Three Quick Things
Several years ago, I was a guest on a local radio show where I spoke about Internet-enabled fraud. The final question asked by the show host was, “What are 'three quick things' that someone can do to protect themselves from cybercrime?” It was such a simple question, but it really caught me off guard. How could I hesitate on this? I had just spoken about fraud schemes for the past 30 minutes. I was able to quickly name three things so I didn't look like a complete fool, but as I looked back, the three tips that I gave weren't the best. It wasn't that I didn't know the answer; in fact, it was the complete opposite: I knew too much. The struggle was taking a huge volume of information and distilling it down into three bullet points, the quick and immediate “musts” of your topic.
Since that time, whenever I speak publicly, I always prepare my “three quick things” answer for the given topic. These prepared responses also come in handy in regular conversation. It's nice to immediately have a coherent response when friends, family, and colleagues ask for your opinion on a topic where you are recognized as being more knowledgeable than others.
Most small businesses, say those with fewer than 100 employees, do not have any dedicated employee for IT services, let alone security. Most of the time it is a collective effort to keep the Internet on and the printers connected. The lucky ones can afford contracted services, but for most, security is a wing and a prayer.
“What are some things I can do to keep my business secure?” is the question I get asked most frequently by these small business owners.
Three Quick Things:
1) Provide regular security training for employees, as they may be, and probably are, the first and last line of defense. This training can be anything from weekly thirty-minute briefings to a daily email. Full-day security training sessions are great and should be held on a twice-yearly or quarterly basis, but the threat landscape changes so fast that more frequent training is needed. Companies such as KnowBe4 and Proofpoint offer online training that is customizable to fit the needs and budget of any organization. Government agencies such as the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) offer resources free of charge. And yes, YouTube. There are hundreds of great videos posted on YouTube. I know of one organization that rotates training responsibilities between departments: each month a different department is responsible for providing training to the rest of the organization.
2) MFA – enable multi-factor authentication on all email accounts to stop account takeovers resulting from phishing attacks. Authenticator applications or hardware keys are best, but even a basic PIN code sent to a cell phone is a solid start. Stop! – I don't even want to hear about “SIM-jacking” and other exploits available against mobile phone 2FA. These tips are intended for businesses without any security posture, and a PIN code sent to a user's cell phone is still 100% more secure than using only a password. The security mindset is a slow but steady course, not a 0 to 100 sprint. Authenticator apps and hardware tokens are obviously a better option. Google and Microsoft offer free apps for smartphones, while companies such as Duo and Authy provide more robust fee-based versions. Companies requiring advanced protection, or that have slightly deeper pockets, may explore hardware keys provided by Yubico or Thetis. Just don't lose the key!
3) Utilize antivirus software and keep all software current. Keep all of your programs updated to the most current version and apply patches immediately. Why do you have a production computer running Windows 7? Why is your website running on WordPress version 3 point something? Antivirus software works. Not all of it; some products are horrible, but most are OK and some are exceptional. Do the research to find which product best suits the needs of your organization and use it. It only works if it's running!
The “Three Quick Things” list isn't all-inclusive. It is just the starter pack that applies in every situation regardless of the size or scope of the business. The “you can't go wrong” list. And it's fluid depending on the time, place, and current threat landscape.
And for those feeling ambitious – a fourth.
4) Vulnerability assessments – assign someone within your organization to regularly assess your threat surface. This might be the business owner or an intern, but someone needs to be aware of the external threats facing the business. It doesn't have to be a head-to-toe examination every week. Simply spending twenty minutes a week reading about the threats facing your business vertical is a great starting point. Conduct an Internet search for current frauds, schemes, and exploits facing your type of organization. If you still accept paper checks, what are the current check fraud schemes? Are there any active exploits being used against your credit card processor? Is there a prevalent phishing email targeting your business sector? Compile a list of the software and technology used by the business so you'll recognize when something pops up in the latest security news. Someone in the organization should be able to make the connection when there is a lot of news about a major exploit of Microsoft Exchange servers and your business operates its email service through an on-prem Exchange server!