Safeguarding against cyberattacks isn’t just a big company problem anymore … it’s not even just an IT problem anymore. The onus is on every single one of us — small or large organizations, end users, and company leadership alike — to take measures to protect our organizations against attack, and the truth is our vulnerabilities are many. Here are some of the basic signs we look for as IT consultants when deciding where to begin improving an organization’s cybersecurity:
The Wi-Fi is Open
If Creepy Joe in your parking lot can get onto your Wi-Fi, you’re at risk not only for data breach, but for malicious misuse of your resources. We’ve had clients receive puzzling calls from law enforcement about investigating criminal activity executed on their internet connection, and it all came from someone freeloading off their Wi-Fi.
Limit access to your Wi-Fi: put visitors on a separate guest network that requires at least a password (WPA2 or WPA3, never an open network) and is isolated from your internal systems, and create a corporate network for employees only. Some access points have scheduling features, meaning your Wi-Fi is only on during the business hours you designate. That also limits what a bad actor can do on your internet connection when nobody is there.
No Access Restriction Anywhere on Your Network
Let’s say that Sally works in HR. She has little understanding of IT or the threats that we’re facing today. She gets an email asking her to click a link, so she does, and unbeknownst to her, ransomware starts downloading onto her machine.
And then it spreads unchecked, because Sally’s IT team never limited her access on the network to just what her job requires. So not only do all the HR folders get encrypted, but the engineering team’s AutoCAD drawings are now unusable, and the network’s critical programs are locked up so no one can log in, let alone work on their projects.
Don’t be like them. Use permissions to keep company secrets secret, but also to curtail the spread of malware: ransomware running as Sally can only encrypt what Sally’s account is allowed to write to. Give each account the least privilege its job needs and nothing more.
People Share Accounts and/or Passwords
There are several reasons to require every single user to have a unique login, beginning with the obvious one: sharing a password defeats the purpose of the password. If it is common knowledge around the office and living on Post-its stuck to monitors, anyone who walks in can log in, not just employees.
Additionally, you’re depriving yourself of the all-important audit trails and changelogs you may need to know who accessed what or who deleted something. You are also unable to set varying permissions per user. Are your sensitive accounting or intellectual property files accessible to everyone and vulnerable to deletion or being shared?
One Password for Everything (Bonus Points If It’s “Admin”)
When I said “bonus points,” I really meant bonus negative points. If a bad actor learns the password for one of your accounts, they will try it against your other accounts, and they do it with automated tools (this is called credential stuffing). Use a different password for every login. A password manager will generate and store them for you, which is the right way to do it; the shortcut of one “base” password with a small per-site tweak does not hold up, because those predictable variations are exactly what the tools try next.
No Complex Passwords
A strong password today is at least 12 characters and genuinely random. Length matters more than the exact mix of symbols and numbers: a long random string or a multi-word passphrase from a generator beats a short dictionary word with “1!” tacked on the end. This matters because password cracking software continues to become faster and more sophisticated; once an attacker has a copy of your password hashes, a short or dictionary-based password can be recovered in a matter of minutes.
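To put numbers on the “minutes versus millennia” claim, here is an added example (not code from the original post) that computes the keyspace of a password from its length and character set and turns that into an expected cracking time. The guess rates, the tiny common-password list and the sample passwords are all constructed for illustration; a real check would use a full wordlist and a policy tuned to your own systems.

```python
import math
import string

# Guess rates are assumptions for illustration, not measurements from the post:
# an offline attacker with a modern GPU against a fast hash (NTLM, MD5, SHA-1)
# manages on the order of 10^10 guesses per second; an online attacker going
# through a login form is many orders of magnitude slower, which is exactly
# what account lockout limits build on.
OFFLINE_GUESSES_PER_SEC = 10 ** 10
ONLINE_GUESSES_PER_SEC = 100

# Tiny constructed stand-in for a real wordlist (rockyou.txt and friends).
COMMON_PASSWORDS = {"password", "admin", "welcome1", "sunshine", "letmein", "qwerty"}


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password.

    This is the keyspace a brute-forcer must search for a *random* password
    drawn from that set; it says nothing about dictionary words.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Keyspace in bits: length * log2(charset). Each extra lowercase letter adds ~4.7 bits."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def expected_crack_seconds(password: str, guesses_per_sec: float) -> float:
    """Expected time to hit a random password: on average half the keyspace."""
    return (2 ** entropy_bits(password) / 2) / guesses_per_sec


def meets_policy(password: str, min_length: int = 12, min_bits: float = 60.0):
    """Length-first policy check; returns (ok, reason).

    The common-password check runs first because a dictionary word with a
    capital letter has a respectable keyspace on paper and is still among the
    first guesses a cracker makes.
    """
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears in common-password list"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if entropy_bits(password) < min_bits:
        return False, f"keyspace below {min_bits:.0f} bits"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords: a common word, a random 12-char mix, a long passphrase.
    for pw in ("sunshine", "Wq7$Lm2#pV9!", "correcthorsebatterystaple"):
        print(f"{pw:28s} {entropy_bits(pw):6.1f} bits  "
              f"offline: {expected_crack_seconds(pw, OFFLINE_GUESSES_PER_SEC):10.3g} s  "
              f"online: {expected_crack_seconds(pw, ONLINE_GUESSES_PER_SEC):10.3g} s  "
              f"policy: {meets_policy(pw)}")
```

Running it shows the gap the paragraph describes: eight lowercase letters fall in about ten seconds to an offline attack, while twelve random mixed characters take on the order of 10^13 seconds. It also shows why the policy checks the wordlist before doing any math, and why a 12-character all-lowercase string still fails the 60-bit floor.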
There Aren’t Account Lockout Limits
This goes hand in hand with the above. Those password cracking tools I mentioned? Pointed at a live login, they guess over and over again, thousands of times per minute, starting with dictionary words and passwords from previous breaches rather than random strings. A lockout limit (for example, five failures within ten minutes locks the account for fifteen minutes) caps how many of those guesses ever get evaluated. Two caveats: set the threshold high enough that ordinary typos do not lock out your own staff, and watch for “password spraying,” where an attacker tries one password against many accounts to stay under each account’s limit. Lockout slows an attacker down; it does not replace MFA.
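The following is an added example, not code from the original post, showing how a lockout policy behaves against the two attacks above: a brute force against one account, which it stops after a handful of guesses, and a password spray across many accounts, which it does not stop at all. The class, function and parameter names are this example’s own; the policy knobs (threshold, observation window, lockout duration) mirror the three settings most directory services expose, and the login events fed to the detector are constructed rather than parsed from a real log.

```python
from collections import Counter, defaultdict, deque


class LockoutPolicy:
    """`threshold` failures inside an observation `window` (seconds) lock the
    account for `duration` seconds. Names are this example's own."""

    def __init__(self, threshold: int = 5, window: int = 600, duration: int = 900):
        self.threshold = threshold
        self.window = window
        self.duration = duration
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> unlock time

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'success' or 'failure'. While the account is locked
        even a correct password is refused, which is the point."""
        if self._locked_until.get(account, 0) > now:
            return "locked"
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside the window
        if password_ok:
            recent.clear()
            return "success"
        recent.append(now)
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.duration
            recent.clear()
            return "locked"
        return "failure"


def simulate_brute_force(policy, account, guesses, correct, start=0.0, rate=1.0):
    """One attacker hammering one account at `rate` guesses per second.
    Only the 'failure' outcomes (plus the one that trips the lock) were
    actually checked against the real password."""
    outcomes = Counter()
    for i, guess in enumerate(guesses):
        outcomes[policy.attempt(account, guess == correct, start + i / rate)] += 1
    return outcomes


def simulate_spray(policy, accounts, guess, correct_by_account, start=0.0, rate=1.0):
    """Password spraying: one guess against many accounts. Each account sees a
    single failure, so a per-account lockout never fires."""
    outcomes = Counter()
    for i, account in enumerate(accounts):
        ok = guess == correct_by_account.get(account)
        outcomes[policy.attempt(account, ok, start + i / rate)] += 1
    return outcomes


def detect_spray(events, window=600, min_accounts=10):
    """Compensating detection for the spray case: flag any source that fails
    against `min_accounts` distinct accounts inside `window` seconds.
    `events` are (timestamp, source_ip, account, success) tuples."""
    failures_by_source = defaultdict(list)
    for ts, src, account, ok in events:
        if not ok:
            failures_by_source[src].append((ts, account))
    flagged = set()
    for src, fails in failures_by_source.items():
        fails.sort()
        for i, (ts, _) in enumerate(fails):
            accounts = {a for t, a in fails[i:] if t - ts <= window}
            if len(accounts) >= min_accounts:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, window=600, duration=900)
    wordlist = [f"guess{i}" for i in range(100)]          # constructed guesses
    print("brute force:", simulate_brute_force(policy, "sally", wordlist, "Wq7$Lm2#pV9!"))
    users = [f"user{i}" for i in range(50)]
    print("spray      :", simulate_spray(LockoutPolicy(), users, "Summer2024!", {u: "x" for u in users}))
    # Constructed log: one source spraying 50 accounts, one user mistyping twice.
    log = [(i, "203.0.113.7", f"user{i}", False) for i in range(50)]
    log += [(5, "198.51.100.4", "sally", False), (9, "198.51.100.4", "sally", False), (12, "198.51.100.4", "sally", True)]
    print("flagged    :", detect_spray(log))
```

Against one account the policy lets four wrong guesses through, locks on the fifth, and then refuses the remaining 95 without checking them. Against fifty accounts with one guess each it records fifty failures and zero lockouts, which is why failed logins need to be counted per source across accounts and not only per account.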
No Multi-Factor Authentication (MFA)
We cover how all this works and why it’s important in the second half of this article, but here’s the basic idea: an unscrupulous person may get hold of your password but would be stopped by MFA, because logging in requires a second step. On top of the password, you are asked to key in an ever-changing code from an authenticator app, or to use a biometric such as your fingerprint. Codes sent by SMS are better than nothing, but an authenticator app or a hardware security key holds up much better against phishing and SIM-swapping.
We’ve had clients whose email accounts have been compromised by someone in Russia who was requesting bank wire transfers unchecked. Thousands of dollars lost. If these victims had MFA in place, the hacker wouldn’t have been able to log in with just the password and this would all have been avoided.
Everyone Has Administrator-Level Permissions
Yes, it is annoying that you have to ask IT to allow you to install a program like Spotify or Adobe Creative Cloud. Or a font. And yes, as IT, it is annoying to have to go help an end user install something they could install themselves. However, malware runs with the privileges of the person who launched it: if your everyday account is an administrator on your workstation or across the network, anything you click on can disable protections, install itself permanently, and reach further into the organization’s network. Do daily work from a standard account and keep a separate admin account for the rare occasions that need it.
There Isn’t Any Cyber Security Training
We go into more detail in a separate post, but the idea here is that even non-technical personnel need to stay up to date on cybersecurity threats and trends and be empowered to recognize bad actors. Your end users should also feel comfortable speaking up, without fear of blame, if they think they clicked on something they shouldn’t have; the earlier IT hears about it, the less damage there is to undo. One way to accomplish this is ongoing security training.
So go on, buy them lunch and play a game of telling a phishing email from a legitimate one. Savvy end users go a long way.
No Acceptable Use Policy
Your employees should sign a policy every year about what they should be doing to protect your organization against these types of threats, along with what activities are acceptable on your business-provided technology. The policy should be easy to understand and informative so that it helps end users understand how they can take an active role in protecting against attacks, but it should also be in place from a legal standpoint to protect your organization should anything less than ideal occur.
The “Firewall” Comes from A Big Box Store
Consumer-grade routers are not built to keep up with evolving malware threats. A true business-grade firewall receives regular updates on new threat signatures, inspects traffic rather than simply forwarding it, and integrates with the rest of your network so you can block malicious traffic and quarantine affected machines.
End Points Are Not Encrypted
People lose laptops with alarming frequency, and laptops get stolen frequently too. Full-disk encryption such as BitLocker on Windows (or FileVault on a Mac) means that someone who pulls the drive or boots the stolen machine from a USB stick sees only ciphertext instead of your files and sensitive information. It has to be turned on before the laptop leaves the building, and the recovery keys should be stored centrally, because encryption cannot be applied to a device that is already gone.
There Isn’t Antivirus
Please put antivirus on your computers and servers. It’s stopped ransomware in its tracks several times with our clients in the past month. Today’s antivirus solutions should not only be updated with signatures to recognize known malicious files, but also recognize unusual behavior (like a machine mass-encrypting files it never should, or calling out to a known command-and-control server) and quarantine the offending machine accordingly.
Backups Are Connected to the Network
Your backup is your last resort for recovering from a ransomware attack, so it’s really important that you keep your backups from getting ransomware’d too. Ransomware encrypts every drive and share the compromised account can reach, and a backup drive that is permanently mapped on the network is one of them. Keep at least one copy offline or otherwise unreachable from the production network, such as a rotated external drive that is disconnected after each job, or cloud storage with immutability so that even an administrator account cannot delete or overwrite it. And test a restore periodically; a backup you have never restored from is a hope, not a plan.