This featured blog was provided by our partners at ALCiT.
You’ve heard about cybersecurity; you want some and are not sure where to start? This blog is the right place! It explores some of the basic concepts of cybersecurity and provides you with actionable steps to become [more] cybersecure quickly. Most of the steps below are free and can be done today!
Spoiler alert 1: Cybersecurity is a journey, not a destination.
Spoiler alert 2: The most important thing you can do to be cybersecure is to actually start the process (today).
For this blog we align with Microsoft’s findings from their latest Digital Defense Report 2022, which states that doing these 5 things will protect you against 98% of attacks. That figure might be a bit generous (and one of those 5 can get pretty deep), but this is definitely a good place to start!
A little background before we get started: we like to follow the approach outlined in the Five Functions of NIST. At a high level, in order to maximize your return and minimize your investment in time and money:
- Know what you are trying to protect (Identify)
- Set up a plan to defend it (Protect)
- Check that your defenses are working (Detect)
- Do something when you see an issue (Respond)
- Have a plan in case it gets bad (Recover)
With all of this covered, let’s get started!
1: Enable Multi Factor Authentication (MFA)
Passwords are pretty weak and often not that hard to obtain through phishing; MFA can help! By not relying only on passwords, you are making it much harder for someone to get into your accounts. If a system can only be accessed from inside your office, that could be considered a factor (since you need to be there and have a password), but MFA should (must!) be turned on for all your cloud services (anything you can access over the internet) and for remote access (VPN, LogMeIn, GoToMyPC…). This is usually included with most services, so it’s free! If the platform you are using does not offer it, it might be time to change to a service provider that cares about protecting your data.
2: Apply Zero Trust Principles
This can get pretty deep (more here), but for this blog let’s just focus on good basic principles (all of the below require some work, but they should all be free!):
If you don’t need some data, get rid of it: Keeping data you don’t really need “just in case” is a good way to increase the impact and complications of a data breach.
Not everyone should have access to everything: People should only be given access to the things they need to get most of their job done. Exceptions should be treated as such and be temporary (like a special project or covering for someone on vacation). This way, should something happen, you are minimizing the impact (see a trend here?).
Your “normal user” account should not be an administrator (privileged) account: If your account can access everything all the time, then any issue with your account would impact everything, right now (third time; I hope the principles are starting to make sense).
3: Use modern anti-malware
The term you will see thrown around here most often is Next Generation Anti Virus (NGAV), which is part of Endpoint Protection (EPP). The reason we are specifying “modern” or “Next Generation” is that malware (viruses, trojans, ransomware…) is evolving fast and your anti-malware should too. What this usually means is relying less on file signatures and more on behavior (for example, the PDF invoice you just opened is trying to run some commands on your computer; that is not something an invoice should do, aka bad behavior). Since the anti-malware is your last line of defense and can make the difference between an attack being successful or not, this is not a place to try saving a little money (a word of caution on “free” anti-malware: nothing is ever free, make sure you understand how they make money).
Most important part here: allow the tools to do their work. Most of these tools can act as an Endpoint Detection and Response (EDR) solution, so turn on automatic remediation and containment. Yes, this may create an issue at some point, but the benefits of a near-instantaneous response in case of an attack outweigh the risk by multiple orders of magnitude. Some resources to check to find good anti-malware vendors are the Gartner Magic Quadrant for Endpoint Protection Platforms (just be aware that the Microsoft one in it is not the free Defender that comes with Windows) or the MITRE Engenuity ATT&CK Evaluations. ALCiT is a SentinelOne partner, so that is the one we recommend by default.
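The difference between a signature check and a behavioural rule, using the “invoice PDF that runs commands” case from the text, as an added example (not code from the original post, ALCiT or SentinelOne). Everything in it is constructed: the process-creation events, the lists of document handlers and interpreters, the placeholder blocklist hash, and the helper names is_bad_behaviour, behaviour_alerts, hosts_to_isolate and signature_match. A real EPP/EDR product ships hundreds of such rules plus the sensor that produces the events; this shows the shape of one.

```python
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event in the shape an EDR sensor would report it (constructed)."""
    host: str
    parent_image: str
    child_image: str
    command_line: str


# Applications that open documents and have no business launching command interpreters (assumed list).
DOCUMENT_HANDLERS = {"acrord32.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Shells and script hosts that, when spawned by a document handler, are the "bad behavior" in the text.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def is_bad_behaviour(event: ProcessEvent) -> bool:
    """Behavioural rule: a document viewer spawning a shell or script host."""
    parent = ntpath.basename(event.parent_image).lower()
    child = ntpath.basename(event.child_image).lower()
    return parent in DOCUMENT_HANDLERS and child in INTERPRETERS


def behaviour_alerts(events):
    """Every event that trips the behavioural rule, regardless of what file started it."""
    return [e for e in events if is_bad_behaviour(e)]


def hosts_to_isolate(events):
    """Automatic containment decision: any host with at least one alert gets network-isolated."""
    return {e.host for e in behaviour_alerts(events)}


def signature_match(file_bytes: bytes, known_bad_sha256: set) -> bool:
    """Classic signature check: only catches samples already on the blocklist."""
    return hashlib.sha256(file_bytes).hexdigest() in known_bad_sha256


# Constructed sample events: a normal Word session that prints, and an "invoice" PDF that launches cmd.exe.
SAMPLE_EVENTS = [
    ProcessEvent("laptop-03", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE report.docx"),
    ProcessEvent("laptop-03", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
    ProcessEvent("laptop-07", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "AcroRd32.exe invoice-0423.pdf"),
    ProcessEvent("laptop-07", r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed placeholder>"),
]

# Constructed: a file nobody has seen before, so no blocklist can contain its hash.
UNKNOWN_INVOICE_PDF = b"%PDF-1.7 constructed sample, not real malware"
KNOWN_BAD_HASHES = {"0" * 64}  # placeholder blocklist entry, not a real indicator


if __name__ == "__main__":
    print("signature hit:", signature_match(UNKNOWN_INVOICE_PDF, KNOWN_BAD_HASHES))  # False: never seen
    for alert in behaviour_alerts(SAMPLE_EVENTS):
        print("alert:", alert.host, ntpath.basename(alert.parent_image), "->", ntpath.basename(alert.child_image))
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))  # {'laptop-07'}
```

The signature lookup says nothing about the unknown PDF, while the lineage rule flags it the moment the reader process spawns a shell, which is exactly why the text recommends behaviour-based tools and why leaving automatic containment on matters: the isolate decision here is taken from the event, not from a human reading an alert later.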
4: Keep up to date
The world is constantly evolving, and new software defects and issues (bugs) are discovered regularly. Software vendors issue patches to fix these bugs (usually for free), but you must install them (or turn on auto-update). Many successful attacks from the last couple of years leveraged vulnerabilities for which patches had been issued weeks or months earlier. Since manual patching can be quite time consuming and error prone, for this 101 level we are recommending automatic patching; it will be your best friend: turn it on and just forget about it. Should a patch break something, you can usually uninstall it. Lastly, if your excuse not to patch is pretending that “if it ain’t broken, don’t fix it”, just know that you are wrong: if a patch was issued, it is because it is broken.
5: Protect data
This is the one place where there are no free options. There are cheaper options, but they usually require more work; if you have the time and the meticulousness to follow your plan all the time no matter what, they could work. First, why: this is your get-out-of-jail-free card; should everything else fail, this is how you get to live another day. Your backup strategy must meet the following 3 criteria:
Have one copy “elsewhere”: this way, should something catastrophic happen to the building (fire, flood…), you will still have your data.
Make sure one copy is “air gapped”: what we mean by this is not accessible over your network, so should a virus or a person try to wipe it, they can’t.
Make sure it’s encrypted: you are backing up that data because it is precious, so make sure it also stays private by using encryption. It should be encrypted “in transit” (while it travels over the network and/or the internet) and “at rest” (once saved on the disk/vault/tape).
Notes about passwords:
- Change all default passwords on all devices: default passwords are well known (you can just google them!) so they should never be left in place.
- Use unique passwords: a password should never be used in multiple places; should one of those systems become compromised, the attacker would gain access to every other system that uses the same password (Expert tip: use a business-grade password manager).
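Both password notes above can be checked mechanically once everything lives in a password manager. The following is an added example (not from the original post or ALCiT) that audits a constructed vault export for reused passwords and for credentials still set to a factory default. The export field names, the entries, the tiny DEFAULT_CREDENTIALS list and the helpers fingerprint, find_reused, find_defaults and audit are all this example's own assumptions; a real export's columns depend on the product.

```python
import hashlib
from collections import defaultdict

# Constructed password-manager export (hypothetical field names); real exports vary by product.
VAULT = [
    {"site": "mail.example.com", "username": "alice", "password": "Correct-Horse-42!"},
    {"site": "crm.example.com", "username": "alice", "password": "Correct-Horse-42!"},
    {"site": "bank.example.com", "username": "alice", "password": "rW7#kq!2LmZp9vXe"},
    {"site": "office-router", "username": "admin", "password": "admin"},
    {"site": "printer", "username": "admin", "password": "Tq8$yEb4-Hn2pLs"},
]

# Constructed, deliberately tiny factory-default list; a real audit uses each vendor's documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def fingerprint(password: str) -> str:
    """Short hash so the report can group equal passwords without ever printing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused(vault):
    """Map fingerprint -> sites for every password that appears in more than one entry."""
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry["site"])
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def find_defaults(vault):
    """Sites whose username/password pair is still a factory default."""
    return sorted(e["site"] for e in vault
                  if (e["username"].lower(), e["password"]) in DEFAULT_CREDENTIALS)


def audit(vault):
    """Everything that needs rotating, with the reason, and nothing that reveals a password."""
    reused = find_reused(vault)
    defaults = find_defaults(vault)
    to_rotate = {site for sites in reused.values() for site in sites} | set(defaults)
    return {
        "reused_groups": list(reused.values()),
        "default_credentials": defaults,
        "entries_needing_rotation": sorted(to_rotate),
    }


if __name__ == "__main__":
    report = audit(VAULT)
    for group in report["reused_groups"]:
        print("same password on:", ", ".join(group))
    print("factory defaults on:", ", ".join(report["default_credentials"]))
    print("rotate:", ", ".join(report["entries_needing_rotation"]))
```

The report only ever shows site names, so it can be handed to whoever owns those accounts without copying secrets around; most business-grade password managers run an equivalent check on the vault itself, which is the “expert tip” in practice.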
There you have it. There are a lot of things you can do today, basically for free, to start your cybersecurity journey. Do them today and sleep better tonight.
If you are a Canadian Small and Medium Business, you may also be eligible for CDAP (Canadian Digital Adoption Program). The program will cover 90% of the assessment cost and provide you with a plan of action. Once you register, you will see ALCiT listed in the marketplace for advisors. We can also help you get registered if you are facing issues with the process (some good tips here).
As always, please reach out to us if you have any questions!
(If you represent a group of businesses (like a chamber or an association) and you would like us to present this content to your members at an event or via a lunch and learn, give us a call, we might even pay for lunch!)