Cyber security basics for non-IT professionals 1/3

With the exponential increase of electronic devices over the last decades, and the pervasiveness of the internet in our lives and work, e-safety has become a major concern for individuals as well as for companies. I often see avoidable issues occurring in my clients’ companies and I decided I could share a few tips.

This guide does not aim to be comprehensive, but it will try to give you the basic knowledge to avoid the small, common mistakes that lead to major disasters. It is intended to be read by small business owners who have no particular knowledge of cyber security. If you are an IT professional, you probably already know all of this and you are clearly not the targeted audience.

This article will be divided into 3 episodes to be published over the next weeks. Each of them will address one of the issues that often end up causing security problems in companies:

  • User misinformation and inappropriate behaviours
  • Vulnerabilities and exposures
  • Inadequate infrastructures and processes
  • Lack of qualified resources

As an appetizer let’s start with a few numbers. Yum! In 2018, according to Symantec:

  • 55% of all email traffic was spam
  • 246 million new malware variants were detected
  • 1 in 10 URLs was identified as malicious
  • 1.3 million web attacks were blocked every day

One major evolution in the world of cyber security over the last decade was the boom of underground marketplaces where everything has a price: scanned passports, electricity bills, email accounts, malware, etc.

One doesn’t have to be a specialist anymore to be a cyber criminal. A custom phishing page service can be bought for as little as USD 3, and complex attacks such as DDoS start at USD 5.

So what are the first basic steps that I can take, as an individual or as a small business owner, to protect myself, secure my data, and avoid common mistakes?

User misinformation and inappropriate behaviours

According to Verizon’s 2019 Data Breach Investigations Report, 34% of the attacks in 2018 involved internal actors and 33% included social attacks.

It doesn’t necessarily mean that the employees involved had bad intentions; very often they were simply poorly informed about basic security measures. Common sense and a minimum of discipline can dramatically reduce the risk of potentially destructive security breaches.

Never open unexpected / suspicious emails.

If you are unsure, always try to contact your correspondent by another means of communication (e.g. phone, instant messaging, etc.) to confirm that he/she is the real sender.
You can ask a professional to set up some tools to help you filter ill-intentioned messages. They are not a bulletproof solution and do not replace common sense, but they can help get rid of a huge part of the daily garbage.

Don’t fall for incredible offers.

(e.g. 70% off the new iPhone). If it’s too good to be true, then it’s probably not true.

To be safe, avoid filling in any sensitive data on a web form you reached through a link in an e-mail.

Especially if it pretends to come from your bank. No serious financial institution will ever ask you for sensitive details in a casual e-mail! Some tools, such as antivirus software, can help you detect those scams, and if you are in doubt, verify the authenticity of the message directly by phone with the company.

Don’t give information to people whose identity you can’t verify.

Hackers will sometimes try to impersonate a colleague, a superior, a member of the IT team or a vendor to trick the user into giving away sensitive information. The most common techniques are very similar to “real life” scams and include rushing the target, pretending that the request comes from an authority, convincing the victim that he/she is the last one in the company not willing to hand over a crucial piece of information, etc.
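The three tips above (unexpected emails, links in emails that lead to forms, and pressure from someone claiming authority) boil down to a handful of warning signs that can be checked automatically, which is what the filtering tools mentioned earlier do on a much larger scale. The script below is an added example written for this article, not a tool from the page or from any of its sources. It inspects two constructed sample messages (using the reserved example.com / example.net / example.org domains) and reports the signs a filter would look at: a Reply-To domain that differs from the sender’s, a link whose visible text shows one site while it actually points to another, an unencrypted http link, and urgency wording. The phrase list and the checks themselves are assumptions chosen for illustration, not a definition of what “phishing” is.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail); all domains are RFC 2606 reserved names.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <alerts@bank.example.com>
Reply-To: support@example.net
To: owner@example.org
Subject: Urgent: your account will be suspended within 24 hours
Content-Type: text/html

<html><body>
<p>Please verify your account immediately:</p>
<a href="http://login.example.net/verify">https://bank.example.com/login</a>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Alice" <alice@example.org>
To: owner@example.org
Subject: Lunch next week?
Content-Type: text/plain

Shall we meet on Tuesday?
"""

# Assumed list of pressure words; a real filter would use a much longer, tuned list.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _domain_of(header_value):
    """Mail domain of an address header such as 'Name <user@host>' ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _host_of(text):
    """Hostname of a URL or bare domain written in text; None if it is not one."""
    text = text.strip()
    if "://" not in text:
        if "." not in text or " " in text or not text:
            return None
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None


def _body_text(msg):
    """(content type, decoded text) of the first text part of the message."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return ctype, raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    return "text/plain", ""


def phishing_indicators(raw_message):
    """Return human-readable warning signs found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    sender, reply_to = _domain_of(msg.get("From")), _domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")

    ctype, body = _body_text(msg)
    if ctype == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            target, shown = _host_of(href), _host_of(text)
            if shown and target and shown != target:
                findings.append(f"Link text shows {shown} but points to {target}")
            if urlparse(href).scheme == "http":
                findings.append(f"Link to {target} is not encrypted (http, not https)")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("Urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

Run as-is, the suspicious message triggers all four checks and the benign one triggers none. None of these signs proves a message is fraudulent on its own, which is why the article’s advice to confirm with the sender by phone still applies when a filter lets something through.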

Browse safely.

Stay away from websites offering illegal content, adult dating, techniques to become a billionaire, incredible deals on expensive goods, etc. Many antivirus products on the market have a web filtering / web reputation module to help you avoid digital death traps.

Use strong passwords.

Passwords like 123456 or qwerty make hackers’ lives so easy that they are a godsend for cyber criminals.

Of course, we have to deal with dozens of passwords in our everyday life and it is not easy to remember all of them. The temptation to re-use the same easy password again and again is huge. The problem is that it offers nearly the same level of protection as no password at all!

Ok then. How about writing all your passwords on sticky notes and putting them on your desk? Terrible idea! About as smart as leaving your apartment keys in the door.
What’s the solution then? Well, any of these could work:

  • A good memory
  • A password trick such as this one
  • A password manager. This little piece of software, if used wisely, will help you manage your passwords like a boss. There are many of them on the market. They can be installed locally on your device or be cloud based, free or paid. Why not give them a try?
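To make the two points above concrete (why 123456 and re-used passwords are weak, and what a password manager generates for you instead), here is an added example written for this article; it is not code from the page or from any password manager. It scores a password from the character classes it uses, flags it if it is on a short constructed list of common passwords, if it is shorter than 12 characters, or if it is already used on another account, and it generates a random passphrase and a random password with the operating system’s cryptographic random source. The common-password list, the word list and the 12-character / 50-bit thresholds are assumptions for illustration; real checkers use lists of hundreds of millions of leaked passwords.

```python
import math
import secrets
import string

# Constructed list of common passwords for this demonstration only.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein", "welcome", "abc123"}

# Constructed word list for the passphrase generator; a real one has thousands of words.
WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "velvet", "walnut", "yellow", "zipper",
]


def estimate_bits(password):
    """Rough strength estimate: log2(size of the character pool) per character.

    The pool is inferred from the character classes actually present, so
    '123456' is scored as a 6-digit number, not as a 6-character string."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 32  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password, other_passwords=()):
    """Return ('weak' or 'ok', reasons). other_passwords are the passwords already
    used on the person's other accounts, so that re-use can be flagged."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if password in other_passwords:
        reasons.append("re-used from another account")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    bits = estimate_bits(password)
    if bits < 50:
        reasons.append(f"only about {bits:.0f} bits of strength")
    return ("weak" if reasons else "ok", reasons)


def generate_passphrase(word_count=4):
    """Random words joined by '-', drawn with the OS CSPRNG (secrets), never random.random()."""
    return "-".join(secrets.choice(WORDS) for _ in range(word_count))


def generate_password(length=16):
    """Random password over letters, digits and punctuation, also drawn from secrets."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    already_used = {"123456"}  # constructed: a password this person uses elsewhere
    for candidate in ("123456", "qwerty", "Correct-Horse-Battery-42",
                      generate_passphrase(), generate_password()):
        verdict, why = assess(candidate, already_used)
        print(f"{candidate!r}: {verdict} {why}")
```

The passphrase generator is the interesting part for a non-specialist: four random words are both long enough to score well and far easier to remember than sixteen random symbols, which is exactly the trade-off a password manager makes for you.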

Don’t share your credentials with others.

Another piece of advice about passwords: don’t share your login details with your colleagues! First of all, if your username is used in a security breach, you might take the blame. Plus people come and go, and terminated employees (for example) are sometimes resentful and tempted to take revenge on the company…

Be cautious with shadow IT.

Sorry, what? Mysterious name, down-to-earth explanation: it’s when ordinary users install their own software, bring their own devices, subscribe to their own cloud services or work on IT projects without the consent or knowledge of the IT department.

The work environment has changed. Mobility, globalization, the consumerization of IT services, users’ self-confidence and high-quality cloud services are some of the reasons why more and more companies host shadow IT.

This situation has some advantages, the first obviously being cost, but also the flexibility to use services or applications without going through a formal validation process.

But this doesn’t go without risks for the company:

  • Unpatched/unmaintained applications have vulnerabilities that can be exploited by hackers
  • Potential legal liability of the company for the use of unlicensed software
  • Illegally downloaded programs often contain malware (e.g. viruses)
  • Etc.

Let’s say you host a party and send invitations to your friends and family. On the day, you will not just open the door and let any random passer-by enjoy your wonderful fruit punch, right?

The same rule applies here: unwanted software and services must be restricted on your company’s network, and only whitelisted apps and computers should be authorized.

It’s up to you to decide whether you authorize users to bring their own devices, but there should be a clear policy of dos and don’ts and the means to enforce it. There are actually a few tools on the market that can help you inventory and monitor your IT assets; do not hesitate to ask a professional for advice.

Don’t ignore update messages!

No matter what your favorite operating system is (Windows, macOS, Android, Linux, etc.), you have surely ignored the “update pending” message at least once in your life and clicked on “Remind me later” repeatedly for weeks.

Well, I know this message always pops up at the wrong time, when you have something important to finish. Plus, if you do the update immediately, it will slow down your device for several minutes, maybe even reboot it, go figure!!! I feel you. Really.

But these updates are there for a good reason: they protect you from threats. There are many stories of unpatched devices that led to major disasters in recent years.

Take this example: in 2018, a computer running a version of Microsoft Outlook which was not properly updated allowed cyber criminals to access the personal details of 1.5 million of SingHealth’s (Singapore Health Services) patients, including Prime Minister Lee Hsien Loong.

So just do the update when you have the message! And make sure your colleagues do it too! There are some tools on the market that can monitor the software installed on all the devices in your company and help you keep them up to date.

Be careful with public networks.

Free Wi-Fi! How nice these 3 words sound together! The promise of the sweet relief of entertainment in an empty airport during an endless nightly stopover. The possibility to finally send an urgent email from the hotel lobby… We have all used shared Wi-Fi at some point, for professional or personal purpose.

There is something you may not know, though. Free public Wi-Fi hotspots are a great place for cyber criminals, even beginner ones, to “eavesdrop” and steal sensitive data. Easy, believe me! If you are curious, you can find many tutorials on how to achieve that on YouTube.

It’s avoidable though with a few simple tips:

  • Refrain from using sensitive websites when browsing through a public Wi-Fi connection (bank etc.)
  • Prefer HTTPS websites, which encrypt the connection (the little padlock next to the URL in your web browser)
  • Use a VPN. A VPN is a tool that creates an encrypted tunnel between your device and a trusted remote server. It prevents attackers from “seeing” what you are doing on the internet. There are many commercial VPNs on the market. For even more security, you can create a VPN that connects your device directly to your office and allows you to access your network as if you were on the premises. But stay away from free VPN solutions: most of the time they are not safe, and they can even put your e-security and privacy at risk.

That’s it for now! These are a few of the measures you can put in place with no or very little IT knowledge.

If you are thinking about other security tips or measures that concern the users or if you want to discuss further on the subject, do not hesitate to post a comment below or contact me privately via the contact form.

In the next episode of this article dedicated to cyber security basics for non-IT professionals, we will talk about vulnerabilities and exposures and how to avoid them. It should be released within 2 weeks.


Sources: Verizon, Symantec, Gemalto, Wikipedia, CNN, Cisco, ZDNet, CNET, Kaspersky, TechRadar
