October 15, 2017 – Cybersecurity is not ONLY about responding to a ransomware or hacker but being prepared to prevent it from happening. When you are prepared to prevent an attacker for entering your computers or network, you make it difficult for them to be successful. For an attacker that means they will have to spend more time trying to get what they want. If it is simply to hold your computer and information for ransom, then they will likely move on. If it is your information that they want, they will expend the extra time to get it. But who said you had to make it easy?
So, what can you do? Well, a lot. But don’t despair. It may not cost you a lot to implement. Let’s follow the National Institute for Standards & Technology (NIST) Cyber Security Framework. In the framework there are two areas that are easily addressed. Identify and Protect.
Asset Management – Get a list of EVERYTHING that processes information electronically. It could be a security camera connected to your network, your computers & servers, a printer, all you network devices, etc. Record what it is, what operating system (Windows, Linux, macOS, etc) and what software is installed on it (Office 2016, Adobe Reader, Adobe Flash, and the other programs you use). If it is a device like a printer or a security camera, record the brand and determine the firmware version.
Maintenance – Update your software and firmware when new version are available as they may address security flaws in the software. For Windows and other applications, updates are provided monthly. Others, not so often. Check with the developer and see if they have an email list you can join to be notified when there are updates.
The longer a security flaw remains in your software or firmware the easier you make it for an attacker to be successful in taking or ransoming your information. But by doing these two things, you have done a lot to protect your information and taken a proactive stance in preventing an attack from being successful.
If you need assistance, let us know. We’ll be glad to help you become proactive!
Here are some simple methods that won’t deplete your profits and apply to businesses of all sizes (1 person to 100,000 employees).
1. Encrypt your mobile devices. Laptops, tablets and cell phones are treasure chests full of goodies. We store everything on them. The days of the rolodex and the personal organizer/binder have given way to the electronic organizer. It used to be that if we misplaced or day planner we would feel lost and maybe even anxious as a lot of information was stored in that book.
All that information has migrated into the digital age and is now present on all sorts of mobile devices. Newer phones have enough processing power in them to encrypt the contents of the phone until the device’s owner enters a password to decrypt them. The encryption is part of Android and Apple IOS. It is also possible to encrypt the hard drive of your laptop in a similar manner. If you use Microsoft Windows, spend a little extra money and purchase the professional edition. It includes BitLocker, Microsoft’s utility for encrypting hard drives.
If you lose the mobile device, you are not likely to lose the encrypted information to unwanted eyes.
2. Use complex unique passwords for every account. I know, I know! I hear it all the time. I have this large number of accounts that I need to remember, how do I do it? There are number of articles out there for crafting complex passwords that are easily memorized. However, I offer that you only need to remember one or two. Use technology to help you create and remember the rest.
Use password managers such as Sticky Password, LastPass, KeePass, etc. Each offers certain capabilities that should fit with your business model. Check out http://lifehacker.com/5529133/five-best-password-managers for a review of some popular ones.
For the one or two passwords you need to remember, create passwords that really have nothing to do with you. One of the first things an attacker will do is profile their target. Anything on the Internet about you can be used against you to build a list of words. So when you choose a password, don’t use your favorite team, vacation place, family member names, etc. For example choose three or four letter character unique nouns that are some related, but not directly. Maybe you have three foods you don’t like, lasagna, buffalo wings, and prunes. These three items make an excellent password as it is something you are not likely to write to the world about. So let’s make a password out of it….
or plainly buffalo prune lasagna. (sounds nasty!) But it is a set of words that when in plane text don’t make sense and if you apply some character substitution to them it becomes a long (in this case 19 character) complex password. Come up with a consistent method in changing the letters. In this example I:
Choose a similar way to develop your own password and apply your own password style and use that password to control access to your password manager. Then let the password manager create complex random passwords for everything else.
These are just two quick examples of KISS that improve information security and don’t require a lot of cash. I will write more examples in later posts.