[BreachExchange] Protect Your Business From Hackers at Points of Vulnerability

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 22 20:28:39 EDT 2017


http://www.business2community.com/cybersecurity/protect-business-hackers-points-vulnerability-01901720

Every business, regardless of its size or how well it thinks it is doing on
cybersecurity, is vulnerable to hackers. There are points of vulnerability
all over your company, from top to bottom.

You need to protect these points of vulnerability, encrypt your data, and
get yourself and your employees up to snuff. Let’s get to work on protecting
your business, from a solopreneur project to a startup with dozens of
employees!

Protect your business from hackers

Knowing what the risks are

The first thing you should do is know what the three biggest risks are. If
you don’t know where you are vulnerable you cannot protect yourself. The
most common issues faced by businesses are:

- Phishing: This is when hackers send messages through email, or social
media, which appear to be genuine. They can appear to come from the CEO,
from an internal security agency, or anyone else with authority. They will
then prompt the person that is being phished to give over important
information. This shows that one of your most vulnerable points is your
employees, and human error.
- Malware: This is when a hacker has the opportunity to install malicious
programs on your computer network. This commonly happens when an employee
downloads something onto one of their machines that they should not.
Malware can also gain access through advertising on the Internet.
- System hacking: This may sound really fancy, but the most common form of
system hacking is done with a brute-force tool. These tools try to guess the
login details for your systems, especially passwords. They simply guess
thousands of times per second until they get it right.

These three issues are the most common forms of hacking against a company.
They are not particularly sophisticated, nor do they need to be, as so many
companies leave themselves vulnerable.
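As an added example (not part of the article), the following shows how a defender can spot the brute-force pattern described above in login records and slow it down. The log format, IP addresses and thresholds are constructed for illustration:

```python
# Added example: detect and throttle brute-force login guessing.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of login records (not real data):
# "<ISO timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2017-08-22T20:28:01 FAIL user=admin src=203.0.113.7
2017-08-22T20:28:01 FAIL user=admin src=203.0.113.7
2017-08-22T20:28:02 FAIL user=admin src=203.0.113.7
2017-08-22T20:28:02 FAIL user=root src=203.0.113.7
2017-08-22T20:28:03 FAIL user=admin src=203.0.113.7
2017-08-22T20:28:05 FAIL user=jsmith src=198.51.100.4
2017-08-22T20:28:40 OK user=jsmith src=198.51.100.4
2017-08-22T20:29:10 FAIL user=admin src=203.0.113.7
"""

def parse(line):
    """Split one record into (timestamp, result, user, src)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: peak failures} for every source that produced at least
    `threshold` failed logins inside a sliding window of `window_seconds`.
    A user who mistypes once or twice never reaches the threshold; a tool
    guessing many times per second trips it almost immediately."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        ts, result, _user, src = parse(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop stale ones
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def lockout_delay(consecutive_failures, base=1.0, cap=300.0):
    """Seconds to wait before accepting the next attempt. Doubling the wait
    after each failure turns 'thousands of guesses per second' into a
    handful per minute, which is the whole point of the control."""
    if consecutive_failures <= 0:
        return 0.0
    return min(cap, base * 2 ** (consecutive_failures - 1))

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))               # {'203.0.113.7': 5}
    print([lockout_delay(n) for n in range(1, 7)])     # [1.0, 2.0, 4.0, 8.0, 16.0, 32.0]
```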

Encrypting your company data

Finding ways to encrypt all of your company data, at all times, is
essential to protecting your business. Here are the most vulnerable times
for your information and when it should be encrypted:

- Full disk encryption: Most operating systems ship with an encryption
feature built in. All you have to do is turn on full disk encryption on your
individual machines and it protects any data stored on them. It doesn’t slow
the machines down, it doesn’t make your employees less productive, and it
still protects your business. Learn about full disk encryption for Mac and
for Windows.
- Public Wi-Fi: From time to time, you’re going to find yourself using
public Wi-Fi for business reasons. At times like these, you need to turn to
the corporate VPNs that companies have been using for decades. These tools
encrypt your data from its source on your computer all the way to the server
you’re connecting to. You cannot neglect this type of encryption because of
the man-in-the-middle attack, including its fake WAP (wireless access point)
variant. These take place specifically on public Wi-Fi networks that you
think are secure but that are actually controlled by a hacker.
- Cloud storage: You cannot automatically assume that your cloud storage
provider encrypts and protects your data. You need to choose cloud storage
providers such as SpiderOakOne, Certain Safe, and Sync.com.

These are the three points at which you need to make certain that you have
encryption on your side. Hackers can’t stand it when you use encryption. It
makes their job difficult, and when their job is made difficult, they move
on to another target.

Securing the hardware of your business

Sometimes, it doesn’t come down to any sort of fancy computer skills. Some
of the worst hacks happen because hardware is not secured. You have to make
sure that your devices are physically locked down.

Device locks

The first step in physically locking down your machines is using something
like Kensington lock ports. These physically tie your machine down to a
desk. They’re not foolproof, but they certainly slow someone down who is
trying to steal your device. Again, slowing a hacker down makes their job
more difficult and makes them more likely to move to another target.

The other type of device lock that you need to look at is digital locks. I
am referring to your machines requiring some sort of password in order to be
opened. These digital locks can help you out when your physical locks fail
you.

Server room locks

If a hacker ever gets access to your server room, it’s all over. Once in
there, there is an absolutely limitless number of things they can do to
compromise the security of your business. It’s almost as if the last line of
defense is a simple lock on a door. You’re going to need to:

- Limit the number of people who have access to your server room.
- Install a door which automatically closes.
- Install a door which automatically locks when it closes.
- Make sure that your employees know the importance of this door being
locked and closed, and not propped open.

Making sure that the server room is locked is not sexy, but that door is a
definite point of vulnerability for your business.

Change your company culture

In the old days, most company culture security practices began and ended
with a sign that said “No employees beyond this point.” And that was it,
you made sure that your employees knew that no one went beyond that point.
That obviously no longer cuts it.

Here is how you will change your company culture:

- Have a formal Internet policy and train your employees. Make sure that
there are consequences for those who breach it so that it has meaning to
them. Tell people what can and can’t be accessed within the office. Cover
attachments, apps, personal email, and the devices used.
- Make each employee aware of how their position is vulnerable to hackers.
Your cashiers need to be aware of POS scams, while your office staff need
to be aware of access control and badge use.
- Have regular briefings on new threats that could impact any member of
your team. Keep briefings targeted rather than addressing everyone: someone
in accounting has plenty to worry about without getting updates on the night
staff leaving doors open.
- Make sure that the information they get comes from an expert on your IT
team. Have a lead contact on the team, and try not to let management with
little knowledge guide policy or assist employees. Your team deserves a
competent, knowledgeable, and adaptable employee. They deserve better than a
half-knowledgeable manager reading from a policy.

If this doesn’t change your company culture, you need to change the
employees who don’t get in line. Out of everything discussed above, it
always comes down to your employees’ actions.