How can a small/medium sized business protect against ransomware and cyber-attacks? I believe the answer is to reduce your exposure by limiting your IT ‘surface area’. Small adjustments to your IT infrastructure can make your systems significantly more secure. No system is completely safe though, so plan for the worst and hope for the best!
A few years ago, malware was usually just an inconvenience, but it now has the ability to cause serious data loss and major business downtime.
A brief outline of some security considerations:
1. Have a formal business process in place for handling any communication from a supplier asking you to change the bank account details used for payments, so that the request can be verified as legitimate
2. Ensure you have a good quality monitored backup solution in place which covers all business data you wouldn’t want to lose
3. Have a disaster recovery plan that is tested and updated every 6 to 12 months (think business continuity). Ensure responsibilities are clear and that all aspects of your IT/comms environment are covered
4. Have a documented process in place so that when staff leave the business all their various accounts are disabled/deleted immediately
5. Ask your employees to take extra care, and only use their computers for business use. Create an internal IT policy which clearly defines acceptable use, and update this document as technology changes
6. Staff opening suspect emails is still a prime route into your PCs. Train staff, and consider using a free third-party service like https://www.knowbe4.com/phishing-security-test-offer to see how prone they are to phishing emails
7. Ensure your IT systems are updated often with the latest security patches and firmware
8. Spread your IT risk: use a mixture of cloud services and onsite IT solutions
9. Change over to a firewall with integrated security services, and have your existing firewall policies reviewed. Don’t use a normal ISP-supplied router, which has next to no protection
10. Retire old vulnerable software and hardware from your business
11. Ensure your staff are aware of the risk of inserting an unknown USB drive
12. Implement a mobile device management policy for your company laptops, tablets and mobile devices
13. Upgrade to the latest wireless security protocols, get rid of WEP, and ensure you separate your wifi networks so that any guests’ devices are completely isolated on a separate network
14. Look at two-factor authentication (2FA) for protecting access to critical parts of your IT systems
15. Add additional layers of security to email, even if it already comes with security built in. Standard filtering is often not good enough
16. Change your passwords every couple of months, use complex passwords, and don’t recycle or share them!
17. Would your business benefit from DDoS protection for critical internet connections or websites?
18. Is your data 100% safe in the cloud? Think about backing up your cloud services such as Office 365, Dropbox, Google etc.
19. Allow only authorised devices on your network, using network access control solutions where appropriate
20. Think about encryption for laptops, tablets and removable storage devices, and consider a Data Loss Protection solution
21. Run Security audits or independent Vulnerability Scans against your computer systems
22. Ensure you have a relationship with a professional IT company that can improve your IT security and help if the unfortunate happens
23. Desktops and laptops should be protected by anti-malware, not just antivirus
24. Did I mention backups?