At Seirim we know SMEs are often overworked and short on resources. Something as obscure as cybersecurity may not be on your management's radar as a high priority, but it should be.
Recent headlines like the massive SolarWinds and US government hack hopefully get your attention, but they might also give you the false sense that these attacks only happen at the highest levels: major corporations, security companies and governments. That's false; those victims just get the biggest headlines.
Unfortunately, everyone from individuals to small companies to, now, even hospitals and medical research institutes is under increasing attack. Ransomware, for example, can lock up and cripple your company's operations in an instant. Don't succumb to complacency: it's too easy to take for granted the wide array of digital infrastructure your company depends on daily.
"People are the weakest link" is the cliché wisdom in cybersecurity. It's true in that people are the easiest place for things to go wrong. Better security starts with building better habits and awareness.
It's not a comprehensive solution, but a reputable VPN goes a long way toward encrypting and protecting data in transit from your device to the VPN's exit points. Bear in mind that you are trusting your VPN provider with a lot of your metadata, but it does reduce the number of prying eyes on your traffic, both across the internet and from attackers on your local network.
Malicious hackers use publicly accessible information which, in aggregate, can give them critical insight for penetrating your infrastructure. Just as it's unwise to announce you're going on vacation for two weeks right after posting pictures of your fancy new stereo system, take it a step further: hackers can piece together seemingly innocuous details like where you work, where you went to school, your hobbies, pets, family members' names and birthdays and so on to profile you and target their attacks. So, dial back what and how much you share.
Use a VPN regularly, and always when accessing your company's data or any sensitive data, but especially on public or untrusted WiFi, where it's best to be suspicious. Some recommended VPNs can be found here.
If you can't get your VPN to work on the airport or coffee shop WiFi and can't get HTTPS access to the site you're visiting, hold off on your most sensitive accounts and activities until later. Hackers deliberately use these environments to stage attacks, preying on users who are working in a rush and let their guard down. The risk is real that the WiFi you're connecting to is a fake network they set up, that they have established a man-in-the-middle position on the network, that they are sniffing packets on it, and more.
Sketchy, low-quality or, worse, pirated software is a favored vehicle for hackers to load malware onto your devices. Stay away; it's not worth it.
Set your computer to lock when you are away for more than a few minutes. Even better, lock it manually every time you step away. In Windows, you can quickly lock your computer by pressing Windows key + L; on a Mac, press Control + Command + Q.
Much like the social media savviness mentioned above, you also want to reduce your public exposure not just to a hacker doing research but to the "higher-level" powers that be. You may not be in their crosshairs now, but all the metadata on you is a vulnerability: it could be used against you by purely algorithmic methods, if they themselves get hacked, or if those in control change their tune (or who is in control changes). So, don't show all your cards, and not to any one company, country or group. Consider alternatives to the common gateways: DuckDuckGo for search, ProtonMail for email, privacy-focused browsers like Brave or the Tor onion network, and so on.
You never know when a service might go out of business, get hacked (or your account might), change its terms and conditions, or suffer any of a long list of other things that can go wrong. So, if you have valuable info, chats, emails and attachments in online accounts, get your own copy of them now for safekeeping.
Don't use an account anymore? Then it's just an extra attack vector holding information of yours or about you, or a password you might have used more than once. It's only a matter of time before any given service is breached, and the more accounts you have languishing on the web, the more you are exposed.
Sharing with your most trusted loved one or partner is fine, but in that case make sure they follow security protocols as strictly as you do. It does no good if your password is super safe with you but your partner keeps it in clear text in a Word file on their machine or phone. Beyond that, limit sharing your account access details with anyone else as much as possible (ideally to zero). Not because you don't trust them per se, but because it widens your exposure.
Did you overshare in the past? Did you really need to give those services so much access? Sign in and check how much info they hold on you; the less, the better.
Here is a frustrating story of someone who went to great lengths to remove their physical home address from every online source they could for greater privacy, only for their address to still be the top Bing result for their name. No matter what they've done, they can't make that one result go away, and despite their strong requests Bing won't remove it. Why not fight fire with fire? For accounts where it doesn't matter, where they are asking for more info than they should, why not feed them some obscure data to throw off the trail? Take care, though, with accounts where it does matter: if you forget the deliberately wrong birthday you entered, you could have trouble accessing an account, for example.
The #1 attack vector is through people and their weaknesses. We're busy, tired, and so immersed in internet and online activity that we're clicking and opening things moment after moment. Bad actors take advantage and target individuals with phishing emails, attempting to extract information or actions, or to get them to click on a virus, malware or spyware Trojan horse. Stay wise with a series of precautions and preventions.
Does something look off? Contact the sender via phone and ask them by voice if the email and its attachments are as intended.
Don't blindly click on anything, not even links in this article. Hover over them, right-click on them and inspect carefully where they are going. When in doubt, if you must open them, do so in an incognito browser window.
Do not rely on senders' names or the displayed email address. If your email client doesn't show it readily, drill down into the email's properties to see which address it actually came from, since sender names and addresses can be spoofed.
Refrain from using any unknown or untrusted media. If you must use media from someone, ensure they have scanned it for viruses and malware on their side first.
This is a main point: the vehicle for many attacks is the attachment in the phishing email. Be very skeptical of attachments, and if there is any doubt at all, do not download or click on them (they'll execute) without verifying their integrity with the sender first. Once downloaded, scan attachments with anti-malware software before opening them.
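As an added example (not from the original article), here is a small Python script that applies the checks above to a raw email: it compares any domain written into the sender's display name against the real sender domain, flags a Reply-To that points somewhere else, and flags attachments with executable or double extensions. The message, the domains in it and the extension list are constructed for the example.

```python
"""Phishing-tell inspection for a raw email (added example; the message,
domains and extension list below are constructed, not from the article)."""
from email import policy
from email.parser import BytesParser
import re

# Extensions that run when opened (Windows-centric; extend for your environment).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "js", "vbs", "ps1", "msi", "hta", "jar"}

# Finds something domain-shaped inside a display name, e.g. "IT (example.com)".
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")

# Constructed sample: the display name claims example.com, the real sender is
# elsewhere, replies go to a third domain, and the "PDF" is really an executable.
RAW_MESSAGE = b"""From: "IT Support (example.com)" <alerts@mail-security-update.example.net>
Reply-To: helpdesk@account-verify.example.org
To: employee@example.com
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Open the attached form to keep your account active.
--XYZ
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""


def risky_attachment(filename):
    """Return a reason if the attachment name looks dangerous, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) > 2:
        return f"{filename}: executable hidden behind a double extension (.{parts[-2]}.{parts[-1]})"
    return f"{filename}: executable attachment (.{parts[-1]})"


def first_address(msg, header):
    """Return the first parsed Address of an address header, or None."""
    value = msg[header]
    return value.addresses[0] if value is not None and value.addresses else None


def inspect_message(raw):
    """Return a list of human-readable findings for a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    sender = first_address(msg, "From")
    from_domain = sender.domain.lower() if sender else ""
    display_name = sender.display_name.lower() if sender else ""

    # 1. A domain written into the display name that the real address does not belong to.
    for claimed in DOMAIN_RE.findall(display_name):
        if claimed != from_domain and not from_domain.endswith("." + claimed):
            findings.append(f"display name mentions {claimed} but the real sender is @{from_domain}")

    # 2. Replies silently redirected to a different domain.
    reply = first_address(msg, "Reply-To")
    if reply and reply.domain.lower() != from_domain:
        findings.append(f"Reply-To goes to @{reply.domain.lower()}, not @{from_domain}")

    # 3. Attachments that would execute if double-clicked.
    for part in msg.iter_attachments():
        reason = risky_attachment(part.get_filename() or "")
        if reason:
            findings.append(reason)
    return findings


if __name__ == "__main__":
    for finding in inspect_message(RAW_MESSAGE):
        print("-", finding)
```

Run it on an `.eml` file saved from your mail client by passing the file's bytes to `inspect_message()`; a non-empty result is a cue to phone the sender, as described above, rather than open anything.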
Email is at the center of our digital lives. It's stable relative to chat and social media applications, but it's also an older internet technology, and might be a weakness and vulnerability in your digital sphere.
In important accounts like your email, make sure you have secondary and backup contact information (phone and email addresses), so you can be alerted through multiple channels of any suspicious activity in your account, and have more ways to regain your account in case it is hacked. Of course, be mindful of the privacy implications of what you enter here, and the risk of this info also being used against you in the wrong hands. On the whole, though, the benefit of multiple channels to prove ownership of your most important accounts is compelling.
It's mighty convenient to be able to open up your phone or laptop browser and immediately check your email, accounts, social media apps, all the things we use daily, with just the bump of a thumb or a bookmark. But with just a little bit of access, so can an attacker. So do not leave all the apps so open and ready; require signing in, and ideally 2FA, for sensitive accounts every time you use them. You might even have an old phone sitting in a drawer that can still connect to your email, for example, and that's an unnecessarily exposed risk.
Seems convenient to sign in to that service using Facebook, Gmail or a similar connection, right? Too convenient: if an attacker gains access to one, they can access every service you have connected to it. Use unique sign-in credentials for every service.
Over time, many services we try and use get approval to check our contact lists and email account, even to send messages on our behalf and more. Check for such connections in your email settings and remove everything not absolutely necessary. Generally, refrain from giving apps such access at all.
Just as you check your credit card statement or credit report, periodically check your accounts' recent activity history for any access that wasn't by you or expected.
Really, your main email account(s) need to be under serious lock and key and 2FA is a huge help. Use it whenever possible.
yourname2000@gmail.com works, but what if Google's algorithm (because, let's face it, they don't have any accessible customer service) changes its mood and locks your account? You've lost control of a very important service in your life. You can still use Gmail, for example, but invest in your own domain, so that if you get blocked you can move an email address you control, like me@MyOwnURL.com, by pointing your domain at a new email provider.
Don't rely on only one email address; have backup email(s) that can act as backup contact information for your main address. Also consider a lowest-tier email address in your system as the catch-all for the "least desirable" services you have to give an email address to.
Many email and similar systems ask for answers to personal questions for account and password recovery. Do use this feature, but make sure your answers are not easily researchable or discoverable by an attacker (for example, your high school's name or your mother's maiden name can be found out pretty readily for many people). These answers are effectively passwords and can be treated as such: record them in a password manager as carefully as you do your passwords.
Services like Gmail have their own Security Checkup features in Settings to check for issues and vulnerabilities. Use them, but rely on your own judgment as well.
Passwords remain at the center of digital security. Despite being augmented with two-factor authentication (2FA) in the form of apps, devices or methods like fingerprint recognition, and despite too often being a major weakness, passwords are hard to do without. They are a critical element to get right with good habits, systems and best practices.
Firstly, take account of your history of exposure. You may well already have accounts that have been breached or could easily be. Check your email addresses at the trusted have i been pwned website to learn your exposure and start any necessary damage control.
Make sure every password is unique for every service. When any account gets hacked, hackers try the same password at other services to get into every account they can. Minimize the potential damage with a unique password for every account. Make your passwords complex, with many characters, no dictionary words or proper nouns, and a mix of uppercase and lowercase letters, symbols and numbers. At least 8 characters long; aim for 15 for greater security.
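As an added example (not the article's own material), here is Python code that turns the advice in the two paragraphs above into checks you can run against an export from your password manager: it flags passwords reused across services, applies the complexity rules stated above (8 characters minimum, aiming for 15, mixed character classes, no dictionary words), and shows how the have i been pwned Pwned Passwords range API is queried without ever sending the password: only the first five hex characters of its SHA-1 go to the server, and the returned suffix list is matched locally. The vault, word list and range response are constructed; the range URL format is the real API's.

```python
"""Password hygiene checks (added example). The vault, word list and the
range-API response below are constructed; the URL format is HIBP's real one."""
import hashlib
import re
from collections import defaultdict

# Stand-in for a real dictionary file.
COMMON_WORDS = {"password", "summer", "winter", "welcome", "company", "admin", "letmein", "qwerty"}

# Constructed export from a password manager: service -> password.
SAMPLE_VAULT = {
    "webmail": "Summer2020!",
    "bank": "Vq7#pLm2!xR9zTb&",
    "forum": "Summer2020!",
    "shop": "password",
}

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6:
# each line is "<35 hex chars of SHA-1 suffix>:<count>". The middle suffix completes
# the SHA-1 of "password"; the counts are made up.
SAMPLE_RANGE_RESPONSE = """1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E7B5E4C0D7E3C6B3E1F7A9C2D4F6A8B0C1:1
"""


def complexity_issues(password, minimum=8, target=15):
    """Return the ways a password falls short of the rules described above."""
    issues = []
    if len(password) < minimum:
        issues.append(f"shorter than {minimum} characters")
    elif len(password) < target:
        issues.append(f"shorter than the {target} characters to aim for")
    for pattern, label in ((r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"),
                           (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, password):
            issues.append(f"no {label}")
    lowered = password.lower()
    issues += [f"contains dictionary word '{w}'" for w in sorted(COMMON_WORDS) if w in lowered]
    return issues


def find_reused(vault):
    """Map each password used by more than one service to those services."""
    by_password = defaultdict(list)
    for service, password in vault.items():
        by_password[password].append(service)
    return {pw: sorted(services) for pw, services in by_password.items() if len(services) > 1}


def hibp_range_parts(password):
    """Split the uppercase SHA-1 hex into the 5-char prefix that is sent to the
    API and the 35-char suffix that stays on your machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_range_url(prefix):
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def count_in_range(suffix, range_response):
    """Return how many breaches listed the suffix in a range-API response body."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vault(vault, range_lookup):
    """range_lookup(prefix) -> response body text; returns service -> issues."""
    reused = find_reused(vault)
    report = {}
    for service, password in vault.items():
        issues = complexity_issues(password)
        if password in reused:
            issues.append("reused by " + ", ".join(s for s in reused[password] if s != service))
        prefix, suffix = hibp_range_parts(password)
        seen = count_in_range(suffix, range_lookup(prefix))
        if seen:
            issues.append(f"appears in {seen} known breaches")
        report[service] = issues
    return report


if __name__ == "__main__":
    # Offline lookup: only the prefix for "password" has a constructed answer here.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""
    for service, issues in audit_vault(SAMPLE_VAULT, offline).items():
        print(service, "->", issues or ["ok"])
```

To use it for real, replace the offline lookup with a function that fetches `hibp_range_url(prefix)` over HTTPS and returns the response body; the password and its full hash never leave your machine.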
Make sure the password manager is resilient and that you have multiple contact methods registered with it. Make sure the password to the password manager itself is also secure and saved physically, in a safe place.
What if your main password manager were to go down, you lost access, its file got corrupted, or some major error occurred? Note that the password manager itself is a point of attack and potential weakness: if it's breached, "all may be lost", and by having more than one you're doubling that risk. Weigh that carefully against the single-point-of-failure risk. One option is a backup password manager, carefully guarded, perhaps used for just the most important accounts (so it's less of a burden on your time and actually gets used). Don't store the password for one manager in plain form in the other, or a breach of either results in the other also being breached.
Whether it's the Google Authenticator app, a USB security key device, fingerprint detection or otherwise, 2FA is always a good idea. Make sure to back up, in your password manager, the initialization keys given to you when setting up such additions.
Sure, you've done your job well of making your passwords unique, complex and well stored, but what if the service where you use one is hacked? Or any other hole in your system? So, as a matter of course, change your passwords after some period of time. Opinions vary on how often; maybe every 6 months is OK. Of course, if there is evidence of any breach, change potentially affected passwords immediately.
It shouldn't be common for services to do so now, as it isn't a good practice, but if any service sends you a password by email or message, only use that password temporarily and change it to your own-created and stored password as soon as possible. That password residing in a chat or email application isn't secure and is discoverable and usable by attackers.
Like passwords and email, browsers are at the center of our digital worlds as the portal to so many services and web applications that we use. This dynamic environment is therefore a main target for malicious actors and a critical place to employ best practices.
Browsers are a main focus of malicious hackers, and passwords residing in them are an unnecessary risk, at least for important accounts.
Plugins are a definite attack vector. Only add very trusted and well regarded plugins to your browsers that you absolutely need.
And if you aren't using them, get rid of them, as they are increasing your exposure.
It's worth a thought; remember the "all eggs in one basket" dilemma. Firefox, Brave and other projects are worth considering for better privacy and security. At the least you can alternate between them to obfuscate your online fingerprint somewhat.
Always allow updates, and check to make sure automatic updating is set to on.
In Internet Explorer and Microsoft Edge, because it connects to your PC and Java's functions, it's too powerful and not worth it.
JavaScript is heavily used across so many websites to power their features, but it's also, unfortunately, a likely attack vector. If your risk profile is high, consider disabling it overall and whitelisting only trusted sites.
Not just for "mature" browsing needs: using incognito browser sessions helps cut back on privacy-intrusive tracking and cookies, but it's no cure-all.
This creates a buffer for you to see anything being downloaded and saved to your computer from the browser, and the chance to stop it from happening if it wasn't intended.
There's no benefit to being tracked, so...
Websites have their own cookies to manage your session with them, which is understandable, though they can of course go overboard. But did you know many websites load other websites' cookies and tracking to generate extra info on you? There is very rarely a benefit in this for you, so block them.
These settings can change over time, but for example in Chrome settings the options are currently "Standard" or "Enhanced", with Enhanced being the stronger and better choice. The idea here is to look through the settings periodically (in case settings somehow get changed or shift) and re-align them with strong security preferences.
Require that you give permission before doing so (and then only reluctantly).
This is an "extra password" of sorts within your Google account that encrypts data syncing to other browser or app instances. If a hacker gets your main Google login, they still can't replicate your account on another machine and use that to pull up all your passwords saved in the browser and Google, your search history, bookmarks etc., because without this passphrase they can't decrypt it.
If you had to sign in to your email, financial or sensitive accounts on a public WiFi connection, when done make sure to log out of the accounts immediately, and clear your browser's cache and history to clear out all cookies, tokens and info that could be used to probe your accounts.
Whether it's entropy degrading your data in situ, a power surge, user errors, a malicious employee or a ransomware attack, the best defense for your data is to have it regularly backed up, redundantly and very securely. And not just once - multiple copies using multiple strategies in multiple locations increases your ability to bounce back from any issue.
Backups need to occur as frequently as possible so that, if there is ever an issue, you lose only the work and data since the last backup. Automate your backups so they aren't forgotten and require less work, which helps them actually get done.
Back up to multiple backup types and locations. The "3-2-1" concept is often repeated, meaning you keep at least 3 copies of your data, on at least 2 different storage media (devices), with at least 1 offsite location in case anything happens at your main location. For important data, we'd recommend even more, if feasible, including 2 offsite locations: one being paid cloud storage and the other internally controlled (a server you own and manage) if possible. If not, 2 offsite redundant backup cloud storage providers is a good idea in case one fails. You can see an article here on the topic that we agree with.
Locally, we recommend having a Network Attached Storage (NAS) solution. There are fancy commercial options, but you can now build cheaper versions for home office use with a newer, more powerful Raspberry Pi and SSDs, for example, using open source software and backup programs like TrueNAS, OpenMediaVault, Rsync, Rclone and BorgBackup.
In addition to local storage, whether it be a NAS or simpler external hard drives, you also want to be making backups "offsite", and these days that very often means the cloud. There is a range of "backup to the cloud" solutions, from mirroring everything on your computer to the cloud, to letting you choose only the folders and files you want to back up (like our favorite solution, SpiderOak), to very simple storage like Backblaze B2 Cloud Storage or Rsync.net, which offer plain storage areas that you'll need to know how to manage.
SpiderOak is our preferred backup solution for individual computers: their ability to selectively choose folders, the fact that they preserve files in the cloud even if you remove them from your local computer, the ability to back up external hard drives, and their encryption on your device before data leaves your computer for the cloud are all top-notch features that work well. We are also fans of their business solutions.
So, it might feel like overkill, but what if your local area has a fire, and your offsite cloud solution ended up not working? To be extra sure, add another backup solution that is different from the others and complements their weaknesses well. Consider another location, backed up in a different way: an additional cloud provider that works differently from your first, and so on. Here are some good resources for researching more providers and solutions: Cloud backup services reviewed and Best free backup software reviewed.
Each of these multiple backups is a risk exposure, and you cannot fully trust the places where they are stored, so use very strong encryption on your side, encrypting the data before it leaves you. Guard the encryption keys very carefully.
Be careful not to export any viruses or malware with your backups.
Go through a fire drill scenario. If you actually lost your primary data, would these backups work? Access the backup files, restore them to a machine, decrypt them, and make sure they are whole and that no important documents have been accidentally left out.
Make sure your system is documented in detail and shared securely and confidentially with others, so that if anything happens to the person who put it together, their successors can take over and use it.
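As an added example (not from the original article), here is Python code for the "3-2-1" check and the fire drill described above. It records a SHA-256 manifest of the source tree at backup time, then compares a restored copy against that manifest to report files that are missing, corrupted or unexpected, so "are they whole, and is anything left out?" becomes a mechanical check rather than a guess. The inventory, file names and contents are constructed.

```python
"""Backup fire-drill helpers (added example, not from the article): build a
SHA-256 manifest of the source tree at backup time, verify a restored copy
against it, and check a backup inventory against the 3-2-1 rule. The files
and inventory are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(root, manifest):
    """Compare a restored tree with the manifest recorded at backup time."""
    restored = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def satisfies_3_2_1(copies):
    """copies: list of {'medium': str, 'offsite': bool}. True when there are at
    least 3 copies, on at least 2 kinds of media, with at least 1 offsite."""
    return (len(copies) >= 3
            and len({c["medium"] for c in copies}) >= 2
            and any(c["offsite"] for c in copies))


# Constructed inventory: the live copy plus a local NAS and one cloud provider.
SAMPLE_INVENTORY = [
    {"medium": "laptop ssd", "offsite": False},
    {"medium": "nas", "offsite": False},
    {"medium": "cloud", "offsite": True},
]


def write_file(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def fire_drill():
    """Simulate a flawed restore: one file is a stale version, one was never copied back."""
    files = {"contracts/lease.pdf": b"lease v3", "reports/q4.xlsx": b"numbers", "notes.txt": b"hello"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as restored:
        for rel, data in files.items():
            write_file(src, rel, data)
        manifest = build_manifest(src)                               # keep this next to the backup
        write_file(restored, "contracts/lease.pdf", b"lease v2")    # stale version restored
        write_file(restored, "notes.txt", b"hello")                 # intact
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print("3-2-1 satisfied:", satisfies_3_2_1(SAMPLE_INVENTORY))
    print(fire_drill())
```

Store the manifest with (but separately from) each backup copy; on restore day, `verify_restore()` run against the restored directory tells you exactly which documents to recover from another copy.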
Programmers know the value of being able to "wind back the clock" after making some changes and maybe mistakes, and version control systems like Git (commonly used at the Github service) are a very useful tool for tracking and preserving work.
Or "devices", rather: each and every one of them needs attention to be secured and monitored for issues. Computers, phones, tablets, printers, TVs, even smartwatches? Who knows; everything is connecting to the net, has password details stored in it, and could be an attack vector.
Kind of goes without saying, but here it is. Currently, the already-installed and hopefully running Windows Defender is good to use, but there are many more to consider. We would recommend Malwarebytes or Bitdefender as a start. Schedule automatic scans, and check the configuration settings to make sure they are fit for your needs.
Malicious hackers are always looking for weaknesses in software. Software vendors do their best to patch these vulnerabilities when they come to light and include the fixes in their updates. If you aren't allowing updates, you are missing out on the patches and leaving your software, and therefore your whole computer, vulnerable.
Don't just rely on automatic updates; open the settings and check on the applications' websites that you are using the latest, patched versions of all your software. Especially your browsers, chat apps and TeamViewer-like applications, but really any app that has internet connectivity and/or powerful execution capabilities on your device.
Ensure you are encrypting your local drives, with the included BitLocker on Windows or FileVault on macOS. Make sure to save the passwords for these encryptions securely in your password manager.
"Macros" are scripts (like mini programs) that can be run from inside Microsoft Office software and are, unfortunately, a strong and powerful vector for hackers. There is little benefit to having them enabled unless you really use them, and even then change the settings to be very stringent. Hackers load macros into documents that, when executed automatically, can function like malware. Disable macros in Microsoft applications under File > Settings > Advanced Settings > Trust Center > Macros or similar.
You don't need to use your computer as the root or admin user on a daily, regular basis. If a computer is used as root and then breached, the attacker has root access. Add a regular user with fewer privileges and limited abilities; in case of a hack, the attacker has less power inside the machine. The same goes for every type of device, account and environment: do not use admin access routinely, but create lesser-privileged accounts that have only as much access and as many rights as they need for their current work.
Every application is a potential attack vector, so if you aren't using it, or are unsure of its quality or the trustworthiness of its source, it needs to be removed. Further, any software that was once good but is no longer supported (the company changed hands, went out of business or deprecated the product) should also be considered for removal and replacement.
Especially in public, but also in office environments, and might as well at home too if not too inconvenient.
They enable you to find, lock down and wipe lost devices. This is common on mobiles but less so on desktops and laptops; some anti-virus and EDR products (see below) include this important feature.
Use good DNS settings, here is an overview.
You need to know all the applications that are currently and regularly running on your devices. Check in settings to look for active applications that you are not expecting so you can stop and remove them. An EDR (see next entry) or your anti-virus may provide some of this, but an extra solution to monitor running applications and manual reviews are advisable.
Like anti-virus on steroids, an Endpoint Detection and Response (EDR) solution will proactively try to shut down any malicious activity on your devices. EDR pulls learned data for detection from your network environment and uses machine learning to (hopefully) detect dynamically advancing threats in real time, monitoring not just for virus signatures but also for irregular activity and behavior such as exfiltration of sensitive data. Here is a good survey of leading EDR solutions.
Malicious files can hide by being named reallyavirus.jpg.exe, which you can click on and execute. Reduce that possibility by changing your settings to always show every file's final extension (the "exe"), which is hidden by default, so you can better know what you're working with, especially for downloaded files.
When installing software, perform a hash check to make sure the software you downloaded is the exact version unaltered from the provider. Here is a good how-to and another.
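As an added example (not taken from the how-tos linked above), here is Python code that does the hash check described: it parses a vendor's `SHA256SUMS`-style file, hashes the downloaded file in chunks, and compares the two in constant time. It also reports a file's true final extension, the point made in the previous paragraph. The checksum file is constructed; the "download" it verifies is the three bytes `abc`, whose SHA-256 is the well-known test-vector value.

```python
"""Verify a downloaded installer against a published SHA-256 (added example).
The checksum file and the download are constructed; the expected digest is
the standard SHA-256 test vector for the input "abc"."""
import hashlib
import hmac
import os
import tempfile

# Constructed copy of a vendor's SHA256SUMS-style file: "<hex>  <filename>".
SAMPLE_SHA256SUMS = """# release 1.2.3
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer-1.2.3.exe
"""


def parse_sha256sums(text):
    """Map file name -> lowercase hex digest; tolerates comments and '*' binary markers."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def sha256_of(path):
    """Hash a file in 64 KiB chunks so large installers don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """Constant-time comparison, so a partial match cannot be inferred from timing."""
    return hmac.compare_digest(sha256_of(path), expected_hex.strip().lower())


def true_extension(filename):
    """The final extension is what actually decides how Windows opens the file."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def demo():
    """Return (genuine_ok, tampered_ok) for an intact and a modified download."""
    sums = parse_sha256sums(SAMPLE_SHA256SUMS)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer-1.2.3.exe")
        with open(path, "wb") as f:
            f.write(b"abc")                       # constructed "download"
        genuine = verify_download(path, sums["installer-1.2.3.exe"])
        with open(path, "ab") as f:
            f.write(b"\x00")                      # one extra byte: tampered or truncated transfer
        tampered = verify_download(path, sums["installer-1.2.3.exe"])
    return genuine, tampered


if __name__ == "__main__":
    print("genuine, tampered =", demo())
    print("true extension of reallyavirus.jpg.exe:", true_extension("reallyavirus.jpg.exe"))
```

Note that the published hash only helps if you obtain it over a different path than the download itself (for example, from the vendor's HTTPS page rather than from the mirror that served the file); a mirror that can swap the installer can swap a hash hosted alongside it.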
Be proactive in your organization by requiring team members to follow a set protocol for anti-virus use, encryption, automatic software updates and all listed here to make sure security is adhered to across the board.
More arcane and "in the background" from most people's perspectives, but no less important to security. Indeed paying great attention to keeping your networks secure is paramount.
You can use applications like Nessus, NMAP (free), WireShark (free), SolarWinds and similar to help discover many details about your network, for example all the attached devices, open ports, configurations and so on. Here is a good guide on how to get started and what to consider.
Put measures in place, via monitoring, to ensure your employees do not export or take away sensitive data like payment info, customers' private info and more.
Giving vendors and extra applications access to your network may bring some benefits through the work they perform, but it also increases risk and exposure with added attack vectors. Only admit vendors to segmented and controlled areas of your network, with access only to the data they absolutely need.
Make sure Windows Firewall is turned on if that is your OS, or an even more advanced firewall if your company has one. Firewalls aren't relied on as much as they used to be, but it's still a good idea. Even if you know about firewalls, check again to make sure it's on; it's easy to have turned it off at some point to allow some action and then forgotten to turn it back on.
Use an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS) to actively scan for malware, irregularities and more in the information packets being sent over your network. Do not just install and think all problems are solved, these systems need consistent configuring, monitoring and reviewing of their logs to make sure they are performing as hoped. In the case of IPS, it attempts to actively stop detected threats.
Use third-party manual vulnerability testing by an operator in addition to running simpler vulnerability-scanning software. You can also consider the more intensive, more thorough and more manual penetration testing.
Your routers, switches and servers at your company are 'listening and open' on many ports, ready for communication from the internet. These open ports are gateways to your network; close every one you don't specifically need open.
At your office, your marketing department doesn't need access to all of the same data assets as the finance dept., so why are they on the same network with no barriers between them? The more mindful segregation and partitioning of subnetworks within your organization the more secure your sectors are.
Require that external access to your network comes via a mandated and controlled VPN configuration. E
In Windows, turn off Public file sharing, Public network discovery, and Public folder sharing - all unnecessary risks to have exposed when you happen to be on public networks. This is found in Network and Sharing Center > Advanced Sharing Options > Public.
Routers and similar devices come with default names that can give attackers more info about how to attack your network, and not changing the default password is of course the biggest vulnerability. Use an ambiguous name so any attacker looking for your specific network has a harder time, and make the password very strong (say, 15 complex characters minimum). Your router(s) are static, sitting ducks, so attackers can take a very long time over their attempts, and extra security is required.
Choose WPA2 if available, which it should be with newer devices.
If you know no one will need the network for some period of time, it is a good idea to power it down so no one can "sit on it" trying to crack it while you are away.
Try to centralize your router, so its signal is centralized where you need it, but not spilling out strongly to the street or some public areas where an attacker can sit and "wardrive" attempts to crack it.
Router administration is available on the local network, but sometimes also remotely over the web, so for extra security disable this Remote Administration capability, which you surely will not need.
Your router is most probably not updating its software automatically, so it's a good idea to periodically log into it and manually update its software, which may include vulnerability patches. It's not just software that needs updates: devices' firmware also needs to be checked to make sure the latest secure versions are installed.
It isn't just your own laptop or your phone: everything that connects is a vulnerability that can spill the network's password and give up the keys to the castle.
Critical in network security is to not just rely on software solutions blindly, but to follow them up and manually check all activity with a conscientious human eye for irregularities and issues. This applies not just for network activity, but also for activity and history in personal accounts, company accounts, device usages and more.
We won't go into blocking websites for productivity boost hopes, but blocking access to known malicious websites is always a good idea. This can be done via hardware, software at firewall level or with cloud solutions.
A UTM combines firewalls, "next-generation firewalls", Intrusion Prevention Systems (IPS), secure web gateways, secure email gateways, network connectivity, web filtering, anti-virus and anti-malware, VPN (IPsec and SSL), application and user controls, and more.
Chances are your company or organizations you are a part of have a website that is important to their operations. Keep these ideas in mind to help keep it secure.
Probably obvious in 2021, but just in case: yes, do it. You can get a certificate from LetsEncrypt for free, but we still buy ours at SSLS.com.
You may have shared access to your website over the past months and years with different web developers, SEO people, blog article writers, employees and more. How safely are they guarding the access details you gave them? It's critical to keep this ship tight. Give only as much access as anyone needs to do the work they are doing, and no more, to help minimize risk. Use access-restricted user accounts, and if anyone leaves your company or no longer needs access, remove their access or change the passwords immediately.
This is a helpful measure in addition to the Access Control mentioned above. If you just periodically change the passwords on the secure accounts you'll automatically purge access for anyone over time not needing access that you may have failed to consider.
Most all registrars have this setting, absolutely set it to locked so no one transfers your website ownership away from you.
Knowing the identity of the website owner can give hackers incrediblly useful information and reaserch points to help further their attacks. In a worst case scenario it can give them a pressure point for extra leverage.
Run at least simple freely available security scans of your website like Observatory from Mozilla or Sitecheck from Sucuri to discover vulnerabilities that need to be fixed and actually make the repairs. There are more intensive vulnerability tests that can be run by professionals to help discover even more deeper issues and weaknesses. These tests will return many esoteric fixes that you can make, like setting X-Frame Options Security Header, the X-Content type nosniff, setting Strict Transport Security and more.
Whether it's just a spike in popularity from something at your company going viral, or a dedicated Distributed Denial of Service (DDoS) attack, a flood of traffic can take your website down in minutes. Use services like Cloudflare or a Web Application Firewall (WAF) to help mitigate it.
And set updates to automatic when available. This is perhaps the most important advice here, as outdated, unpatched software is the most vulnerable to attack. Note this also applies to the software on your server, and your CMS, everything.
You will be messaged if your website ever goes down. Our current favorite to use is Uptime Robot.
Not only does the hosting company need to be reputable, but so does the company it keeps. If malicious content and websites are also being hosted where you are, your website will suffer by association and proximity to them. Further, check how seriously the host takes security, for example whether they are lax enough to allow unsecured FTP transfers, which bad actors can use to inject malware onto servers.
As much as you can afford to, do not reside on overshared or badly managed hosting where malicious actors may be able to enter your hosting environment. This and related effects are referred to as cross-site contamination.
A dedicated IP address will help keep your website distinguishable from any bad-actor websites you might otherwise have to share an IP address with.
Attackers rely on websites leaving settings on weak defaults. Lock down comments on your website if you don't need them. Turn off everything you don't need, like trackbacks, and so on.
Files can be read, written to, or executed, and you want to lock those permissions down so that if an attacker gains any access to the website they cannot automatically modify files.
Just like for your internal company data, you need the whole backup regime, including the 3-2-1 principle at a minimum, with encryption, documentation, testing of the backups, and secure handling of the passwords and encryption keys.
This can do everything from limiting access to CMS admin pages to whitelisted IP addresses, to blocking automated bot attacks and probes, to scanning and blocking malware.
A Content Security Policy (CSP) is a powerful tool to lock down and dictate exactly which scripts (programs) may run and from where (only your website or its subdomains, for example, or very trusted third parties), with the goal of preventing malicious Cross-Site Scripting (XSS) attacks. In XSS, attackers inject malicious code into your website, unbeknownst to you, that can wreak havoc for you and your site visitors in many nefarious ways.
SQL Injection (SQLi) is one of the most common and serious methods of website and web application hacks. A lot of quality steps are advisable to help prevent it, including stringent input validation for your site's forms, using "stored procedures" on the database, escaping user-supplied input and more. Make sure your backend web and web app developers are very well versed in SQL injection prevention best practices.
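As an added example, not code from this page or from the scanners named above, here is a Python check that runs over a captured set of HTTP response headers and reports on the headers the scan tip mentions (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security) plus the CSP script sources described here; both sample header sets are constructed.

```python
from typing import Dict, List

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    result = {}
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts:
            result[parts[0].lower()] = parts[1:]
    return result

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or weak (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff' (MIME sniffing)")
    max_age = 0
    for token in h.get("strict-transport-security", "").split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            max_age = int(token.split("=", 1)[1] or 0)
    if max_age < 15768000:  # roughly six months
        findings.append("Strict-Transport-Security missing or max-age too short")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing (no XSS mitigation)")
    else:
        directives = parse_csp(csp)
        # script-src governs scripts; default-src is the fallback when it is absent
        script_src = directives.get("script-src", directives.get("default-src", []))
        for src in script_src:
            if src.lower() in {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}:
                findings.append(f"CSP allows {src} for scripts (weakens XSS protection)")
    return findings

# Constructed sample responses: a typical default server and a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html", "Server": "example"}
HARDENED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_security_headers(hdrs) or ["all checks passed"])
```

To use it on a live site, feed it the headers returned by whatever HTTP client you already use; the check itself stays offline.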
The above tips seem like a lot by number, but they actually just scratch the surface of all the very many things that must be done to keep secure. Just as helpful as specifics is an overall awareness and mindset to consider security at every turn. Be mindful of security always in all actions and you'll be closer to maintaining control of your digital realm.
The goal of cybersecurity is often summarized as the "C.I.A. triad", named not for the US intelligence agency but for three objectives: 1. Confidentiality: keep data only in your hands and out of anyone else's it shouldn't be in. 2. Integrity: data needs to remain whole, uncorrupted, and unchanged by malicious actors. 3. Availability: those who need data to do their work should still be able to reasonably access it. These goals apply to all data, whether personal or company; it's a useful paradigm to keep in mind.
Cybersecurity risks are ever-evolving, maybe moving as fast or faster than anything else in computing technology. Stay tuned to cybersecurity news via some of the top blogs like CSO Online, ZDNet, Infosecurity Magazine, CNET security section, CyberNews, or a cybersecurity news aggregator like Cyber.Report.
How much Personally Identifiable Information (PII), customer data, payment and financial information, sensitive client data and so on are you handling? Even for just your own data, what would the costs be if you lost access to all your data and services immediately? In most cases, the consequences of data breaches, cyberattack disruptions and ransomware are high enough to warrant much concern. How much concern, and how much money should be invested in mitigating these risks, is the question a risk assessment answers.
At a certain level of risk and liability, "rolling your own" security isn't enough, and even if you have a great team, an extra set of eyes, a fresh perspective and formal tests and checks are invaluable.
It bears repeating because it's so important to get right: these are the keys to the castle. The more people that have access to more data, the more risk exposure grows. Limit and restrict access and abilities to only the minimum required to do the required tasks. This "Principle of Least Privilege" is key. Don't give anyone any more access than they need. If their situation changes (e.g. they leave the company or move departments), make sure their access is changed accordingly.
Plan ahead for the worst: who should do what when it happens, what they should do, and so on.
Don't forget to actually lock the doors! The more secure the better: locks, cameras, and employee awareness to look out for unknown and suspicious individuals.
2FA doesn't just mean a phone app like Google Authenticator, it also includes devices like smart cards, USB security keys you insert into devices or use to generate time-based codes, biometrics like fingerprint scanning and so on. Here is a good overview of physical security devices.
Not just your computer, but also your mobile phone, and all home Internet of Things products, and more. It doesn't do any good if you lock down your laptops but not your phones, etc.
If you're secure but your colleagues, family or friends aren't, they can be breached and attacks can get closer to you. Especially in work environments, security training and mindfulness must extend to everyone for the whole group to remain secure.