Over the years, cyber-attacks have become smarter and more frequent. Worse still, many attacks are automated, probing for weaknesses 24×7, 365 days a year. Every business is a target today, no matter how small it is.
This increase in cyber threats means it’s imperative to secure your operations. At the very least, as a business leader or IT professional, you need to prevent spam and phishing attacks on your SMB or organisation, ensure it is protected against viruses and malware, and have Microsoft 365 data protection and compliance measures in place.
Much has been written about cyber security, but in this article we outline the most important basic computer security tips you should follow to reduce the risks to your business. With that said, don’t wait until you have been breached to start reinforcing your security posture. Cyber security management should always be at the top of your list!
Computer security or cyber security covers the safeguards to defend your IT environment from malicious threats. Good cyber security should protect:
Essentially, anything that connects to or uses a network needs to be secured against cyber threats.
Given there are so many moving parts in your IT environment, all susceptible to different types of threats, it is no surprise there are different ways to secure them. The most common cyber security features are:
Firewall: A firewall filters data traffic between your computer(s) and the outside world according to set policies. Only data meeting those policies will be able to enter and leave your network. By controlling what’s allowed, a firewall protects your computers and network from malicious or unnecessary network traffic.
Endpoint security: This is anti-virus software on endpoints such as desktops, laptops and servers. Endpoint security is designed to protect applications and operating systems, and will scan for threats according to known threat signatures on its database. The best antivirus and ransomware protection also uses a more sophisticated method – known as heuristic analysis – to scan for unusual file behaviour. This means it can identify a new threat that is not yet on its database. Once identified, the threat is quarantined.
Endpoint security software will not only defend against viruses, but it also usually includes anti-spyware and anti-malware functions.
Mobile endpoint security: As mobile phones are increasingly used for business, securing them is crucial, especially since they often access data over unsecured networks. Mobile security apps are available for both iOS and Android. Capabilities vary from basic device location to more advanced features such as remote lock and wipe.
Data security: With data security, measures are put in place to control access to information. You can define levels of access privilege to ensure only authorised people are allowed to access your data. Identity verification, such as passwords and multi-factor authentication (MFA), plays a key role in confirming your users are who they say they are.
User education: Education and training are not a formal component of cyber security, but at IT Smart Solutions, we think it is one of the most important. Cyber security training for your staff, to be aware of threats, and mindful when accessing company devices and data, can significantly reduce the risk profile of your business.
As Steve Ranson, CEO at IT Smart Solutions points out: “Employee training should be a fundamental part of your security strategy. It’s interesting to note that 95% of cyber security incidents are caused by human errors.”
As a business leader or an employee who uses technology day to day, there is a fair chance you already know of many types of cyber threats. Some of the most common include:
Phishing, spear phishing and CEO Fraud. As the name suggests, phishing is when a cyber-criminal casts a line hoping to hook the unwary. There are three main types:
1. A general phishing attack poses as a legitimate email, SMS, instant message or website to steal private information.
2. Spear phishing is a more targeted attack aimed at a specific organisation or person.
3. CEO Fraud is a spear phishing email – supposedly from your CEO – asking for sensitive information or to transfer money, usually under the guise of an urgent situation.
Ransomware. A ransomware attack means computers are already compromised. Ransomware will either lock your computer to stop you using it, or threaten to publicise sensitive information, with a promise to unlock your system when the ransom is paid.
Viruses. A virus is malicious code that replicates itself and spreads to other computers when activated. The action of the virus depends on the aim of the hacker – whether to delete data, steal passwords, spam your contacts or lock documents.
Spyware. Spyware is a common threat from internet use. Once installed on your computer, spyware tries to steal information like passwords, credit card numbers, banking details and web and email addresses.
Trojans. Similar to spyware, a Trojan Horse is malware disguised as a bona fide application or file. It doesn’t replicate but creates a backdoor so hackers can control your computer for malicious purposes.
Rootkit. A rootkit is another program in camouflage. It allows hackers to control files and change system configurations, but its main purpose is to hide other malware like spyware and viruses on your computer.
Zero-day exploit. This is an attack on a newly discovered loophole. Security vendors may be unaware of the vulnerability, or have only just detected it, and have not yet released a fix to plug the gap. There’s no knowing what damage the vulnerability can cause until it is detected.
In a nutshell, the very existence of your business may depend on good computer security. Financial loss for you and your customers is bad enough, but that may only be a short-term impact.
The damage to your reputation may last even longer, with the loss of existing customers and an uphill struggle to win new ones. If your organisation has an annual turnover of more than $3 million, you may be required to report any data breaches under the Notifiable Data Breaches legislation. This can pose a huge reputational risk to your professional services business.
Loss of business data and/or financial details may be the hardest blow to recover from. If you haven’t backed up your data, your business or organisation may not be able to continue to trade.
“There are many methods to improve computer security. Having said that, a good starting point is to work with an acknowledged security framework,” says Steve Ranson.
The Australian Cyber Security Centre (ACSC) Essential 8 is a great framework to improve your security. These are eight essential actions every business should take as a minimum to secure their data. You can see more about the ACSC Essential 8 here https://itsmartsolutions.com.au/blog/acsc-essential-8/
Ongoing business security processes
It goes without saying that it is critical to have good security measures in place – and that these are consistently being followed by all staff. The truth is, good computer security can’t be a part time activity, it must be central to your business.
Implement a security framework such as the ACSC Essential 8
Adhere to a reputable framework like the ACSC Essential 8. The most effective way to implement this framework is to start with the simplest actions first, such as turning on Multi Factor Authentication and automating processes. Implementing some of the eight pillars is better than none. Working steadily towards fulfilling all eight pillars should form part of your ongoing business security processes.
Implementing Multi Factor Authentication (MFA)
Utilising MFA in your business is essential. MFA requires two or more independent authentication methods to log in to systems. This might be a password along with an authentication code provided by an app on your phone. MFA is the single best way to stop unauthorised access, which is the entryway to a host of malware.
Automate security updates
You should also automate security updates for both your operating systems and applications, so security is constantly up to date. This is an easy task to forget or put off until you have more time. By automating the process you can rest assured that your business is operating with the latest updates, closing the known gaps that cyber-attacks exploit.
Back up your data, Back up your data, Back up your data!
We can’t stress enough the importance of backing up your data. Without a data backup and recovery process, it is unlikely you will be able to retrieve your lost files in the event of a breach. Have a company policy so all corporate data is safely stored, whether on site or in the cloud. Remember, neither Microsoft nor Google back up data under their standard packages, so if they lose it, you lose it. Backups should occur automatically and should be tested regularly to ensure their integrity.
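As an added example (not code from this article or from IT Smart Solutions), the following POSIX shell script shows the backup routine the paragraph calls for: an automatic, timestamped archive with a recorded SHA-256 digest, an integrity check that catches a tampered or truncated archive, and a restore test that proves the backup is usable rather than merely present. The data path, backup location and cron schedule in the comments are assumptions.

```shell
#!/bin/sh
# Added example: automated backup with integrity check and restore test.
# Assumes POSIX sh, tar and sha256sum. Paths below are hypothetical.
set -eu

# Create a timestamped archive of SRC inside DEST and record its SHA-256
# digest alongside it. Prints the archive path so a scheduler can log it.
make_backup() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
  sha256sum "$archive" > "$archive.sha256"
  printf '%s\n' "$archive"
}

# Re-check the archive against the digest recorded at backup time.
# Returns non-zero if the archive has been altered, corrupted or truncated.
verify_backup() {
  archive="$1"
  sha256sum -c --status "$archive.sha256"
}

# Restore into a scratch directory and compare it with the live data.
# Returns non-zero if any file is missing or differs after restore.
test_restore() {
  archive="$1"; src="$2"
  scratch="$(mktemp -d)"
  tar -xzf "$archive" -C "$scratch"
  if diff -r "$src" "$scratch/$(basename "$src")" > /dev/null; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch"
  return "$rc"
}

# Full cycle for a scheduler, e.g. a (hypothetical) cron entry:
#   0 2 * * * /usr/local/bin/backup.sh run /srv/company-data /backups
run_backup_cycle() {
  archive="$(make_backup "$1" "$2")"
  verify_backup "$archive" && test_restore "$archive" "$1"
}

if [ "${1:-}" = "run" ]; then
  run_backup_cycle "$2" "$3"
fi
```

Run the cycle from a scheduler so the backup is never skipped, and treat a non-zero exit from verify_backup or test_restore as an incident to investigate, not a warning to ignore.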
If you don’t have the time, resources or skills in house to manage security, consider computer security outsourcing services.
For example, IT Smart Solutions brings enterprise-level support to SMBs and NFPs across all aspects of IT. This includes cyber security services such as Microsoft 365 data protection and compliance, spam and phishing prevention, and antivirus and ransomware protection.
“Many of our customers use our Smart Security package which is based on the Essential 8 framework to secure their data. This is a bespoke combination of both Microsoft and third-party licensing that enables us to fulfil the Essential 8 framework for our customers,” says Steve Ranson.
We also offer our clients automated training materials that are sent out on a regular basis to their staff to help mitigate the risk from human error.
In an age of escalating security threats and dire consequences from a breach, you must protect your business in the most effective way possible. Our Smart Security package helps you identify risks and proactively protect your business, no matter how big or small it is.
Not sure how secure your organisation is? Take our free Cyber security assessment and get a tailored report that tells you where you stand. It’s completely obligation free.