They're lurking everywhere. And yet they're remarkably challenging to spot, at least until they've infiltrated. And by then it's too late.
If you’re located in New England, you may be thinking we’re referring to the sneaky little buggers known as deer ticks, who creep their way up our pant legs to burrow their faces into our skin, possibly passing Lyme disease in the process.
But we're talking about hackers, who are equally nefarious. They're masters at sneaking in on the sly and wreaking havoc on your systems.
Protecting yourself and your small or medium-sized business from an attack can feel like an overwhelming task. (Small and medium-sized businesses are at risk, after all: Your Business Is Not Too Small for a Cyberattack.)
But there are some simple steps you can take to level up your protection immediately.
Consider these a digital version of tucking your pant leg into your sock when you're walking in the woods.
1. Don't Reuse Passwords
It's true, signing in with "corgisrule64" on every application and website you encounter is the easier way to go. Remembering a unique password for every account sounds like such a hassle. But here's the thing: If using the same password makes it easy for you to sign in to every account you have, guess who else it's easier for? Bad people who don't have your business's best interest in mind.
Use a unique password for every account, one that uses at least 8 characters (the more, the better) and a blend of uppercase and lowercase letters, numbers, and symbols (where allowed).
Since remembering those unique passwords is hard for most brains, consider using a password manager like LastPass, 1Password, or Bitwarden. These managers securely store your usernames and passwords and make it a breeze to log in, even on that one website you only log into once every year that always trips you up because you created your account using "poodlesaregreatalso64." They're also great tools for teams to securely share passwords for shared accounts.
Here's more on password best practices: What makes a good password? 9 rules to protect you from cyberattacks
2. Use Multi-Factor Authentication
MFA (or two-factor authentication or 2FA) adds another step to the login process, typically a code sent to a mobile device, serving as an additional barrier to anyone who's trying to access your account. Like any security measure, it's not 100% hacker-proof, but the added protection is worth it.
Most of your accounts will give you options for which method you'd like to use as your second authentication, which can include a fingerprint, a one-time password, a code, a QR code, or your face. Of the options, SMS is the least effective (it's still more effective than nothing), so use one of the other options.
Here's more about why SMS isn't the best MFA option: Top 5 reasons not to use SMS for multi-factor authentication
3. Shut Down Accounts for Employees Who Aren't There Any More
When a team member departs, their accounts should go, too. Not only do those inactive accounts clutter things up, but their existence also puts your company at risk. Inactive accounts, particularly those that use simple passwords and/or don't use MFA, are susceptible to hackers – even more so when there's no one using the account who can call attention to suspicious activity.
Large companies have been hacked for just such a reason. In spring 2021, Colonial Pipeline was hacked through an inactive account. That ransomware attack "prompted Colonial to shut down its 5,500-mile natural gas pipeline for five days, resulting in more than 10,000 gas stations across the Southeastern United States being out of fuel." It was a big deal.
More about how Colonial Pipeline was hacked via a former employee's account: Colonial Pipeline Hacked Via Inactive Account Without MFA
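One way to put this step into practice, as an added example that is not part of the original article: the Python script below compares an account export against a list of current staff and flags accounts that belong to no current employee, have been idle for more than 90 days, or lack MFA. The CSV columns, the 90-day threshold, and every account name are constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data (not from the article): an account export
# with assumed column names, and a roster of current employees.
ACCOUNTS_CSV = """username,last_login,mfa_enabled
alice,2024-05-28,true
bob,2023-11-02,false
carol,2024-05-30,false
dave,2024-01-15,true
svc-backup,,false
"""
ACTIVE_EMPLOYEES = {"alice", "carol"}


def audit_accounts(accounts_csv, active_employees, today, max_idle_days=90):
    """Return (username, reasons) for each account needing review, riskiest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"].strip().lower()
        reasons = []
        # Account with no current owner: nobody is around to notice misuse.
        if user not in active_employees:
            reasons.append("no matching active employee")
        last = row["last_login"].strip()
        if not last:
            reasons.append("never logged in")
        else:
            idle = (today - datetime.strptime(last, "%Y-%m-%d").date()).days
            if idle > max_idle_days:
                reasons.append(f"idle {idle} days")
        if row["mfa_enabled"].strip().lower() != "true":
            reasons.append("MFA not enabled")
        if reasons:
            findings.append((user, reasons))
    # Accounts with the most findings come first, then alphabetical.
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts(ACCOUNTS_CSV, ACTIVE_EMPLOYEES, date(2024, 6, 1)):
        print(f"{user}: {'; '.join(reasons)}")
```

Accounts that appear with "no matching active employee" are the ones to disable first; shared or service accounts on the list need a named owner rather than an exception.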
4. Apply Appropriate Permissions Levels for Team Members
Not every team member needs the same amount of access to critical company information or applications. Apply the appropriate level of permissions to each person. This isn't meant to restrict your team but to provide them access to what they need without exposing your company's information unnecessarily.
5. Be Pro Antivirus
Antivirus software serves as an ever-present guard to your company's systems. Behind the scenes, it prevents, scans, detects, and deletes viruses – all while you're busy with other matters. The two key things you need to do are install it and keep it updated.
6. Use a VPN
Today's work environment is flexible, which is a perk to employers and team members, who can get things done in the kitchen, at a local coffee shop, or whilst sitting at a WiFi-enabled local park. But public WiFi puts files and company info at risk. There's no telling who owns that network or who might be intercepting files shared over it. Encryption is key, and a VPN can do that for you. VPNs are virtual private networks, and they protect your privacy online by securing your internet connection. They're essential when using public WiFi, but a smart thing to have even if you never use public WiFi, since VPNs also encrypt your internet activity and location.
7. Don't Save Passwords in Your Browser
Sure, it's convenient to save passwords right in your browser. The browser even asks every time you enter a password, "Would you like to save this? I'm happy to help and make it a cinch to log in next time, even if I might not store it very securely, but that's the trade-off, right?" Browser storage doesn't have the level of security you need. Instead, go with a password manager as we mentioned above. Be sure to clear out any passwords you may have previously saved in your browser and disable the "save password" feature, so you won't be tempted to click it in the future.
8. Learn How To Spot and Avoid a Phishing Attempt
Phishing scams look so legit at first glance, but taking a few extra seconds to look more closely can mark the difference between avoiding a phishing attack and being a victim of one. And being a victim is no small deal: More than half of all cyberattacks are committed against small-to-midsized businesses (SMBs), and 60 percent of them go out of business within six months of falling victim to a data breach or hack. Knowing what to look for (misspelled email addresses, typos in the email) and what to do if you suspect an email could be a phishing attempt (don't click on any links and don't forward the email to IT – screen snap it instead) puts you in a powerful position.
Learn more: Tips to Spot and Avoid Phishing Attacks
These simple steps are a proactive place to start. If you're a business owner who would like to step up your company's IT security even further, reach out to us. We'd love to help you understand where your security currently stands and what steps you can take to make it even better.