Small and medium businesses (SMB) account for 97% of all businesses domestically and employee 68% of Australians. SMBs are usually described as less than 50 employees, with $10Million of annual turnover or less.
This large part of our economy is not well suited for many of the sophisticated cyber attacks that now exist. They usually don’t have any IT employees and instead outsource the IT administration to Managed Service Providers (MSP) or IT consultancies. These same small businesses are the hardest hit by cybersecurity issues with 60% of SMB companies going out of business within 6 months of a cyber attack or data breach. They just don’t have the resources to fight and then contain a cyber event. They’re rarely prepared for the brand damage that will come from it and eventually stop trading. This is particularily true for ransomware attacks as often the important data can never be recovered. Imagine if this is your list of clients? Or your intellectual property? Or if you’re a graphic designer and all your images were suddenly unusable. You can see how this could kill some companies.
I saw this first hand as an IT consultant for many years. Before a breach customers would often say that it wasn’t worth paying the money to address existing security issues. This is common as SMBs typically don’t like paying for cybersecurity but are the hardest hit when it eventually happens. This paradox is not sustainable and we need to find inexpensive ways for SMBs and startups to uplift their cybersecurity.
This is even more important in a post COVID-19 world. Teams were moved to work from home (WFH) quickly and many smaller companies didn’t have time to sufficiently prepare for the cybersecurity challenges that this new world presents. I started writing this several months back, but this is a perfect time for me to publish.
So, here’s my list in a roughly prioritised fashion. The emphasis is on simple security that non-technical people can use. These first eight controls (1-8) are implemented on the employees individual computer, or phone (or both). Numbers 7 and 8 need to happen on employee computers, phones AND any servers (physical or virtual) that the company owns.
1. Multi-Factor Authentication
Before you do anything else install a multi-factor authentication (MFA) app on your smart phone if you don’t have one installed now. Then have all your employees do the same thing. I prefer Authy, but the Google Authenticator application is probably the most common. Being a Michigan boy, I have to mention the Duo Mobile MFA tool can be found here. Microsoft has their own app as well. Authy allows you to do backups and migrate to a new phone and a lot of other housekeeping functions that the others don’t. There is still room for improvement with these apps as I personally would like to see the ability to create folders within the tool to manage similar types of access as well as biometric access to the app. However, the price is right.
Next: Make sure that all important websites you and your teams use have MFA enabled. Banking, Xero, LastPass, Jira, Bitbucket, Github, O365, AWS, Azure, etc. Then once you are done with your web apps, do the same thing on your phone apps: Banking, Rewards accounts and any other apps that are important to you and that you need for work. If it supports MFA, enable it and use your authenticator from #1 above. This function alone can save your ass more than anything else when you are being targeted.
You can check if your bank or other common websites support MFA here: https://twofactorauth.org
Lemme vent about one of my pet peeves here: I don’t know why Australian banks have lagged so far behind on adding support for MFA apps to their web portals. NAB and CommBank both do NOT have MFA apps as an option on their web apps. CommBank will use a “NetCode” which is delivered in their app, but that’s only if you are authorizing a new payment or BillPay. What are you providing CommBank to protect my login to your NetBank and Web portal? CommBank, please up your game and offer support for MFA apps for customers that want to use it!
2. Password Manager
Install a password manager and then configure it to use multi-factor authentication (MFA) using the MFA you installed in #1 above. I personally use LastPass, but I’ve heard good things about both 1password and Dashlane from friends of mine. Whichever tool you use, make sure that the master user and password are protected by MFA. MFA and a password manager are the two best things that a user can do to protect themselves. If you have employees I highly recommend you upgrade to the paid version of whatever tool you choose. You can then give each employee their own set of credentials and delegate required access.
- LastPass: https://www.lastpass.com/
- 1password: https://1password.com/
- Dashlane: https://www.dashlane.com/
3. Security Browser Extensions
Do NOT use the browser that came with your computer and definitely don’t use a browser in its default implementation. Securing the browser means using extensions to protect yourself.
I recently wrote a blog article about the security and privacy browser extensions that I use. And, they’re all FREE! https://securestack.com/blog/BrowserSecurity.html
4. Endpoint Protection (AV/EPP/EDR)
Back in the day I used free anti-virus tools like AVG and MalwareBytes and it was good enough. That’s not the case anymore. I can’t in good conscience suggest people do that in 2020. The threat landscape has changed too much, and for the worse. Instead, I recommend that you invest in a good “Endpoint Protection” (EDR) solution. I am personally using BitDefender myself but am contemplating on changing as BitDefender is refusing to let me pay for an upgrade in subscription. Regardless, most EDR solutions have a central management console that allows you to see and manage all computers you are managing with their platform. This is important as you want to make sure that all employees devices are up to date and have latest virus signatures, etc.
Whatever you do, make sure you get something with some ransomware protection built in. In fact, this probably needs to be another blog post about how to protect yourself from ransomware attacks. Stay tuned…
Cost: Starts at roughly $100 per employee per year.
5. Add Anti-Virus to Your Browser
Now that you have your EDR solutions sorted from #4 above, make sure that you have an antivirus web extension installed and turned on for your browser of choice (or all browsers really). Good products like BitDefender will automatically install this for you.
Cost: FREE (well, comes with paid subscription)
6. Sync Browser Data
This is very helpful but is definitely a potential privacy concern. I’ve wrestled with this dilemma internally and have decided that the security and redundancy that having Google back up my stuff outweighs my personal privacy concerns. You can read about setting up Google sync here.
Setup backups for any important systems. This includes laptops and workstations, not just servers. Many companies think that because most of their business functions happen in SaaS applications that they don’t need to do backups anymore but my question then is, “how long would it take you to setup your laptop again to 100% working?” and “how long would it take to perform 100% of your business functions on a brand new laptop?”
CrashPlan, Carbonite, Backblaze and other online backups have cheap pricing for SMBs. I have personally used CrashPlan for years and have used it several times to restore family, friends and clients data after it was encrypted with ransomware.
One last minute addendum here: If you have a Mac I would recommend you use Time Machine. It’s simple and free but make sure you backup to a separate device at least once a week. Do not rely on a USB drive that’s always plugged in. If all your files are encrypted in a ransomware attack, that USB disk will be encrypted as well. So, pay for a couple 500G or 1TB drives and swap them once or twice a week. This article does a good job of explaining it.
Cost: FREE. Paid backup starts at $10 a month per computer
8. Update Software
Software on your individual computer needs to be updated at least once a month, and preferably much more often. This applies to your desktop computers, mobile devices and any servers that you own or run. This is often a problem for that on-premise server that has been sitting in the corner for years serving up your files. When’s the last time it was patched?
If you aren’t patching, you are leaving yourself open to a host of potential threats and attacks. It’s similar to not getting vaccinated for diseases that you could easily protect yourself from. Set a day at least once a month, when you update and patch all your devices and services. Then block time for all your employees to actually do it.
9. Link Awareness
Be very careful about clicking on any links in an email, PDF, webpage or similar. See those links above? They look harmless, right? If you hover your cursor over them, and wait a second, the link will display what it’s going to. Train your staff to look and read the domain before they click. Clicking on unknown links is the origin of most ransomware and cyber attacks. Even worse, criminals have learned to register copycat domain names like hotrnall.com and office356-us.org which look legit at first glance, but send you to a copycat website. That fake site collects your real credentials and then sends you on the real website where you log in successfully not realizing what’s happened.
Consider applying other controls like endpoint protection or email filtering to limit the possibility of your employees clicking on the wrong link.
Buy a Cynch membership. Cynch is the only cyber fitness platform designed for small business. They take the complicated technical jargon out and replace it with common sense plain language. Cynch helps small business define, quantify and address their cybersecurity related risk. Cynch is as little as $99 a month and it helps your whole team become smarter about cybersecurity while it protects your business.
These guys are friends of mine and are making a great difference here in Australia: https://cynch.com.au/
Cost: Starts at $99 a month
11. Phishing Awareness
If you don’t buy a Cynch membership, then at least buy some phishing training. There are cheap courses online in places like Udemy. I suggest you pay for something decent as phishing is one of the most successful ways that Australian businesses get scammed. The city of Brisbane alone has lost over $600k in multiple schemes this way. The phishing attacks have only grown in sophistication and are now coming from within Australia, so the person on the other end of the phone or email sounds like you and knows the same things that you do because they’ve studied your company and done their research. Potentially FREE, but you get what you pay for?
Cost: Varies, and some resources are FREE
12. Wifi Isolation
If your employees or guests can bring in their own computers, tablets, or connect their smart phones and connect to your company network, this is called “bring your own” or BYO.
Have your IT team create a second wifi network for them called “Guest network”. Next, create complex but understandable passwords for both the guest and “Work” networks and be prepared to rotate them once a month at least. I know this is a pain in the ass but it protects you as all your neighbours will eventually get the password and if you don’t change it they will be living off your internet connection for YEARS. Finally, make sure none of your employees are violating this policy and make sure that all BYO devices are NOT on your work network. Your IT team can use some relatively simple methods to add only work computers to the work wifi (mac addresses bound to DHCP leases is a good example).
Understand that your internet connection is your responsibility. If someone uses it for illegal activity you could be liable.
13. SaaS Management
SMB companies use a lot of SaaS software. SaaS stands for “Software-as-a-Service” and describes software that you use through a browser that doesn’t need to be installed on your computer per se. How many SaaS applications does your company use? Common SaaS apps for SMBs are: Xero, MYOB, QuickBooks Online, Google Mail, Microsoft Office 365, Wix, and SquareSpace. Some common startup SaaS apps are: Mailchimp, Hubspot, Slack, Asana, Github, Bitbucket, Calendly, Basecamp, Airtable, Google Docs, Microsoft Office365, Sketch, Trello, Jira, Canva, and Pipedrive. There are obviously hundreds more that SMB customers use. SMB companies with less than 20 employees average at least 26 different apps in use. Startups often use an average of 100 or more SaaS applications.
Managing the logins, credentials, permissions, etc can be a real headache for people. Especially if you don’t have a dedicated IT person to handle it all. This is a real issue for many companies as they don’t keep track of the logins and credentials and then have to constantly reset the passwords for these SaaS tools. This ongoing behaviour makes it hard to catch a bad guy who does something similar. The email telling you about the password change (by the bad guy) gets lost in all the other legitimate password resets.
It’s important to define the SaaS assets and credentials that your company requires and use separate complex passwords for each SaaS app. Add all those logins to your password management tool from step 2 above and make sure that you protect that master account with a great password and a MFA app from step 1.
Once that’s all done make sure you add more than one person to the master account so if that person leaves or gets hit by a bus you have a backup admin that can retrieve those credentials.
14. Hire a Pro
If you are going to host a web application, interact with customers online, sell online or use the web as a primary means to conduct business, you should hire a pro to make sure that you do all that safely. If the loss of something like email, your website, chat functions or similar would damage you financially, then it’s time to budget for a cyber uplift. It’s surprising to me how undervalued cybersecurity is by many SMBs until they have a security incident and then the reality sets in that maybe they should have done more. Cyber attacks and data breaches are particularly disastrous for SMBs, so take the time to follow the steps above and then hire a pro.
If you need help with managing your on-premise or SaaS applications, we can point you towards one of our MSP partners. If you need help building or designing a web application or functionality in the cloud, we can point you towards one of our solutions provider partners.
If you need help scaling or securing your web application we can help you out: https://securestack.com/sme.html
Cost: Well worth it
I hope you’ve found something useful in this that will make your small business stronger and more resilient. If you think I should add something please hit me up here.