Given all the news regarding cyberattacks, it’s not hard to get businesses thinking about improving their cybersecurity. But, when those same businesses want to move beyond just thinking about improvement and act to really mature their security, they may feel like they are on their own. After all, the typical small business doesn’t usually have an IT staff, and probably doesn’t know where to begin this journey. Not to worry, we’re here to help. 

These are the first 5 things we recommend a small business (really any business) do as they work to improve their cybersecurity posture.

ONE

The very first thing we recommend is to have a plan.  If you are not sure how to develop a plan, here is an overview of the different areas you’ll want to review as you begin the process of improving your cybersecurity: https://www.realtime-it.com/blog/solid-cybersecurity-plan.

TWO

You must perform risk and vulnerability assessments for your business. You want to understand (and document) how you use technology in your business and the technical risks you face so you can prioritize your cybersecurity improvement efforts.  It is not possible to fix everything at once, and your risk assessment will help you identify what might be addressed easily and what is critical to address immediately.

 For the rest of Part 1, we’ll skip ahead a bit in the process to shore up areas every business needs to address if they haven’t already.

 THREE

Backups – air-gapped, tested, secured. Simply put, you want to regularly backup all your important data, and have a copy of that backup outside of the building and inaccessible from your local computers. This way, if something bad happens, the backup isn’t affected along with everything else.  Don’t forget, you also want to periodically test your backups to make sure the process is working, and the data is up-to-date and usable.

FOUR

Firewall – managed, NextGen security. Your firewall, with the proper security services in force, is one of your primary means of cyber defense. Firewalls have been considered a security necessity for about twenty years now– and no, you can’t get a proper business-grade firewall off the shelf at your local big-box electronics store.

FIVE

Security Awareness Training – ongoing and often. If your staff is using computers and the internet, they need to be aware of the threats, to know what to watch for, and to understand how to report anything out of the ordinary. – We have a great blog on Security Awareness Training here with a lot of great links.

Finally, even though we said we’d only discuss the first five steps to consider in addressing stronger cybersecurity, we really want to make sure you understand how important it is for you to obtain adequate cyber insurance appropriate to your business type and cyber risks. Talk to your insurance agent and ask for qualified resources and options to help you find the best policy to meet your needs.

If you have Google’s Chrome browser installed on your computers, please make sure to update it asap to version 78.0.3904.87 or later (latest as of today is 78.0.3904.97) as there are two security vulnerabilities in older versions that have active exploits in the wild. Google doesn’t talk too much in detail about exploits, but Kaspersky has a decent write up if you’d like more details, https://www.kaspersky.com/blog/google-chrome-zeroday-wizardopium/29126/

 How can you tell if you need to update?

To check, open up Chrome, click on the three vertical dots in the upper right corner of the browser (“Customize and control Google Chrome”), and select Help → About Google Chrome. If the number you see is 78.0.3904.87 or higher, everything is in order. You may see a red up arrow in that right corner, indicating an update is ready to be installed. You will have to close Chrome for the updates to take effect.

RealTime clients don’t have to worry about this as we update Chrome and most other third party applications automatically as part of your managed technology services.

As you might imagine, RealTime fields a fair amount of questions regarding cybersecurity that range from, “How can we be better protected?” to “I’m scared that we might be hit like that local place just was”. As part of answering this real need for our clients, RealTime is now offering an end-user training program as part of our Identity Shield Services.

However, if you are not a client (yet) or you would like to try this on your own, then you can train on some of the basics of cybersecurity awareness just by spending a little bit of time on YouTube. This is not intended to replace formalized training, but these videos can help you address the most likely threats that the average person encounters just because they use the internet and email in the course of doing their job. These tips are excellent for anyone who just wants to reduce their risks online.

[I’ve watched all of these videos and the links are current as of November 2019. They are each under four minutes and are well worth your time.]

Best single tip that I can provide to help you avoid being hooked by phishing: Microsoft, Google, Apple, Verizon, Bank of America, SSA, IRS, and thousands of legitimate businesses just like them will NEVER, ever, send an email to you asking you to confirm your password.

SUGGESTED LINKS TO YOUTUBE LEARNING

Phishing explained with some education, by SANS

 https://www.youtube.com/watch?v=5RHeJAEdiEc

How to spot a phishing email, report by Fortune Magazine

 https://www.youtube.com/watch?v=jfnA7UmlZkE 
The best tip in this video: If the email looks suspicious, it probably is…

If you only watch one video, make it this one!

An excellent video spotting phishing scams that is well worth the almost 4 minutes of your time. Loaded with realistic examples and tips
 https://www.youtube.com/watch?v=0GwWTjz6txU 
BEST TIP: Think before you click.

Office 365 phishing attack types with some examples (this is not a video)

 https://betanews.com/2019/04/03/office-365-phishing-attacks/ 
Note that these threats are not unique to  Office 365 email – we’ve seen attempts against all web based email systems. Just more confirmation that if something asks you to confirm credentials, or enter your logon info to access an attachment – be wary!

Tech support scam, by USAGov

https://www.youtube.com/watch?v=UGBLjPKSUeU 

If you have older parents who use email and the internet, please ask them to watch this video! I have helped too many older, and not so older people, who have been scammed in this way, including my own parents more than once.  

Spot a bad URL or Link, by Symantec

https://www.youtube.com/watch?v=YIeS7sJ_Llw

Better passwords, Local CBS news report

 https://www.youtube.com/watch?v=oakITDBYElw

Better password management using a password manager.

This post explains LastPass, but all the password manager applications work pretty much the same
https://lifehacker.com/the-beginners-guide-to-setting-up-lastpass-1785424440 

One important detail – you want to be sure that whatever application you use has their security act together and stores the passwords properly.

Mobile device security from SANS Security Awareness

 https://youtu.be/WEfWFA4xdd4