Navigating the digital world is no easy feat. With threats seemingly lurking around every corner, and attackers finding new ways to infiltrate systems on a practically daily basis, it’s hard to know what you should be doing to keep yourself and your business safe and secure.
But that doesn’t mean that the latest advancements in technology should be avoided, or that you should become a recluse who never goes online. There are a few quick and easy steps that you can take (and some that you never should) to protect your business devices, data, communications, and your business overall.
Without any further ado:
Taking these simple steps will help you to protect yourself in all of your online transactions.
The more characters, and the more different types of characters (letters, numbers and punctuation marks, for example) the better. But, at the same time, you want to either use a password manager, or ensure that your passwords are memorable. Otherwise, all that’s going to happen is you’ll keep forgetting what your passwords are and need to reset them every time.
How long would it take to guess your password? Read our blog to find out.
It’s no longer enough to just have a password protecting your account. Passwords can be broken, even if longer ones do take more time to crack. It’s also entirely possible for attackers to gain access to your password in other ways, making its length a moot point. But when your accounts are secured in more than one way, it’s far more difficult for an attacker to gain all the information he or she would need for unauthorised entry. This is where multi-factor authentication (or MFA) comes in. It ensures that whenever you login using a password, you also have to provide a second piece of information which is sent to a separate device or email address, which the attacker hopefully won’t have access to.
Anti-virus programs have come a long way over the years, and tools like Defender for Microsoft 365 have come even further. Where your average anti-virus refers to a database of known threats each time it runs a scan on your machine, Defender takes this a step further by proactively protecting your email addresses and your devices. It stops you from clicking on dubious-looking links and suspicious attachments. While most protection tools will detect a virus or malicious software that has been installed, Defender tries to stop you from installing it in the first place. There are even options to train your teams by sending them fake phishing mails and seeing which of your employees fall for them.
There are many different types of email attacks, each of which carry varying degrees of threat. Spam, for example, though extremely annoying, is actually relatively harmless advertising. Phishing mails that come from strangers on the internet are also fairly easy to detect and avoid. But it’s the mails that claim to come from people we know that can cause the most damage.
These fall into two main categories: email impersonation and email hacking. In the first case, an attacker claims to be someone you know, but if you look closely at their email address, you’ll find that there might be one character that differs. Or it might come from g-mail instead of gmail.com. Or perhaps it’s coming from gmail.com instead of their usual business domain. In all of these cases, it can be fairly easy to tell that you’re not really emailing your friend or colleague, but a stranger pretending to be them.
Email hacking on the other hand is a little harder to identify. This takes place when an attacker actually gains access to your colleague or friend’s address, and sends emails from it. In this case, the email address itself will be legit, but what they are asking for will seem suspicious, and this is where some of the other do’s and don’ts in this article will come in handy.
If something in a mail seems a bit suspicious, pick up the phone. No one will mind you taking the extra precaution – they’ll usually appreciate that you’ve taken the time to double check. But, on the off chance that their mailbox has been hacked and they’re not the ones who sent the email you received, you can save yourself and your business a great deal of heartache by taking the extra step and confirming any changes or details telephonically.
In fact, if an email requests confirmation of personal information like your ID number, date of birth, contact number or personal address, it’s often best to provide this information telephonically in any case. You never know who may be watching or waiting to intercept your mail, from your end or the receiver’s side.
Everyone knows that updates are an absolute pain in the backside. They always come up at the most inconvenient times, and can see you having to restart your devices two or three times before your duty is done.
But it is essential to install these updates as soon as they become available.
Updates often include security patches which fix vulnerabilities in your software and devices. These vulnerabilities are often doorways for attackers to exploit, allowing them access to your machine without you even being aware of their presence. The sooner you can close these doorways, the more secure your systems and your business will remain.
Outdated software is just one risk that putting cyber hygiene in place can take care of. Find out more in our blog.
Whether you’re backing up to the cloud, to an external device, or to an on-premises storage solution, the more often you perform cloud backup, the more complete your data will be. You never know when disaster may strike, or what form it will come in. The last thing that you want is to lose information that’s critical to your business operations, or lose documents that you’ll have to spend hours on end recreating.
On top of making sure that the right information is recoverable, you also want to regularly clean out your devices of unnecessary documents, apps and information. You may, for example, have passwords stored in your password manager for platforms that you haven’t visited in years. Those apps on your phone that you downloaded once upon a time and have actually never opened? DELETE! Getting rid of the clutter will not only see you being more organised and potentially more productive, but it will be one less piece of information or software that attackers can use to their advantage.
Performing regular backups is only one step in the process. You want to make sure that even when the worst-case scenario comes true, your business operations are back up and running as quickly as possible. This means putting plans in place not only for backing up and storing information, but recovering it as well. From defining the folders that need to be saved, to assigning and training the responsible teams, to ensuring employees know how to recognise an attack and who to call when that happens, investing in a Disaster Recovery Plan is essential for any business, big or small.
Here are a few items that should be on every company’s Disaster Recovery Plan checklist.
Sometimes the key to success is to REPEAT, REPEAT, REPEAT. Once-off training is all well and good for some scenarios. But the digital world is constantly moving and changing. The best practices that you might have put in place last year could become the worst possible response tomorrow. I kid you not. That’s how fast technology moves, and how quickly attackers are finding ways to turn security practices on their heads. So it really is best to conduct regular training that delves into the latest threats to your business, and the best ways to address them.
Now that we’ve gone through 10 of the proactive steps that you can take to protect yourself and your business, let’s look at some of the practices you should avoid at all costs.
Even if it’s someone you completely trust. Even if it’s your mother. Just don’t do it. First of all, you never know who may have access to an email address, or if the person you’re emailing has had their address hacked. Secondly, even if you’re giving someone your password over a phone call or in person, how can you ensure that they will keep it secure?
Most platforms will have an option to add an extra user or create another set of login details. This should be your first choice wherever possible – giving the person their own access, rather than sharing yours. If that really isn’t possible and you really need to give someone your login details, be very, very careful about it. There are platforms like Password.Link which allow you to send encrypted messages with once-off links, ensuring that the person you email the link to can only open it once and never again. This reduces the risk of someone who may be monitoring their email address accessing the details and making use of them.
So you’ve found the perfect password. One with just the right number of different letters and characters, that you can remember without a hitch. That’s fantastic. But I’m sorry to say that you should only use it once.
Reusing passwords, even great ones, across multiple sites opens you up to attack across multiple platforms. It’s not uncommon for sites or apps to fall victim to identity theft, resulting in their clients’ confidential information (such as their personal details or their user credentials) to become leaked. And if this does happen, you want to make sure that the password you used for one site will give an attacker as little access as possible. This means using different secure passwords for each site that you use, especially where business or personal data is involved.
In the old days, we would have told you not to leave printouts of confidential information sitting on your office desk for anyone to see. But how many people actually print information any longer? Data is digital, and leaving it ‘lying around’ could mean forgetting to lock your computer screen, or neglecting to check that you’re sending an email to the right person.
This applies to both business data, and personal information (which I’ll discuss in more detail a little further down). Be mindful of who you share documents and data with, and make sure that when you do access information on one of your devices, you close any windows that contain sensitive data, or lock your screen, before you move onto something else.
These days, it’s not just strangers’ emails that you need to be wary of. You need to be critical of any links and attachments that you receive, which is why it’s so important to check the from address in mails as I suggested above.
But emails from strangers are the easiest to notice. If you get a mail from someone you don’t know, or an address you don’t recognise, asking you to click on a link or open an attachment, DON’T.
Easier said than done in business, I know. After all, you want to make sure that you’re responding to prospective clients, and the likelihood is that you won’t know their names. But there are more cautious ways to approach prospects. If a prospective client emails you, follow up with a phone call rather than clicking on a link. If you want to view their website, type it into your browser rather than clicking, since it’s all too easy for a link in an email to redirect you to an unfamiliar site.
It’s very tempting to tell you not to use public wireless networks at all, since they are inherently insecure. I know that it’s extremely convenient for you to check your mail free of charge over your morning cup of coffee at your local café. If you want to open yourself up to a Man in the Middle attack, be my guest, though I don’t think that you’ll much like the consequences if you do become a victim.
But, if you are using a VPN, which adds an extra layer of encryption and security to any traffic that flows over the network, then you’re protecting yourself, and can go ahead and connect to just about any free network you like. Though, I’d still be wary of ones that aren’t attached to businesses nearby.
Social media has its benefits. It can help people stay connected across continents. It has the potential to boost communities through shared experiences, and it can help businesses to grow in a number of different ways. But the scourge of social media is public posts.
Every piece of information that you make available to the public is another opportunity for attackers to learn more about you, and become better at impersonating you. Social engineering is a very real phenomenon and a very real threat to business operations. So do yourself a favour – when you use social media, make sure that your posts are private, and only add those who you know and trust to your friend lists.
Learn more on how you can avoid social engineering attacks work in our blog.
We’re in an electronic era, where even Mr Price has stopped printing our receipts, preferring to email them to you instead. Getting bills and invoices by snail mail is fast going the way of the dinosaur. But just because you’re sent an invoice over email does not mean that it’s legit.
Any email that asks you for payment, particularly to an unfamiliar bank account, should be viewed with suspicion. Phone the company that’s asking you to pay, and confirm your account status or their banking details telephonically to ensure that nothing’s out of the ordinary.
If it’s an online transaction, see if you can’t arrange to pay via the company’s website rather than making an EFT. And I don’t mean that you should click on the link in the email – remember, that’s another strong DON’T. But if you get an invoice from, for example, Mr Price, that needs to be paid, go and type “https://www.mrp.co.za” into your browser, sign in, and pay for the outstanding invoice directly from their site.
The same way that you should never access public Wi-Fi without a VPN, it’s in your best interest to never make an online purchase on a public machine. Don’t stop into an internet café (if those still exist) to quickly make an EFT. Don’t borrow a business’ laptop to log into your online banking and transfer money. Leave those kinds of transactions for your own devices. You never know what cookies other devices may be storing, and how they handle your private financial details. You also never know who may be looking over your shoulder or spying on the browser history.
It’s all too easy for someone to install ransomware on a machine. At least you know where your own devices have been, who’s been using them, and what has been downloaded on them. This will allow you to protect yourself as far as possible.
I know that I come across as intimidating… I kid. IT Teams can come across as hard asses (excuse my French) when it comes to security, but the fact is that they’re there to help. Particularly when you work with an IT helpdesk like Solid Systems’, no question is ever too ‘stupid’ or too small to be asked. We’re here to help you however we can. If you come across an email that looks dodgy, or are not sure how to handle common cyber security challenges (or any other IT situation for that matter), you can always turn to us and we’ll be more than happy to help.
Let us make cybersecurity a priority for your business
Keeping yourself and your business safe and secure in this digital world should be one of your top priorities. But it’s not something that you need to handle on your own. When we talk about IT services at Solid Systems, we offer so much more than simply managing your infrastructure. One of the first steps that we take is to understand your business inside and out, and spend our time strategically planning your technologies to ensure that your business is safe, secure, and covered for any disasters that might come your way, including cyber attacks.