Cyber security is becoming increasingly important as time goes by. I remember my first experience with a virus in the late 1980s or late 1990s. I was building a Novell Netware server and noticed the words on a blank screen that read something like, “Your PC has been stoned.” I had no idea what that was until I investigated it later. It appeared that the installation CDs that I was using to install networking components and applications were infected with the stoned virus. Networking security was never the same after that.
I have since encountered business owners and individuals who have experienced a cyberattack. Most of the time, those incidents could have been avoided or mitigated if they had been more aware of cyber security. Common bad practices included a lack of file backups, strong passwords, and good file access policies, and an overall lack of planning.
Today viruses are a common thing. Many of us know that we should have antivirus software, but there are many other kinds of cyber threats now. For over 30 years, I’ve encountered numerous types of cyber threats, ranging from “simple” viruses to malware, ransomware, crypto lockers, phishing schemes, poor system policies that create unnecessary vulnerabilities, and much more.
This article highlights the components necessary to protect your systems and data against cyber-attacks and the like. You’ll find that it is much more than mere antivirus software. Many other things need to be in place to protect your systems and data from cyber threats. A commonly overlooked component, in my opinion, is training on cyber security.
Much malware is installed on computers because of user actions. The person clicked on a link they should not have in a website advertisement, clicked on a link in a suspicious email, etc. After reading this article, I hope you will be more knowledgeable and equipped to protect your systems and data from cyber-attacks.
There are a plethora of cyber threats. These include but are not limited to the following:
- Crypto lockers
- Key loggers
- Social engineering
- Malicious ads on infected websites
- Malicious links in emails
- Poor cyber security practices
- Poor data protection policies within an organization
- Lack of proper patch management and software updates
Businesses, solopreneurs, and home users must be diligent with cyber security to help protect their digital resources against cyber-attacks. What’s even more daunting is that new threats often appear as well as variants of current ones.
Cyber threats involve more than computer systems. The Internet of Things (IoT) is also at risk: internet-connected devices such as Alexa, refrigerators, home security systems, cars, etc. I will only discuss cyber security involving computer systems in this article.
Infrastructure and Data
An often-neglected aspect of cyber security is protecting the infrastructure and data access. For example, computers within an organization may have the latest and greatest antivirus software. However, there is little security to prevent a hacker from gaining entry onto the network.
I’ve seen companies whose file access policies allowed everyone complete control over all files on the file server. This proved fatal when ransomware infected one computer. Since that one user had full permission on all files everywhere, those files were infected along with the ones on his computer. Proper file access policies would have mitigated that attack.
Another illustration is homeowners who have weak passwords on their routers or are still using the default password. Did you know that you can find the default passwords for many routers online? All a hacker has to do is try those passwords on the routers they find in a neighborhood to attempt to gain access to that router and, therefore, the home network even though the home computers may have antivirus software installed.
Therefore, it is imperative to consider access to your network and data when developing a cyber protection plan. Entry points to your network besides the router include remote control software and VPNs. Proper security measures should be implemented when using those resources. A critical component is strong passwords. You can also restrict which IP addresses can connect to your network, e.g., for remote desktop connections.
Users on a company office network should have the appropriate permissions to the files they need to access. They may have only read permissions in one folder, modify/write permissions in another, and have no permissions to access files in specific folders. Each user should have their own “personal folder” to store files associated with their particular work. They should not have full permission to each other’s “personal folders.”
The bottom line is to restrict access to your organization or home network and to the files on systems within that network. Each user should have only the permissions sufficient to do what they need to do.
Backups
Nothing can make a systems administrator sleep better at night than knowing good backups exist for their systems. They know that they can at least recover lost data from backups if a disaster should strike. Now, when I say “good backups,” I’m not merely referring to a copy of files. I am referring to sufficient backups that may require disk images in addition to file backups.
The first step in establishing a sound backup system is to use the 3-2-1 rule. The 3-2-1 rule states that you should have at least three copies of your files (including the original files) on two different media, and one copy should be offsite. Let me give you an example of how the 3-2-1 rule might look.
- Your files are stored on the hard drive of your computer.
- A copy of the same files is stored on an external hard drive or NAS unit.
- A copy of the same files is also stored in the cloud using a backup service such as Acronis Cyber Protect Home Office.
You might use a modified version of the 3-2-1 rule depending on how critical your data is or your data recovery plan. For example, you may include disk images in your backup strategy instead of just copies of your files. I recommend this approach when possible. It makes system restoration quicker in the event of a hard drive or system failure.
That brings me to a distinction between file backups and image backups.
A file backup is simply a copy of your files onto another medium. An image backup is a snapshot of the entire hard drive as one big blob of data. What is the difference between the two? The primary difference is realized if you need to restore a system.
All that would be necessary to restore a failed hard drive, for example, is to replace the drive and then restore the last image backup to it. Voila! You are back up and running. If you only had file backups, then you would have needed to install the operating system (Windows 10), install all of your programs, and then restore the files from backups.
The image backups may not need to be created as often as the file backups. The purpose of the image backups is to make system recovery quicker. Once your system is back up and running from recovering from an image backup, you could then restore the files, which would be more recent than what was on the image.
There are many ways to implement a backup strategy. The critical point is to ensure that you consider recovery and restoring files because restoring files is the primary purpose of backups.
Another thing that you should consider in your backup strategy is access to it. It doesn’t matter how great your backups are if you cannot access them to restore files or systems. There are many ways to implement this, depending on your particular needs. Some solutions provide file-sharing features to access data during a disaster. Others use virtual machines to spin up image backups in the cloud enabling you (or staff) to access the server and its resources during a disaster.
Good backups also necessitate testing and validating the backups. Just because backup software is configured to perform backups on schedule does not mean it is succeeding. Sometimes things go wrong, e.g., a problem with a NAS unit or a network error. Someone should therefore monitor the backups to ensure that they are actually being done. Periodically, the backups should be tested by partial or complete restoration of the data or system if possible. The last thing you want is to need your backup and have something go wrong with the restoration process.
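The monitoring and validation step above can be automated. The script below is an added example, not code from the original article: it compares a source folder with its backup copy file by file (SHA-256), reports missing, changed, and stray files, and flags a backup in which nothing has been written recently, a sign that the scheduled job may have silently stopped. The folder paths and the 36-hour age limit are assumptions.

```python
"""Verify that a backup copy matches its source and is still being refreshed.

Added example, not from the original article. It turns the "test and validate
the backups" advice into a check: every source file must exist in the backup
with identical content, and something must have been written recently, or the
scheduled job may have silently stopped. Paths and the age limit are assumed."""
import hashlib
import sys
import time
from pathlib import Path
from typing import Dict, List, Optional


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def verify_backup(source: Path, backup: Path) -> Dict[str, List[str]]:
    """Files missing from the backup, differing in content, or present only in the backup."""
    src, bak = hash_tree(source), hash_tree(backup)
    return {
        "missing": sorted(set(src) - set(bak)),
        "mismatched": sorted(f for f in src.keys() & bak.keys() if src[f] != bak[f]),
        "extra": sorted(set(bak) - set(src)),
    }


def backup_is_stale(backup: Path, max_age_seconds: float, now: Optional[float] = None) -> bool:
    """True if no file in the backup was modified within max_age_seconds."""
    now = time.time() if now is None else now
    newest = max((p.stat().st_mtime for p in backup.rglob("*") if p.is_file()), default=0.0)
    return now - newest > max_age_seconds


if __name__ == "__main__":
    source_dir, backup_dir = Path(sys.argv[1]), Path(sys.argv[2])
    report = verify_backup(source_dir, backup_dir)
    stale = backup_is_stale(backup_dir, 36 * 3600)  # assumed: daily job, 36-hour grace period
    for kind, files in report.items():
        for name in files:
            print(f"{kind}: {name}")
    print("backup is stale" if stale else "backup is recent")
    sys.exit(1 if stale or report["missing"] or report["mismatched"] else 0)
```

Run it as `python verify_backup.py <source folder> <backup folder>`; a non-zero exit code makes it easy to alert from a scheduled task.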
Disaster Recovery Plan
What happens to your business if a disaster strikes and you cannot access the files and resources on your computer or servers? You may find yourself in a dire situation without a disaster recovery (DR) plan. The purpose of the disaster recovery plan is to enable you to recover from a disaster. In many cases, it also includes a business continuity plan, i.e., how your business will continue during a disaster (e.g., a power outage at the office).
The disaster recovery plan enables you to continue your business and recover from a disaster without spending a lot of time figuring out what to do when the disaster strikes. With a DR plan, you only need to activate and then implement it in the event of a disaster. Think ahead of time about how you would respond to a disaster. A disaster could be a failed hard drive, ransomware attack, power outage, etc. The more prepared you are, then the more you can operate during a disaster and recover afterward.
Business Continuity Plan
The business continuity (BC) plan is typically part of the DR plan. It is not enough to have good backups. You should also consider how your business would operate during a disaster. Without this plan, you may find that you will be down along with your systems during a disaster.
For a BC plan to work, its components must be in place before a disaster strikes. For example, you may identify a secondary computer system to use if the primary goes down. If the primary office is inaccessible, you may move operations to a backup location.
You also need to ensure that the files and resources you need to operate are readily available to use in your backup environment. Cloud systems shine here because they are accessible as long as you have a working computer and internet access. For example, if the office is inaccessible, then you might work from home using Microsoft 365 or Google Drive, etc.
The important thing is to develop a plan that could be implemented during a disaster and to ensure that plan is evaluated regularly and updated as needed.
Software Updates
A big part of cyber security is software updates, including the operating system. Often, malicious code or hackers attempt to exploit a vulnerability in the operating system or software on the computer. If your computer remains unpatched, then you become more vulnerable to an attack. Therefore, ensure that your operating system (e.g., Windows) and the software you use are always updated/patched.
Of particular concern is the status of your cyber security software. Ensure that it is always up to date. Observe notifications that these systems may create. Sometimes they indicate a problem preventing an update. Cyber security software is less effective if it is not kept up to date with the latest virus definitions and the like.
An office environment might incorporate a centralized management system (e.g., Pulseway, Kaseya) that will handle patch management, system alerts (e.g., low hard drive space), and more. The important point is to keep the computer systems up to date.
Cyber Security Practices
Cyber security practices include malware protection, cyber security education, and policies. It is well known that a computer system should have malware protection. However, many tend to neglect file access permissions, password policies, and especially cyber security education. Let me briefly discuss these practices.
Malware protection software may include several components such as a firewall, banner ad protection, spam filter, parental controls, privacy protection, and more. Examples of some internet security software are Kaspersky Internet Security, WebRoot, and BitDefender.
The important thing with malware protection software is to ensure that it remains up to date.
Internet security education is critical to cyber protection. I mentioned previously that many malware infections occur because the user allowed them. They clicked on a link they shouldn’t have, opened a file they shouldn’t have, etc. Those doorways for malware could be minimized if people were educated adequately in cyber security.
People should be aware of the types of threats that exist to be on guard for them. The more a person is educated about cyber security, the more likely they are to thwart cyber-attacks. Education could help by cyber security webinars, classes, or videos.
Another aspect of education that I like to include is knowing your internet security program’s general look and feel. Sometimes people will see a pop-up indicating that their computer is infected and to click a button or link to clean it—or something like that. If they knew the theme of their internet security program (e.g., color theme), then they would be less likely to fall for such tricks. I have encountered many people who clicked the link and subsequently installed malware.
Cyber threats do not always come from an infected website. They might come as a link clicked in a malicious email or a hacker. Sometimes the goal is not to gain access to your system but your pockets, i.e., your money. See my article “Beware of Scams” for more information.
However, another type of scam can be used to obtain personal information to gain access to your system subsequently. This type of scam is called phishing (pronounced fishing). It may come as an email or a phone call. The important thing is recognizing a scam and avoiding giving personal information to people you do not know. Cyber education is key to thwarting phishing and most cyber threats.
I think one of the most neglected aspects of cyber security is password policies. We should use strong passwords, and they should periodically change. People tend to use easy-to-guess passwords for the systems they use. I’ve even seen one company tape the username and password for a shared laptop to that laptop!
A typical password policy might dictate that passwords must contain a combination of upper and lower case letters, special characters (e.g., $*! _), have a minimum length, and more. So, instead of using a password like “james123”, you would use something like [email protected]!ntM34*.
Another kind of password is called a passphrase: a combination of words, numbers, and symbols that is longer than a traditional password, easy to remember, and more difficult to crack than a password. A passphrase may be as long as 100 characters. An example of a passphrase might be [email protected]*TeamsPhillyTRASHTyson!Ali. Now, of course, the passphrase could mean something to you, making it easy for you to remember but hard for someone else to crack.
Some argue that they have too many passwords to remember, and creating strong ones would make it impossible to remember them all. I understand that, but there is a solution—the password manager. Use a password manager instead of writing passwords on sticky notes or creating easy passwords. You only need to remember one strong password to get access to all your passwords.
An organization should have several policies to help protect itself against cyber-attacks. These policies include file access, network access, and password policies and are designed to document guidelines for using company resources. For example, everyone in the office would know what kind of password they should make so that it is accepted by the system when they attempt to change it.
The file access policy controls access to files and folders stored on company servers or in the cloud (e.g., SharePoint). Each person is granted only the minimum permissions needed to perform their duties. For example, general staff should not have access to Human Resources or accounting files and folders. For other files, staff may need only read permission, which prevents them from deleting or changing those files.
The password policy dictates requirements for creating passwords. These requirements could include the following.
- Minimum length of the password.
- Maximum age of the password.
- How soon a password can be changed.
- The types of characters and symbols that should be included in the password.
- How often an old password can be reused.
Passwords (and passphrases) are critical because they tend to be the gateway into many resources. Therefore, the password should be strong (the policy determines the strength). Generally speaking, the password should be easy for you to remember but hard for anyone else to guess or crack.
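The requirements listed above can be enforced in code rather than left to memory. The following is an added example, not code from the original article: it models a password policy with the listed rules (minimum length, character types, maximum and minimum age, and reuse history) and applies them when a user changes a password. The specific limits (12 characters, three character types, 90 days, 1 day, 10 remembered passwords) are assumed values.

```python
"""Password policy checks for the requirements listed above: minimum length,
character types, maximum and minimum age, and reuse history. Added example, not
from the original article; limits are assumed values, and only salted digests of
retired passwords are kept, never the plaintext."""
import hashlib, os, string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class PasswordPolicy:
    min_length: int = 12                      # minimum length (assumed value)
    required_classes: int = 3                 # of: lowercase, uppercase, digit, symbol
    max_age: timedelta = timedelta(days=90)   # a change is forced after this
    min_age: timedelta = timedelta(days=1)    # no second change sooner than this
    history_size: int = 10                    # retired passwords that may not be reused

@dataclass
class PasswordRecord:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: Optional[str] = None             # digest of the password in use
    changed_at: Optional[datetime] = None
    history: List[str] = field(default_factory=list)  # digests of retired passwords
    def digest(self, password: str) -> str:
        return hashlib.sha256(self.salt + password.encode()).hexdigest()

def complexity_violations(policy: PasswordPolicy, password: str) -> List[str]:
    """Length and character-class rules; an empty list means the candidate passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < policy.required_classes:
        problems.append(f"fewer than {policy.required_classes} character types")
    return problems

def change_password(policy: PasswordPolicy, record: PasswordRecord,
                    new_password: str, now: datetime) -> List[str]:
    """Apply the change when every rule holds; otherwise return the violations."""
    problems = complexity_violations(policy, new_password)
    if record.changed_at and now - record.changed_at < policy.min_age:
        problems.append("changed too recently")
    new_digest = record.digest(new_password)
    if new_digest == record.current or new_digest in record.history:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    if problems:
        return problems
    if record.current:
        record.history = (record.history + [record.current])[-policy.history_size:]
    record.current, record.changed_at = new_digest, now
    return []

def password_expired(policy: PasswordPolicy, record: PasswordRecord, now: datetime) -> bool:
    """True once the maximum age has passed, or when no password was ever set."""
    return record.changed_at is None or now - record.changed_at > policy.max_age
```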
The network policy controls how and by whom the company network is accessed. It could include VPN (virtual private network) usage, remote control programs, and more. The idea here is to restrict access to the network and, therefore, to company resources.
Let’s not forget wi-fi networks. The network policy will provide guidelines for its use within an office environment, including the security protocol (e.g., WPA2). However, home users should be careful to secure their wireless networks as well. Use the latest secure wi-fi protocol available on your router or WAP (Wireless Access Point), change the default password, and restrict access to it.
It is also good to periodically audit the list of devices connected to the wi-fi (and wired) network to identify unknown or strange entries. That is especially useful for a home office user with only a few devices connected to the network.
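One way to do that audit is to compare the computer's ARP (neighbour) table with a list of devices you know you own. The script below is an added example, not code from the original article: it parses the output of Windows `arp -a` or Linux `ip neigh`, normalizes the hardware addresses so both formats compare equal, skips broadcast and multicast pseudo-entries that are not devices, and reports anything not in the inventory. The sample table and inventory are constructed, not captured from a real network.

```python
"""Audit the ARP/neighbour table against an inventory of known devices.

Added example, not from the original article. It parses the output of
Windows `arp -a` or Linux `ip neigh` (constructed sample lines below) and
reports hardware addresses that are not in the inventory; broadcast and
multicast pseudo-entries, which are not devices, are skipped."""
import re
from typing import Dict, List, Tuple

MAC_RE = re.compile(r"([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so Windows (aa-bb-...) and Linux (aa:bb:...) match."""
    return mac.lower().replace("-", ":")


def parse_neighbours(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from arp/ip-neigh output, dropping broadcast/multicast rows."""
    pairs = []
    for line in text.splitlines():
        mac_match, ip_match = MAC_RE.search(line), IP_RE.search(line)
        if not (mac_match and ip_match):
            continue  # header lines, interface banners, incomplete entries
        mac = normalize_mac(mac_match.group(0))
        if int(mac[:2], 16) & 1:  # group bit set: ff:ff:ff:... broadcast and 01:00:5e:... multicast
            continue
        pairs.append((ip_match.group(0), mac))
    return pairs


def unknown_devices(text: str, inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (ip, mac) for every neighbour whose MAC is not in the inventory (mac -> name)."""
    known = {normalize_mac(m) for m in inventory}
    return [(ip, mac) for ip, mac in parse_neighbours(text) if mac not in known]


# Constructed sample output in Windows `arp -a` format, not captured from a real network.
SAMPLE_ARP_WINDOWS = """
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-01     dynamic
  192.168.1.50          aa-bb-cc-00-00-02     dynamic
  192.168.1.77          de-ad-be-ef-12-34     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""
SAMPLE_INVENTORY = {"aa:bb:cc:00:00:01": "router", "AA-BB-CC-00-00-02": "office printer"}

if __name__ == "__main__":
    for ip, mac in unknown_devices(SAMPLE_ARP_WINDOWS, SAMPLE_INVENTORY):
        print(f"unknown device {mac} at {ip}")
```

On a real system, pipe the live table in (`arp -a | python audit_neighbours.py` with a small `sys.stdin.read()` wrapper) and keep the inventory in a file you update whenever you add a device.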
Cyber protection is critical today, given the number of cyber threats and how ubiquitous the internet has become for daily business operations. Therefore, we must be diligent in protecting our data from those threats.
Cyber protection will include a sufficient backup and recovery strategy, disaster recovery and business continuity plans, cyber education, proper system maintenance, and restricting access to the network.
Please get in touch with me if you would like an assessment of your environment for cyber protection. I can give you an evaluation and recommendations to help protect your data and environment from cyber threats. You can reach me at 215.362.0967 or via email at [email protected]