In 2019, 43% of data breaches occurred in SMEs, and the average cost of a cyber attack to an SME was $38,000. Noting that SMEs still too often ignore the cybersecurity alarm in 2020, Bitdefender Turkey General Manager Barbaros Akkoyunlu lists four cybersecurity steps for SMEs that want to protect their customers and their business.
With the increase in cyber attacks on SMEs, 2020 looks like a year in which SMEs and their customers need to be protected from preventable threats. The fact that 43% of data breaches in 2019 occurred in SMEs, and that the average cost of a cyber attack to an SME is 38 thousand dollars, reveals the scale of the attacks against SMEs.
With the increase in connectivity of companies, people, and devices, the risks associated with the vulnerability of systems and users to malware, phishing, ransomware, hackers, viruses, and many other threats also increase.
To help small and medium-sized companies manage their internet use, bring more security to their online activity and also improve employee productivity, we have listed 10 updated tips that can serve as a basis for adopting a culture of information security in your company in 2020.
1 – USE SECURE PASSWORDS FOR ALL USERS AND DEVICES
Even today, the password is the most important form of authentication for accessing information and computing resources. Increasingly fast computers allow a password to be broken in a short time that would have been impossible a few years ago. Therefore, longer passwords are now necessary to increase security on the internet.
Company rule for strong passwords:
- passwords with a minimum length of 8 characters (preferably 12 or more);
- that combine uppercase, lowercase, numbers and symbols; and
- that do not contain obvious information or simple strings.
A survey by PreciseSecurity.com revealed that 30% of ransomware infections occurred due to the use of weak passwords. Another survey, carried out by Google, shows that 2 out of 3 people reuse the same password across different services they access on the internet, with over 50% of people reporting that they use the same “favorite” password on most sites and systems they access.
Also, remember that it is extremely important to change the factory default password of equipment connected to the network. For example, many Wi-Fi routers and surveillance cameras ship with an admin user and a default admin password. If you do not change this password, the equipment will be vulnerable and could compromise the security of your entire network, including privacy problems and information leakage. Likewise, “administrator” user accounts and any unused accounts must also have a strong password or else be disabled.
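The company rule above, turned into a checker that enforces the three bullet points and also rejects the factory-default credentials just mentioned. This is an added example, not code from the original article; the default-password and keyboard-sequence lists are constructed illustrations, and a real deployment would additionally consult a breached-password list.

```python
import re

# Rule from the article: >= 8 characters (12+ preferred), a mix of character
# classes, and nothing obvious. These lists are constructed examples only.
FACTORY_DEFAULTS = {"admin", "password", "123456", "12345678", "qwerty", "welcome"}
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl")
REPEAT = re.compile(r"(.)\1{3}")   # four or more identical characters in a row


def has_simple_run(pw: str, length: int = 4) -> bool:
    """True if pw contains a keyboard/alphabet/digit sequence (either direction) or a repeated run."""
    low = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - length + 1):
            chunk = seq[i:i + length]
            if chunk in low or chunk[::-1] in low:
                return True
    return REPEAT.search(low) is not None


def check_password(pw: str, user_info=()) -> list[str]:
    """Return rule violations; entries starting with 'advice:' do not fail the check."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 12:
        problems.append("advice: 12 or more characters is preferred")
    if not all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")):
        problems.append("must combine uppercase, lowercase, numbers and symbols")
    if pw.lower() in FACTORY_DEFAULTS:
        problems.append("is a factory default or common password")
    for token in user_info:            # e.g. username, company name, birth year
        if len(token) >= 3 and token.lower() in pw.lower():
            problems.append(f"contains obvious information: {token!r}")
    if has_simple_run(pw):
        problems.append("contains a simple sequence or repeated run")
    return problems


def is_acceptable(pw: str, user_info=()) -> bool:
    """A password passes when it has no violations other than advice."""
    return not [p for p in check_password(pw, user_info) if not p.startswith("advice:")]
```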
2 – ENABLE TWO-FACTOR AUTHENTICATION (2FA)
Two-factor authentication is also called two-step verification; the abbreviation 2FA comes from the English term two-factor authentication. This technique complements the password and adds a lot of security when accessing systems and resources on the internet.
With two-factor authentication, access depends on the correct password and also on some other factor, such as a code sent by SMS or a code generated by an application on the smartphone. That way, even if someone finds out the password for the email account, they will not be able to access it, because access also depends on the code that is sent to the account owner’s smartphone.
It is recommended to activate it, at least for the most important resources. The email account certainly belongs on this list, because through email it is possible to reset the password of many other services using functions like “I forgot my password”.
To start using 2FA, we recommend that you enable two-factor authentication in Gmail and WhatsApp. Google calls two-factor authentication “two-step verification”, and it greatly increases the security of Gmail. WhatsApp calls the same functionality “two-step confirmation”, and it is highly recommended that it be enabled to make WhatsApp theft or “cloning” more difficult.
Also check whether the other important applications used in the company offer 2FA or two-factor authentication, and activate this protection wherever it is available.
3 – PROTECT AND CONTROL INTERNET ACCESS
It is recommended to use tools that prevent access to harmful content, such as suspicious websites that often contain viruses or malware. It is common for employees to receive fake emails with links that lead to fraud sites. In addition, attempts to download mp3 music, adult content or games often end with a virus being installed. Most attacks start from access to a harmful or malicious website: when the access occurs, that website installs a virus on the equipment in a hidden way and thereby opens a door on the network for other attacks, generally impairing security on the internet.
The use of protection mechanisms against access to malicious websites is increasingly important. Through this type of control, it is possible to define which groups of users will have access to which types of sites, thus avoiding the use of sites that are outside the scope of the work as well as access to addresses with harmful content. Through this tool, the manager protects the network against sites used in phishing, malware and ransomware attacks.
4 – USE ANTIVIRUS ON ALL COMPUTERS
Especially on computers and servers with the Windows operating system, it is essential to use good antivirus software, kept up to date and configured to perform periodic scans. Currently, antivirus cannot be left out or replaced by other solutions; it remains essential for internet security. In the company, you must choose a paid license and not use pirated software or continue with trial versions. It is important that the antivirus and/or antimalware is always up to date and activated in order to offer its protection. An outdated antivirus, or one with real-time protection disabled, loses effectiveness and leaves computers more vulnerable.
Some good antivirus options for small and medium businesses:
- Kaspersky Small Office Security
- Avast Business Antivirus
- Bitdefender Small Office Security
- ESET Endpoint Protection Advanced Cloud
- McAfee Endpoint Security
5 – LIMIT AND RECORD NETWORK TRAFFIC WITH A FIREWALL
The firewall controls the data flow, with which it is possible to filter the traffic, configuring what should pass and what should be discarded. When properly configured on a computer network, the firewall acts as an additional layer of protection against external attacks and increases the company’s security on the Internet, including its information, equipment and systems. Typically, the firewall is one of the main defenses in the perimeter of a private network, being an essential component in protecting against unwanted traffic and intrusion attempts.
Make sure you have an active and well-configured firewall that is protecting and recording the connections between the internet and the equipment on your local network. If possible, keep internet access to your internal servers blocked, especially the remote desktop service (RDP). This service is a constant target of intrusion attempts aimed at deploying ransomware that blocks and hijacks data. The FBI has already issued an alert regarding the large wave of attacks on the Remote Desktop Protocol (RDP). The alert even mentions the existence on the black market of lists, offered for sale, of servers vulnerable to intrusion because they expose the standard remote desktop port (3389) without restriction.
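The “record” half of this tip is only useful if someone reads the records. As an added example that is not part of the original article, the script below reads constructed firewall drop logs in the iptables LOG line format and reports sources that repeatedly hit the remote desktop port (3389) from the internet. The `FW-DROP` log prefix and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in iptables LOG format. "FW-DROP" is assumed to be the
# --log-prefix set on the rule that drops unsolicited inbound traffic.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=3389
Jan 10 12:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=51001 DPT=3389
Jan 10 12:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=51002 DPT=3389
Jan 10 12:00:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=40000 DPT=443
Jan 10 12:00:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.6 PROTO=TCP SPT=51003 DPT=3389
Jan 10 12:00:11 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP SPT=40100 DPT=22
"""

LINE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse(log: str) -> list[dict]:
    """Extract source, destination, protocol and destination port from each drop line."""
    return [m.groupdict() for m in (LINE.search(line) for line in log.splitlines()) if m]


def summarize(records: list[dict], port: int = 3389):
    """Count dropped attempts against `port` per source, and the distinct internal hosts each source probed."""
    hits, targets = Counter(), defaultdict(set)
    for r in records:
        if r["dpt"] == str(port):
            hits[r["src"]] += 1
            targets[r["src"]].add(r["dst"])
    return hits, targets


def noisy_sources(log: str, port: int = 3389, threshold: int = 3) -> dict:
    """Sources with at least `threshold` blocked attempts on `port`: candidates for a block list or an alert."""
    hits, targets = summarize(parse(log), port)
    return {src: {"attempts": n, "targets": sorted(targets[src])}
            for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for src, info in noisy_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} blocked RDP attempts against {', '.join(info['targets'])}")
```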
6 – HAVE BACKUP COPIES OF IMPORTANT DATA
It never hurts to remember the importance of having a reliable backup, from which important data can be recovered after any incident. In some types of attacks, such as ransomware, which blocks data until a ransom is paid, the main way to solve the problem is to restore company data from a backup copy. Backup is essential in the security of company information.
The backup strategy must be implemented so that one backup copy is kept in a location disconnected from the original location of the data. If the backup is made to an additional disk that is constantly connected to the server or to the network where the original data is located, then in the specific case of ransomware the backup files may also be blocked at the time of the attack, rendering the backup useless. It is important to have a backup copy in a location separate from where the original data is located.
To understand the importance of backing up your company’s data and documents, imagine your company suddenly losing all of its financial spreadsheets, management controls, business data, customer information, the products and services it offers and the history of its employees. It is very difficult to imagine the depth of the impact of such a situation on a company. The loss would be enormous, and all administrative and commercial activities of the company would be compromised.
To avoid this situation, it is essential to maintain a well-structured backup strategy. The more automated the task of performing the backup, the greater the chance of having it up to date when there is a need for data restoration. It is important to document and periodically test the restoration process: the real use of a backup is not the backup itself, but the successful restoration.
For companies that do not yet have a well-structured backup and want to start with a copy of their important data in the cloud, some service options for simple cloud backup are as follows:
- Google Drive
7 – KEEP SOFTWARE ALWAYS UP TO DATE
Software companies are continually releasing corrections to their programs to fix defects, improve performance and add functionality. Among these fixes are also solutions for vulnerabilities and security improvements in software packages. It is increasingly important to keep the operating system and other software packages with automatic updates enabled, at least for updates related to information security.
For example, the ransomware known as WannaCry (or WannaCrypt) – which installs itself on Windows computers, encrypts data and demands a ransom – can successfully attack computers that do not have the MS17-010 update. According to Microsoft, “Security update MS17-010 addresses several vulnerabilities in Windows Server Message Block (SMB) v1. The WannaCrypt ransomware is exploiting one of the vulnerabilities that is part of the MS17-010 update. Computers that do not have MS17-010 installed are at high risk due to various variations of the malware.”
8 – RESTRICT PERMISSIONS ON SHARED FILES
In many small and medium-sized businesses, this is neglected. However, it is important to check the level of access that each user or group of users actually needs to the files shared on the network, so as not to grant access beyond what is necessary. If a group of users only needs to view certain files, and not modify them, they should have read-only access. This segregation of access permissions according to the needs of each group of users is essential for information security. It prevents unauthorized users from, for example, altering the system files used by the company or the financial planning spreadsheets.
You should also avoid widespread use of administrative-level user accounts, such as administrator or root, on computers. In the same way as the care taken with file access permissions, this measure limits the extent of the damage that a user, even unintentionally, could cause to the data.
9 – EDUCATE EMPLOYEES ABOUT PHISHING AND SOCIAL ENGINEERING
Phishing is a type of cybercrime that uses social engineering techniques to deceive internet users through falsified messages and websites. The objective is to steal sensitive information, such as passwords and credit card data, and in some cases to induce the payment of fraudulent payment slips.
The volume of phishing attacks targeting people and companies in Brazil remains very high: 1 out of 5 Brazilian users is susceptible to phishing. Brazil is in 3rd place in the ranking of the countries most attacked by phishing scams. A report published by Cisco in 2019 found that 38% of respondents faced problems with phishing in the previous year.
The company must make its employees aware of safety behavior on the internet. The guidance of employees is essential for information security in companies.
Phishing employee training
Guidance to employees in relation to phishing should especially address the following aspects:
- Pay attention to what the message is offering or requesting: be wary of emails, SMS or advertisements with product offers at prices far below normal, and do not believe offers at an incredibly low price. Do not believe emails that ask you to reply with your webmail or bank username and password; this is fraud. Messages allegedly sent by the IRS informing you of an irregularity in your CPF are also fraudulent. Be wary of emails supposedly sent by the bank with a link to update the internet banking module. Don’t believe emails with quotes, invoices or work orders that you never asked for. And pay attention to the text of the message: it is very common for phishing messages to contain spelling errors.
- Pay attention to the sender and the links contained in the messages: look closely at the sender’s email address and also at the destination address of the links contained in the message. If they look strange, be wary immediately and don’t click.
- Pay attention to the website address: if you clicked on a link and were taken to a website, a downloadable file or a form requesting data, look closely at the address that appears in the browser’s address bar. The old tip of checking whether the site has the HTTPS padlock (encryption) is no longer enough, since new phishing sites also use HTTPS. It is still important to check whether the website address is correct. When in doubt, search Google for the name of the company you want to access and check the real address of its website.
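The three checks above (sender address, link destination, real website address) can be automated for a first triage of suspicious messages. As an added example that is not part of the original article, the script below parses a constructed phishing-style email and reports the mismatches a trained employee would look for. The `OFFICIAL_SITES` table stands in for “search for the company and check its real address”; all domains are constructed example names.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed message imitating the "update your internet banking module" lure.
SAMPLE_MAIL = """\
From: "Banco Exemplo" <seguranca@banco-exemplo-atualiza.example.net>
To: financeiro@empresa.example
Subject: Atualize seu modulo de internet banking
Content-Type: text/html; charset=utf-8

<p>Prezado cliente, clique em <a href="https://login.banco-exemplo.example.net.attacker.example/update">https://www.banco-exemplo.example</a> para atualizar.</p>
"""

# Assumed table of brand keyword -> real website, as found by searching for the company.
OFFICIAL_SITES = {"banco-exemplo": "banco-exemplo.example"}
LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host: str) -> str:
    """Crude owner of a host: its last two labels (a real check would use the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was detected."""
    msg = message_from_string(raw)
    sender = re.search(r"@([\w.-]+)", msg["From"]).group(1).lower()
    findings = []
    for brand, official in OFFICIAL_SITES.items():
        if brand in sender and registrable(sender) != official:
            findings.append(f"sender {sender} imitates {brand} but is not {official}")
    for href, text in LINK.findall(msg.get_payload()):
        host = (urlparse(href).hostname or "").lower()
        if registrable(host) != registrable(sender):
            findings.append(f"link host {host} is outside sender domain {sender}")
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
        for brand, official in OFFICIAL_SITES.items():
            if brand in host and registrable(host) != official:
                findings.append(f"link host {host} imitates {brand} but is not {official}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MAIL):
        print("-", finding)
```

Note that the lure uses HTTPS and the real bank name in both the sender and the link, which is exactly why the padlock alone proves nothing.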
10 – IMPLEMENT A POLICY FOR THE USE OF IT RESOURCES
Ideally, the company should be concerned with documenting and informing all employees about a policy of acceptable use of the internet and technology resources, aiming at information security and employee productivity. This policy should describe what can be accessed on the company’s network and what are the penalties for non-compliance with the rules. For legal reasons, the company may require the employee to sign a statement of knowledge of this policy, informing his or her awareness of the rules and penalties.
Employees must be guided by good internet security practices and must be aware of their responsibility to keep company data and information protected.
Create a document to inform and educate employees about the policy for using the internet in the company’s work environment, in order to ensure the proper use of the internet and technology resources by employees.
One point to be considered in this policy is the use of personal equipment in the work environment, especially the cell phone (smartphone): the company must make it clear what the rule is.
We believe that care for information security is essential for the success of growing companies. Small and medium-sized companies that implement, gradually and consistently, the 10 factors covered in this article will certainly have good security on the internet in 2020: secure passwords for all users and equipment; two-factor authentication (2FA); protection and control of internet access; antivirus on all computers; a firewall to limit and record network traffic; backups of important data; always updated software; restricted permissions on shared files; employees educated about phishing and social engineering; and a policy for the use of IT resources.