Every day we read about new companies or governments that have been attacked. Recently, the Georgia Department of Public Safety was hit with a ransomware attack. The attack left many Georgia State Troopers unable to use the computers in their patrol cars and it shut down services to all State Patrol district offices. Ransomware and other types of attacks can have a crippling effect on your business or practice. Why are so many companies and government agencies being breached now? The biggest reason is that hacker attacks today are focused on low hanging fruit – those networks that present the lowest challenge to get into. The targets are extremely attractive to attackers due to the low risk and high reward they present. In this post, we will cover how to make your own network unattractive to hackers.
Why do we have so many hacker attacks today?
The game has changed in the last 10 years. Before, a small company only really needed anti-virus software and a router to sufficiently protect their network and data. However, since then, a lot has really changed. As we all connect more and more devices to the Internet and our own networks, we increase the number of vulnerable targets for hackers. In addition, we are storing more and more data online. In 2017, data surpassed oil in value. Data is now considered by some, to be the most valuable asset on Earth. You know how valuable your data is to you and your business. Hackers know it also. Could you run your business if you lost access to your customer or patient information? What about your accounting and financial information? That is what ransomware does. It locks you out of all of your data and then demands an amount of money in return for releasing it.
Hackers are also smart. They know that small businesses can’t pay $50,000 to get their data back. They will demand a much smaller amount that many business owners will not think twice about paying to get their data back. This is a business for hackers and they want money.
Small practices and businesses are attractive targets
Just like government agencies, small businesses and practices are behind the curve on setting up protection for their networks. Security, until recently, wasn’t a budget item for most entities. As attacks become more and more common, this is slowly changing. In the news, we hear terms like firewall, anti-malware software, intrusion detection, and access controls. These terms are not what the average IT person who supports small businesses understands. IT and security are not the same thing. While there is some overlap, most IT people just don’t have the background necessary for security. This creates problems for the small business or practice owner as these are the individuals they rely on to protect their network.
In addition, since security isn’t usually a budget item, these networks are left wide open to attacks. Security does have a cost both in terms of money but also in training for employees. Protecting your data isn’t free but it doesn’t have to be expensive. In the next section, I outline a basic plan to secure your network and make it unattractive for hacker attacks today.
Your action plan to secure your network and make it unattractive to hacker attacks
Step 1 – Dependable Backup System
The first step is to make sure you have a solid backup strategy. Ideally, you want to follow the 3-2-1 approach to backing up data. This involves having (3) copies of your data on (2) different types of storage and (1) being completely offsite.
Here is an example of how that would work:
Original data is on your server – first copy of your data
You also would use a USB drive plugged into your server that contains a series of backups, perhaps 5 days of your data. This is the second copy of your data on a separate type of storage.
A final backup would either be a second USB drive that is rotated offsite periodically or a cloud-based backup service. Either way, it needs to be physically removed from your office and offsite.
This is a simplistic backup system that can be tailored for your specific needs.
Step 2 – Network firewall
Don’t rely on the device your internet provider gave you to protect your network. These are not true firewalls. They will not offer you any level of protection and many have been breached. In addition, the consumer-grade routers that are usually purchased at Best Buy or from Amazon also offer no protection. These devices, even when marketed as a firewall, often have numerous vulnerabilities. In addition, these devices are not often updated by their manufacturer so when a vulnerability is discovered, it remains unpatched.
Purchase and install a true business-grade firewall. This will protect your internet connection from outside attacks. Firewalls also monitor your outgoing traffic as well. This can alert you if large amounts of data are leaving your network such as data theft.
Examples of good firewalls can be found from vendors such as Cisco, Sonicwall, and pfSense.
Step 3 – Anti-malware software
In the past, this was referred to as anti-virus software. The types of threats have changed so the defensive software has changed too. Anti-malware software will protect you against the newest malware threat types such as ransomware, keyloggers, and rootkits. Be sure to purchase the full version of this software and don’t rely on free versions. Free versions often lack the ability to do real-time scanning. This is where the software actively watches for signs of malware in the background. Free versions are usually only able to perform a manual scan. This will only tell you that you are already infected.
Examples of good vendors to purchase anti-malware software from would be: Malwarebytes, ESET, and Webroot.
Step 4 – Strong passwords
Passwords are the most commonly used form of security. We use them every day to log into our computers, phones, and websites. But most people use very weak passwords. These passwords present no challenge to hackers and can be broken very quickly. You must use strong passwords on all of your computers, websites, and apps.
Strong passwords use a combination of upper and lower letters, numbers, special characters, and should be longer than 12 characters. Finally, whatever password you choose shouldn’t be a common word or something found in a dictionary. Hackers have compiled huge databases of common passwords that users have chosen. Just because you think its clever doesn’t mean it is. Make the password as random as possible. You can read a complete guide on strong passwords here.
Step 5 – Training for your staff
Your staff is often the weakest link in your security. If someone were to fall prey to a phishing email and allowed an attacker into your network, then many of your defenses are already breached. This is why it is very important to provide training for your staff. Topics such as phishing, password security, and good internet surfing habits are very good places to start. Google offers free phishing training that can be taken here.
There are many online services that offer security awareness training for office staff. Many are very affordable or even free. Make training a priority and follow it up a few times throughout the year.
This by no means a thorough plan to secure your network from all threats. But if you implement the steps in this plan, you will go a long way into making sure your network is very unattractive to the most common hacker attacks today.