Top 15 Cyber Security Recommendations for Small Businesses

March 21, 2019 by Christine Becker

TNTMAX TOP 15 CYBER SECURITY RECOMMENDATIONS FOR Small Businesses (Detailed List)
IMPORTANT before you start reading our recommendations, say to yourself, “I am a target for hackers.” It does not matter whether or not you hold top secret information or have millions in your bank account – your identity and your computer resources are a target. EVERYONE is a target for cybercriminal “hackers”.

Check out our post here if you are an Individual

1. FIREWALL – PROTECT COMPANY PERIMETER
A stateful firewall or Unified Threat Management (UTM) appliance must sit at the perimeter, between the internet and the company's internal network. Configure its access control list (ACL) to permit only the traffic the business actually needs, and make an explicit deny-all rule the last entry so that anything not expressly allowed is dropped. Keep the firewall firmware and other software updated on a regular schedule, and review the firewall activity log regularly; a log nobody reads protects nothing.
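
As an added example (not code from the original post), the following Python script audits a perimeter ACL the way a reviewer reads it: it checks that the final rule is an explicit deny-all, flags an allow-anything rule, and finds rules shadowed by an earlier rule under first-match semantics, which can never fire. The five-tuple rule format and the sample ruleset are hypothetical and constructed here; they are not any vendor's syntax.

```python
"""Audit a perimeter ACL the way a reviewer would read it top to bottom.
Added example. Rules are a hypothetical five-tuple (action, protocol,
source, destination, destination port), not any vendor's syntax."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    dport: str    # destination port number or "any"


def _net(cidr: str):
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr, strict=False)


def is_deny_all(rule: Rule) -> bool:
    return rule.action == "deny" and all(
        f == "any" for f in (rule.proto, rule.src, rule.dst, rule.dport))


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` would already match `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and (outer.dport == "any" or outer.dport == inner.dport))


def audit_acl(rules):
    """Return a list of findings; an empty list means the ACL passed."""
    findings = []
    if not rules or not is_deny_all(rules[-1]):
        findings.append("last rule is not an explicit deny-all")
    for i, rule in enumerate(rules):
        if (rule.action == "allow" and rule.src == "any"
                and rule.dst == "any" and rule.dport == "any"):
            findings.append(f"rule {i}: allow any->any on all ports is equivalent to no firewall")
        # first-match semantics: a rule fully covered by an earlier one can never fire
        for j in range(i):
            if covers(rules[j], rule):
                findings.append(f"rule {i} is shadowed by rule {j} and never matches")
                break
    return findings


# Constructed sample ACL (first match wins, read top to bottom)
SAMPLE_ACL = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", "443"),            # public web server
    Rule("allow", "tcp", "198.51.100.0/24", "203.0.113.20/32", "22"),  # admin SSH from partner range
    Rule("allow", "tcp", "198.51.100.5/32", "203.0.113.20/32", "22"),  # redundant: inside rule 1
    Rule("deny", "any", "any", "any", "any"),                          # explicit default deny
]

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL):
        print(finding)
```

Run against the sample, the audit reports only that rule 2 is shadowed by rule 1; remove the deny-all and it also reports the missing default deny. The check is IPv4-only and treats ports as single values, which is enough to catch the two mistakes that matter most in a small-business ruleset.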

2. UPDATES – END-POINTS AND APPLICATION SOFTWARE UPDATES

Your business must make sure all network devices and endpoints (firewalls, wireless access points, routers, switches, gateways, servers, user workstations, etc.) are fully patched on a regular basis. Apply updates on a regular schedule and reboot critical systems after patching so that the updated code is actually what is running; a patch that is installed but waiting on a reboot leaves the old, vulnerable code in memory.

3. ANTI-VIRUS / ANTI-MALWARE – USE ANTI-VIRUS SOFTWARE ON ALL END-POINTS
Make sure you deploy anti-virus / anti-malware software on all end-points (servers, workstations, laptops, tablets, etc.) in your organization, and configure it so that users cannot disable it. We recommend Sophos anti-virus with Intercept X (see below). The anti-virus / anti-malware software must be updated on a very regular basis (daily), and any warnings/alerts need to be sent to your system administrator or your IT consulting firm rather than only shown to the user who triggered them. Below is a list of anti-virus recommendations.

4. POLICIES – IMPLEMENT INFORMATION SECURITY POLICIES
Document and implement a complete set of information security (IS) policies that cover general, network, server, and application security. The IS policies should include an acceptable use policy, a password construction and management policy, a mobile device policy, an anti-virus policy, a software update policy, etc. Roll these policies out together with a training program so that your staff understand the requirements in each policy that applies to them and can follow them as intended. Update your policies on an annual basis, and conduct yearly training updates for employees on new policies and requirements.

5. IDS/IPS – IMPLEMENT PERIMETER INTRUSION DETECTION and/or PREVENTION SYSTEM
Implement an intrusion detection system (IDS) and/or an intrusion prevention system (IPS) at the perimeter of your company network. A signature-based IPS sits inline and blocks known attacks. An anomaly-based IDS monitors network traffic for deviations from normal behaviour and can surface attacks for which no signature exists yet, including zero-day exploitation, but it will also raise false positives that someone has to triage.

6. ENCRYPTION – USE ENCRYPTION IN TRANSIT and/or AT REST
Use strong, standard encryption such as the Advanced Encryption Standard (AES) for all remote connections (VPN), login and other authentication exchanges, wireless traffic, and any sensitive data at rest and in transit. Encrypt data at rest (e.g. with self-encrypting drives (SED) or full-disk encryption) for any data that is under compliance requirements; note that disk encryption protects a powered-off or stolen drive, not data on a system an attacker has already logged into. For example, electronic protected health information (ePHI) under HIPAA, and financial institutions under the Gramm-Leach-Bliley Act (GLBA) and Federal Financial Institutions Examination Council (FFIEC) guidance, are expected to encrypt data at rest and in transit to mitigate the risk of disclosure or alteration of sensitive and/or confidential information.

7. BACKUP – BACKUP ALL COMPANY AND CLIENT DATA
Make sure all company and client data is backed up to both a secure encrypted off-site backup and an on-site backup. Use a dedicated backup account that is different from the system administrator account, and make sure the administrator account has no access to the backup store; this segregation of duties keeps an attacker or ransomware that gains admin rights from deleting or encrypting the backups along with the live data. Check that the backup is working correctly and perform weekly/monthly spot restores, because a backup that has never been restored is unverified. Monitor the backup on a daily basis to ensure it works as expected.
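
A spot restore is only meaningful if you compare what came back against what went in. As an added example (not code from the original post), this Python script records a SHA-256 manifest of the source at backup time and checks a restored tree against it, reporting files that are missing, corrupt or unexpected. The data set is constructed in a temporary directory; the file names and the simulated faulty restore are hypothetical.

```python
"""Verify a spot restore against a hash manifest taken at backup time.
Added example with a constructed data set; nothing here touches real backups."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file (relative path) under `root` to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree to the manifest and list every discrepancy."""
    result = {"missing": [], "corrupt": [], "unexpected": []}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif hashlib.sha256(target.read_bytes()).hexdigest() != digest:
            result["corrupt"].append(rel)
    for path in sorted(restored.rglob("*")):
        rel = path.relative_to(restored).as_posix()
        if path.is_file() and rel not in manifest:
            result["unexpected"].append(rel)
    return result


def demo() -> dict:
    """Build a tiny source tree, snapshot it, simulate a bad restore, verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        dst = Path(tmp, "restored")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2019-03-21,100\n")
        (src / "clients.txt").write_text("Acme\nGlobex\n")
        manifest = build_manifest(src)      # taken when the backup job runs
        # Simulated restore: one file truncated, one file never restored.
        (dst / "finance").mkdir(parents=True)
        (dst / "finance" / "ledger.csv").write_text("date,amount\n")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest should be written by the backup job itself and stored with the backup (and ideally signed), so that a restore is judged against what was backed up rather than against whatever the live system looks like today.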

8. TRAINING– TRAINING STAFF ON SECURITY AWARENESS
Make sure you implement a training program on security awareness for all your staff. Be sure to include in the training your security policy requirements and test your staff on their awareness of security by quizzing them or hiring a third-party company to conduct security awareness assessment testing and training. TNTMAX has implemented security awareness assessment training in-house with much success and we can provide these types of services to any business or organization.

9. WIRELESS – PROTECT YOUR OFFICE WIRELESS NETWORK
Protect your company wireless network with WPA2-AES (WPA2-Personal using AES-CCMP) or, better, WPA2-Enterprise, which authenticates each user individually through a RADIUS server (802.1X) instead of one shared key. If you use a pre-shared key, choose a strong passphrase made up of upper and lower case letters, numbers and special characters with a minimum length of 32 to 34 characters (WPA2 allows up to 63); an attacker who captures the handshake can attack the passphrase offline, and length is what makes that infeasible. Create a fully segregated guest network, with its own encryption and password, that is completely separated from your private network. Audit your wireless network and keep access point firmware updated.
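
As an added example (not code from the original post), the Python script below generates a passphrase that meets the policy above and derives the 256-bit pre-shared key exactly as 802.11i does: PBKDF2-HMAC-SHA1 with the SSID as the salt and 4096 iterations. That derivation is why length matters: anyone who captures the WPA2 four-way handshake can run the same derivation offline for each guess, and 4096 rounds of SHA-1 is cheap on a GPU, so only the passphrase's entropy stands in the way. The SSID names and the special-character set are assumptions made for the example.

```python
"""WPA2-PSK passphrase policy and 802.11i PSK derivation. Added example."""
import hashlib
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+.,:;"          # assumed special-character set
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def validate_passphrase(passphrase: str, min_length: int = 32) -> None:
    """Enforce the post's policy on top of the WPA2 limits (8..63 printable ASCII)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases must be printable ASCII")
    if len(passphrase) < min_length:
        raise ValueError(f"policy requires at least {min_length} characters")
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS)
    if not all(any(c in cls for c in passphrase) for cls in classes):
        raise ValueError("passphrase must mix upper, lower, digits and specials")


def generate_passphrase(length: int = 32) -> str:
    """Random passphrase from the OS CSPRNG that satisfies validate_passphrase."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        try:
            validate_passphrase(candidate, min_length=length)
            return candidate
        except ValueError:
            continue  # a character class was missing; draw again


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is what the access point and every client compute from the passphrase,
    and what an offline attacker recomputes per guess from a captured handshake."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    pw = generate_passphrase(32)
    print("passphrase:", pw)
    print("PSK for SSID 'OfficeWiFi':", derive_psk(pw, "OfficeWiFi").hex())
```

Because the SSID is the salt, the same passphrase on two networks yields two different keys, but a common SSID (a router's factory default) lets attackers precompute tables; give the office network a distinctive SSID as well as a long passphrase.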

10. MULTI-FACTOR AUTHENTICATION & STRONG PASSWORD
Use multi-factor authentication (MFA) whenever possible. This is typically a code or prompt delivered to your phone (an authenticator app, a push approval or, less robustly, an SMS message) after you log in with your password, which you must act on (enter the code or approve the prompt) before the login completes. Use strong passwords made up of upper and lower case letters, numbers and special characters with a minimum length of 12 to 14 characters. Use a different password for every login; never reuse a password across sites, because one breached site then exposes every other account that shares it. Update all your passwords at least 1-2 times a year, and immediately whenever a site you use reports a breach.

11. MONITORING & AUDITING
Monitor your firewall, intrusion detection system, server and user logs daily for potential attacks and anomalies, and have the resulting alerts reviewed daily by your security team or IT provider. Perform a yearly audit of your systems and configurations to ensure no system is end-of-life and that standards are maintained across the organization. Any findings should be remediated following company remediation policy guidelines.
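
Daily review only scales if the obvious patterns are picked out automatically. As an added example (not code from the original post), the Python script below runs two detections over constructed log lines: a port scan (one source denied on many destination ports within a short window) from the firewall log, and a password brute force (repeated failures for one user from one source) from the server auth log, and then correlates the two so that a source seen in both is escalated. The log format, IP addresses and thresholds are constructed for the example; real firewall and sshd lines differ and need their own regexes.

```python
"""Simple detections over firewall deny and SSH auth-failure lines. Added example;
the log format below is constructed and is not any real product's output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DENY_RE = re.compile(
    r"^(\S+) \S+ DENY (\w+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
AUTH_RE = re.compile(
    r"^(\S+) \S+ sshd: Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)$")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def detect(lines, scan_ports=5, scan_window=60, fail_count=3, fail_window=300):
    """Return (kind, source_ip, detail) alerts found in the given log lines."""
    denies = defaultdict(list)   # src ip -> [(timestamp, dst port)]
    fails = defaultdict(list)    # (src ip, user) -> [timestamp]
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            denies[m.group(3)].append((_ts(m.group(1)), int(m.group(5))))
            continue
        m = AUTH_RE.match(line)
        if m:
            fails[(m.group(3), m.group(2))].append(_ts(m.group(1)))

    alerts = []
    # Port scan: >= scan_ports distinct destination ports within scan_window seconds
    for src, events in denies.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= timedelta(seconds=scan_window)}
            if len(ports) >= scan_ports:
                alerts.append(("port_scan", src, f"{len(ports)} ports in {scan_window}s"))
                break
    # Brute force: >= fail_count failures for one user from one source within fail_window
    for (src, user), times in fails.items():
        times.sort()
        for i in range(len(times) - fail_count + 1):
            if times[i + fail_count - 1] - times[i] <= timedelta(seconds=fail_window):
                alerts.append(("brute_force", src, f"{fail_count}+ failures for {user}"))
                break
    # Correlation: a source that shows up in both logs deserves a human today, not eventually
    kinds = defaultdict(set)
    for kind, src, _ in alerts:
        kinds[src].add(kind)
    for src, seen in kinds.items():
        if len(seen) > 1:
            alerts.append(("correlated", src, "seen in firewall denies and auth failures"))
    return alerts


# Constructed sample log lines (RFC 5737 documentation addresses)
SAMPLE_LOG = """\
2019-03-21T02:14:05Z fw DENY tcp 203.0.113.77:51234 -> 198.51.100.10:21
2019-03-21T02:14:06Z fw DENY tcp 203.0.113.77:51235 -> 198.51.100.10:22
2019-03-21T02:14:06Z fw DENY tcp 203.0.113.77:51236 -> 198.51.100.10:23
2019-03-21T02:14:07Z fw DENY tcp 203.0.113.77:51237 -> 198.51.100.10:80
2019-03-21T02:14:08Z fw DENY tcp 203.0.113.77:51238 -> 198.51.100.10:443
2019-03-21T02:20:00Z fw DENY udp 192.0.2.9:40000 -> 198.51.100.10:161
2019-03-21T02:21:10Z srv1 sshd: Failed password for admin from 203.0.113.77
2019-03-21T02:21:14Z srv1 sshd: Failed password for admin from 203.0.113.77
2019-03-21T02:21:19Z srv1 sshd: Failed password for admin from 203.0.113.77
2019-03-21T09:05:00Z srv1 sshd: Failed password for jsmith from 198.51.100.42
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single UDP deny and the lone failed login for jsmith produce no alert; thresholds are what keep a daily review from drowning in noise, and they should be tuned to what is normal on your network rather than copied from an example.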

12. BASELINE SECURITY AND APPLICATION REQUIREMENTS
Define a baseline operating system and application configuration that focuses on security. Remove all unused services and applications, close unneeded ports, lock down user workstations, etc. The baseline gives your security team a solid reference point when monitoring the network: any workstation or piece of software that does not match it stands out, which makes daily security monitoring and enforcement much easier.

13. THIRD PARTY STAFF AWARENESS TESTING & PEN TESTING
Hire a cybersecurity company to perform staff security awareness testing. They will send phishing emails to you and your staff and perform other simulated attacks to give you a baseline of how aware your staff are of cybersecurity threats. Part of this testing will also show them how to protect the company while conducting their daily job activities. This is very important to perform yearly since YOUR EMPLOYEES ARE YOUR NUMBER ONE WEAKNESS, but also YOUR NUMBER ONE ASSET when it comes to protecting your company's technology. Also consider hiring a third-party company specializing in cybersecurity to perform a penetration test (pen test) of your organization, so they can show you how cybercriminals could get a foothold inside your organization and provide you with remediation steps to be implemented according to your remediation policy.

14. NETWORK SEGREGATION / SEGMENTATION / ISOLATION
Understanding how to segment your business network and segregate and isolate critical systems from employees who do not require access to certain systems is a critical part of securing your office network. If you have one network where everyone has equal access to all devices, servers, and workstations, it makes it much easier for a rogue employee and/or intern to try to gain access to the accounting, finance and/or research server on your company network. By segregating and isolating each sensitive department of your company you improve the security infrastructure of your network and gain the ability to monitor, manage and restrict access more efficiently, resulting in higher security.

15. NEVER LEAVE DEVICES UNATTENDED – CLEAN DESK POLICY
Make sure that when employees leave their desk, they log out or lock their computer. Desktop computers and other devices logged into the company network and servers must not be left unlocked and unattended in a way that risks access by an unauthorized user. Unattended logged-in computers create easy opportunities for unauthorized access to information and misuse of accounts, such as sending bogus email messages purporting to come from the genuine account holder, or accessing company resources restricted to certain users only (e.g. accounting, finance). Make sure you create, roll out and enforce a company "Clean Desk Policy" that covers unattended devices and more (see partial example below):

  • Computer workstations must be locked when the workspace is unoccupied.
  • Computer workstations must be shut completely down at the end of the workday.
  • Any restricted or sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the workday.


TNTMAX – CYBER SECURITY TOP 15 RECOMMENDATIONS (Recap)

“My business is a target for cybercriminals/hackers.”

  1. FIREWALL – PROTECT COMPANY PERIMETER
  2. UPDATES – END-POINTS AND APPLICATION SOFTWARE UPDATES
  3. ANTI-VIRUS / ANTI-MALWARE – USE ANTI-VIRUS SOFTWARE ON ALL END-POINTS
  4. POLICIES – IMPLEMENT INFORMATION SECURITY POLICIES
  5. IDS/IPS – IMPLEMENT PERIMETER INTRUSION DETECTION and/or PREVENTION SYSTEM
  6. ENCRYPTION – USE ENCRYPTION IN TRANSIT and/or AT REST
  7. BACKUP – BACKUP ALL COMPANY AND CLIENT DATA
  8. TRAINING – TRAINING STAFF ON SECURITY AWARENESS
  9. WIRELESS – PROTECT YOUR OFFICE WIRELESS NETWORK
  10. MULTI-FACTOR AUTHENTICATION & STRONG PASSWORDS
  11. MONITORING & AUDITING
  12. BASELINE SECURITY AND APPLICATION REQUIREMENTS
  13. THIRD PARTY STAFF AWARENESS TESTING & PEN TESTING
  14. NETWORK SEGREGATION / SEGMENTATION / ISOLATION
  15. NEVER LEAVE DEVICES UNATTENDED – CLEAN DESK POLICY