UPDATED: October 6, 2022

Small businesses are a huge part of our economy

Small and medium businesses (SMB) account for 97% of all businesses domestically and employs 68% of Australians. SMBs are usually described as less than 50 employees, with $10Million of annual turnover or less.

This large part of our economy is not well suited for many of the sophisticated cyber attacks that now exist. They usually don’t have any IT employees and instead outsource the IT administration to Managed Service Providers (MSP) or IT consultancies. These same small businesses are the hardest hit by cybersecurity issues with 60% of SMB companies going out of business within 6 months of a cyber attack or data breach. Small businesses just don’t have the resources to fight and then contain a cyber event and they’re rarely prepared for the brand damage that will come from it and eventually stop trading. This is particularly true for ransomware attacks as often the important data can never be recovered. Imagine if this is your list of clients? Or your intellectual property? Or if you’re a graphic designer and all your images were suddenly unusable. You can see how this could kill some companies.

“If I knew then, what I know now…”

I saw this first hand as an IT consultant for many years. Before a breach customers would often say that it wasn’t worth paying the money to address existing security issues. This is common as SMBs typically don’t like paying for cybersecurity but are the hardest hit when it eventually happens. This paradox is not sustainable and we need to find inexpensive ways for SMBs and startups to uplift their cybersecurity.

This is even more important in a post COVID-19 world. Teams were moved to work from home (WFH) quickly and many smaller companies didn’t have time to sufficiently prepare for the cybersecurity challenges that this new world presents. I started writing this several months back, but this is a perfect time for me to publish.

13 tips for your small business

So, here’s my list in a roughly prioritized fashion. The emphasis is on simple security that non-technical people can use. These first eight controls (1-8) are implemented on the employee’s individual computer, or phone (or both). Numbers 7 and 8 need to happen on employee computers, phones AND any servers (physical or virtual) that the company owns.

1. Multi-Factor Authentication

The most important thing you can do

Before you do anything else install a multi-factor authentication (MFA) app on your smartphone if you don’t have one installed now. Then have all your employees do the same thing. I prefer Authy, but the Google Authenticator application is probably the most common. Being a Michigan boy, I have to mention the Duo Mobile MFA tool can be found here. Microsoft has their own app as well. Authy allows you to do backups and migrate to a new phone and a lot of other housekeeping functions that the others don’t. There is still room for improvement with these apps as I personally would like to see the ability to create folders within the tool to manage similar types of access as well as biometric access to the app. However, the price is right.

Add MFA to all your apps

Next: Make sure that all-important websites you and your teams use have MFA enabled. Banking, Xero, LastPass, Jira, Bitbucket, Github, O365, AWS, Azure, etc. Then once you are done with your web apps, do the same thing on your phone apps: Banking, Rewards accounts and any other apps that are important to you and that you need for work. If it supports MFA, enable it and use your authenticator from #1 above. This function alone can save your ass more than anything else when you are being targeted.

You can check if your bank or other common websites support MFA here: https://twofactorauth.org

Banks are not doing enough!

Lemme vent about one of my pet peeves here: I don’t know why Australian banks have lagged so far behind on adding support for MFA apps to their web portals. NAB and CommBank both do NOT have MFA apps as an option on their web apps. CommBank will use a “NetCode” which is delivered in their app, but that’s only if you are authorizing a new payment or BillPay. What are you providing CommBank to protect my login to your NetBank and Web portal? CommBank, please up your game and offer support for MFA apps for customers that want to use it!

Cost: FREE

2. Password Manager

Install a password manager and then configure it to use multi-factor authentication (MFA) using the MFA you installed in #1 above. I personally use BitWarden, but I’ve heard good things about both 1password and Dashlane from friends of mine. Whichever tool you use, make sure that the master user and password are protected by MFA. MFA and a password manager are the two best things that a user can do to protect themselves. If you have employees I highly recommend you upgrade to the paid version of whatever tool you choose. You can then give each employee their own set of credentials and delegate required access.

1. Bitwarden: https://bitwarden.com/
2. 1password: https://1password.com/
3. Dashlane: https://www.dashlane.com/

Cost: FREE

3. Endpoint Protection (AV/EPP/EDR)

Free tools used to be enough

Back in the day, I used free anti-virus tools like AVG and Malwarebytes and it was good enough. That’s not the case anymore. I can’t in good conscience suggest people do that in 2022. The threat landscape has changed too much, and for the worse. Instead, I recommend that you invest in a good “Endpoint Protection” (EDR) solution. 

What is EDR?

EDR stands for “endpoint detection and response” and is the “next gen” version of anti-virus scanning technology and often leverages artificial intelligence to detect attacks.  Most EDR solutions will provide a number of features for their platform including threat intelligence, and many of them now offer some form of ransomware protection for example.  I am personally using CrowdStrike myself but we looked at several others including Cylance and SentinelOne. Most EDR solutions have a central management console that allows you to see and manage all computers you are managing with their platform. This is important as you want to make sure that all employees devices are up to date and have latest virus signatures, etc.

Whatever you do, make sure you get something with some ransomware protection built in. In fact, this probably needs to be another blog post about how to protect yourself from ransomware attacks. Stay tuned…

Cost: Starts at roughly $100 per employee per year.

4. Add Anti-Virus to Your Browser

Some EDR or anti-virus solutions require that you add a browser extension to your browser.  A good example is BitDefender.  Make sure that if your solution requires this extension, you have it installed.  Otherwise, you might not be as protected as you think you are.

Cost: FREE (well, comes with paid subscription)

5. Sync Browser Data

Chrome:

This is very helpful but is definitely a potential privacy concern. I’ve wrestled with this dilemma internally and have decided that the security and redundancy that having Google back up my stuff outweighs my personal privacy concerns. You can read about setting up Google sync here.

Cost: FREE

6. Backups

Backups are still the most important thing to have if you’ve been attacked

Setup backups for any important systems. This includes laptops and workstations, not just servers. Many companies think that because most of their business functions happen in SaaS applications that they don’t need to do backups anymore but my question then is, “how long would it take you to setup your laptop again to 100% working?” and “how long would it take to perform 100% of your business functions on a brand new laptop?”

Some helpful tools

CrashPlan, Carbonite, Backblaze and other online backups have cheap pricing for SMBs. I have personally used CrashPlan for years and have used it several times to restore family, friends and clients data after it was encrypted with ransomware.

If you are on a mac

One last minute addendum here: If you have a Mac I would recommend you use Time Machine. It’s simple and free but make sure you backup to a separate device at least once a week. Do not rely on a USB drive that’s always plugged in. If all your files are encrypted in a ransomware attack, that USB disk will be encrypted as well. So, pay for a couple 500G or 1TB drives and swap them once or twice a week. This article does a good job of explaining it.

Cost: FREE. Paid backup starts at $10 a month per computer

7. Update Software

Software on your individual computer needs to be updated at least once a month, and preferably much more often. This applies to your desktop computers, mobile devices and any servers that you own or run. This is often a problem for that on-premise server that has been sitting in the corner for years serving up your files. When’s the last time it was patched?

If you aren’t patching, you are leaving yourself open to a host of potential threats and attacks. It’s similar to not getting vaccinated for diseases that you could easily protect yourself from. Set a day at least once a month, when you update and patch all your devices and services. Then block time for all your employees to actually do it.

Cost: FREE

8. Link Awareness

https://facebook.com

https://www.ato.gov.au

Be very careful about clicking on any links in an email, PDF, webpage or similar. See those links above? They look harmless, right? If you hover your cursor over them, and wait a second, the link will display what it’s going to. Train your staff to look and read the domain before they click. Clicking on unknown links is the origin of most ransomware and cyber attacks. Even worse, criminals have learned to register copycat domain names like hotrnall.com and office356-us.org which look legit at first glance, but send you to a copycat website. That fake site collects your real credentials and then sends you on the real website where you log in successfully not realizing what’s happened.

Consider applying other controls like endpoint protection or email filtering to limit the possibility of your employees clicking on the wrong link.

Cost: FREE

9. Security Awareness Training

Buy a Cynch membership. Cynch is the only cyber fitness platform designed for small business. They take the complicated technical jargon out and replace it with common sense plain language. Cynch helps small business define, quantify and address their cybersecurity related risk. Cynch is as little as $99 a month and it helps your whole team become smarter about cybersecurity while it protects your business.

These guys are friends of mine and are making a great difference here in Australia: https://cynch.com.au/

Cost: Starts at $99 a month

10. Phishing Awareness

If you don’t buy a Cynch membership, then at least buy some phishing training. There are cheap courses online in places like Udemy. I suggest you pay for something decent as phishing is one of the most successful ways that Australian businesses get scammed. The city of Brisbane alone has lost over $600k in multiple schemes this way. The phishing attacks have only grown in sophistication and are now coming from within Australia, so the person on the other end of the phone or email sounds like you and knows the same things that you do because they’ve studied your company and done their research. Potentially FREE, but you get what you pay for?

Cost: Varies, and some resources are FREE

11. Wifi Isolation

If your employees or guests can bring in their own computers, tablets, or connect their smart phones and connect to your company network, this is called “bring your own” or BYO.

Here’s what you can do to protect your wifi network

Have your IT team create a second wifi network for them called “Guest network”. Next, create complex but understandable passwords for both the guest and “Work” networks and be prepared to rotate them once a month at least. I know this is a pain in the ass but it protects you as all your neighbours will eventually get the password and if you don’t change it they will be living off your internet connection for YEARS. Finally, make sure none of your employees are violating this policy and make sure that all BYO devices are NOT on your work network. Your IT team can use some relatively simple methods to add only work computers to the work wifi (mac addresses bound to DHCP leases is a good example).

Understand that your internet connection is your responsibility. If someone uses it for illegal activity you could be liable.

Cost: FREE

12. SaaS Management

SMB companies use a lot of SaaS software. SaaS stands for “Software-as-a-Service” and describes software that you use through a browser that doesn’t need to be installed on your computer per se. How many SaaS applications does your company use? Common SaaS apps for SMBs are: Xero, MYOB, QuickBooks Online, Google Mail, Microsoft Office 365, Wix, and SquareSpace. Some common startup SaaS apps are: Mailchimp, Hubspot, Slack, Asana, Github, Bitbucket, Calendly, Basecamp, Airtable, Google Docs, Microsoft Office365, Sketch, Trello, Jira, Canva, and Pipedrive. There are obviously hundreds more that SMB customers use. SMB companies with less than 20 employees average at least 26 different apps in use. Startups often use an average of 100 or more SaaS applications.

Criminals are targeting the SaaS tools you use

Managing the logins, credentials, permissions, etc can be a real headache for people. Especially if you don’t have a dedicated IT person to handle it all. This is a real issue for many companies as they don’t keep track of the logins and credentials and then have to constantly reset the passwords for these SaaS tools. This ongoing behaviour makes it hard to catch a bad guy who does something similar. The email telling you about the password change (by the bad guy) gets lost in all the other legitimate password resets.

It’s important to define the SaaS assets and credentials that your company requires and use separate complex passwords for each SaaS app. Add all those logins to your password management tool from step 2 above and make sure that you protect that master account with a great password and a MFA app from step 1.

Once that’s all done make sure you add more than one person to the master account so if that person leaves or gets hit by a bus you have a backup admin that can retrieve those credentials.

Cost: FREE

13. Protect your intellectual property

Many businesses now have a new form of intellectual property that they need to protect.  This is often in the form of custom software that they’ve had custom-built or modified for their use.  If your company is SaaS-based, then this custom software is the heart and soul of your business and without it, you probably wouldn’t be able to function.  But many “standard” types of businesses like real estate sales, or child care facilities, require software that has been modified to meet their requirements.  In this case, unlike SaaS-based businesses they would probably still be able to function, but their business model would suffer without the software functioning.

This new class of intellectual property needs to be protected as it is often the target of very sophisticated attacks.

If you are going to host a web application, interact with customers online, sell online or use the web as a primary means to conduct business, you should take precautions to protect your digital intellectual property. SecureStack helps startups and scale-ups protect their software with our platform.  It’s super easy to implement and you can be up and running in less than 20 minutes.  Feel free to reach out by clicking on the button below.

Cost: Well worth it

Paul McCarty

Founder of SecureStack

DevSecOps evangelist, entrepreneur, father of 3 and snowboarder

Forbes Top 20 Cyber Startups to Watch in 2021!

 Mentioned in KuppingerCole's Leadership Compass for Software Supply Chain Security!

When one of the most advanced cybersecurity outfits in the world AND the US Government get owned, what chance do YOUR apps stand against hackers?

The US Government has issued an emergency directive to power down SolarWinds Orion IT management tools after identifying a major security breach where infected updates have been used to compromise the networks of multiple private and public organisations. SolarWinds’ products and services monitor the health and IT networks and are used by more than 300,000 customers worldwide, including military, Fortune 500 companies, government agencies, and education institutions.

When I watch one of my friends of family members use their computer I usually see them using the default browser like Safari or Internet Explorer/Edge on their computers. When I ask if they’ve customized or secured their browser I get blank looks. This is also true on their phones with most people just using Safari on their iPhones or the built in Chromium on their Android device. That’s not necessarily a problem but running a browser with its default settings in place means you aren’t being protected from the many malicious and accidental issues on the net. This becomes an even more important thing as we start to use our own devices for work. Checking email is one thing, but using our phones to pay bills, pay employees, order supplies and the other million things we use the net for means we need to do more to make those devices secure.

So in an effort to help out my friends, family and also the wider SMB environment I put together this list of the extensions that I personally use to make me more secure AND to guard my privacy while online. I use a lot more extensions than these in my day to day browsing but we will concentrate on privacy and security extensions today.

Security & Privacy Extensions for Chrome & Firefox

Here’s my curated list of security and privacy browser extensions listed in preference of use.

LastPass: Start with Lastpass or a similar extension from Dashlane or 1Password. This extension will let you store your passwords and accounts and give you access to them in your browser. If you were to install only one extension, make it a password manager and make sure you enable multi-factor authentication (MFA)!

Technical Skill: Easy

Link: https://chrome.google.com/webstore/detail/lastpass-free-password-ma/hdokiejnpimakedhajhdlcegeplioahd?hl=en

Technical Skill: Medium

Link: https://www.torproject.org/

Anti-virus: You should have an anti-virus or endpoint protection solution in place, which should also include a browser extension that protects your browsing experience in real time. Some examples are Avast, Symantec, Trend Micro, Kaspersky, Norton, McAfee, ESET, Sophos, AVG, F-Secure, Avira and Webroot. I use BitDefender on my Mac and Windows machines and it comes with an extension called TrafficLight. Regardless of what solution you’ve bought, make sure the browser extension is installed and enabled. This can provide a lot of protection especially for less technical employees who don’t necessarily understand how to verify URLs and websites are legit.

Technical Skill: Easy

Technical Skill: Easy

Link: https://www.eff.org/https-everywhere

Ghostery: I’ve been using this extension for YEARS. This extension tells you what trackers are running on a website.

Technical Skill: Easy

Link: https://www.ghostery.com/

Ublock Origin: This extension is super powerful. I mean, like wow! It blocks adware, bad domains, tracking software, javascript, plugins and certain types of bad content for you. This one is a no brainer. Install it and you’ll be safer out the box. Do NOT use AdBlock or AdBlock plus, both have been taken over by potentially dubious actors and are now displaying ads.

Technical Skill: Easy

Link: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en

Privacy Badger: This extension learns the behaviour of tracking software across the totality of your web experience and blocks based on that aggregate behaviour. Privacy Badger seems to play nice with other blocking software like Ublock Origin.

Technical Skill: Medium

Link: https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp

No Coin:This browser extension looks for crypto-jacking websites and blocks them. End of story.

Technical Skill: Easy

Link: https://github.com/keraf/NoCoin

Facebook Container : This extension blocks Facebooks ability to track your browsing habits. Only works on Firefox.

Technical Skill: Easy

Link: https://addons.mozilla.org/en-US/firefox/addon/facebook-container/

Block Site: There’s a certain amount of overlap with this extension and Ublock but I still prefer this one if you want to simply block a website for a limited period of time, or for ever.

Technical Skill: Medium

Link: https://chrome.google.com/webstore/detail/block-site-website-blocke/eiimnmioipafcokbfikbljfdeojpcgbh?hl=en

Hoxx VPN:: This one might cause a stir but I have found this to be useful in certain circumstances. The trick is to understand, and explore, its potential use as it’s not true VPN, but instead more akin to a browser specific encrypted web proxy. This is an extension you install in your browser and you connect to a “VPN Server” in one of 16 countries and your web session with that browser session. Works great for testing web apps from different locations, or more generally when I need my http requests to come from within the US or UK or wherever, I flick this on. Also works as a general privacy overlay, but if you need a real VPN, please build one yourself with WireGuard, OpenVPN or SecureStack. Or install a true VPN client from this list.

Technical Skill: Medium

Link: https://hoxx.com/

Technical Skill: High

Link: https://noscript.net/

uMatrix:(Firefox only) This extension acts like a application aware firewall. You can block any part of a http/https request including sender, request type, header contents, etc. This extension requires some technical understanding so if you are not technical and you install this, all thats gonna happen is that it will block javascript and other components running on the websites you visit, which is of limited value unless you are going to some really dodgy sites. I’ve just started using this extension so I don’t know how much it will supplant Ublock Origin and some of the other extensions I’ve listed above. Because this extension requires technical skillz it will be of limited value to some people who would probably be better served by a bundle of extensions including Ublock, Privacy Badger, etc. Regardless, this extension is on the list because in the right hands it is pretty powerful.

Technical Skill: High

Link: https://addons.mozilla.org/en-US/firefox/addon/umatrix/