With the increasing connectivity of companies, people and devices, the risks that systems and users face from malware, phishing, ransomware, hackers, viruses and many other threats also grow. To help small and medium enterprises manage their use of the Internet, improve their security on the internet and also support employee productivity, we list 10 updated tips that can serve as the basis for adopting an information security culture in your company in 2020.
- Use safe passwords for all users and equipment
- Enable two-factor authentication (2FA)
- Protect and control internet access
- Use antiviruses on all computers
- Limit and record network traffic with a firewall
- Have backup copies of the important data
- Keep software always updated
- Restrict permissions in shared files
- Educate employees about phishing and social engineering
- Implement a policy of using IT resources
Use safe passwords for all users and equipment
Even today the password is the most important form of authentication for access to information and computing resources. Increasingly fast computers make it possible to crack, in a short time, a password that a few years ago would have been impossible to crack. Therefore, it is now necessary to use longer passwords to increase internet security.
Adopt as a rule in the company the use of strong passwords:
- passwords with a minimum length of 8 characters (preferably 12 or more);
- that combine uppercase, lowercase, numbers and symbols; and
- that do not contain obvious information or simple sequences.
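The three rules above can be enforced mechanically. The following checker is an added example written for this article, not code from Lumiun or from any product it mentions; the list of "obvious" words it rejects is a constructed placeholder that a company would replace with its own names, products and dates.

```python
import string
from typing import List, Tuple

# Constructed list for this example: words a company policy could treat as
# "obvious information" (product names, the company name, the current year...).
OBVIOUS_WORDS = ("password", "senha", "admin", "empresa", "2020")


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` characters in a row that step by +1, -1 or 0
    (keyboard-style runs such as 'abcd', '4321' or 'aaaa')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw: str) -> Tuple[bool, List[str]]:
    """Apply the article's three rules. Returns (accepted, messages); a length
    between 8 and 11 characters is accepted but produces a recommendation."""
    problems: List[str] = []
    notes: List[str] = []
    if len(pw) < 8:
        problems.append("shorter than the 8-character minimum")
    elif len(pw) < 12:
        notes.append("recommendation: use 12 or more characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    low = pw.lower()
    for word in OBVIOUS_WORDS:
        if word in low:
            problems.append(f"contains obvious word '{word}'")
    if has_sequence(pw):
        problems.append("contains a simple sequence or repeated run")
    return (not problems, problems + notes)


if __name__ == "__main__":
    for candidate in ("abc12345", "Password2020!", "Tr0ub4dor&3Xq"):
        ok, messages = check_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECTED'} {messages}")
```

A checker like this belongs at the point where passwords are set (directory policy, application sign-up form), and it complements, rather than replaces, a check against lists of already-leaked passwords.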
You will find more information about password security in the article with recommendations and tips for creating strong and secure passwords, and in the User Accounts and Safe Account Management Guide.
A survey by Precisesecurity.com revealed that 30% of ransomware infections occurred due to the use of weak passwords. Another survey, done by Google, shows that 2 out of 3 people reuse the same password across different internet services, and more than 50% of people reported that they use the same “favorite” password on most of the sites and systems they access.
Also, do not forget that it is extremely important to change the factory-default password of equipment connected to the network. For example, many Wi-Fi routers and surveillance cameras ship from the factory with the default user “admin” and the default password “admin”. If you do not change this password, the equipment will be vulnerable and may harm the security of your entire network, including privacy problems and information leakage. Similarly, “administrator” user accounts and any other unused accounts should either be given a strong password or be disabled.
Enable two-factor authentication (2FA)
Two-factor authentication is also called two-step verification; the abbreviation 2FA derives from the English term Two-Factor Authentication. This technique complements the password and adds a great deal of security to access to systems and resources on the internet.
With two-factor authentication, access depends on the correct password and also on some other factor, such as a code sent by SMS or a code generated by an application on the smartphone. Thus, even if someone discovers the email account password, they will not be able to access the account, because access also depends on the code that is sent to the account owner's smartphone.
It is recommended that it be enabled at least for the most important resources. The email account certainly belongs on this list of important resources to protect, because through email you can reset the passwords of many other services via “I forgot my password” functions.
To start using 2FA, we recommend enabling two factors in Gmail and WhatsApp. Google calls two-factor authentication “two-step verification”, and it greatly increases the security of Gmail. WhatsApp calls the same functionality “two-step confirmation”, and it is highly recommended that it be enabled to make theft or “cloning” of a WhatsApp account more difficult.
Also check whether the other important applications used in the company offer 2FA (two-factor authentication), and activate this protection wherever it is available.
Protect and control internet access
It is recommended to use tools that block access to harmful content, such as suspicious sites that often contain viruses or malware. It is common for employees to receive fake emails with links that lead to fraud sites. In addition, attempts to download MP3 music, adult content or games can end with a virus being installed. Most attacks start from access to a harmful or malicious site: accessing the site silently installs a virus on the equipment, which opens a door into the network so that other attacks can follow, generally damaging the company's internet security.
The use of protection mechanisms against access to malicious websites is increasingly important. With this type of control, it is possible to define which user groups will have access to which types of websites, thus avoiding both the use of sites unrelated to the scope of work and access to addresses with harmful content. Through this tool, the manager protects the network against sites used for phishing and for spreading malware and ransomware.
How to control browsing and block access to harmful websites? See the article on internet access management and control for small and medium enterprises. A good solution for protecting and controlling internet access in small and medium enterprises is Lumiun, which protects browsing against malicious sites and generates access reports, increasing information security and employee productivity. It is a solution that is easy to implement and manage, requiring low investment.
Use antiviruses on all computers
Especially on Windows computers and servers, it is essential to use good antivirus software, kept updated and configured to perform periodic scans. Currently antivirus cannot be overlooked or replaced by other solutions; it is essential for internet security. In the company you should choose a paid license and not use pirated software or keep using evaluation versions. It is important that the antivirus and/or antimalware is always up to date and active in order to offer its protection. An outdated antivirus, or one with real-time protection disabled, loses effectiveness and makes computers more vulnerable.
Some good antivirus options for small and medium businesses:
- Kaspersky Small Office Security
- Avast Business Antivirus
- Bitdefender Small Office Security
- ESET Endpoint Protection Advanced Cloud
- McAfee Endpoint Security
Limit and record network traffic with a firewall
A firewall controls the data flow: with it you can filter traffic, setting what should pass and what should be discarded. When configured correctly on a computer network, the firewall acts as an additional layer of protection against external attacks and increases the company's security on the Internet, including its information, equipment and systems. Normally the firewall is one of the main defenses at the perimeter of a private network, being an essential component in protecting against unwanted traffic and intrusion attempts.
Make sure you have an active and well-configured firewall that is protecting and recording the connections between the internet and your local network equipment. If possible, keep Internet access to your internal servers blocked in the firewall, especially to the remote desktop service (Remote Desktop). This service is a constant target of intrusion attempts aimed at deploying ransomware that locks data and holds it hostage. The FBI has already issued a warning regarding the large wave of attacks on the Remote Desktop Protocol (RDP). The alert even cites the existence of black-market lists, sold to attackers, of machines vulnerable to intrusion that have unrestricted access on the standard remote desktop port (3389).
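Because the article asks for a firewall that both limits and records traffic, the log is where you confirm that RDP is really not reachable from the Internet. The script below is an added example, not from the article or any firewall vendor: it reads a constructed log in a generic key=value style (real vendors differ in format and you would adapt the regular expression), and reports every allowed connection to port 3389 that did not originate from an RFC 1918 address. The internal ranges are an assumption of the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List

# RFC 1918 ranges treated as "inside the company" (assumption of the example;
# adjust to your own addressing plan).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389

# Constructed sample log (not from any vendor or from the article). The
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for
# Internet addresses.
SAMPLE_LOG = """\
2020-01-15T08:01:02Z action=allow src=192.168.10.5 dst=192.168.10.20 dport=445 proto=tcp
2020-01-15T08:01:05Z action=allow src=203.0.113.7 dst=192.168.10.20 dport=3389 proto=tcp
2020-01-15T08:01:06Z action=allow src=203.0.113.7 dst=192.168.10.20 dport=3389 proto=tcp
2020-01-15T08:01:07Z action=allow src=203.0.113.7 dst=192.168.10.20 dport=3389 proto=tcp
2020-01-15T08:02:11Z action=deny src=198.51.100.9 dst=192.168.10.20 dport=3389 proto=tcp
2020-01-15T08:03:00Z action=allow src=192.168.10.8 dst=192.168.10.20 dport=3389 proto=tcp
2020-01-15T08:04:30Z action=allow src=198.51.100.23 dst=192.168.10.21 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses. Note: ipaddress.is_private is deliberately not
    used, because it also returns True for the documentation ranges used above."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(log: str) -> Iterator[dict]:
    """Yield one record per line that matches the expected fields; other lines
    (e.g. system messages) are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"action": m["action"], "src": m["src"],
                   "dst": m["dst"], "dport": int(m["dport"])}


def exposed_rdp_sources(log: str) -> Dict[str, Counter]:
    """Map each internal host -> Counter(external source -> allowed RDP
    connections). Any entry means RDP is reachable from the Internet."""
    findings: Dict[str, Counter] = defaultdict(Counter)
    for rec in parse(log):
        if rec["dport"] == RDP_PORT and rec["action"] == "allow" and not is_internal(rec["src"]):
            findings[rec["dst"]][rec["src"]] += 1
    return dict(findings)


def report(log: str) -> List[str]:
    """Human-readable findings, one line per (host, external source)."""
    lines = []
    for dst, sources in exposed_rdp_sources(log).items():
        for src, n in sources.most_common():
            lines.append(f"RDP on {dst} reachable from Internet host {src} ({n} allowed connections)")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG) or ["no RDP exposure found"]:
        print(line)
```

On the sample data the denied attempt from 198.51.100.9 is correctly ignored (the firewall did its job) and the internal user on 192.168.10.8 is not flagged; only the allowed connections from 203.0.113.7 show that the rule the article recommends is missing.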
Among good network firewall solutions for small and medium enterprises we can mention Fortigate, SonicWall, Lumiun, Sophos and pfSense. Read more about this in the article “Firewall: Does your network need this protection?”
Have backup copies of the important data
It is never too much to remember the importance of having a reliable backup, from which important data can be recovered after any incident. For some types of attack, such as ransomware, which locks data until a ransom is paid, the main way to solve the problem is to restore the company's data from a backup copy. Backup is essential for the security of company information.
The backup strategy should ensure that a backup copy is kept in a location separate from where the original data resides. If the backup is made to an additional disk that is constantly connected to the server or network holding the original data, then in the specific case of ransomware the backup files may also be locked at the time of the attack, making the backup useless. It is important to have a backup copy in a place separate from the original location of the data.
To understand the importance of making a backup copy of your company's data and documents, imagine your company suddenly losing all of its financial spreadsheets, management controls, commercial data, customer information, records of the products and services offered, and the history of its collaborators. It is very difficult to imagine the depth of the impact of such a situation on a company. The loss would be enormous, and all administrative and commercial activities of the company would be compromised.
To avoid this situation, it is essential to maintain a well-structured backup strategy. The more automated the backup task, the greater the chance of it being up to date when data restoration is needed. It is important to document and periodically test the restoration process: the real value of a backup is not the backup itself, but a successful restoration.
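“Periodically test the restoration” can be automated as well. The following is an added example written for this article (not a Lumiun tool or any backup product's code): the backup step writes a SHA-256 manifest next to the copied files, and the restore test copies the backup to a fresh location and compares every file against that manifest, so silent corruption or a missing file in the backup is found before the day you actually need it. It works on a constructed temporary directory tree.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy the source tree to dest/data and record a manifest beside it.
    In production `dest` would be the separate location the article asks for."""
    dest = Path(dest)
    shutil.copytree(source, dest / "data")
    manifest = make_manifest(Path(source))
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup_dir: Path, restore_target: Path) -> List[str]:
    """Restore into restore_target and check it against the manifest.
    Returns a list of problems; an empty list means the restoration is verified."""
    backup_dir = Path(backup_dir)
    expected = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_target)
    actual = make_manifest(Path(restore_target))
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: back up a tiny tree, lose the original, restore and
    verify; then damage the backup copy and show that the test catches it."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "original"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "budget.csv").write_text("item,amount\nrent,1200\n")
        (src / "clients.txt").write_text("Alice\nBob\n")
        backup(src, work / "backup")
        shutil.rmtree(src)  # the original is gone (disk failure, ransomware...)
        clean = verify_restore(work / "backup", work / "restored")
        # Simulate corruption of the backup copy itself.
        (work / "backup" / "data" / "clients.txt").write_text("Alice\nMallory\n")
        damaged = verify_restore(work / "backup", work / "restored2")
        return clean, damaged
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = demo()
    print("first restore test:", clean or "OK")
    print("after corrupting the backup:", damaged)
```

Keep the manifest with the backup but also a copy elsewhere: if an attacker or a faulty disk can rewrite the data, they can rewrite a manifest stored alongside it just as easily.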
For companies that do not yet have a well-structured backup and want to start with a copy of their important data in the cloud, some simple cloud backup service options are as follows:
Keep software always updated
Software producers are continually releasing corrections to their programs to fix defects, improve performance and add features. These corrections also include fixes for vulnerabilities and security improvements in the software packages. It is increasingly important to keep the operating system and other software packages with automatic updates enabled, at least for those related to information security.
For example, the ransomware known as WannaCry (or WannaCrypt), which installs itself on Windows computers, encrypts data and demands a ransom, can successfully attack computers that do not have the MS17-010 update. According to Microsoft, “the MS17-010 security update resolves several vulnerabilities in Windows Server Message Block (SMB) v1. The WannaCrypt ransomware is exploiting one of the vulnerabilities that are part of the MS17-010 update.” How to check if MS17-010
Restrict permissions in shared files
In many small and medium enterprises, this item is left aside. However, it is important to check the level of access that each user or user group actually needs to the shared files, so as not to grant access beyond what is necessary. If a user group only needs to view certain files, and not modify them, it should have read-only access. This segregation of access permissions according to the needs of each user group is essential for information security. It prevents unauthorized users from changing, for example, the system files used by the company or the financial planning spreadsheets.
The widespread use of administrative-level user accounts, such as administrator or root, on computers should also be avoided. Like the care taken with file access permissions, this measure limits the extent of the damage that a user, even unintentionally, could cause to data.
Educate employees about phishing and social engineering
Phishing is a type of cybercrime that uses social engineering techniques to deceive internet users through counterfeit messages and websites. The goal is to steal confidential information, such as access passwords and credit card data, and in some cases to induce the victim to pay fraudulent payment slips.
The volume of phishing attacks targeting people and companies in Brazil is still very high: 1 out of every 5 Brazilian users is susceptible to phishing. Brazil is in 3rd position in the ranking of the countries most attacked by phishing scams. A report published by Cisco in 2019 pointed out that 38% of respondents faced problems with phishing in the previous year.
The company must make its employees aware of safe behavior on the internet.
Employee Training on Phishing
Employee guidance on phishing should especially include the following aspects:
- Pay attention to what the message is offering or requesting: be wary of emails, SMS messages or ads with product offers at prices far below normal, and do not believe offers with incredibly low prices. Do not believe emails that ask you to reply with your webmail or bank username and password; this is fraud. Messages allegedly sent by the tax authority informing you of an irregularity in your CPF are also fraudulent. Be wary of emails allegedly sent by the bank with a link to update the internet banking module. Do not believe emails with quotes, invoices or service orders you never requested. And pay attention to the text of the message: it is very common for phishing messages to contain spelling errors.
- Pay attention to the sender and to the links in the message: look carefully at the sender's email address and also at the destination address of the links in the message. If they look strange, be suspicious immediately and do not click.
- Pay attention to the website address: if you clicked a link and were directed to a site, a file download or a form requesting data, look closely at the address shown in the browser's address bar. The old tip of checking whether the site has the HTTPS (encryption) padlock is no longer enough, as new phishing sites also use HTTPS. It is still important, however, to check whether the site address is correct. When in doubt, search Google for the name of the company you want to access and check the real address of its site.
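The second and third points above (compare the sender's domain with the links, and compare the address shown with the real destination) are exactly what a mail gateway or a training exercise can check automatically. The block below is an added example, not from the article or any product it mentions: it parses a constructed HTML message whose visible link text shows the bank's address while the `href` points to a look-alike domain. The `registrable()` helper is a deliberately simplified approximation of the “organization” part of a hostname (real gateways use the Public Suffix List), and all domains in the sample are invented.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). The visible text of
# the first link shows the bank's own address; the real destination does not.
SAMPLE_EMAIL = """\
From: "Banco Exemplo" <seguranca@banco-exemplo.example>
Subject: Update your internet banking module
Content-Type: text/html

<html><body>
<p>Update your internet banking module here:
<a href="https://banco-exemplo.example-login.net/update">https://www.banco-exemplo.example/update</a></p>
<p>Questions? Visit our <a href="https://www.banco-exemplo.example/help">help page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links: List[List[str]] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def registrable(host: str) -> str:
    """Simplified 'organization' part of a hostname: the last two labels, or the
    last three for second-level suffixes such as .com.br (assumption of the demo)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("com", "co", "org", "gov", "net"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def analyze(raw_email: str) -> List[Tuple[str, List[str]]]:
    """Return [(href, [reasons])] for every link that deserves suspicion."""
    msg = message_from_string(raw_email)
    sender_host = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    sender_org = registrable(sender_host)
    brand = sender_org.split(".")[0]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        reasons = []
        if registrable(href_host) != sender_org:
            reasons.append("link domain differs from the sender's domain")
            if brand in href_host:
                reasons.append("destination only contains the brand name (look-alike domain)")
        text = text.strip()
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if registrable(text_host) != registrable(href_host):
                reasons.append("visible URL text does not match the real destination")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

The same three comparisons are what an employee is being asked to do by eye; seeing them as code makes it clear that the padlock plays no part in any of them.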
For more information, including examples of phishing and protection techniques, see the article Phishing: how to protect yourself and not fall for the scam.
Implement a policy of using IT resources
Ideally, the company should document and inform all employees about the acceptable use of the Internet and technology resources, aiming at information security and employee productivity. This policy must describe what can be accessed on the company's network and what the penalties are in the event of non-compliance with the rules. For legal reasons, the company may require the employee to sign an acknowledgement of this policy, confirming awareness of the rules and penalties.
Employees should be guided toward good internet security practices and should be aware of their responsibility to keep company data and information protected.
We provide a template document for an internet use policy in companies. You can use it to inform employees and make them aware of the Internet use policy in the company's work environment, ensuring the proper use of the Internet and technology resources by employees.
One point to be covered in this policy is the use of personal equipment in the workplace, especially mobile phones (smartphones): the company should make clear what the rule is. To facilitate the creation of a specific policy on mobile phone use in the company, aiming at the proper use of the equipment without harming focus and productivity, see the template document on mobile phone use policy in companies.
In closing
We believe that care for information security is essential to the success of growing companies. Those small and medium-sized companies that gradually and consistently implement the 10 factors covered in this article will certainly have good internet security in 2020: safe passwords for all users and equipment; two-factor authentication (2FA); protection and control of internet access; antivirus on all computers; a firewall to limit and record network traffic; backup of important data; always-updated software; restricted permissions on shared files; employee education on phishing and social engineering; and a policy for the use of IT resources.
Was this article useful for you? Got any questions? You can write a comment or contact me directly at heini@lumiun.com