Millions of phishing e-mails are sent daily. Hackers from foreign countries are tirelessly trying to find openings in networks to exploit companies for Bitcoin. While larger companies, city networks, and hospitals tend to make the news, it is typically the smaller companies that get hurt the most.
There are several steps your company can take to protect itself:
Essential Software and Hardware Configurations
1. Ensure that you are protected with the four basic device protections:
- Anti-malware and anti-ransomware software on every device and appropriate server
- Web filtering on every computer
- Spam protection on every e-mail address
2. Install a dual/multi-factor password system for remote connectivity.
3. Confirm you have no open ports on your firewall. Ensure that you are using a VPN (Virtual Private Network) or an RD Gateway for all remote connectivity. Confirm that there aren’t any exceptions such as ones opened for vendors.
4. Properly configure FSRM (File Server Resource Manager) on your file servers. It is a fantastic tool for stopping the spread of ransomware should it get onto a device on the network.
5. Review your Active Directory monthly and remove any accounts belonging to non-employees.
6. Enable geo-fencing on your firewall and configure it appropriately for your business location.
7. Only allow admin rights on a workstation if absolutely necessary and you understand the risks.
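The FSRM item above (step 4) is the one that most benefits from a concrete configuration. The following PowerShell is an added example, not part of the original article or eDot's own tooling: it installs the role, defines a file group of ransomware-style file patterns, and applies an active file screen so that writes matching those patterns to the share are blocked and logged. The share path D:\Shares is a placeholder, and the pattern list is a short illustrative sample, not a complete or current one.

```powershell
# Added example (not from the original article): an FSRM file screen that
# blocks files with names/extensions commonly used by ransomware from being
# written to a share, and logs an event when a write is attempted.
# Assumptions: Windows Server with the FSRM role service available, and a
# share root at D:\Shares (placeholder path; adjust for your environment).

# 1. Install the File Server Resource Manager role service if it is missing.
if (-not (Get-WindowsFeature FS-Resource-Manager).Installed) {
    Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
}
Import-Module FileServerResourceManager

$shareRoot = 'D:\Shares'   # placeholder: root folder of the shares to protect

# 2. File group: illustrative sample of ransomware extensions and ransom-note
#    names. Keep this list maintained from a current threat-intelligence source.
$patterns = @('*.locky', '*.crypt', '*.encrypted', '*.wncry', '*.ryk',
              '*DECRYPT*.txt', '*HOW_TO_RECOVER*')
if (-not (Get-FsrmFileGroup -Name 'Ransomware Patterns' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Ransomware Patterns' -IncludePattern $patterns `
        -Description 'File patterns seen in ransomware infections'
}

# 3. Notification: write a Warning to the Application event log naming the
#    user and file, so the administrator or SIEM sees the attempt promptly.
#    [Source Io Owner], [Source File Path] and [Server] are FSRM variables.
$logAction = New-FsrmAction -Type Event -EventType Warning -RunLimitInterval 5 `
    -Body 'Ransomware pattern blocked: [Source Io Owner] tried to write [Source File Path] on [Server]'

# 4. Active file screen: -Active blocks the write instead of only logging it.
if (-not (Get-FsrmFileScreen -Path $shareRoot -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $shareRoot -IncludeGroup 'Ransomware Patterns' `
        -Active -Notification $logAction `
        -Description 'Block known ransomware file patterns'
}

# 5. Verify the screen exists and is active.
Get-FsrmFileScreen -Path $shareRoot | Format-List Path, IncludeGroup, Active
```

File screening matches on file names only, so it stops just the patterns already in the list and will not catch a strain that uses random or unlisted extensions. Treat it as one layer alongside the endpoint protection, backups, and access controls listed above rather than as the sole control.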
Best Password Practices
1. Ensure that your password policies are thorough. Passwords should be complex, more than eight characters, changed every three months (minimum), and accounts should lock after three incorrect attempts.
2. Confirm that admin, system, and service passwords are even more complex and changed every three to six months.
3. Never share or keep lists of passwords (secured password programs may be an exception). Never send a password through e-mail (even internally).
4. Ensure you have an on-boarding and termination checklist that addresses any password/access issues, including the disconnection and wiping of any mobile devices.
Understand Email Risks
1. Block access to all non-company e-mail sites (such as Yahoo or Gmail) for all employees.
2. If you do happen to click on a suspicious e-mail, but nothing seems to have happened, always tell your network administrator. Don’t delete the e-mail. Hold it for review.
3. Consider engaging a company that specializes in penetration testing and/or phishing education for your employees.
Running a business can be endless work, and it might seem more convenient to have easy-to-remember passwords, or to put cybersecurity on the “things to do” list. But leaving these actions on your low-priority list could have disastrous consequences. Take the time to ensure your business is protected.
Adapted from an article written by Steve Jaffe, co-founder and active partner of eDot, LLC, a large managed services provider in the Chicago area.