Train Your Employees
According to IBM, “95% of cyber security breaches are primarily caused by human error”. One way to help prevent human error is by providing security awareness training to your employees. Free security awareness training is available from the CDSE. For standard users, you can use the “Cybersecurity Awareness” e-learning course. For privileged users such as system and security administrators, you can use the “Privileged User Cybersecurity Responsibilities” e-learning course offered by the DoD Cyber Exchange.
Review User Account Permissions
Users should only have the access and privileges they need to complete their assigned duties. The more permissions and privileges a user account has, the more valuable it becomes to a hacker. It also gives users who are insider threats a greater ability to damage your business.
According to Gregory Leiby, an Information Security Professional, “understanding User and Group permissions is a standard practice in large organizations. It is also critical for small businesses as well. The difficulty is that one person might need permissions for several roles. It becomes critical to know exactly what permissions each User has, in order to understand the risks that are present.”
Businesses need to regularly review user group memberships, user account permissions, and user account privileges.
Restrict Cloud Sharing
More and more small businesses are moving to the cloud, including their important business files. This creates additional risk, because employees can easily share files outside of your organization with the click of a button.
Most cloud storage services, such as SharePoint and OneDrive, allow you to limit file sharing. In general, you should only allow file sharing within your organization. If another organization needs access to a file or folder, you can add its domain to your whitelist. Periodically review which files have been shared externally, and use file labeling capabilities where they are available.
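The tenant-wide settings described above, as an added example that is not part of the original article: it uses the SharePoint Online Management Shell to replace an "anyone with the link" configuration with sharing restricted to an allow list of partner domains, then lists the guest users and sites you would review periodically. The tenant name "contoso" and the partner domain "partner.example" are placeholders.

```powershell
# Added example (not from the original article): tighten tenant-wide sharing in
# SharePoint Online / OneDrive with the SharePoint Online Management Shell.
# Assumptions: the module is installed (Install-Module Microsoft.Online.SharePoint.PowerShell),
# you are a SharePoint administrator, and "contoso" / "partner.example" are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Record the current settings before changing anything.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    SharingDomainRestrictionMode, SharingAllowedDomainList

# Weak setting many tenants start with: anyone with the link can open a file with no
# sign-in, and new sharing links default to "Anyone". Shown for comparison only:
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing -DefaultSharingLinkType AnonymousAccess

# Corrected setting: no anonymous links, external sharing only with signed-in guests
# from an explicit allow list of partner domains, and links default to people in the org.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example' `
              -DefaultSharingLinkType Internal

# If no outside organization needs access at all, the simplest option is:
# Set-SPOTenant -SharingCapability Disabled

# Periodic review: which external (guest) users currently hold access, and which
# sites still permit external sharing at the site level.
Get-SPOExternalUser -PageSize 50 -Position 0 |
    Select-Object DisplayName, Email, WhenCreated, AcceptedAs
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability
```

Site-level sharing can never be more permissive than the tenant setting, so the `Set-SPOTenant` call is the control that matters; the two review queries are what you would re-run on a schedule to catch guests who no longer need access.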
Avoid Overusing Admin Accounts
Avoid using privileged accounts when performing non-privileged tasks. In other words, don’t use an account that has administrative privileges unless you are performing administrative tasks. We often see customers using Microsoft 365 accounts with Global Admin privileges for everyday work. Don’t do this, because it increases the likelihood of the Global Admin account being compromised. Employees with system or security administration duties should have both privileged and unprivileged accounts, and should only use the admin accounts when performing tasks that require admin privileges.
In many small businesses, employees often have local administrative privileges on their computers. In most cases they don’t require administrative privileges to complete their work, so you should revoke local admin privileges from your employees.
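The two reviews above (auditing which groups each account belongs to, and revoking local admin from everyone who does not need it) can be done with the built-in local-accounts cmdlets on a Windows endpoint. The following is an added example, not code from the original article; the approved-admin names, the list of groups treated as privileged, and the machine name shown in comments are constructed placeholders.

```powershell
# Added example (not from the original article): audit local group membership on a
# Windows endpoint, flag privileged memberships, and remove anyone from the local
# Administrators group who is not on an approved list.
# Requires the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10/11,
# Server 2016+) and an elevated PowerShell session.
$ApprovedAdmins   = @('Administrator', 'it-admin')   # assumption: your dedicated admin accounts
$PrivilegedGroups = @('Administrators', 'Remote Desktop Users', 'Backup Operators', 'Power Users')

# Step 1: one row per (account, group) pair, with privileged groups flagged.
$report = foreach ($group in Get-LocalGroup) {
    foreach ($member in Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Account    = $member.Name              # e.g. DESKTOP01\jsmith or CONTOSO\jsmith
            Source     = $member.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Group      = $group.Name
            Privileged = $PrivilegedGroups -contains $group.Name
        }
    }
}

# Show each account with the groups it belongs to, privileged memberships first.
$report | Sort-Object Account, @{Expression = 'Privileged'; Descending = $true} |
    Format-Table Account, Source, Group, Privileged -AutoSize

# Step 2: revoke local admin from everyone not on the approved list.
# -WhatIf only previews the removals; drop it once the preview looks right.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $shortName = ($_.Name -split '\\')[-1]   # strip the machine or domain prefix
    if ($ApprovedAdmins -notcontains $shortName) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf
    }
}
```

Keep the first report as a baseline and diff it against the next run: a new row in a privileged group is exactly the change a permission review is meant to catch. On domain-joined machines the same idea applies to Active Directory groups, but those are reviewed with the ActiveDirectory module rather than these cmdlets.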
Review Antimalware Settings
Most small businesses have antimalware software installed on their computers; however, in our experience it is either configured incorrectly, running on an expired license, or not installed on all of their endpoints.
Regarding antimalware, ensure that:
- all of your endpoints have antimalware software installed and that the licenses are active
- full scans are scheduled weekly and quick scans daily
- removable storage devices are blocked
- the signature database is updated as soon as a release is available or as soon as your software allows
- users are restricted from changing antimalware settings
- files are scanned when downloaded
- files are scanned before execution
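For endpoints running Microsoft Defender Antivirus, the checklist above maps onto settings the built-in Defender cmdlets can read and set. The following is an added example, not code from the original article; it assumes an elevated session, and the scan times and the one-day signature age threshold are assumptions you can adjust. A third-party product will need its own console for the same checks.

```powershell
# Added example (not from the original article): check a Windows endpoint running
# Microsoft Defender Antivirus against the antimalware checklist, then apply the
# settings the cmdlets can change. Assumes an elevated PowerShell session.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# One row per checklist item: what was observed and whether it passes.
$checks = @(
    [pscustomobject]@{ Check = 'Antivirus engine enabled';             Observed = $status.AntivirusEnabled;                  Pass = [bool]$status.AntivirusEnabled }
    [pscustomobject]@{ Check = 'Files scanned before execution';       Observed = $status.RealTimeProtectionEnabled;         Pass = [bool]$status.RealTimeProtectionEnabled }
    [pscustomobject]@{ Check = 'Files scanned when downloaded (IOAV)'; Observed = -not $pref.DisableIOAVProtection;          Pass = -not $pref.DisableIOAVProtection }
    [pscustomobject]@{ Check = 'Removable drives scanned';             Observed = -not $pref.DisableRemovableDriveScanning;  Pass = -not $pref.DisableRemovableDriveScanning }
    [pscustomobject]@{ Check = 'Signature age (days)';                 Observed = $status.AntivirusSignatureAge;             Pass = $status.AntivirusSignatureAge -le 1 }
    [pscustomobject]@{ Check = 'Quick scan age (days, daily)';         Observed = $status.QuickScanAge;                      Pass = $status.QuickScanAge -le 1 }
    [pscustomobject]@{ Check = 'Full scan age (days, weekly)';         Observed = $status.FullScanAge;                       Pass = $status.FullScanAge -le 7 }
    [pscustomobject]@{ Check = 'Users cannot change settings';         Observed = $status.IsTamperProtected;                 Pass = [bool]$status.IsTamperProtected }
)
$checks | Format-Table Check, Observed, Pass -AutoSize

# Remediation for the items Set-MpPreference controls. Tamper Protection (the "users
# cannot change settings" item) is enabled in the Windows Security app or via Intune,
# not through this cmdlet.
$hardened = @{
    DisableRealtimeMonitoring     = $false
    DisableIOAVProtection         = $false
    DisableRemovableDriveScanning = $false
    SignatureUpdateInterval       = 1           # check for new signatures every hour
    ScanParameters                = 'FullScan'  # the scheduled scan is a full scan ...
    ScanScheduleDay               = 'Sunday'    # ... run once a week (assumed day)
    ScanScheduleTime              = '02:00:00'  # assumed time
    ScanScheduleQuickScanTime     = '12:00:00'  # plus a daily quick scan (assumed time)
}
Set-MpPreference @hardened
Update-MpSignature   # pull the latest signatures now rather than waiting for the interval
```

Blocking removable storage outright (rather than scanning it) is a device-control policy applied through Group Policy or Intune, so it is not covered by the Defender cmdlets above; the removable-drive check here only confirms that anything plugged in is scanned.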
Uninstall Non-essential Software
The larger your attack surface, the easier it is for a hacker to successfully attack your business. One way to reduce your attack surface is to uninstall all non-essential software from your computers and servers. Software such as iTunes, Spotify, Steam, and three different web browsers are typical examples of non-essential software.
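An inventory is the first step of the cleanup above: you cannot remove what you have not listed. The following added example (not code from the original article) reads installed programs from the Windows uninstall registry keys and the Store package list, counts the browsers, and flags titles that match a non-essential list; that list is an assumption built from the article's examples.

```powershell
# Added example (not from the original article): inventory installed software on a
# Windows endpoint and flag non-essential titles. Assumes an elevated session so
# that per-user Store packages for all users can be read.
$NonEssential = @('iTunes', 'Spotify', 'Steam')                    # assumption: adjust for your business
$Browsers     = @('Google Chrome', 'Firefox', 'Microsoft Edge', 'Opera', 'Brave')

# Classic (MSI/EXE) installs register here: 64-bit, 32-bit, and per-user hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$inventory = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString

# Keep the full list as a baseline to compare against at the next review.
$inventory | Sort-Object DisplayName |
    Export-Csv -Path "$env:TEMP\software-inventory.csv" -NoTypeInformation

# Titles matching the non-essential list, with the command that removes each one.
$pattern = ($NonEssential | ForEach-Object { [regex]::Escape($_) }) -join '|'
$inventory | Where-Object { $_.DisplayName -match $pattern } |
    Format-Table DisplayName, Publisher, UninstallString -AutoSize

# How many browsers are installed? More than one or two is usually unnecessary.
$browserPattern = ($Browsers | ForEach-Object { [regex]::Escape($_) }) -join '|'
$installedBrowsers = $inventory | Where-Object { $_.DisplayName -match $browserPattern }
"Browsers installed: $($installedBrowsers.Count) ($($installedBrowsers.DisplayName -join ', '))"

# Microsoft Store versions of the same programs live in a separate package list.
Get-AppxPackage -AllUsers | Where-Object { $_.Name -match $pattern } |
    Select-Object Name, PackageFullName
# To remove a Store package for all users once reviewed, for example:
# Get-AppxPackage -AllUsers -Name '*Spotify*' | Remove-AppxPackage -AllUsers
```

Run the inventory before and after the cleanup and keep both CSV files; the difference is your record of what was removed, and the "after" file becomes the baseline for spotting software that creeps back in.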
Check Update Settings
Check the update settings on all of your computers and devices, and make sure that they are set to automatically install security patches. You should also configure software such as Adobe Acrobat and Google Chrome to update automatically.
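The check above can be scripted so it is repeatable across machines. The following added example (not code from the original article) reports whether Windows Update, Google Chrome and Adobe Acrobat DC on a Windows endpoint are set to update automatically, reading the Windows Update COM settings, the updater services, and the policy registry values that each vendor documents; the remediation lines at the end are commented out so the script is read-only until you choose to apply them. It assumes an elevated session and that Chrome and Acrobat were installed machine-wide.

```powershell
# Added example (not from the original article): report automatic-update status for
# Windows, Google Chrome and Adobe Acrobat DC on one Windows endpoint.
function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or value is absent, i.e. the policy is "not configured".
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Windows Update. NotificationLevel 4 = download and install on a schedule;
#    the AU policy key can override it (NoAutoUpdate=1 turns automatic updates off).
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wu    = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$noAuto = Get-PolicyValue $auKey 'NoAutoUpdate'
$windows = [pscustomobject]@{
    Product     = 'Windows Update'
    AutoInstall = ($wu.NotificationLevel -eq 4) -and ($noAuto -ne 1)
    Detail      = "NotificationLevel=$($wu.NotificationLevel); policy NoAutoUpdate=$noAuto; AUOptions=$(Get-PolicyValue $auKey 'AUOptions')"
}

# 2. Google Chrome: the Google Update service must not be disabled, and the
#    UpdateDefault policy must not block updates
#    (0 = disabled, 1 = always allow, 2 = manual only, 3 = automatic silent only).
$chromePolicy = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Google\Update' 'UpdateDefault'
$gupdate      = Get-Service -Name 'gupdate' -ErrorAction SilentlyContinue
$chrome = [pscustomobject]@{
    Product     = 'Google Chrome'
    AutoInstall = ($null -ne $gupdate) -and ($gupdate.StartType -ne 'Disabled') -and ($chromePolicy -in @($null, 1, 3))
    Detail      = "gupdate service=$($gupdate.StartType); policy UpdateDefault=$chromePolicy"
}

# 3. Adobe Acrobat DC: the updater service must not be disabled, and the
#    FeatureLockDown value bUpdater must not be 0 (0 disables updates).
$acroPolicy = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown' 'bUpdater'
$arm        = Get-Service -Name 'AdobeARMservice' -ErrorAction SilentlyContinue
$acrobat = [pscustomobject]@{
    Product     = 'Adobe Acrobat DC'
    AutoInstall = ($null -ne $arm) -and ($arm.StartType -ne 'Disabled') -and ($acroPolicy -ne 0)
    Detail      = "AdobeARMservice=$($arm.StartType); policy bUpdater=$acroPolicy"
}

$windows, $chrome, $acrobat | Format-Table Product, AutoInstall, Detail -AutoSize

# Remediation where AutoInstall is False (apply per machine, or push the same values by GPO/Intune):
# New-Item -Path $auKey -Force | Out-Null
# Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord
# Set-ItemProperty -Path $auKey -Name AUOptions    -Value 4 -Type DWord   # auto download and schedule install
# New-Item -Path 'HKLM:\SOFTWARE\Policies\Google\Update' -Force | Out-Null
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Update' -Name UpdateDefault -Value 1 -Type DWord
```

A "not configured" policy value shows as blank in the Detail column; that is fine for Chrome and Acrobat, which update automatically by default, but for Windows Update it means the machine is relying on its local setting rather than on policy, which a user with local admin can change.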
Upgrade Your Router
Many small businesses have simple routers that offer limited security capabilities. Upgrading your router to something like a Ubiquiti UniFi Dream Machine is relatively cheap, but the benefits are great: you get intrusion detection, intrusion prevention, advanced firewall protection, and other advanced security settings.
Use a Strong WiFi Password
If you have never reset the WiFi password at your small business’s office, you should do so today. There are tools available to hackers that let them bypass even modern encryption algorithms. You should change your WiFi password bi-annually to make it more difficult for hackers to crack it. When an employee who was previously given the WiFi password is terminated, you should also reset the password.
Don’t Ignore Physical Security
Make sure that important equipment such as servers and network equipment is stored in a locked room or closet. Have lockable file cabinets available for employees to store documents containing confidential or internal-use-only information. Have a good shredder available for employees to use. Install a key card entry system to ensure that only authorized personnel can access your facility, and escort all guests while they visit your office.