Every day we see more and more security compromises in the news for large and small companies around the world. Whether you have a small company or an international organization, no one is safe from hackers and malicious attackers. In order to combat the high volume of attacks and attackers, companies must be proactive with their security measures and stay up-to-date with the current security best practices in order to protect their business from loss of data, compromises of sensitive information, and denial of service attacks.
Here are the top five security best practices for every SMB in 2020.
1. Use Strong Passwords and MFA
The single most effective way to protect your organization is to require complex passwords. If any user's password is too simple, it can put the entire company at risk of compromise. It only takes one user's email address to be compromised to potentially infect the entire business infrastructure. If a hacker takes over one employee's account, they can send phishing emails to other employees in the company, which may look official, in order to gain more access to servers or workstation.
To create a secure password, you will need to include letters, numbers, and symbols with ideally 14+ characters. These requirements can, and should, be set at a company-wide level in Active Directory on Windows or FreeIPA for Linux. Usually, businesses will enforce a 30-day password requirement to ensure users are regularly updating their passwords and no account can be compromised months or years down-the-line.
To further secure your passwords, we recommend enforcing Multi-Factor Authentication (MFA). Multi-Factor Authentication (sometimes noted as 2FA), adds a secondary authentication method when logging into an account or email address. This secondary method of authentication is usually from an app on your phone which provides an additional code to enter when logging in. Once you enter your account password, you will access a mobile app associated with your MFA and enter this randomized code to prove your ownership of the account. In this way, a hacker would have to both compromise an account's password AND their phone in order to log in. This stops most hackers from further attacking accounts and networks in the organization. Your MFA will be set up through your account management, whether that be Office 365, Active Directory, FreeIPA, or related applications.
2. Install Effective Anti-Virus
In 2020, it goes without saying that you absolutely need strong anti-virus protection for your servers and workstations. Where proper training, strong security best practices, and complex passwords fail, anti-virus software will be your saving grace.
It is a saying that humans are always the weakest link in security, and it couldn't be more true. Your employees may have gotten great training, set strong complex passwords, and are otherwise diligent about the companies security best practices, but anti-virus can certainly make the difference between a fraudulent email and a compromised network.
Your user may receive a phishing email from another compromised account in the company. This email would be from a legitimate sender and look official in every way. When the user clicks on the spreadsheet attached in the email, the anti-virus warns of a possibly malicious file and blocks the document from opening. This single act of having strong anti-virus software in place may have potentially prevented a ransomware infection from spreading from machine to machine across your network and compromising your entire business.
Whether you use ESET, SentinelOne, Webroot, or another product, it is absolutely vital to have strong end-point protection for each workstation and server in your network. This will be your last defense against malicious files and actors attempting to infiltrate your network. Where the attacker has gotten through every security measure put in place, your end-point anti-virus protection could mean the difference between another day at the office and thousands of dollars worth of data recovery and repair.
3. Secure Firewalls, RDP, and Open Ports
Securing your network with firewalls is an incredibly important measure to implement in today's security climate. Your firewalls should be blocking every port on every workstation and server unless it is absolutely necessary to leave open, and in most cases, you will want to lock this down to only allow access to internal IP addresses and computers.
If you have run a server for any amount of time, you probably have noticed an unending stream of failed logins to Remote Desktop. Hackers around the world have applications automatically attempting to authenticate to RDP and port 3389 with various usernames and passwords on a 24/7 basis. This is one of the easiest, hands-off ways for attackers to compromise servers and workstations, as many companies do leave port 3389 for RDP wide-open to the public, often to allow employees remote access to work from home or while traveling. If you need to allow the use of remote access, you will want to incorporate VPNs and other authentication methods to keep RDP closed to the public.
By blocking off all public-facing ports with your firewall, unless absolutely necessary, you will severely limit an attacker’s ability to infiltrate your systems using automated brute-forcing software. Any open port can be utilized by hackers to infect a given system and it is important that your network-wide firewall is properly configured to prevent the most access possible.
4. Ensure You Have Working Backups
So, you’ve been compromised and now restoring your backups is your next plan-of-action. You do have good backups right?
Having working backups is an important part of security best practices in 2020. If hackers do compromise your systems and have deleted or altered sensitive information, your only method of restoration is from good backups and restore points.
All vital information needs to be backed up and stored in a safe location in the event you need to restore corrupted or deleted data. Whether this is data stored in databases, spreadsheets, or on web server files, you will want to have this data protected and stored off-site to a location it can be recovered from later. It is important that these backups are not stored on the server itself as you will be unable to restore this data if the entire server is compromised.
Besides protecting valuable information from deletion and corruption from hackers, backups protect data from accidental alteration and rogue employees. If a user accidentally deletes an entire table of information from a database, your backups will allow you to return to multiple point-in-time backups to make sure your data is correct and secure.
Work with your IT department to determine the best methods to run backups. You will have to make a decision between only protecting your server and database information, or backing up all of your user's workstations. Figure out what data is irrecoverable and configure your backups to regularly backup and store this data in a way you can access it if the computer is compromised.
5. Proper Training for All Employees
Educating your employees about proper security guidelines and potential threats is an incredibly important part of your network security. You can properly configure all the security measures in the world but if your accounting department hands out your administrative password, there is nothing to stop attackers from abusing unfettered access.
While your accounting department might not hand out their passwords to a stranger, hackers are very clever if they are targeting your organization. Every employee and staff member at your company must be properly trained to spot phishing emails, bad attachments, and potential physical-security breaches. Many security consulting companies will make physically breaking in or bypassing on-site security a part of their assessments and most find great success with this approach.
Consider hiring a security consultant to train members of your staff to identify and report potential security hazards and breaches. An employee who quickly reports something phishy (pun intended) can quickly save the company tremendous time and money recovering from a successful hack.
Download the Complete SMB Infrastructure Security Checklist
About the AuthorMore Content by Mike Sherman