You’ve heard about cybersecurity, you want some, and you’re not sure where to start? This Cybersecurity 101 is the right place! It explores some of the basic concepts of cybersecurity and gives you actionable steps to become [more] cybersecure quickly. Most of the steps below are free and can be done today!
Spoiler alert 1: Cybersecurity is a journey, not a destination.
Spoiler alert 2: The most important thing you can do to be cybersecure is to actually start (today).
For this 101 article, we align with Microsoft’s findings from their latest Microsoft Digital Defense Report 2022, which states that doing these 5 things will protect you against 98% of the attacks. That figure might be a bit generous, but this is definitely a good place to start!
A little background before we get started: we like to follow the approach outlined in the Five Functions of NIST. At a high level, in order to maximize your return and minimize your investment in time and money:
- Know what you are trying to protect (Identify)
- Set up a plan to defend it (Protect)
- Check that your defenses are working (Detect)
- Do something when you see an issue (Respond)
- Have a plan in case it gets bad (Recover)
With all of this covered, let’s get started!
1: Enable Multi-Factor Authentication (MFA)
Passwords are pretty weak and often not that hard to obtain through phishing; MFA can help! By not relying only on passwords, you are making it much harder for someone to get into your accounts. If a system can only be accessed from inside your office, that location could be considered a factor (since you need to be there and have a password), but MFA should (must!) be turned on for all your cloud services (anything you can access over the internet) and for remote access (VPN, LogMeIn, GoToMyPC…). This is usually included with most services, so it’s free! If the platform you are using does not have it, it might be time to change to a service provider that cares about protecting your data.
2: Apply Zero Trust Principle
This can get pretty crazy and intense, but for this 101 let’s just focus on good basic principles (all of the below require some work, but they should all be free!):
- If you don’t need some data, get rid of it: Keeping data you don’t really need “just in case” is a good way to increase the impact and complications of a data breach.
- Not everyone should have access to everything: People should only be given access to the things they need to get most of their job done. Exceptions should be treated as such and be temporary (like a special project or covering for someone on vacation). This way, should something happen, you are minimizing the impact (see a trend here?).
- Your “normal user” account should not be an administrator (privileged) account: If your account can access everything all the time, then any issues with your account would impact everything, right now (third time, I hope the principles are starting to make sense: less is more).
3: Use modern anti-malware
The term you will see thrown around here most often is Next Generation Anti-Virus (NGAV), which is part of End Point Protection (EPP). The reason we are specifying “modern” or “Next Generation” is that malware (viruses, trojans, ransomware…) is evolving fast and your anti-malware should too. This means relying less on file signatures and more on behavior (for example, the PDF invoice you just opened is trying to run some commands on your computer, which is not something an invoice should do, aka bad behavior). Since the anti-malware is your last line of defense and can make the difference between an attack being successful or not, this is not a place to try saving a little money (a word of caution on “free” anti-malware: nothing is ever free, so make sure you understand how they make money).
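To make the signature-versus-behavior difference concrete, here is an added example (not from the original article or from any vendor's product) that runs both kinds of check over four process-creation events. The events, hashes, file paths and program lists are constructed for illustration.

```python
import hashlib
from pathlib import PureWindowsPath


def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Everything below is constructed sample data, not real indicators.
KNOWN_BAD_HASHES = {sha(b"ransomware build from last year")}
DOCUMENT_APPS = {"acrord32.exe", "winword.exe", "excel.exe"}  # illustrative list
COMMAND_TOOLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

# Process-creation events: which program started which, plus the hash of the new program.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Apps\Reader\AcroRd32.exe", "sha256": sha(b"pdf reader")},
    {"id": 2, "parent": r"C:\Apps\Reader\AcroRd32.exe",
     "image": r"C:\Windows\System32\cmd.exe", "sha256": sha(b"genuine cmd.exe")},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "sha256": sha(b"genuine cmd.exe")},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\sam\Downloads\update.exe",
     "sha256": sha(b"ransomware build from last year")},
]


def exe_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def signature_hits(events):
    """Signature approach: flag only files whose hash is already on a known-bad list."""
    return [e["id"] for e in events if e["sha256"] in KNOWN_BAD_HASHES]


def behaviour_hits(events):
    """Behavior approach: flag a document viewer that launches a command tool."""
    return [e["id"] for e in events
            if exe_name(e["parent"]) in DOCUMENT_APPS
            and exe_name(e["image"]) in COMMAND_TOOLS]


if __name__ == "__main__":
    print("signature:", signature_hits(EVENTS))  # event 4 only
    print("behaviour:", behaviour_hits(EVENTS))  # event 2 only
```

Event 2 is the invoice case: the command tool it starts is a genuine, clean system file, so a hash list never flags it, while the same tool started by the user in event 3 is left alone.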
Most important part here: allow the tools to do their work, aka turn on automatic remediation and containment. Yes, this may create an issue at some point, but the benefits of near instantaneous response in case of an attack outweigh the risk by multiple orders of magnitude. Some resources to check to find good anti-malware vendors are the Gartner Magic Quadrant for End Point Protection Platform (just be aware that the Microsoft one in it is not the free Defender that comes with Windows) or the MITRE Engenuity ATT&CK. ALCiT is a SentinelOne partner, so that is the one we recommend by default.
4: Keep up to date
The world is constantly evolving, and new software defects and issues (bugs) are discovered regularly. Software vendors issue patches to fix these bugs (usually for free), but you must install them (or turn on auto-update). Many successful attacks from the last couple of years leveraged vulnerabilities for which patches had been available for weeks or months. Since manual patching can be quite time consuming and error prone, for this 101 level we are recommending automatic patching. It will be your best friend: turn it on and just forget about it. Should a patch break something, you can usually uninstall it. Lastly, if your excuse not to patch is pretending that “if it ain’t broken don’t fix it”, just know that you are wrong: if a patch was issued, it's because it is broken.
5: Protect data
This is the one place where there are no free options. There are cheaper options, but they usually require more work. If you have the time and the meticulousness to follow your plan all the time no matter what, they could work.
First, why: this is your get-out-of-jail-free card. Should everything else fail, this is how you get to live another day. Your backup strategy must meet the following 3 criteria:
- Have one copy “elsewhere”: this way should something catastrophic happen to the building (fire, flood…) you will still have data.
- Make sure one copy is “air gapped”: what we mean by this is that it is not accessible over the network, so should a virus or person try to wipe it, they can’t.
- Make sure it’s encrypted: You are backing up that data because it is precious, so make sure it also stays private by using encryption. It should be encrypted “in transit” (while it travels on the network and/or the internet) and “at rest” once saved on the disk, vault or tape.
Notes about passwords:
- Change all default passwords on all devices: default passwords are well known (you can just google them!) so they should never be left in place.
- Use unique passwords: passwords should never be used in multiple places. Should one of those systems become compromised, the attacker would gain access to the other systems that use the same password.
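One way to check both password notes at once, as an added example that is not part of the original article: the script below audits a password-manager export for default and reused passwords. The CSV column names, the sample entries and the short default-password list are all constructed assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed short list; real default passwords vary by device and vendor.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "changeme"}

# Constructed sample export; the columns name,username,password are an assumption.
EXPORT = """name,username,password
router,admin,admin
email,sam@example.com,T9#vlq-Harbor-52
payroll,sam,T9#vlq-Harbor-52
bank,sam,correct-horse-41-Staple
nas,admin,changeme
"""


def audit(csv_text: str) -> dict:
    """Return entry names that use a default password or share a password."""
    by_fingerprint = defaultdict(list)
    defaults = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row["password"]
        if password.lower() in DEFAULT_PASSWORDS:
            defaults.append(row["name"])
        # Group by a hash so the report never has to contain the password itself.
        fingerprint = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_fingerprint[fingerprint].append(row["name"])
    reused = sorted(sorted(names) for names in by_fingerprint.values()
                    if len(names) > 1)
    return {"default": sorted(defaults), "reused": reused}


if __name__ == "__main__":
    report = audit(EXPORT)
    print("Still on a default password:", report["default"])
    print("Sharing a password:", report["reused"])
```

The report lists only entry names, so it can be shared without exposing any password; delete the export file itself once the audit is done.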
There you have it. There are a lot of things you can do today for basically free to start your cybersecurity journey. Do them today and sleep better tonight.
If you are a Canadian Small and Medium Business, you may also be eligible for CDAP (Canadian Digital Adoption Program). The program will cover 90% of the assessment cost and provide you with a plan of action. Once you register, you will see ALCiT listed in the marketplace for advisors. We can also help you get registered if you are facing issues with the process.
Our Cybersecurity 201 blog layers on top of this one and makes you even more cybersecure. The guidance in 201 will get you close to the requirements of Cybersecure Canada, which was developed to help Small and Medium Canadian businesses become cybersecure. Subscribe below if you don’t want to miss it.
As always, please reach out to us if you have any questions!
(If you represent a group of businesses (like a chamber or an association) and you would like us to present this content to your members at an event or via a lunch and learn, contact us. We might even pay for lunch!)