A dodgy website plugin brought the reality of cyber threats close to home for Lisa McAully. Here’s how to protect yourself.
You know things are serious when you get an email with SHOUTY CAPS in the subject line that demands immediate action.
“Issue(s) Detected With Your Website. TAKE IMMEDIATE ACTION”
Oh dear. Then it gets worse.
“Malware detected. We recommend you remove malicious code from your website as soon as possible.”
In this case, it was an easy fix (an old plugin turned rogue). But the potential impact was significant. For me, no online presence means no shop-front: cue missed leads and reputational damage, plus heartache and stress.
So what’s a soloist to do when faced with cyber threats? Start with these five simple steps.
1. Do you need to do passwords differently?
Do you know how many passwords you have? My count surprised me.
Is each of your passwords secure and unique? If you’re like most people, the answer is probably not.
According to the Intel World Password Day Survey 2016, employees have an average of 27 passwords to remember. Industry player LastPass suggests the number is much higher. In a report released in 2017, LastPass stated their business clients manage an average of 191 passwords each. Yikes!
The two biggest password mistakes that leave you vulnerable to a cyber attack are:
- Password reuse
- Using passwords that are easy to guess, for example, using ilovecats instead of something strong (and random) like HUW4NeevjD7_
How do you tackle your ever-growing number of passwords? Easy. Get a password manager. Password managers are software that generates strong, random passwords for you and stores them, so you only need to remember one master password.
These tools are built to be secure. They can simplify your life (and don’t cost too much) and give you 191 fewer things to remember! The True Key app by Intel Security and LastPass are an excellent place to start on the hunt for a password manager that’s right for you.
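To make the two password mistakes above concrete, here is a small added example (my own illustration, not code from any password manager or from the original article). It does two things a password manager does for you: it draws a password from a cryptographically secure random source, and it scans a vault for passwords that are reused across sites. The alphabet, the minimum length and the sample vault are assumptions chosen for the example.

```python
import math
import secrets
import string
from collections import defaultdict

# Assumed alphabet for the example: letters, digits and two symbols.
# That is 64 distinct characters, so each character carries 6 bits of entropy.
ALPHABET = string.ascii_letters + string.digits + "_-"


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw a random password using the `secrets` module (CSPRNG), not `random`.
    This is the kind of password a manager generates instead of you inventing one."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet.
    A dictionary word like 'ilovecats' has far less, whatever its length."""
    return length * math.log2(len(set(alphabet)))


def find_reused(credentials: dict) -> dict:
    """Map every password that appears more than once to the sorted list of sites
    sharing it. Only equality is checked, so this works on stored hashes as well."""
    by_password = defaultdict(list)
    for site, password in credentials.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault for the example; these are not real accounts.
SAMPLE_VAULT = {
    "shop.example": "ilovecats",
    "mail.example": "ilovecats",
    "bank.example": "HUW4NeevjD7_",
    "social.example": "ilovecats",
}

if __name__ == "__main__":
    for password, sites in find_reused(SAMPLE_VAULT).items():
        print(f"reused across {len(sites)} sites: {', '.join(sites)}")
    print("fresh password:", generate_password(16))
    print("entropy of a 16-char random password:", password_entropy_bits(16), "bits")
```

Running it lists the three sites sharing `ilovecats` and prints a fresh 16-character password with 96 bits of entropy; the point of the reuse scan is that one leaked site password should never open any other account.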
2. Can you layer up your protection?
Now that you’re a password pro, you’re safe. Right? Apparently not.
It seems data and password leaks are surprisingly commonplace. Password leaks happen when someone (a shady cybercriminal or a passer-by) gains access to passwords stored by the companies or systems that you use.
In February 2018 the Australian Government introduced a Notifiable Data Breaches scheme (which sits under the Privacy Act 1988). This scheme mandates what companies need to do if they become aware of compromised data, like tell you what happened and what you need to do to protect yourself.
Before this scheme began, things were a whole lot sketchier. Users had to rely solely on ethical behaviour and company policy to find out if someone stole their usernames and passwords (or other data).
Beyond Australia’s borders, it’s even greyer. The same requirements around data breaches don’t bind businesses in other parts of the world. Your passwords and usernames could be out in the world without your knowledge or consent.
For this reason, it’s a good idea to use the extra layers of protection available for proving who you are (multi-factor or two-factor authentication). The extra layer could be a code sent in a message or an authenticator app that uses something like a PIN or a fingerprint.
Interestingly, the US National Institute of Standards and Technology (NIST) no longer advises using SMS-based two-factor authentication because of the risk of SMS interception (will we ever be safe?). Having said that, this type of authentication is better than nothing.
So layer up your protection now if you haven’t already. It’s easy to do and will give you a security boost.
3. Add updates to your urgent pile
Keeping your software up-to-date could be more urgent than you realise.
Consider this scenario.
A software vendor figures out there is a vulnerability in their software. It could let an online bad guy do something they shouldn’t, like break into your social media account or steal your data.
This vendor then releases a software update and sends out a message to the world saying something like “Hey guys, we had a vulnerability that would have let people do bad stuff, but don’t worry we fixed it! Just update your software, and you’ll be fine.”
All good so far.
Except now every potential cybercriminal in the world knows there is ‘a vulnerability’ ready to be exploited. They also know that a whole bunch of people and businesses take their sweet time to run updates.
Many major security breaches exploit vulnerabilities that were identified months or years earlier.
In 2017, ransomware called WannaCry was used to infect hundreds of thousands of computers across the world, and affected organisations such as the British National Health Service. Those affected had not installed a particular Windows patch that addressed the vulnerability WannaCry used. Microsoft released the patch in March 2017; the WannaCry attack came in May 2017.
So what does this mean for you? If you don’t apply software patches and updates promptly, you end up being a (technological) sitting duck. Auto-update (push) functions come in handy here, so consider making use of them (though you’ll need to review other impacts of this too).
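A quick way to find out whether you are the sitting duck in the scenario above is to compare what you have installed against the version that carries the fix. The added example below (my own illustration, not tied to any real product or advisory) does that over a constructed inventory. The component names and version numbers are placeholders. The one non-obvious detail it handles is that version strings must be compared numerically: as plain strings, "1.10" sorts before "1.9", which would wrongly mark an updated plugin as unpatched.

```python
import re


def parse_version(text: str) -> tuple:
    """Turn '5.8.1' into (5, 8, 1). Numeric components are compared as integers,
    which is what makes 1.10 sort after 1.9."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is below, equal to or above version b.
    Shorter tuples are padded with zeros so '2.4' equals '2.4.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def unpatched(inventory: dict, advisories: dict) -> list:
    """List (component, installed, fixed_in) for every installed component that is
    still below the version in which the vendor shipped the fix."""
    findings = []
    for component, fixed_in in advisories.items():
        installed = inventory.get(component)
        if installed is not None and compare_versions(installed, fixed_in) < 0:
            findings.append((component, installed, fixed_in))
    return sorted(findings)


# Constructed inventory of what is installed, and a constructed list of the versions in
# which a vendor fixed a vulnerability. Names and numbers are placeholders for the example.
SAMPLE_INVENTORY = {"cms-core": "5.8.1", "gallery-plugin": "1.9", "contact-form": "2.4.0"}
SAMPLE_ADVISORIES = {"cms-core": "5.8.3", "gallery-plugin": "1.10", "contact-form": "2.4"}

if __name__ == "__main__":
    for component, installed, fixed_in in unpatched(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"UPDATE NOW: {component} {installed} (fix shipped in {fixed_in})")
```

In the sample data the contact form is fine (2.4.0 is the same release as 2.4), while the CMS core and the gallery plugin both need updating; with auto-update switched on, this list would normally be empty.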
4. Be ruthless and remove what you don’t need
Each extra element of technology we use potentially introduces a cybersecurity risk. So it’s time to take stock and be ruthless, for example:
- Do you have cloud-based accounts you don’t use? Unsubscribe.
- Are there unused plugins sitting around collecting (virtual) dust? Uninstall.
- Tried a new app but don’t love it? Delete.
- Are you collecting customer details you don’t need? Stop!
Getting back to the essentials reduces your exposure to potential threats.
5. Don’t forget your email
Email is an essential element of most technology stacks; it’s also the source of some severe cyber headaches. If dodgy emails slip through your email filter, your chances of crossing paths with malicious emails (such as phishing emails) go up. Hijacked accounts are particularly un-fun (damaging and costly) too.
There are countless email system providers out there, but not all are created equal.
Email services provided by web hosts are pretty lacklustre when it comes to security features and email filtering.
There are plenty of other options on the market, but many cost a mint and may not offer multi-factor authentication for your accounts.
Two strong contenders for small business and soloists include Office 365 and G Suite. Both offer robust security frameworks, advanced spam and malware detection, and two-factor authentication options.
For those who have been using Gmail or a web host email service for a long time, G Suite is a particularly good option. It’s straightforward to set up G Suite for your domain (as in youremail@yourdomain.com.au), and it’s inexpensive.
Over to you folks
Cyber threats have the potential to wreak havoc on most small businesses. Five simple strategies you can use to reduce your exposure to cyber risks include:
- Make use of a trusted password manager
- When it’s available, layer up your protection using multi-factor authentication
- Prioritise security updates
- Get rid of any software, tools and subscriptions you don’t need
- Choose an email service provider with security in mind
These steps alone won’t eliminate cyber threats, but they will boost your defences.
Is cybersecurity on your mind? What steps have you taken to keep your systems and your data safe?