Cyber hygiene

Cyber criminals target small Australian businesses because they believe them to have weak cyber security. According to a 2016 report by cybersecurity firm Symantec, 43 percent of spear-phishing attacks in 2015 were targeted against small businesses.

Here are things you can do to protect your small or medium enterprise (SME).

Make someone responsible for cyber security

Cyber security requires ongoing discipline and attention. Someone senior in your business needs to be responsible for cyber security. They need to manage the decisions related to cyber security and provide the management push to keep it on the agenda.

In an SME, this person should be either the owner/operator of the business or someone who reports to them.

The Australian Small Business and Family Enterprise Ombudsman has more information.

Patch your software

Keeping your software up to date is one of the simplest and most effective ways to protect your business.

For small businesses, the easiest option is to let software update itself. For medium businesses, consider having your own patch management system.

Patching is not just for operating systems; make sure that applications like web browsers (Chrome, Firefox, Internet Explorer/Edge, Safari), email, office productivity and PDF document readers are kept up to date.

Don’t forget to include systems which aren’t in the office when you consider patching. Speak to your IT provider about things like your email server, web server and mobile devices.

Make sure your staff know to:

  • allow patches to be applied when prompted (such as Java update pop-ups)
  • reboot their systems when prompted after updates.

Backup critical data

Backups are still a cornerstone of system security. Malware and ransomware can encrypt or destroy the data stored on your systems. Once infected, it is often too late to save your data. If everything else goes wrong, reliable, well-protected backups will be the last resort for restoring your business’ digital infrastructure. With a little attention and care, you can configure a backup system that lets you recover your business if the worst happens.

Cloud storage that syncs with local storage, such as OneDrive or Google Drive, should not be seen as a backup. If a ransomware attack locks local files, these changes will be synchronised to the cloud drive.

Also, if you are restoring after a ransomware attack, take a copy of your backup before attempting to restore. If you try to restore data and haven’t fully fixed the ransomware infection, your backup may be destroyed or encrypted. Take another copy before plugging in a USB drive or connecting to your backup service to mitigate this possibility.

Further information on backups is at Stay Smart Online.

Require strong passwords

Strong passwords are another cheap and effective control. Make sure your staff choose strong passwords (including using technical controls to force complexity and length where available).

You should also make use of two-factor authentication where it is available to you.

Use cloud services to improve security

Public cloud services provide cost-effective access to considerable economies of scale. Cloud will typically deliver services which are more secure than an SME could afford to run itself, provided it is correctly configured. Look to the cloud for services such as email, web hosting, office productivity and storage.

It is important to understand the cloud provider’s shared responsibility model, and consider things like who owns the data you store in the service and what country the data is stored in.

Have your email scanned

Although cybercriminals have branched out into other channels including phone, SMS and social media, email remains one of their favourite attack methods because it is cheap and effective.

In the past, some businesses have relied on the strength of their desktop anti-virus products to protect information systems. However, this is no longer sufficient, and it is important to have multiple layers of scanning on high-risk interfaces such as email.

There are two methods to scan emails, depending on your email hosting arrangements:

  • Provider hosted or onsite email: Speak with your provider or IT staff to make sure all emails you receive are scanned with a high-quality commercial product. Also ask them to implement attachment type filtering to prevent common malicious attachment types like executables and scripts.
  • Cloud-hosted email: If you have your email hosted with a cloud provider, make sure you have reviewed and enabled the security options. In most cases these services are very effective. Additionally, many cloud providers allow you to use an extra scanning product, either as an add-on service, or from a different vendor.
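As an added illustration of the attachment type filtering mentioned above (example code, not from the original page or any vendor product), the Python script below parses a raw email, classifies each attachment by its final extension, and blocks executables and scripts; the message it scans is constructed inline, and the extension lists are assumptions to adjust for your environment.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed list of extensions commonly abused for malware delivery; extend to suit your business.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs",
    ".js", ".jse", ".wsf", ".hta", ".msi", ".jar", ".lnk",
}
# Archives and disk images often wrap executables, so flag them for closer inspection.
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".iso", ".img"}


def attachment_verdict(filename):
    """Return (verdict, reason) for one attachment filename: block, review or allow."""
    # Lower-case and strip trailing dots/spaces that some mail clients hide from the user.
    name = (filename or "").lower().strip(" .")
    parts = name.split(".")
    if len(parts) < 2:
        return ("review", "no extension")
    # Only the final extension decides, so "invoice.pdf.exe" is treated as .exe.
    ext = "." + parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"blocked extension {ext}")
    if ext in ARCHIVE_EXTENSIONS:
        return ("review", f"archive {ext} may wrap an executable")
    return ("allow", "")


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, verdict, reason), ...]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        verdict, reason = attachment_verdict(filename)
        results.append((filename, verdict, reason))
    return results


def build_sample():
    """Constructed sample message: one disguised executable and one genuine PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

Extension checks are a cheap first layer only; a commercial scanner that inspects content (not just names) should sit behind it, as the text above recommends.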

Run anti-virus

Run anti-virus on your computers, phones and tablets. Modern anti-virus not only provides protection from traditional viruses but also from modern threats which target web browsers and other applications.

Although free anti-virus can often have good detection rates, your business will be better protected by the advanced features in paid versions of products.

Choosing an anti-virus product can seem complex. This site offers practical and down-to-earth advice.

Implement disk encryption on laptops and mobile devices

Many businesses find themselves in the unenviable position of reporting a data breach because of the loss or theft of a laptop, tablet or mobile phone.

All modern laptops, tablets and mobile phones include disk encryption. Encrypting disks, along with strong passwords and screen saver locks, turns the loss of a piece of equipment from a potentially catastrophic event into a frustrating, but relatively minor, economic loss.

Advice on encrypting devices:

Develop an incident response plan

A basic incident response plan will help your business understand how to prepare for, and respond to, an incident.

At its simplest, an incident response plan will be the contact numbers and responsibilities of the people who need to be involved if a cyber security incident occurs. More comprehensive incident response plans can consider scenarios, business continuity strategies and more.

Staff

Make staff aware of cyber security

Many cyber security incidents can be avoided if staff are aware of the danger and know how to practice good cyber hygiene.

Cyber security awareness is best done as an ongoing program in your business. Using staff members’ cyber security needs at home to increase relevance can be a useful technique.

Give staff unique logons and review activity

Ensuring that staff have unique logons, and reviewing what they do with business systems, will help build a culture of accountability in your business. Done well, this will help to reduce the risk of someone inside your business doing the wrong thing, whether on purpose or accidentally.

Having unique logons also allows your IT staff to more easily identify where cyber security events are coming from.

Restrict access

Restricting access to information can help prevent data leaks. However, this needs to be balanced against allowing enough access to ensure all your staff can access the information they need in a timely manner.

Allowing staff access, but ensuring it is audited (and reviewed) can provide a reasonable compromise.

Restrict administrative privileges

Systems administrators (also known as admins, super users and root users) all have high levels of system access that allow them to bypass restrictions and auditing.

There are two key things to remember:

  • Anyone who has administrative privilege in your business needs to have your full confidence.
  • Administrative privilege is exactly the sort of access that cybercriminals seek if they break into your business electronically.

Restricting the number of administrative users helps to protect the business from insider threats and from external cyber criminals.

Managing Wifi security

Wifi networks are very convenient. They are especially convenient for cyber criminals when they contain important resources and aren’t secured with a strong password.

There are two approaches to dealing with Wifi security.

Secure the Wifi

Set a strong Wifi password for any networks that have your business systems and information on them. Wifi passwords only need to be set up once per device.

Change the password when someone that knows it leaves the business. If that’s not practical due to turnover, change it at least every three months, or better, use a system where staff individually log on to the wireless network so you can remove this access when they finish up.

If you provide a guest Wifi network for visitors and customers, make sure this network isn’t connected to your business systems, but goes direct to the internet. Your service provider or IT person should be able to help.

Treat the Wifi network as the Internet

If you don’t have any local systems or services on the network, you can simply treat the Wifi network as untrusted.

For example, if all your laptops use cloud services and there are no local IT resources, you don’t need to worry so much about changing the Wifi password. It still doesn’t hurt to set a decent password, if only to stop people stealing your internet access and running up big downloads.