With the increased connectivity of companies, people, and devices, the risks associated with the vulnerability of systems and users to malware, phishing, ransomware, hackers, viruses, and many other threats also increase. To help manage the internet for small and medium-sized businesses, bringing more security to the internet and also assisting in the productivity of employees, we have listed 10 updated tips that can serve as a basis for adopting an information security culture in your company in 2020.
- Use strong passwords for all users and devices
- Enable two-factor authentication (2FA)
- Protect and control internet access
- Use antivirus software on all computers.
- Limit and log network traffic with a firewall.
- Have backup copies of important data
- Keep software always up to date
- Restrict permissions on shared files
- Educate employees about phishing and social engineering
- Implement an IT resource usage policy
Use strong passwords for all users and devices
Even today, passwords remain the most important form of authentication for accessing information and computing resources. Increasingly faster computers allow for the rapid cracking of passwords that would have been impossible to break a few years ago. Therefore, it is now necessary to use longer passwords to increase security on the internet.
Make it a company rule to use strong passwords:
- passwords with a minimum length of 8 characters (preferably 12 or more);
- that combine uppercase letters, lowercase letters, numbers, and symbols; and
- that do not contain obvious information or simple sequences.
More information about password security can be found in the article with recommendations and tips for creating strong and secure passwords and in the guide for creating and managing user accounts and secure passwords .
A study by PreciseSecurity.com revealed that 30% of ransomware infections occurred due to the use of weak passwords . Another study, conducted by Google, shows that 2 out of 3 people reuse the same password across different online services, with more than 50% reporting that they use the same "favorite" password for most of the websites and systems they access.
Don't forget that it's extremely important to change the default factory password of devices connected to the network . For example, many Wi-Fi routers and surveillance cameras come from the factory with the username "admin" and the default password "admin". If you don't change this password, the equipment will be vulnerable and could be detrimental to the security of your entire network, including privacy issues and information leaks. Similarly, "administrator" user accounts and any other unused accounts should also remain password-protected or locked.
Enable two-factor authentication (2FA)
Two-factor authentication is also called two-step verification, or in English, two-factor authentication – a term from which the abbreviation 2FA derives. This technique complements the password and adds significant security to accessing systems and resources on the internet.
With two-factor authentication, access will depend on the correct password and also on another factor, such as a code sent via SMS or a code generated in a smartphone app. Therefore, even if someone discovers the email account password, they will not be able to access the account because it will depend on the code sent to the account owner's smartphone.
It is recommended that it be activated, at least for the most important features. Among these important features to be protected is certainly the email account, since it is possible to reset the password for many other services through email, using functions such as "Forgot my password".
To start using 2FA, we recommend enabling two-factor authentication in Gmail and WhatsApp . Two-factor authentication is called "two-step verification" by Google and significantly increases Gmail security. The same feature is also called "two-step verification" by WhatsApp , and it is highly recommended to have it enabled to make it more difficult to steal or "clone" your WhatsApp account.
Also check if other important applications used in the company have 2FA or two-factor authentication functionality and look into enabling this protection.
Protect and control internet access
It is recommended to use tools that prevent access to harmful content, such as suspicious websites that often contain viruses or malware. It is common for employees to receive fake emails with links that redirect to fraudulent websites. Furthermore, attempts to download MP3 music, adult content, and games can often result in the installation of a virus. Most attacks begin with access to a harmful or malicious website; upon access, this site secretly installs a virus on the device, opening a backdoor in the network for other attacks and generally compromising internet security.
The use of protection mechanisms against access to malicious websites is increasingly important. Through this type of control, it is possible to define which user groups will have access to which types of websites, thus preventing the use of websites inappropriate to the scope of work and also access to addresses with harmful content. Through this tool, the manager protects the network against websites used in phishing attacks, malware propagation, and ransomware.
How to control browsing and block access to harmful websites? See the article on internet access management and control for small and medium-sized businesses . A good solution for protecting and controlling internet access in small and medium-sized businesses is Lumiun , which protects browsing against malicious websites and generates access reports, increasing information security and employee productivity. It is an easy-to-implement and manage solution, requiring low investment.
Use antivirus software on all computers.
Especially on computers and servers running the Windows operating system, the use of good, up-to-date antivirus software, configured to perform periodic scans, is essential. Currently, antivirus software cannot be ignored or replaced by other solutions; it is crucial for internet security. Companies should opt for a paid license and avoid using pirated software or trial versions. It is important that the antivirus and/or antimalware is always updated and activated to provide protection. An outdated antivirus, or one with real-time protection disabled, would lose efficiency and leave computers more vulnerable.
Here are some good antivirus options for small and medium-sized businesses:
- Kaspersky Small Office Security
- Avast Business Antivirus
- Bitdefender Small Office Security
- ESET Endpoint Protection Advanced Cloud
- McAfee Endpoint Security
Limit and log network traffic with a firewall.
The firewall controls the flow of data, allowing you to filter traffic by configuring what should pass and what should be discarded. When correctly configured on a computer network, the firewall acts as an additional layer of protection against external attacks and increases the company's security on the internet, including its information, equipment, and systems. Typically, the firewall is one of the main defenses at the perimeter of a private network, being an essential component in protecting against unwanted traffic and intrusion attempts.
Check if you have an active and well-configured firewall that is protecting and logging connections between the internet and the equipment on your local network. If possible, block internet access to your internal servers in the firewall, especially the Remote Desktop service. This service is a constant target of ransomware attacks that block and hijack data. The FBI has already issued an alert regarding the large wave of attacks on the Remote Desktop Protocol (RDP). The alert even mentions the existence on the black market of lists of servers vulnerable to intrusion, which have unrestricted access to the standard Remote Desktop port (3389).
Among good network firewall solutions for small and medium-sized businesses, we can mention FortiGate, SonicWall, Lumiun, Sophos, and pfSense. Read more about this in the article " Firewall: Does your network need this protection? "
Have backup copies of important data
It's always important to emphasize the importance of having a reliable backup, from which important data can be recovered after any incident. In some types of attacks, such as ransomware, which locks data until a ransom is paid , the primary solution is to restore company data from a backup. Backups are essential for the security of company information.
The backup strategy should be implemented in such a way that a backup copy is kept in a location disconnected from the original data location. If the backup copy is made on an additional disk constantly connected to the server or network where the original data is located, in the specific case of ransomware, it is possible that the backup files will also be locked at the time of the attack, rendering the backup useless. It is important to have a backup copy in a location separate from the original data location .
To understand the importance of backing up your company's data and documents, imagine suddenly losing all of your financial spreadsheets, management controls, business data, customer information, product and service offerings, and employee histories. It's difficult to imagine the profound impact of such a situation on a company. The damage will be enormous, and all administrative and commercial activities will be compromised.
To avoid this situation, it is essential to maintain a well-structured backup strategy. The more automated the backup task is, the greater the chance of having it up-to-date when a data restoration is needed. It is important to document and periodically test the restoration process: the real usefulness of a backup is not the backup itself, but the successful restoration.
For companies that don't yet have a well-structured backup system and want to start by copying their important data in the cloud, some options for simple cloud backup services are as follows:
Keep software always up to date
Software companies are constantly making corrections to their programs to fix bugs, improve performance, and add features. These corrections also include solutions to vulnerabilities and security improvements in software packages. It is increasingly important to keep the operating system and other software packages with automatic updates enabled , at least for those related to information security.
For example, the ransomware known as WannaCry (or WannaCrypt) – which installs itself on Windows computers, encrypts data, and demands a ransom – can successfully attack computers that do not have the MS17-010 update. According to Microsoft, “ the MS17-010 security update resolves several vulnerabilities in Windows Server Message Block (SMB) v1. The WannaCrypt ransomware is exploiting one of the vulnerabilities that is part of the MS17-010 update. Computers that do not have MS17-010 installed are at high risk due to the various variations of the malware. ” How to check if MS17-010 is installed
Restrict permissions on shared files
In many small and medium-sized businesses, this is an overlooked item. However, it's important to check the level of access each user or group of users needs to shared files on the network, for example, to avoid granting access beyond what is necessary. If a group of users only needs to view certain files and not modify them, they should have read-only access. This segregation of access permissions according to the needs of each user group is essential for information security . This prevents unauthorized users from, for example, altering files in the company's system or financial planning spreadsheets.
The widespread use of administrative-level user accounts, such as administrator or root, on computers should also be avoided. Similar to the care taken with file access permissions, this measure limits the extent of damage that a user, even unintentionally, could cause to data.
Phishing is a type of cybercrime that uses social engineering techniques to deceive internet users through fake messages and websites. The goal is to steal confidential information , such as passwords and credit card details, and in some cases, to induce the payment of fraudulent bills .
The volume of phishing attacks targeting individuals and businesses in Brazil remains very high: 1 in 5 Brazilian users is susceptible to phishing. Brazil ranks 3rd in the list of countries most attacked by phishing scams . A report published by Cisco in 2019 indicated that 38% of respondents had experienced problems with phishing in the past year.
The company should raise awareness among its employees about safe online behavior.
Training employees on phishing.
Training for employees regarding phishing should especially address the following aspects:
- Pay attention to what the message is offering or requesting : be suspicious of emails, SMS messages, or advertisements offering products at prices far below normal; don't believe offers sent with incredibly low prices. Don't believe emails that ask you to reply with your webmail or bank username and password; this is fraud. Messages supposedly sent by the Federal Revenue Service informing about irregularities in your CPF (Brazilian taxpayer ID) are also fraudulent. Be suspicious of emails supposedly sent by your bank with a link to update your internet banking module. Don't believe emails with quotes, invoices, or service orders that you never requested. And pay attention to the text of the message; it's very common for phishing messages to contain spelling errors.
- Pay attention to the sender and the links in the messages : carefully observe the sender's email address and also the destination address of the links contained in the message. If they seem strange, be immediately suspicious and do not click.
- Pay attention to the website address : if you clicked on a link and were directed to a website, a downloadable file, or a form requesting data, pay close attention to the address that appears in your browser's address bar. The tip about checking if the site has the HTTPS padlock (encryption) is no longer sufficient, as newer phishing sites also use HTTPS. However, it's important to check if the website address is correct. If in doubt, search Google for the name of the company you want to access and verify its actual website address.
For more information, including examples of phishing and protection techniques, see the article Phishing: how to protect yourself and avoid falling for the scam .
Implement an IT resource usage policy
Ideally, the company should document and inform all employees about a policy on acceptable internet and technology use, aiming to ensure information security and employee productivity. This policy should describe what can be accessed on the company network and what the penalties are for non-compliance. For legal reasons, the company may require employees to sign a statement acknowledging this policy, stating their understanding of the rules and penalties.
Employees should be instructed on best practices for internet security and should be aware of their responsibility to protect company data and information.
We provide a template document on internet usage policy in companies . You can use it to inform and educate employees about the company's internet usage policy in the workplace, ensuring the appropriate use of the internet and technology resources by employees.
One point to consider in this policy is the use of personal equipment in the workplace, especially cell phones – smartphones – the company should make the rules clear. To facilitate the creation of a specific policy on cell phone use in the company, aiming at the proper use of equipment without harming focus and productivity, see the document template on cell phone use policy in companies .
To conclude
We believe that attention to information security is essential for the success of growing companies. Those small and medium-sized enterprises that gradually and consistently implement the 10 factors discussed in this article will certainly have good internet security in 2020: strong passwords for all users and devices; two-factor authentication (2FA); protection and control of internet access ; antivirus software on all computers; firewalls to limit and log network traffic; backup of important data; always up-to-date software; restricted permissions on shared files; employee education on phishing and social engineering; and a policy for the use of IT resources.
Was this article helpful to you? Do you have any questions? You can leave a comment or contact me directly at heini@lumiun.com
10 comments
Comments closed