We recently announced that we’re offering free mini cybersecurity penetration tests to businesses looking to test their cybersecurity, and so far quite a few businesses have taken the offer (take the offer by filling out the form below). We met with each business independently and gave them their results individually to review the gaps in their cybersecurity. Our results cover the following nine technical aspects of your cybersecurity: backups, accounts, M365, patches, antivirus, firewalls, employee education, encryption, and surveillance. After reviewing enough reports, our technical team started putting together the list of ‘don’ts’ when it comes to SMB cybersecurity. Review the list below to learn the easy ways to avoid being hacked, and we’ll tell you which cybersecurity tools are whack and which are actually good hacks.
What a Cybersecurity Penetration Test Reveals in SMBs
- First up, backups. Do you know what data is or isn’t being backed up? Is everything being backed up locally on a server at the business, or is it being stored in the cloud, as with M365? The second important aspect of backing data up is how often you do it: hourly, monthly, annually? And what’s the right answer? Unfortunately, there isn’t an easy answer here, as it will depend mostly on what type of business you are and how much private data you house. We can relay the common setups we’ve seen and how they are or aren’t working for those businesses.
- Local servers vs. the cloud: A lot of businesses are moving their data to a cloud server instead of a local server because data stored in the cloud will not be lost to physical catastrophes like fire or flood. The downside of a cloud server is that files are stored with a third party, and if that third party is experiencing downtime you will not be able to access your files. There are plenty of other reasons why you would or wouldn’t choose a cloud or local backup over the other, but the most important aspect of where your backups live is having confidence that it is the safest method of storing data for your business. Need more details? Download our whitepaper about hybrid work environments, which walks you through cloud backups and when to utilize them.
- How often should you be backing up data? Our tech experts suggest the more often the better, but it often depends on the type of program and how often data is being added or changed. For example, something that employees use constantly, like an ERP or CRM system, should probably be backed up daily, if not hourly. Company files should also be backed up daily, as edits company-wide may happen often. On the other hand, HR systems may only need weekly backups, as that information changes less often. As a rule of thumb, companies should consider “recovery time objectives,” which specify how long the company could operate without a given system. This, in turn, influences how often a system is backed up: the more integral to business objectives, the stronger the data protection should be. Companies can also turn on automatic backups so that no one employee is required to manually back up a system, but be careful, as automatic backups can make employees complacent. Data backups can fail, so having backups becomes moot if they are not monitored properly. Find more data backup information here.
- Next, our cybersecurity penetration test looks at the different user accounts associated with your company, and there are several key cybersecurity elements we check for every single account. There are a couple of things that almost all businesses do that drive us crazy:
- Using the same password, with little variation, across apps and websites, and not distinguishing between personal passwords and business passwords. Most hackers have some type of password-breaking tool, some more sophisticated than others. A cybersecurity penetration test imitates the way a hacker would gain entry into your system, and a password breached from one website and reused throughout the company is almost always how someone gets in; the more a password is repeated, the more damage it can do. And hackers won’t just lock you out of your data or sell it online (which does happen): they can also impersonate you on your own accounts and replicate the same method against someone else unsuspecting within your company, or even in your personal life.
- Storing their passwords in their browser! Newsflash: we know the average person has over 100 passwords to remember, so flat-out memorizing more than one or two is unmanageable. But in 2022 there are quite a few tools available to help track and store password information (and they’ll even store your personal passwords and information as well). What everyone at our IT company uses is a password manager application. There are quite a few out there (we currently partner with LastPass), and they all do a better job of securing your passwords from prying eyes than your internet browser (which can be exposed relatively easily).
- Having passwords that never expire. The longer your information is stored on a website, the more likely it is to be involved in a breach. To prevent this, you can set reminders to change the unique passwords for programs that don’t require rotation, to better secure your accounts. Or you can go through your recorded sites and passwords quarterly and delete the account and its data from any website you haven’t used for more than 6 months. There are other healthy ways to keep your information from leaking, and preventative measures you can take to stay safe with cyber crime around every corner!
- From there, our nifty tool will look to see if it can exploit any outdated hardware or software, looking for missing patches wherever it can find them. Hackers can quickly look up recently released patches and use them against you if your computers aren’t constantly checking for updates and new patches. Hackers can often reverse engineer patches, and the dark web gives detailed instructions on how to exploit businesses that don’t update their computers and systems often enough. Sometimes it’s just a matter of targeting the right business at the right time, when they are most vulnerable. Make sure automatic updates are enabled for all computers and technology, that updates are actually installed, and that there is no way a user can override or disregard them.
- After that, our technology tests the antivirus and checks whether the proper alerts are created and someone is notified during an incident, as well as how long it took to respond to the incident. A client of ours who wanted to expand their cybersecurity with us first used a cybersecurity penetration test to see their vulnerabilities, and our network consultants watched as the antivirus warnings triggered several times as the penetration test dug into our systems. Thankfully, we had warned our technicians we were doing this, so they didn’t implement proactive solutions to start blocking the attack. Our current security and antivirus partner is CrowdStrike, whose advanced endpoint protection predicts malicious behavior, rapidly eliminates threats, and seamlessly adapts defenses, so we as a tech company are able to stay mobile and responsive when it comes to cyber threats. Every company should have some type of antivirus and antispam to help keep attacks at bay, but by no means should that be the end of your cyber protection, as malware protection can only go so far. Employee education is just as important when it comes to preventing a data breach or cyber crime.
- Next up, firewalls. If antivirus is the alert system for your data, then a firewall is the fence that lets internal and approved traffic flow through but blocks outsider attempts at accessing the information. Setting up a firewall for a business is fairly easy for a technician, but can be difficult if you are a small business owner without the proper IT support. And even if a company does have a firewall: is it the right one for the business, up to date, and properly configured? All are important questions when it comes to firewalls. Of course, if you think you have a great firewall and want to put it to the test, take our cybersecurity penetration test and submit your information below. Either you’ll come away knowing you have the firewall you thought you had all along, or you’ll save your company from a potential breach (it’s a win-win). Our partner SonicWALL supplies firewalls, physical or virtual, and our team will configure a firewall to a client’s needs. Firewalls do need maintenance and updates, so they are not something you can set and forget (unless you are inviting a hacker into your system).
- We’d also like to talk about encryption and PII (Personally Identifiable Information). If you are a business that holds what is deemed “personally identifiable information,” you must make every attempt to keep this data under lock and key. According to the United States Department of Commerce, “The term personally identifiable information refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” This means any data involving clients, employees, third parties like contractors, etc. that contains personally identifiable information must be protected, as this information can be and is easily sold on the dark web, to the detriment of whoever’s data is sold. Imagine your employer accidentally exposes your social security number via email to HR during tax season, and no one is alerted. Hackers can take out whole lines of credit with your name and social security number, so encryption of private data is imperative.
- Lastly, employee education is critical. According to a 2019 security report, 91% of cyber attacks start with a phishing email. Training can be the difference between a hacker getting your data and just getting past your technical defenses. Remediation: Consider simulated phishing training to help users recognize phishing. Provide password management training and training on how to respond to a potential breach.
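The backup point above (frequency tiers driven by recovery objectives, and the warning that unmonitored automatic backups fail silently) can be turned into a check that runs on a schedule. The following is an added example, not code from the original post or from any backup vendor: it assumes hypothetical hourly/daily/weekly tiers, a constructed list of systems with their last successful backup time and last job status, and flags each system that misses its objective or whose most recent job failed.

```python
"""Backup freshness check against per-system recovery objectives.

Added example (not from the original post). The tier limits, system
names and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Maximum age a backup may reach before the system is considered at risk.
# Tiers follow the post's examples: ERP/CRM hourly, company files daily,
# HR weekly. Assumed values; set them from your own recovery objectives.
TIER_MAX_AGE = {
    "hourly": timedelta(hours=1),
    "daily": timedelta(days=1),
    "weekly": timedelta(days=7),
}


@dataclass
class BackupRecord:
    system: str
    tier: str
    last_success: Optional[datetime]  # None: no successful backup on record
    last_status: str                  # "ok" or "failed", as reported by the job


def check_backups(records: List[BackupRecord], now: datetime,
                  grace: timedelta = timedelta(minutes=15)) -> List[Tuple[str, str]]:
    """Return (system, reason) findings for every backup that misses its objective.

    A small grace period avoids alerting on a job that is merely a few
    minutes late. A failed most-recent job is reported even while the
    previous good copy is still within its window, because that is the
    silent failure the post warns about.
    """
    findings = []
    for r in records:
        if r.tier not in TIER_MAX_AGE:
            findings.append((r.system, f"unknown tier '{r.tier}'"))
            continue
        if r.last_success is None:
            findings.append((r.system, "no successful backup on record"))
            continue
        age = now - r.last_success
        if age > TIER_MAX_AGE[r.tier] + grace:
            findings.append((r.system, f"last good backup {age} ago exceeds {r.tier} objective"))
        elif r.last_status != "ok":
            findings.append((r.system, "most recent backup job failed"))
    return findings


# Constructed sample inventory (not real systems).
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    BackupRecord("erp", "hourly", NOW - timedelta(minutes=40), "ok"),      # healthy
    BackupRecord("crm", "hourly", NOW - timedelta(hours=3), "ok"),         # stale
    BackupRecord("fileshare", "daily", NOW - timedelta(hours=20), "failed"),  # last job failed
    BackupRecord("hr", "weekly", None, "failed"),                          # never succeeded
]

if __name__ == "__main__":
    for system, reason in check_backups(SAMPLE_RECORDS, NOW):
        print(f"{system}: {reason}")
```

Feed `check_backups` from your backup software's job log or API and route the findings to whoever is on call; the point is that "backups are on" is not the same as "the last backup succeeded within the window the business needs".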
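The two account habits called out above, reusing one password across business and personal sites and keeping accounts and passwords that never expire, can both be found in a password manager's own CSV export. The following is an added example, not the original post's code or any password manager's feature: it assumes a constructed export with `name,username,password,last_modified,last_used` columns (real exports vary), an assumed 90-day rotation policy, and the post's own "unused for more than 6 months" rule. Findings carry only a short hash fingerprint, never the plaintext password.

```python
"""Audit a password-manager CSV export for reuse, stale passwords and unused accounts.

Added example, not from the original post or any vendor tool. The CSV rows
and the 90-day rotation policy below are constructed assumptions.
"""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date
from typing import List, Tuple

# Constructed sample export (not real accounts or credentials).
SAMPLE_EXPORT = """name,username,password,last_modified,last_used
Office365,alice@example.com,Summer2021!,2021-06-01,2022-05-30
CRM,alice@example.com,Summer2021!,2021-06-01,2022-05-28
Bank (personal),alice,Summer2021!,2020-01-15,2022-05-01
Payroll,alice@example.com,x7#Qm2vL9pRz,2022-04-20,2022-05-29
OldVendorPortal,alice@example.com,Vendor2019,2019-03-03,2021-09-01
"""

MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation policy
MAX_UNUSED_DAYS = 180        # the post's "not used for more than 6 months" rule


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so findings never carry the plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit_export(csv_text: str, today: date) -> List[Tuple[str, object]]:
    """Return findings as (kind, detail) tuples.

    kinds: "stale_password" (older than the rotation policy),
           "unused_account" (not used within MAX_UNUSED_DAYS, a candidate
           for deletion), "reused" (same password across several entries;
           a personal site sharing a password with business logins shows
           up here too).
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    entries_by_fp = defaultdict(list)
    findings: List[Tuple[str, object]] = []
    for row in rows:
        entries_by_fp[fingerprint(row["password"])].append(row["name"])
        modified = date.fromisoformat(row["last_modified"])
        used = date.fromisoformat(row["last_used"])
        if (today - modified).days > MAX_PASSWORD_AGE_DAYS:
            findings.append(("stale_password", row["name"]))
        if (today - used).days > MAX_UNUSED_DAYS:
            findings.append(("unused_account", row["name"]))
    for fp, names in entries_by_fp.items():
        if len(names) > 1:
            # Report the shared fingerprint and the entries, not the password.
            findings.append(("reused", tuple(sorted(names))))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_export(SAMPLE_EXPORT, date(2022, 6, 1)):
        print(f"{kind}: {detail}")
```

Run it against a fresh export, then delete the export file: the CSV holds every password in plaintext, which is exactly the exposure the post warns about with browser-stored passwords.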
Cybersecurity is not going away, it’s only getting more essential
It’s hard to know what your business would or wouldn’t be ready for when it comes to a cyber attack, so preparing for the worst and making sure all digital assets are covered is your best bet. No one aspect of cybersecurity is more important than the others, so a well-balanced IT roadmap will go further than one expensive piece of tech or software. If you are looking for insight into how your network and business would respond, our cybersecurity penetration tests are offered free to all. We offer this both because it’s a value to small and medium businesses looking to get better cybersecurity, and because we know that if we provide excellent results and partnership, our business and yours will grow. Fill out the form below to request an email from our team to set up a cybersecurity penetration test for your organization.
Take our (free) cybersecurity penetration test today!