from your CEO saying you need to urgently buy gift cards, or enter sensitive information, or download an infected link, etc. These types of emails are difficult for spam filters to detect so they may often land in your inbox. Always verify these are legitimate before taking any action.
- Use multi-factor authentication
- MFA is the way to go to protect your personal and business assets. Use an authenticator app on your mobile device whenever possible. There have been instances where cyber-criminals had backdoor access to text messages. Those types of MFA may not be secure.
- Adopt a “zero-trust” mentality
- Zero trust basically means that you always verify the legitimacy of an email, text, website, etc. before you commit to any actions related to that thing. The zero trust mentality means that you consider that everything could potentially be a threat. Your IT provider can help you implement systems that can assist with zero-trust if you choose to go in this direction.
Insider Insight: Most ransomware events start as a result of human error. Making sure your team are aware and are actively training around the best cybersecurity practices is a necessity to consider your organization cyber-secure.
In conclusion
Protecting your business from cyber threats is vital in 2022. The risk is greater than ever and it’s not showing any signs of slowing down. It’s time to get ahead of the curve and improve your organization’s cybersecurity posture. If you need help with this process, be sure to reach out to us. We would love to get you up and running, it’s what we do for our clients every day.
Thanks for reading!
WRITTEN BY
Marketing Manager @ Techfive | Working to make B2B brands more personable & human.
Let's upgrade your tech game
Get great tips, answers to big questions, and expert advice right to your inbox 2x a month.
Up Next
At Techfive, we are all-in-one strategic partners for cyber-aware companies. We offload time-consuming tech management and help our partners become more cyber aware and secure.
5.0
"Always prompt on response whether in person or by phone! Very nice and friendly employees and very helpful!"
Ashley Harrison