10 Internet Security Tips in 2020 for SMEs

As companies, people and devices become more connected, the risks arising from the exposure of systems and users to malware, phishing, ransomware, hackers, viruses and many other threats also grow. To help small and medium-sized companies manage their internet use, with more internet security and better employee productivity, we have listed 10 updated tips that can serve as a basis for adopting an information security culture in your company in 2020.

  1. Use secure passwords for all users and devices
  2. Enable two-factor authentication (2FA)
  3. Protect and control internet access
  4. Use antivirus on all computers
  5. Limit and Log Network Traffic with a Firewall
  6. Have backup copies of important data
  7. Keep software always up to date
  8. Restrict permissions on shared files
  9. Educate employees about phishing and social engineering
  10. Implement a policy for the use of IT resources

Use secure passwords for all users and devices

Even today, passwords are the most important form of authentication for accessing information and computing resources. Ever faster computers make it possible to quickly crack a password that a few years ago would have been impossible to crack. Therefore, longer passwords are now necessary to maintain internet security.

Make it a rule to use strong passwords in your company:

  • passwords with a minimum length of 8 characters (preferably 12 or more);
  • that combine uppercase, lowercase, numbers and symbols; and
  • that do not contain obvious information or simple sequences.

More information about password security can be found in the article with recommendations and tips for creating strong and secure passwords and in the guide for creating and managing user accounts and secure passwords.

Research from PreciseSecurity.com revealed that 30% of ransomware infections occurred due to the use of weak passwords. Another survey, carried out by Google, shows that 2 out of 3 people reuse the same password on different services they access on the internet, with more than 50% of people reporting that they use the same “favorite” password on most of the websites and systems they access.

Also don't forget that it is extremely important to change the factory default password of equipment connected to the network. For example, many Wi-Fi routers and surveillance cameras leave the factory with the username admin and the default password admin. If you do not change this password, the equipment will be vulnerable and can compromise the security of your entire network, including privacy problems and information leakage. Likewise, “administrator” user accounts and any other unused accounts must either have a strong password or be locked.
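The three rules above, plus the factory-default check, can be applied automatically when accounts are created or audited. The checker below is an added example written for this article, not a tool from Lumiun or from the page; the list of default passwords and the company name passed as a forbidden word are constructed sample values.

```python
import re
from typing import List, Sequence

# Constructed sample of factory-default and trivially guessable passwords
# (illustrative only, not taken from any product's documentation).
COMMON_DEFAULTS = {"admin", "password", "123456", "12345678", "qwerty", "welcome"}


def _has_simple_sequence(pw: str, run: int = 4) -> bool:
    """True if the password contains `run` consecutive ascending or descending
    characters (abcd, 1234, dcba) or the same character repeated `run` times."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw: str, forbidden_words: Sequence[str] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes.

    Rules follow the article: at least 8 characters (12 preferred), all four
    character classes, no factory defaults, no simple sequences, and no obvious
    information such as the company name (passed in as forbidden words)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 12:
        problems.append("shorter than the preferred 12 characters")

    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 4:
        problems.append("does not combine uppercase, lowercase, digits and symbols")

    if pw.lower() in COMMON_DEFAULTS:
        problems.append("is a factory default or common password")

    if _has_simple_sequence(pw):
        problems.append("contains a simple sequence or repeated characters")

    for word in forbidden_words:
        if word and word.lower() in pw.lower():
            problems.append(f"contains obvious information ({word!r})")
    return problems


if __name__ == "__main__":
    # "Acme" stands in for the company name; the candidates are constructed.
    for candidate in ("admin", "abcd1234!", "Acme2020!!x", "Xk7#mQ9$vL2w"):
        print(f"{candidate!r}: {check_password(candidate, ['Acme']) or 'OK'}")
```

Run it against a proposed password before it is set on a router, camera or user account; the function returns every violated rule rather than stopping at the first, so the user sees everything that needs changing.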

Enable two-factor authentication (2FA)

Two-factor authentication (2FA) is also called two-step verification. This technique complements the password and adds considerable security when accessing systems and resources on the internet.

With two-factor authentication, access depends on the correct password and also on another factor, such as a code sent by SMS or a code generated by an application on the smartphone. This way, even if someone discovers the email account password, they will not be able to access the account, as access also depends on the code sent to the account owner's smartphone.

It is recommended that 2FA be activated at least for the most important resources. This list certainly includes the email account, since through email it is possible to reset the password of many other services, using functions such as “I forgot my password”.

To get started with 2FA, we recommend enabling two-factor authentication on Gmail and WhatsApp. Google calls it “two-step verification”, and it greatly increases the security of Gmail. WhatsApp calls the same functionality “two-step confirmation”, and it is highly recommended that it be activated to make stealing or “cloning” a WhatsApp account more difficult.

Also check the other important applications in use at the company to see whether they offer 2FA and, if so, activate this protection.

Protect and control internet access

It is recommended to use tools that prevent access to harmful content, such as suspicious websites that often host viruses or malware. It is common for employees to receive fake emails with links that direct them to scam websites. Furthermore, attempts to download mp3 music, adult content and games often end with a virus being installed. Most attacks begin with access to a harmful or malicious website: when that access occurs, the website silently installs a virus on the equipment and thus opens a door on the network for further attacks, generally compromising internet security.

Protection mechanisms against access to malicious websites are increasingly important. Through this type of control, it is possible to define which groups of users will have access to which categories of websites, thus avoiding both the use of websites unrelated to the work and access to addresses with harmful content. With this tool, the manager protects the network against websites used in phishing attacks and in the spread of malware and ransomware.

How to control browsing and block access to harmful websites? See the article on internet access management and control for small and medium-sized companies. A good solution for protecting and controlling internet access in small and medium-sized companies is Lumiun, which protects browsing against malicious websites and generates access reports, increasing information security and employee productivity. It is an easy solution to implement and manage, requiring low investment.

Use antivirus on all computers

Especially on computers and servers running Windows, it is essential to use good antivirus software, kept up to date and configured to perform periodic scans. Currently, antivirus cannot be set aside or replaced by other solutions; it remains essential for internet security. In the company, opt for a paid license: do not use pirated software or keep running trial versions. It is important that your antivirus and/or antimalware is always up to date and active in order to offer protection. An outdated antivirus, or one with real-time protection disabled, loses its effectiveness and leaves computers more vulnerable.

Some good antivirus options for small and medium businesses:

Limit and Log Network Traffic with a Firewall

The firewall controls the flow of data: with it, it is possible to filter traffic, configuring what should pass through and what should be discarded. When correctly configured on a computer network, the firewall works as an additional layer of protection against external attacks and increases the company's security on the internet, including its information, equipment and systems. Typically, the firewall is one of the main defenses at the perimeter of a private network, being an essential component in protecting against unwanted traffic and intrusion attempts.

Check that you have an active and well-configured firewall that is protecting and logging connections between the internet and the equipment on your local network. If possible, keep internet access to your internal servers blocked in the firewall, especially the remote desktop service. This service is a constant target of intrusion attempts aimed at deploying ransomware that locks and hijacks data. The FBI has already issued an alert about the large wave of attacks on the remote desktop protocol (RDP). The alert even mentions that lists of servers vulnerable to intrusion, with unrestricted access to the standard remote desktop port (3389), are sold on the black market.

Good network firewall solutions for small and medium-sized businesses include FortiGate, SonicWall, Lumiun, Sophos and pfSense. Read more about this in the article “Firewall: does your network need this protection?”

Have backup copies of important data

It never hurts to repeat the importance of having a reliable backup from which important data can be recovered after any incident. In some types of attack, such as ransomware, which locks data until a ransom is paid, the main way to solve the problem is to restore the company's data from a backup copy. Backup is essential for the security of company information.

The backup strategy must be implemented in such a way that one backup copy is kept in a location disconnected from where the original data lives. If the backup is made on an additional disk permanently connected to the server or network that holds the original data, then in the specific case of ransomware the backup files may also be locked at the time of the attack, making the backup useless. It is important to have a backup copy in a location separate from the original location of the data.

To understand the importance of backing up your company's data and documents, imagine your company suddenly losing all of its financial spreadsheets, management controls, commercial data, customer information, catalogue of products and services, and employee history. It is very difficult to imagine the depth of the impact of such a situation on a company. The loss would be enormous, and all of the company's administrative and commercial activities would be compromised.

To avoid this situation, it is essential to maintain a well-structured backup strategy. The more automated the backup task is, the greater the chance that the backup is up to date when a restore becomes necessary. It is important to document and periodically test the restore process: the real value of a backup is not the backup itself, but a successful restore.

For companies that do not yet have a well-structured backup and want to start with a copy of their important data in the cloud, some service options for simple cloud backup are as follows:

Keep software always up to date

Software vendors continually release corrections to their programs to fix defects, improve performance and add functionality. These fixes also include patches for vulnerabilities and other security improvements. It is increasingly important to keep the operating system and other software packages with automatic updates activated, at least for those related to information security.

For example, the ransomware known as WannaCry (or WannaCrypt), which installs itself on Windows computers, encrypts data and demands a ransom, can successfully attack computers that do not have the MS17-010 update. According to Microsoft, “Security update MS17-010 resolves multiple vulnerabilities in Windows Server Message Block (SMB) v1. WannaCrypt ransomware is exploiting one of the vulnerabilities that is part of the MS17-010 update. Computers that do not have MS17-010 installed are at high risk due to the various variations of the malware.” Microsoft also documents how to check whether MS17-010 is installed.

Restrict permissions on shared files

In many small and medium-sized companies, this item is left aside. However, it is important to check the level of access that each user or group of users actually needs to files shared on the network, so as not to grant access beyond what is necessary. If a group of users only needs to view certain files, and not modify them, they should have read-only access. This segregation of access permissions according to the needs of each group of users is essential for information security. It prevents unauthorized users from being able, for example, to change the files of the system the company uses or the financial planning spreadsheets.

The routine use of administrative-level user accounts, such as administrator or root, on computers should also be avoided. Like the care taken with file access permissions, this measure limits the extent of damage that a user, even unintentionally, could cause to data.

Educate employees about phishing and social engineering

Phishing is a type of cybercrime that uses social engineering techniques to deceive internet users through counterfeit messages and websites. The objective is to steal confidential information, such as access passwords and credit card data, and in some cases to induce the payment of fraudulent bills.

The volume of phishing attacks targeting people and companies in Brazil remains very high: 1 in every 5 Brazilian users is susceptible to phishing, and Brazil is in 3rd place in the ranking of countries most attacked by phishing scams. A report published by Cisco in 2019 found that 38% of respondents had faced problems with phishing in the previous year.

The company must make its employees aware of safe behavior on the internet.

Employee training on phishing

Guidance for employees regarding phishing should cover the following aspects in particular:

  • Pay attention to what the message is offering or requesting: be wary of emails, SMS or advertisements with products at prices much lower than normal, and do not believe offers at incredibly low prices. Do not believe emails asking you to reply with your webmail or bank username and password; this is fraud. Messages supposedly sent by the Federal Revenue Service informing you of irregularities in your CPF are also fraudulent. Be wary of emails supposedly sent by the bank with a link to update the internet banking module. Don't trust emails with quotes, invoices or work orders that you never requested. And pay attention to the text of the message: it is very common for phishing messages to contain spelling errors.
  • Pay attention to the sender and to the links contained in the message: look carefully at the sender's email address and also at the destination address of each link in the message. If they seem strange, be suspicious immediately and don't click.
  • Pay attention to the website address: if you clicked on a link and were taken to a website, a downloadable file or a form requesting data, pay close attention to the address shown in the browser's address bar. The old tip of checking whether the site has an HTTPS lock (encryption) is no longer enough, as new phishing sites also use HTTPS. It is still important, however, to check whether the website address is correct. When in doubt, search for the name of the company you want to access and check the real address of its website.

For more information, including examples of phishing and protection techniques, see the article Phishing: how to protect yourself and not fall for the scam.
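The second and third points above (sender address, link destination versus the address the text shows) can be checked mechanically before a message reaches a user's inbox, or used to show employees concretely what to look for. The script below is an added example written for this article, not code from the original text; the bank name, the lookalike domain and the message body are all constructed, and the trusted-domain list is an assumption that each company would fill in with its own suppliers and banks.

```python
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_trusted(host: str, trusted: Set[str]) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def _host_shown_in_text(text: str):
    """If the link text itself looks like a URL or hostname, return that host."""
    if re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/|$)", text.strip()):
        url = text if "://" in text else "http://" + text
        return (urlparse(url).hostname or "").lower()
    return None


def review_message(sender: str, html_body: str, trusted: Set[str]) -> List[str]:
    """Apply the article's sender and link checks; return the suspicious findings."""
    findings = []
    address = re.search(r"<([^>]+)>", sender)
    sender_domain = (address.group(1) if address else sender).rsplit("@", 1)[-1].lower()
    if not _is_trusted(sender_domain, trusted):
        findings.append(f"sender domain {sender_domain!r} is not a trusted domain")

    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = _host_shown_in_text(text)
        if shown and shown != host:
            findings.append(f"link text shows {shown!r} but points to {host!r}")
        if not _is_trusted(host, trusted):
            findings.append(f"link to untrusted domain {host!r}")
    return findings


# Constructed sample: a lookalike sender and a link whose text shows the real
# bank address while the href goes elsewhere. All names are fictitious.
TRUSTED = {"examplebank.com.br"}
SAMPLE_SENDER = "Example Bank Security <alerts@examplebank-security.com>"
SAMPLE_BODY = """
<p>Your internet banking module needs to be updated. Access it now:</p>
<a href="https://examplebank-security.com/update">https://www.examplebank.com.br/internetbanking</a>
<p>Questions? Visit our <a href="https://www.examplebank.com.br/help">help center</a>.</p>
"""

if __name__ == "__main__":
    for finding in review_message(SAMPLE_SENDER, SAMPLE_BODY, TRUSTED):
        print("-", finding)
```

Note that the fake link uses HTTPS, exactly the case the third bullet warns about: the padlock tells you nothing about who owns `examplebank-security.com`, while the mismatch between the displayed address and the real destination is the reliable signal.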

Implement a policy for the use of IT resources

Ideally, the company should document a policy on the acceptable use of the internet and technology resources and inform all employees of it, with information security and employee productivity in mind. This policy must describe what may be accessed on the company's network and what the penalties are for non-compliance with the rules. For legal reasons, the company may require each employee to sign a form acknowledging the policy, confirming their awareness of the rules and penalties.

Employees must be guided in good internet security practices and must be aware of their responsibility to keep the company's data and information protected.

We provide a model document on internet use policy in companies. You can use it to inform employees of the company's internet use policy in the workplace and make them aware of it, ensuring appropriate use of the internet and technology resources.

One point to be considered in this policy is the use of personal equipment in the workplace, especially cell phones (smartphones): the company must make the rule clear. To make it easier to create a specific policy on cell phone use in the company, aiming for appropriate use of the equipment without compromising focus and productivity, see the model document on cell phone use policy in companies.

To finish

We believe that taking care of information security is essential for the success of growing companies. Those small and medium-sized companies that gradually and consistently implement the 10 factors covered in this article will certainly have good internet security in 2020: secure passwords for all users and equipment; two-factor authentication (2FA); protection and control of internet access; antivirus on all computers; a firewall to limit and log network traffic; backup of important data; software always up to date; restricted permissions on shared files; employee education about phishing and social engineering; and a policy for the use of IT resources.

Was this article useful to you? Do you have any questions? You can write a comment or contact me directly at heini@lumiun.com
