Cybersecurity is getting crazy. AI, automation and cryptocurrencies have combined to reduce the size a business needs to be in order to be profitable to attack.
Generally the attack takes the form of ransomware. Attackers find a way to isolate important databases or file stores and encrypt them. Make a transfer of a large sum of Monero to a drop wallet and they will decrypt it for you.
For almost all businesses their databases and file stores are in the cloud, protected by the large dedicated security teams of Amazon, Cloudflare, Google, Microsoft, etc. This means the weakest link is the access to those databases and file stores.
Your business premises and your staff are the hackers’ easiest avenue to gain access, so that’s where they focus their efforts and that’s why you require a multi-layer security strategy for protection.
Not everyone can afford a full-time security team or coverage from enterprise security vendors, but everyone can implement the basic must-haves for cybersecurity to reduce their risk while they find a cyber insurance provider.
What follows is a standard layered approach to security, starting with internet access and ending with your staff’s minds. If you’re missing any of these, make it a priority to put them in place.
Secure The Network Perimeter
Your connection to the internet. What traffic is coming in and what traffic is getting out.
What you need to do: Install a Network Firewall.
In this day and age we all know what a firewall is, right? Most modem/routers have a basic one. It will block automated vulnerability scans and other network attack vectors from the outside, and give you control over how machines inside your network can access external services. Handy if a machine does get compromised.
Business-grade routers with integrated firewall capabilities are available from vendors such as Ubiquiti (UniFi Security Gateway), or as entry-level appliances from security-focused vendors like Fortinet (FortiGate) and Sophos (XG Firewall).
Secure Your Local Network Access
This layer concerns how users and devices connect to your internal network, primarily via Wi-Fi.
What you need to do: Implement Secure Wireless Network Configurations.
This is straightforward:
- use WPA3 (or at least WPA2-AES) encryption,
- disable WiFi Protected Setup (WPS),
- change the default administrator password, and
- implement a separate, isolated guest WiFi network
Most business-grade Wi-Fi access points and routers from vendors like Ubiquiti, Cisco, TP-Link (Omada series), and Netgear (Business series) support these features.
Secure Your Devices and Software
This is the desktop/laptop/phone layer. Because these are complicated and vulnerable out of the box there are 6 things you need to do to secure these “endpoints”.
1. Keep Software Updated
Turn on automatic updates on all your machines and leave it on. Yes, it will occasionally be annoying as an update occurs when you have better things to do, but those annoyances will never add up to the amount of time and money a cyber attack will cost.
Microsoft has Windows Update for Business for OS updates. Microsoft Intune can provide more comprehensive update management across devices and some third-party applications.
Apple sends out security updates regularly. You can set your Apple devices to automatically apply security updates while keeping OS updates manual.
2. Use Endpoint Protection Software.
This is your virus scanner/malware detector like CrowdStrike Falcon. You run these because vulnerabilities (“0-days”) can happen at any time and who knows if visiting a website or opening an email has compromised a machine.
Endpoint protection software notices when file or network requests suddenly appear from a new program or an existing program seems to be behaving differently, likely trying to scan ports on other machines in the network.
They do create processing overhead and their scanning can get in the way, but what can you do? Leave yourself wide open?
Windows has Microsoft Defender (built into Windows), with additional threat and management capabilities in Microsoft Defender for Business. There are also third-party solutions such as ESET Endpoint Security, Trend Micro Apex One, Sophos Intercept X, and, as mentioned earlier because of its famous fumble, CrowdStrike Falcon.
3. Enable Per-device Firewalls.
This helps in the situation where you end up with a compromised device on your network. There is probably no good reason for Machine A to be connecting to Machine B on your intranet. All shared resources are in the cloud, right?
Using an on-device firewall to block traffic from local machines, and also report when blocking events occur, protects your intranet from a compromise spreading.
Firewalls are part of most endpoint security suites, and Microsoft Defender also offers basic firewall functionality.
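To make the "report when blocking events occur" part concrete, here is an added example (not from the article, and not any vendor's tooling) that reads the plain-text log Windows Defender Firewall can be configured to write (pfirewall.log, assumed here to use its standard "#Fields:" header) and lists internal machines whose inbound connections were dropped by several different peers or ports, the pattern you'd expect from a compromised device probing the intranet. The log lines are constructed for the example, as if gathered from several endpoints, and the RFC 1918 ranges are used to decide what counts as "inside".

```python
"""Flag an internal machine whose connections neighbours' firewalls keep dropping.

Added example, not from the article and not any vendor's tooling. It assumes the
plain-text log Windows Defender Firewall can be configured to write (pfirewall.log),
whose "#Fields:" header names the columns. The log lines below are constructed, as if
gathered from several endpoints' logs, and do not come from a real network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges we treat as "inside the building" (RFC 1918); a drop from anywhere
# else is the perimeter firewall's business, not a sign of a compromised colleague.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample: 192.168.1.50 is knocking on SMB (445) and RDP (3389) of four peers,
# 192.168.1.31 touched one peer once, and 203.0.113.9 is an outside scanner.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 09:12:01 ALLOW TCP 192.168.1.20 142.250.74.46 51001 443 0 - 0 0 0 - - - SEND
2024-03-04 09:12:03 DROP TCP 192.168.1.50 192.168.1.20 50321 445 52 S 117 0 8192 - - - RECEIVE
2024-03-04 09:12:03 DROP TCP 192.168.1.50 192.168.1.21 50322 445 52 S 118 0 8192 - - - RECEIVE
2024-03-04 09:12:04 DROP TCP 192.168.1.50 192.168.1.22 50323 3389 52 S 119 0 8192 - - - RECEIVE
2024-03-04 09:12:05 DROP TCP 192.168.1.50 192.168.1.23 50324 445 52 S 120 0 8192 - - - RECEIVE
2024-03-04 09:12:09 DROP UDP 203.0.113.9 192.168.1.20 40000 161 78 - - - - - - - RECEIVE
2024-03-04 09:12:10 DROP TCP 192.168.1.31 192.168.1.20 49999 445 52 S 121 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per log line, keyed by the column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appeared before the #Fields: header")
        values = line.split()
        if len(values) == len(fields):        # silently skip truncated lines
            yield dict(zip(fields, values))


def is_internal(addr):
    """True if the address falls in one of the RFC 1918 private ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_internal_probers(text, min_targets=3):
    """Return {source-ip: sorted [(dst-ip, dst-port), ...]} for internal sources whose
    inbound packets were DROPped against at least `min_targets` distinct host/port pairs.
    One dropped packet is noise; one source hitting many neighbours on admin ports is not."""
    targets = defaultdict(set)
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue
        if not is_internal(rec["src-ip"]):
            continue
        targets[rec["src-ip"]].add((rec["dst-ip"], rec["dst-port"]))
    return {src: sorted(hits) for src, hits in targets.items() if len(hits) >= min_targets}


if __name__ == "__main__":
    for src, hits in find_internal_probers(SAMPLE_LOG).items():
        print(f"ALERT: {src} was blocked by {len(hits)} host/port pairs: {hits}")
```

Run against the sample, only 192.168.1.50 is reported; the single drop from 192.168.1.31 stays below the threshold, and the outside scanner is ignored because it is the perimeter firewall's job. In practice you would point it at the logs your endpoint suite or MDM collects centrally, not at one machine's file.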
4. Use device encryption, at the very least on laptops
It is unlikely a “hacker” will break into your business to steal a computer with data on it. If you face that level of threat you’re probably not even reading this article.
Laptops, being out in the world, have a higher chance of being stolen. They can also be accidentally left behind.
Encrypting hard drives so that the data can’t be read without a password or key is the solution to this.
Microsoft has BitLocker Drive Encryption for this, and recovery keys can be managed via Microsoft Intune if you’re worried about getting locked out. Apple has FileVault for hard drive encryption, while Google’s ChromeOS devices are encrypted by default.
5. Enforce the Principle of Least Privilege
This is simply granting users only the minimum system permissions they need to fulfil their role functions on the machine(s) they use.
The basic move is not giving admin accounts to users. If they don’t have full access over the machine, any code run during one of their sessions doesn’t have full access either. This limits the damage that a compromised account can cause.
6. Establish Basic Mobile Device Security for Accessing Company Data
This is for phones and tablets, whether they’re company-owned or personal (BYOD). It means making sure everyone is using strong passcodes or biometric authentication, device operating systems are kept up-to-date, application installs are monitored, and a VPN is used when connecting to public Wi-Fi networks.
All major providers offer Mobile Device Management (MDM) and Mobile Application Management (MAM) solutions; Apple, Microsoft, and Google each provide their own.
Secure Access to Applications and Services
This layer focuses on how users access your business applications and cloud services, and that is via passwords. Passwords scribbled on post-it notes are not going to work in a team environment, plus you can’t copy and paste (yeah, yeah, you can with your phone…).
What you need to do: Implement password managers and add multi-factor authentication.
For password managers, it’s straightforward:
- Deploy a team-based password manager solution across your business
- Mandate its use across all services
- Share credentials securely between team members when needed
- Ensure employees can access passwords across all their devices
For multi-factor authentication (MFA):
- Enable it everywhere you can, but especially for cloud providers, email and financial applications
- Only use authenticator apps or security keys.
- Never use MFA via SMS.
- Make it mandatory for all users
Team-based solutions include 1Password Business and Bitwarden Teams. For MFA, Google and Microsoft both have authenticator apps, and Microsoft also offers Microsoft Entra multifactor authentication with its Microsoft 365 plans.
Strengthen Your Human Defenses
This layer acknowledges that your employees play a key role in how secure your business is. You might think you can’t install software on them, but that’s exactly what training does.
Most of the threats are going to come in via email, but in this age of easy deepfakes, phone calls and video calls are also vectors.
What you need to do: Train your staff and protect your email.
For training:
- Run regular cybersecurity awareness sessions
- Teach employees to recognise phishing and social engineering attempts
- Create a culture where reporting suspicious activities is encouraged
- Consider establishing verification pass phrases that employees can use to confirm identities during calls if security or finances are involved. So old-fashioned. But it’s also our future.
For email protection, the major providers, Microsoft and Google, actively scan all email, but they can't catch everything. That's why you have endpoint protection in place.
Protection and Recovery of Business Data
This layer ensures your essential data stays safe and can be restored if needed. You need backups. You need proof you can restore from those backups in a reasonable amount of time at any moment.
What you need to do: Set up regular backups, practice restoring.
For backups:
- Follow the 3-2-1 rule: three copies, two different storage types, one off-site
- Test your backups regularly to make sure they can be restored
- Keep backups separate from your main network to protect from ransomware
- Make sure all your backup systems are protected by MFA.
Microsoft offers Microsoft 365 Backup and Purview Data Loss Prevention. Google provides Data Loss Prevention for Google Workspace. For comprehensive backup solutions, consider Veeam Backup or Backblaze Business Backup.
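"Test your backups regularly" is the step most often skipped, because nobody says what a test is. Here is an added example (not from the article, and not any backup vendor's tooling) of the minimum: hash every file in the live tree, back it up, restore the backup somewhere else, and compare digests, so a backup that completed "successfully" but is missing or corrupted (say, encrypted by ransomware before the job ran) fails loudly and names the file. It builds a constructed sample tree in a temporary directory standing in for the real data and the backup target; the same functions work on real paths.

```python
"""A restore drill: hash the live tree, back it up, restore it elsewhere, compare.

Added example, not from the article and not any backup vendor's tooling. It builds a
constructed sample tree in a temporary directory that stands in for the real data and
the backup target; the same functions work on real paths.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under `root` (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def back_up(src, dest):
    """Stand-in for the backup job: a plain copy of the tree."""
    shutil.copytree(src, dest, dirs_exist_ok=True)


def verify_restore(live, backup, restore_target):
    """Restore `backup` into `restore_target`, then diff against the live tree.
    Returns (ok, problems) where problems lists files missing, extra, or with a
    different digest. A 'successful' backup job that fails this is not a backup."""
    shutil.copytree(backup, restore_target, dirs_exist_ok=True)
    want, got = build_manifest(live), build_manifest(restore_target)
    problems = (set(want) ^ set(got)) | {p for p in want if p in got and got[p] != want[p]}
    return (not problems, sorted(problems))


def run_drill(tamper=False):
    """Build a sample tree, back it up, optionally corrupt one backed-up file the way
    ransomware or a bad disk would, and return verify_restore's verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, backup, restore = tmp / "live", tmp / "backup", tmp / "restore"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2024-03-01,120.00\n")
        (live / "notes.txt").write_text("constructed sample data\n")
        back_up(live, backup)
        if tamper:
            (backup / "accounts" / "ledger.csv").write_bytes(b"\x00\x00not-the-ledger")
        return verify_restore(live, backup, restore)


if __name__ == "__main__":
    print("clean backup:", run_drill())
    print("corrupted backup:", run_drill(tamper=True))
```

Record the result and how long the restore took each time you run it; that timing is the "proof you can restore in a reasonable amount of time" the section asks for, and the manifest of the live tree is worth keeping on the off-site copy so it can be checked without the original.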
Establish Basic Security Governance and Response
This layer involves having plans in place for possible incidents. If your security does fail, you want to be able to move quickly and minimise disruptions.
What you need to do: Create and document your incident response plan.
For incident response:
- Create a plan for what to do when security incidents occur
- Identify key contacts and detail the steps to take
- Practice the plan occasionally (even just a quarterly walk-through around a table) so everyone knows their role
Microsoft provides security guidance documentation and Purview Compliance Manager. Google offers best practice security recommendations for Google Workspace.
Security is a lot, isn’t it?
This “basic” list probably already feels overwhelming. You may have simply scrolled all the way down here just to see if it was really worth reading.
It is a long list, but if you look through it, mainly it is about making a decision and implementing it. Then it’s just monitoring and checking in on it every quarter. And never trusting an email or incoming Zoom call ever again.
Because keeping your business safe requires constant vigilance and the software tools to enhance it.