Strategies for protecting your business from cyber attack
We will keep editing this how-to as the cyber security landscape keeps changing. No one strategy will protect you from hacking or ransomware, and even with all strategies in place you may still become a victim, as an attacker only has to be successful once. The best way to approach the problem is in layers, like an onion: if one layer is breached, there is another behind it.
Thanks to Mindsight
Let’s just get straight into it. We’ll list the strategies and have some links to more information.
Create and maintain an inventory of IT assets. Why? You can’t protect what you don’t know you have. A list of your IT assets and systems will make it easier to ensure your security measures are applied to all systems. Best make sure it’s continuously updated.
Cyber security awareness training and culture. Why? It’s estimated 95% of breaches originate from human error, or could have been stopped by an educated user. No matter how good your technology or process defences are, if the human can be tricked into clicking a malicious link, or handing over confidential information, these defences can be undermined.
2-Factor Authentication on externally facing services. Why? It will protect you in 99.9% of instances of account compromise. Account compromise is happening to individuals and companies every day.
What is an externally facing service? Anything that can be accessed directly from an internet connection. Your email, social media, bank accounts, Google Docs, OneDrive, Dropbox, remote access to the workplace. Don’t delay, set it up immediately.
Remove or change default accounts. Those default logins for your router, Windows, phone system, whatever. Remove them or change the password. On Windows systems disable the “administrator” account. An attacker can attempt password guesses on this account without any account lockout restrictions.
Keep systems updated. One of the biggest security holes in networks is unpatched systems. The Equifax breach in 2017 could have been avoided if internal processes ensured patches were routinely applied. Attackers took advantage of a vulnerability in the website customer complaint portal. Keep those Windows updates happening, update NAS systems, phone systems, everything that sits on or connects to your network.
Don’t store usernames and passwords in documents. Usernames and passwords need to be stored in a secure, encrypted format. Use a password manager like LastPass or 1Password, with a strong master password and 2-factor. If you must, write the credentials on a notepad and lock it away. An online attacker can use these credentials to progress further into your network.
Have a separate account for admin tasks. By default, in a standalone configuration, users have administrative permissions on their PCs. Good practice is to create a separate account with admin privilege and remove the admin privilege from your everyday account. When you attempt to install programs or modify system settings you will be prompted for the admin account. Why? A big issue on business networks is initial compromise of staff PCs, which can then be used as a pivot point to attack further systems. When an attacker accesses a system logged in as an admin user, they have a huge advantage over a system logged in as a standard user.
Use a reputable antivirus & firewall solution on computers.
Use strong, lengthy passwords. Why? They are difficult to guess, and most importantly they are difficult for a computer to guess. Password hashes can be put through computer programs these days that attempt password guessing at a rate of millions per second. Check out this chart which compares password length and complexity to cracking times. If you can’t think of a long password, use pass phrases, like “idontlikelongpasswords”. It’s estimated a computer would take 10 trillion years to crack this pass phrase of 22 characters.
Go long!
Backup, backup, backup! The 3-2-1 backup rule is a good guideline:
3: Keep a primary backup and also 2 copies
2: Save your backups to at least 2 different types of media.
1: Keep at least 1 backup offsite and offline.
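As an added example (not part of the original article), here is a small Python check that tests a backup inventory against the 3-2-1 rule above and reports which parts it breaks. The `BackupCopy` record, the media names and the sample inventories are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str     # e.g. "nas", "usb-disk", "cloud", "tape"
    offsite: bool  # kept away from the business premises
    offline: bool  # not reachable over the network once written


def check_321(copies):
    """Return the 3-2-1 rules an inventory breaks; an empty list means it passes."""
    findings = []
    # 3: a primary backup plus 2 further copies (the article's wording).
    if len(copies) < 3:
        findings.append(f"3: {len(copies)} backup copies found, need 3")
    # 2: at least two different media types, compared case-insensitively.
    media = {c.media.strip().lower() for c in copies}
    if len(media) < 2:
        findings.append(f"2: {len(media)} media type(s) in use, need 2")
    # 1: one single copy must be offsite AND offline. A cloud sync (offsite but
    # online) plus a disk in the office (offline but onsite) does not count.
    if not any(c.offsite and c.offline for c in copies):
        near = sorted(c.name for c in copies if c.offsite != c.offline)
        hint = f" (partial: {', '.join(near)})" if near else ""
        findings.append("1: no copy is both offsite and offline" + hint)
    return findings


# Constructed sample inventories, for illustration only.
WEAK = [
    BackupCopy("nightly-nas", "nas", offsite=False, offline=False),
    BackupCopy("cloud-sync", "cloud", offsite=True, offline=False),
    BackupCopy("usb-in-drawer", "usb-disk", offsite=False, offline=True),
]
GOOD = WEAK + [BackupCopy("usb-rotated-home", "usb-disk", offsite=True, offline=True)]

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        problems = check_321(inventory)
        print(label, "passes 3-2-1" if not problems else problems)
```

The `WEAK` inventory has three copies on three media types and still fails, because a backup that stays reachable from the network can be encrypted by ransomware along with the originals.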
Let me know if more information is required or you have any suggestions!