TEQ Blog

Basic Cyber Security Tips

Some considerations on how to keep your business's IT secure.

Late last century, I was heavily into IT Security. I went deep, even spending time serving on the Standards Australia/Standards New Zealand IT Security Standards Committee, attending and speaking at IT security conferences, and undertaking client engagements in the IT Security space. While this is no longer part of my practice, the topic – updated to be referred to as Cyber Security – has remained something of a fascination.

Behind the scenes, hacking is an everyday occurrence. Every time I log in to administer this site, I am reminded of that. Every day I have hundreds of fake login attempts. It often feels like the bad guys are winning. Cyber criminals are too numerous to stop, and the potential bounty too great. You are fending off everything from organised crime, to state actors, to opportunist novice hackers (‘script kiddies’), who are relentlessly trying to find ways to steal your data, hold your business to ransom, or hurt your firm’s (or your) reputation.

So, what can you do? 

Top of my list is to periodically engage an IT Security provider to review your systems – and then apply their recommendations. Second, talk to your insurance broker and get a good cyber security policy in place. No matter how good your defences, there is still a real risk of someone getting through them. Third, take regular backups and store them separately from the systems they protect (offline, or with a different provider), so that an attacker who gets into your systems cannot also get at the backups.

Disabuse yourself of the notion that ‘My business is too small for anyone to care about.’ Hackers don’t know – and typically don’t care about – the size of your business. In most cases, they are not actually targeting you. They are targeting everyone, with automated scanning and mass phishing, and you simply happen to be reachable.

To follow are some specific things you can do to reduce your risk. Please don’t assume that if you apply these that it makes you safe: you should still get your systems regularly reviewed. There is no exhaustive list that will make you totally safe online any more than there are ways to make you perfectly safe when driving.

These guidelines are a collection of best practices that I apply in my business, and recommend to my clients. I periodically update them in an attempt to keep them current.

Top of the Cliff

Engaging an IT Security provider to review your systems is an example of something you should do proactively. This is what I mean by ‘Top of the Cliff.’ It’s where you erect the safety fence.

 

1.

Passwords

A strong password is an effective password. Strong means long: 16 characters or more. Your passwords should not be reused on other systems or websites: reuse is how a breach at one site becomes a break-in at another. Some systems require you to create passwords made up of a mix of character types (e.g., letters, cases, numbers, and symbols like *&$}). This mix of character types can be useful, but is generally not essential for good security. Unusual characters and typography tend to make passwords harder to remember, with the result that they get written down. You can find more in a previous blog post here.

  • It is also no longer best practice to require users to change their passwords frequently. If you are adept at using unique passwords, then the only time you should need to change your password is if it is compromised (the trade term for your password being disclosed; also known as your password being ‘in the wild’, which I find a more colourful description). Using a passphrase can be particularly effective, as it enables the password to be easily remembered while still not being easy to crack.
  • A passphrase is a natural-word sentence or collection of words that has meaning for you, but would not be easily guessed by others. So it might be ‘Honeymoon Fiji Bitter.’ Even without the spaces, that is 19 letters long (not all password systems allow spaces, so you could string them together as ‘HoneymoonFijiBitter’). You easily remember the long days in the sun in Fiji on your honeymoon, drinking Fiji Bitters. Even if someone knows you very well, unless that is your go-to talking point of your life, they won’t guess it. Be aware that automated password cracking tools do try combinations of dictionary words, so the strength of a passphrase comes from the number of words and how unusual they are, not from its length alone: three words drawn from a large vocabulary is the minimum, four or more is better, and the words should not be things you post about publicly.
  • I am often asked about Password Managers – commercial products you download as an app that will keep your passwords encrypted and safe. In principle, they are a good idea, but be aware that you are simply outsourcing the risk to – typically – an unknown third party. How secure is their system? Does it have backdoors (ways the vendor can get into your passwords without your knowledge)? If someone cracks their system, does it give the hacker access to everyone’s passwords? No system is perfect, and vendors aren’t likely to give you a totally honest assessment of the weaknesses of their system. You need to have a lot of trust in the vendor of a password manager. Can you? The mainstream products encrypt your vault on your own device with a key derived from a master password the vendor never sees, so what you are really trusting is that design, the vendor’s track record, and your own master password, which should itself be a long passphrase protected by 2FA. For most businesses, a reputable password manager is a far smaller risk than reused or written-down passwords.
  • A password is meant to be a secret. Something only you know, and something others can’t (easily) guess. And not written down.
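As an added example (not part of the original post), the following Python script puts rough numbers on the advice above. It models an attacker who knows the style of password in use and estimates how long a straightforward guessing attack takes at three guess rates; the rates, alphabet sizes and vocabulary sizes are assumptions chosen for illustration, not measurements.

```python
import math

# Added example, not from the original post: a back-of-envelope model of how
# long a password of a given style survives guessing. Guess rates are
# assumptions for illustration; real figures depend on the attacker's hardware
# and on how the target system stores (hashes) its passwords.
GUESSES_PER_SECOND = {
    "online, account locks after 3 tries per hour": 3 / 3600,
    "offline, slow hash (bcrypt, scrypt, PBKDF2)": 1e4,
    "offline, fast unsalted hash (MD5, SHA-1, NTLM)": 1e10,
}


def keyspace_random(alphabet_size, length):
    """Possible passwords of `length` symbols drawn at random from an alphabet."""
    return alphabet_size ** length


def keyspace_words(vocabulary_size, words):
    """Possible passphrases of `words` words drawn from a vocabulary.

    This assumes the attacker knows the passphrase is made of dictionary words
    and tries word combinations (a 'combinator' attack), which is the safe
    assumption: cracking tools do exactly that.
    """
    return vocabulary_size ** words


def entropy_bits(keyspace):
    return math.log2(keyspace)


def expected_crack_seconds(keyspace, guesses_per_second):
    """On average the attacker hits the password halfway through the keyspace."""
    return keyspace / 2 / guesses_per_second


def human_duration(seconds):
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


# Styles to compare. Alphabet and vocabulary sizes are assumptions: 94 printable
# ASCII symbols, 26 lowercase letters, a 7,776-word diceware-style list, and a
# roughly 100,000-word general English vocabulary.
CANDIDATES = {
    "8 chars, all four character classes": keyspace_random(94, 8),
    "16 random lowercase letters": keyspace_random(26, 16),
    "3 words from a 7,776-word list": keyspace_words(7776, 3),
    "3 words from a 100,000-word vocabulary": keyspace_words(100_000, 3),
    "5 words from a 7,776-word list": keyspace_words(7776, 5),
}


def report():
    """Return {style: {scenario: expected seconds}} and print it as a table."""
    result = {}
    for style, space in CANDIDATES.items():
        result[style] = {}
        print(f"\n{style}: {entropy_bits(space):.1f} bits")
        for scenario, rate in GUESSES_PER_SECOND.items():
            secs = expected_crack_seconds(space, rate)
            result[style][scenario] = secs
            print(f"  {scenario:<48} {human_duration(secs)}")
    return result


if __name__ == "__main__":
    report()
```

What the table shows: three words from a short list fall in seconds to an offline attack against a fast unsalted hash, the same three words from a large vocabulary last about half a day against that attacker and centuries against a slow hash, and five words from the short list (or 16 random letters) last decades or longer even against the fast hash. Everything lasts effectively forever against an online attacker facing the lockout described in the next section, which is why enabling it matters.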

2.

Enable System Security

Most systems have a range of security features that most users don’t know about or use. Two particularly useful security features to look for are (a) incorrect password lockout, and (b) Two Factor Authentication (2FA). 

Incorrect password lockout disables an account if the password for a particular username is entered incorrectly too many times in a row. Three attempts before lockout is common, after which the account needs to be unlocked by an administrator, or the user needs to wait a set period of time (e.g., an hour or a day). This type of lockout is useful, but not totally effective: we tend not to keep our usernames as secret as our passwords, so anyone who knows your username can lock you out maliciously by deliberately logging in as you repeatedly with the wrong password. Some systems also record the network address of the device the attempts come from, and will lock out that address (often as well as the user) after too many retries. A network address can be faked (‘spoofed’) or simply changed by moving to another connection, but this still adds an effective extra layer, and a temporary lockout that expires on its own limits the damage a malicious lockout can do.
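The following is an added example (not code from the original post) of the two counters that paragraph describes, written in Python with made-up thresholds: three failures per username, ten per source address, both counted over an hour, with a one-hour lockout. The demo() function replays the scenario from the text: an attacker locks out ‘alice’ by guessing her password three times, alice is then refused with the right password from her own machine, and the attacker’s address is blocked once it has failed ten times across any usernames.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Added example, not from the original post: failed-login throttling that
    counts failures per username AND per source address, as the post describes.
    The thresholds, window and lockout length are assumptions for illustration.
    """

    def __init__(self, user_limit=3, ip_limit=10, window=3600, lockout=3600):
        self.user_limit = user_limit        # failures per username before lockout
        self.ip_limit = ip_limit            # failures per source address before block
        self.window = window                # seconds over which failures are counted
        self.lockout = lockout              # how long (seconds) a lockout lasts
        self.user_failures = defaultdict(deque)
        self.ip_failures = defaultdict(deque)
        self.user_locked_until = {}
        self.ip_locked_until = {}

    def _record(self, key, table, limit, locks, now):
        """Add a failure timestamp; lock `key` once `limit` failures fall in the window."""
        q = table[key]
        while q and q[0] <= now - self.window:   # drop failures that have aged out
            q.popleft()
        q.append(now)
        if len(q) >= limit:
            locks[key] = now + self.lockout
            q.clear()

    def attempt(self, username, source_ip, password_ok, now):
        """Evaluate one login attempt at time `now` (seconds) and return the outcome.

        Lockout checks run before the password is considered, so a locked
        account or address cannot keep being guessed at during the lockout.
        """
        if self.ip_locked_until.get(source_ip, 0) > now:
            return "blocked: source address locked"
        if self.user_locked_until.get(username, 0) > now:
            return "blocked: account locked"
        if password_ok:
            self.user_failures[username].clear()
            return "ok"
        self._record(username, self.user_failures, self.user_limit,
                     self.user_locked_until, now)
        self._record(source_ip, self.ip_failures, self.ip_limit,
                     self.ip_locked_until, now)
        return "failed"


def demo():
    """Replay the scenario from the text. Addresses are from the RFC 5737
    documentation ranges, not real hosts."""
    guard = LoginGuard()
    attacker, alice_home = "203.0.113.5", "198.51.100.7"
    outcomes = []
    for t in range(3):                                   # attacker guesses at alice
        outcomes.append(guard.attempt("alice", attacker, False, t))
    # alice, correct password, own machine: locked out by the attacker's failures
    outcomes.append(guard.attempt("alice", alice_home, True, 10))
    for t in range(20, 27):                              # attacker moves on to other usernames
        outcomes.append(guard.attempt(f"user{t}", attacker, False, t))
    # the attacker's address is now blocked, even for a correct password
    outcomes.append(guard.attempt("bob", attacker, True, 30))
    # alice's lockout has expired
    outcomes.append(guard.attempt("alice", alice_home, True, 3700))
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The per-username lockout is what creates the malicious-lockout problem the text describes, which is why the address counter sits beside it and why the lockout is time-limited rather than permanent; a real system would also slow each successive attempt down (increasing delays) and alert an administrator when an address is blocked.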

Two Factor Authentication (2FA) requires two secrets from two sources to enable a successful login. The most common types of 2FA are a password plus a code from a dedicated hardware token (a ‘dongle’ or security key), a password plus a code from an authenticator app on your phone, or a password plus a code sent to your mobile phone by text message. To be effective, the two secrets need to be sourced independently, and each secret needs to be sufficiently secure. Codes sent by text message are the weakest of these, because an attacker who talks your mobile provider into moving your number to their SIM receives them instead of you; where a system offers an authenticator app or a hardware key, choose that. Enable 2FA on anything reachable from the internet: email, banking, cloud administration consoles, and remote access.

  • Ensure the default administrator logins and passwords are changed or disabled on all systems. These are the accounts shipped and installed with your system by default, so it may be that all systems from that vendor have the same default passwords, and those defaults are published online.
  • Lock out all accounts of former staff members (or others with login accounts, like auditors or temps) as soon as they leave. You don’t need to delete the account immediately, but you should at least disable it or change its password to something secret, so they no longer have access to your system. Make sure you do go back after a couple of months to delete the account once you are sure you no longer need it.
  • When key users and IT staff (e.g., ‘admins’) leave the company, make sure all shared system passwords and PINs are changed.
  • Not all systems can be secured. A large number of common network-based IoT devices (cameras, smart TVs, printers, building controls) cannot be adequately secured. Put those on their own network segment, away from the systems that hold your data, and never expose them directly to the internet.

3.

Encrypt Your Data

If the bad guys can’t read your data, they can’t use it. Critical data should be stored and transmitted in encrypted form. In transit, that means TLS (HTTPS for websites and web applications, and encrypted connections for email and file transfer). At rest, it means full-disk encryption on laptops and desktops (BitLocker on Windows, FileVault on macOS), and encrypted storage for confidential and sensitive data on servers, archive systems, and backups.

  • Use strong, current encryption (AES-256 or an equivalent modern cipher; avoid legacy schemes such as DES or RC4, and anything home-grown), and keep the keys separate from the data: an encrypted backup stored next to its key is not encrypted in any useful sense. Stored data is easily duplicated. Hackers can then attempt to decrypt the stolen data at their leisure – potentially even years later – so the encryption has to hold up for as long as the data matters.

4.

Backup Your Data

Ensure you have effective backups of important and critical data across all systems, enabling a recovery of systems.

Hackers might steal your data (with or without your knowledge), delete it, corrupt it, or encrypt it for ransom. Backups cover you in the last three cases; they do nothing about stolen data, which is what encryption (above) is for.

  • You need to do backups regularly, and keep multiple generations going back weeks or months. If your system was hacked last week but you were unaware, and malicious code triggered today, that same code will be on every daily backup taken since, so restoring from one of them will simply reinfect you. You need an older, clean generation to go back to. Ransomware gangs also go looking for backups before they trigger, so keep at least one generation offline, or on storage that your everyday administrator accounts cannot delete or overwrite.
  • Backups need to be secured. They need to be physically secured so they can’t be stolen, and encrypted in case they are.
  • You should regularly test the recovery of data from backups. You don’t want to discover after an attack that the backups haven’t been working as expected, or that the backups can’t restore your systems as expected.
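Added example, not from the original post: a Python simulation of two of the points above, multiple generations and restore testing. It records a manifest of file hashes for each daily backup (the same check a restore test uses to confirm a copy is intact), applies a grandfather-father-son retention rule, and then, given the hash of the planted file identified during the incident review, finds the newest retained backup that is still clean. The dates, file names and stand-in ‘malware’ are constructed for the scenario.

```python
import hashlib
from datetime import date, timedelta


def manifest(files):
    """SHA-256 of every file in a backup, recorded when the backup is taken."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(files.items())}


def verify(files, recorded):
    """Names of files missing or altered since the manifest was recorded
    (what a restore test checks after pulling the copy back)."""
    return [name for name, digest in recorded.items()
            if name not in files or hashlib.sha256(files[name]).hexdigest() != digest]


def retained(today, backup_dates, dailies=7, weeklies=4, monthlies=3):
    """Grandfather-father-son retention: every day for `dailies` days, each
    Sunday for `weeklies` weeks, the 1st of the month for `monthlies` months."""
    keep = set()
    for d in backup_dates:
        age = (today - d).days
        if age < dailies:
            keep.add(d)
        elif d.weekday() == 6 and age <= 7 * weeklies:
            keep.add(d)
        elif d.day == 1 and age <= 31 * monthlies:
            keep.add(d)
    return keep


def newest_clean(backups, keep, indicators):
    """Newest retained backup containing no file whose hash is a known-bad indicator."""
    for d in sorted(keep, reverse=True):
        if not any(digest in indicators for digest in backups[d].values()):
            return d
    return None


# Constructed scenario: daily backups from 1 March 2024; an attacker plants a
# file on 10 June; nothing is noticed until 30 June.
START, COMPROMISE, TODAY = date(2024, 3, 1), date(2024, 6, 10), date(2024, 6, 30)
MALWARE = b"simulated dropper"          # stand-in for the planted file's content


def build_backups():
    """One manifest per day; the planted file appears from COMPROMISE onwards."""
    backups = {}
    d = START
    while d <= TODAY:
        files = {"ledger.xlsx": f"ledger as of {d}".encode(),
                 "customers.csv": b"name,email\n..."}
        if d >= COMPROMISE:
            files["invoice.pdf.exe"] = MALWARE
        backups[d] = manifest(files)
        d += timedelta(days=1)
    return backups


def restore_candidate(dailies=7, weeklies=4, monthlies=3):
    """Which retained backup is safe to restore, given that the incident review
    identified MALWARE's hash as an indicator of compromise."""
    backups = build_backups()
    keep = retained(TODAY, backups.keys(), dailies, weeklies, monthlies)
    return newest_clean(backups, keep, {hashlib.sha256(MALWARE).hexdigest()})


if __name__ == "__main__":
    print("7 dailies only:                     ", restore_candidate(7, 0, 0))
    print("7 dailies + 4 weeklies + 3 monthlies:", restore_candidate())
```

With seven daily generations only, every retained backup already contains the planted file and there is nothing safe to restore; with weekly and monthly generations as well, the Sunday backup from 9 June is clean. The price is that three weeks of ledger changes have to be recovered by other means, which is exactly the kind of gap a tested plan (see Bottom of the Cliff) should anticipate.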

5.

Educate Your Staff

You and your staff are the weak link in the majority of successful cyberattacks, so ensuring everyone in your team is aware of their security obligations, helping them understand how to recognise bad websites and links, and how to recognise when they’re being manipulated via social or indirect contacts (social engineering), will pay dividends.

  • Security education starts when someone joins the company, even if a temp.
  • Security policies should be documented and available to everyone with access.
  • Regular security training pays dividends.

6.

Enforce Security Policies

Developing the right security policies is necessary, but not sufficient to keep your business safe. They need to be applied and consistently enforced.

  • Effective policies are simple to understand and to follow, e.g., all users must lock or log out of their device when leaving it for more than 5 minutes. Ideally the application of policies should be automated where possible: an automatic screen lock after a few minutes of inactivity enforces that example without relying on anyone remembering it.
  • The policies need to be tested. This is often as part of a security review or audit, but needs to be frequent enough to highlight their importance.
  • Consistent means the policy applies to everyone in all applicable situations. Providing exceptions and loopholes provides employees with the wriggle room that exposes the business to attack.

7.

Ensure Appropriate User Account Access

Almost all systems enable the system administrator to create different levels of access, referred to as user classes or roles. Each user class is able to access different parts of the system, and different sets of data. At the top are the administrators, who have complete access to the system and its data; at the bottom are guest accounts, with highly limited access rights.

When a user logs into a system, they should be using an account with the appropriate level of access rights to perform the task they are undertaking, and no more. 

  • Administrators need to have more than one login, at different levels of security access. When an administrator is using the system as a normal user (email, browsing, documents), they should be using an account on that system with normal user-level access. They should not be using their administrator account to do day-to-day work: a phishing link opened from an administrator account hands the attacker administrator rights.
  • Review the need for guest accounts on each system. If they are not needed, disable or delete them.

8.

Dispose of Old Systems Carefully

Before any system that includes storage is thrown out, you need to ensure all data is erased in a way that makes recovery unlikely. 

  • Storage includes tapes, hard discs, removable discs (remember them?), SSDs, or any inbuilt memory system that stores data in a semi-permanent way. In most cases, the memory (RAM) in your laptops, desktops, and servers does not retain the data once the machine is powered off. Focus on the memory types that retain data without power.
  • There are a variety of apps that can perform a secure wipe (overwriting every block, not just deleting the files) on magnetic disks and tapes. This does not work reliably on SSDs and USB flash storage, where the drive silently keeps spare copies of data; for those, use the drive’s built-in secure-erase command, or – if the drive was encrypted from the start – destroy the encryption key, which is the simplest and most reliable wipe of all.
  • Extreme physical damage can also be quick and effective. This could be as simple as dismantling the drive and physically destroying the platters or memory chips, or drilling multiple holes through the casing and disks. A high-powered magnet (degausser) works on tapes and magnetic hard disks but does nothing to an SSD or USB stick, which need to be physically destroyed. One place I worked used a shotgun on their disk drives.

9.

Patch Your Systems

Ensure all of your systems are patched and up-to-date. Vendors will release updates to their systems to address known security issues that make your systems vulnerable. These updates are referred to as patches.

  • Many systems allow you to automate the downloading and installation of patches. Where available, this is a good idea for workstations, phones, and browsers. For business-critical servers, test patches before rolling them out, but don’t let ‘testing first’ slide into never patching.
  • When a vendor stops making patches available for your system, you should look to upgrade or replace the system. A lack of patches doesn’t mean there are no new risks, just that the vendor is no longer fixing them.
  • There is no such thing as a ‘hacker-proof’ system. There will be weaknesses in any system. Once they are discovered by the bad guys, your system is at risk.
  • Cloud systems are no more or less susceptible to attack, and these systems also need to be patched. Who does the patching depends on the service: with software-as-a-service the provider patches the application, but you remain responsible for your accounts, your configuration, and the devices that connect to it; with cloud servers you rent, patching the operating system and everything on it is still your job.

10.

Don't Forget about Physical Security

Securing the front door while leaving the back door open is not an effective approach to security. Similarly, only focusing on Cyber Security while ignoring physical security of your site, systems, or devices leaves you exposed.

  • Lock away the core onsite parts of your system: onsite servers, storage systems, and network devices (such as WiFi access points and the router). You can be sure your Cloud providers have added a significant level of physical security to their data centres and operations facilities; the parts on your premises are your responsibility.
  • Control access to secure areas of your business.
  • How are you ensuring that portable and mobile devices that leave your premises are secured against theft?

11.

Remove Apps You Are Not Using

Unused apps that sit on your systems are potential ways you will be hacked. If you aren’t regularly using – and patching – apps, they can easily become weaknesses.

  • This is a key risk on mobile devices like smartphones. If you can easily download an app again and you don’t need the data on tap, delete the app! 

12.

Lock Systems Down to Their Task

Consider locking systems in your business down to the particular tasks they are used for.

  • This can result in frustrations for some users. Devices are meant to be ‘personal,’ and configured the way a particular user wants for their efficiency. There is a balance that is needed here.
  • A desktop at the reception desk, for example, might only be able to run a small number of applications specific to the front-desk role, and not be able to use USB devices.
  • Discuss application whitelisting (also called allowlisting: only approved programs are permitted to run, and everything else is blocked) with your IT provider and consider whether it would make sense in your business.

13.

Secure the Edge and Each Device

Ensure you have secured your network from unauthorised access, and also that each device on your network is appropriately secured.

  • You are likely to have or allow a lot of devices on your network. This will include mobile and portable devices connecting via WiFi, numerous wired devices (e.g., desktops, copiers, and printers), and newer IoT platforms (like cameras and building automation systems).
  • Make sure everything is password secured, and that default accounts and passwords are changed, disabled, or deleted.
  • Run anti-malware software (e.g., anti-virus) on all devices where possible. This is not possible on all devices.
  • If you can’t secure it, don’t connect it!

14.

Enable Logging and Log Analysis Where Available

Many systems will keep track of all activity that takes place, and provide tools to analyse this activity log when there has been an issue. Where available, enabling this logging is a good idea. At a minimum, the logs should record logins (successful and failed), administrator actions, and changes to security settings.

  • Ensure logs rotate after a set period of time so the storage doesn’t unexpectedly fill up with logs and stop the system, but keep them long enough to be useful: many intrusions are only discovered months after they began, so three months is a minimum, not a target. Forwarding copies of logs to a separate system (a log server or a cloud logging service) both keeps them longer and keeps them out of reach of an attacker trying to cover their tracks.
  • Make sure logs are secure and encrypted, and that access to the analysis tools is controlled. 
  • Have the logs periodically reviewed for unexpected access and activities, such as repeated failed logins, logins at unusual hours or from unusual locations, and newly created administrator accounts.
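Added example, not from the original post: what a periodic review of login logs can look like when automated. The Python below runs two simple detections over a constructed set of sshd-style log lines (not a real log; the addresses are from the RFC 5737 documentation ranges): repeated failed logins from one address, and a successful login from an address that had just failed several times, which is the pattern of a password guess that worked. The thresholds and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not a real log: sshd-style authentication lines.
SAMPLE_LOG = """\
2024-06-30T02:14:01 sshd[911]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
2024-06-30T02:14:03 sshd[911]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
2024-06-30T02:14:04 sshd[911]: Connection closed by 203.0.113.5 port 40123 [preauth]
2024-06-30T02:14:05 sshd[911]: Failed password for root from 203.0.113.5 port 40124 ssh2
2024-06-30T02:14:08 sshd[911]: Failed password for alice from 203.0.113.5 port 40125 ssh2
2024-06-30T02:14:11 sshd[911]: Failed password for alice from 203.0.113.5 port 40126 ssh2
2024-06-30T02:14:15 sshd[911]: Accepted password for alice from 203.0.113.5 port 40127 ssh2
2024-06-30T08:59:40 sshd[1200]: Failed password for bob from 198.51.100.7 port 50001 ssh2
2024-06-30T09:00:02 sshd[1200]: Accepted password for bob from 198.51.100.7 port 50002 ssh2
""".splitlines()

AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines):
    """Yield (timestamp, accepted, username, source_ip); skip lines that aren't auth results."""
    for line in lines:
        m = AUTH_LINE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"] == "Accepted",
                   m["user"], m["ip"])


def analyse(lines, window=timedelta(minutes=10), fail_threshold=5, success_after=3):
    """Two detections over a sliding window per source address:
    - 'brute force': at least `fail_threshold` failures inside the window;
    - 'success after failures': a login accepted from an address that had
      `success_after` or more failures in the window (a guess that worked).
    Returns a list of finding dicts in the order they were raised."""
    recent = defaultdict(deque)       # ip -> (timestamp, user) of recent failures
    already_flagged = set()
    findings = []
    for ts, accepted, user, ip in parse(lines):
        failures = recent[ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()        # forget failures older than the window
        if accepted:
            if len(failures) >= success_after:
                findings.append({"type": "success after failures", "ip": ip,
                                 "user": user, "failures": len(failures),
                                 "at": ts.isoformat()})
            continue
        failures.append((ts, user))
        if len(failures) >= fail_threshold and ip not in already_flagged:
            already_flagged.add(ip)   # one alert per address, not one per extra failure
            findings.append({"type": "brute force", "ip": ip,
                             "failures": len(failures),
                             "users": sorted({u for _, u in failures}),
                             "at": ts.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Bob’s single typo followed by a successful login is left alone; the address that tried three different usernames and then got into alice’s account produces both alerts, and the second one is the one that should be treated as a probable compromise rather than a nuisance.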

Bottom of the Cliff

If you have been the victim of an attack, there are also some things you need to do after the fact.

 

1.

Have a Plan

The most effective way to deal with an attack is to have a prepared plan of action so you don’t forget key steps, or spend unnecessary time working out your plan after the fact. 

A good plan will include the following:

  • Key responsibilities – who does what
  • Communication – to staff, customers, and regulators as appropriate. This is not about spin, but ensuring those that need to know are quickly informed.
  • Steps to keep the business operating until core systems are available (e.g., a disaster recovery plan or business continuity plan)
  • How to restore systems and data if they have been corrupted.

2.

Attack Review

Whenever you discover you have been hacked or otherwise compromised, undertake a review of what happened and look at what needs to be done to prevent subsequent attacks.

  • Review and amend policies, including your Plan (above)
  • Modify education to address identified weaknesses
  • Undertake additional monitoring
  • Review system logs
