TOT 013:

Top 10 Mostly-Free Things to Make Your Business More Secure

John Barker
October 15, 2023
Read Time: 5 Minutes

Recently the Cybersecurity & Infrastructure Security Agency (CISA) and National Security Agency (NSA) released their Top 10 IT misconfigurations that make you susceptible to a cyber incident.

If you are a small or mid-size business cybersecurity may seem like a daunting task to adhere to.  It doesn’t have to be.  Most of the top threats to your organization can be handled with a little elbow grease.

The language used in cybersecurity circles is written in a way that only the most technically competent or larger organizations find useful.

My goal is to simplify the technical knowledge for smaller organizations here.

As always, the larger your organization or the more sensitive nature of your business the more cybersecurity resources you need.

Here is how to decipher these risks.

  1. Stop Using Default Configurations of Software and Applications

When I first started in technology all options in software were turned on by default.  Things are better now but still not perfect.  You need to look for two things with your software and applications.

  1. Change default usernames and passwords. Many providers use the same default admin username and passwords. You can just Google search them.  This is very prevalent with wireless routers and modems.   Change all default passwords as soon as possible.
  1. Operating systems still ship with many services turned on by default. If you are not using features with your software you should disable them from running. Pay particular attention to any software that is facing the internet such as web servers.
  1. Using Administrator Accounts for daily tasks

No person should be using their personal accounts with administrator-level privileges.  This usually is an IT component that can cause the most danger.  Administrator accounts should only be used when necessary.  Users should have the least privilege for all tasks.  This means the least amount of access necessary to perform their jobs daily.

  1. Insufficient Network Monitoring

This is the one item on the list that may not be feasible for small businesses.  The network is monitored for irregular traffic and collecting logs.  You are looking for threats that are residing in the network and moving from one area to another (lateral movement).

This is a must for larger organizations with a huge threat landscape.

  1. Lack of Network Segmentation

If someone manages to get inside your network, you want to limit their movement.  An easy way to do this is the logical separation of devices and software.  Your technology team can set up VLANs that separate your production environment of servers from your test environment.

The Operational Tech (OT) that you use should be put on a different segment of the network.  These are things such as security cameras, thermostats, door locks, etc.  OT and Internet of Things devices are notoriously insecure.  You do not want them on the same network as your computing devices.

  1. Poor Patch Management

This is the one that drives me the craziest.  Patch management is free.  Set up a regular schedule to patch all of your software and update the firmware on your devices.  New vulnerabilities are discovered all the time and patches are the easiest, cheapest solution to keep you safe.

Once a vendor has set a date, they will not support software any longer.  You need to make plans to upgrade as soon as possible.  Using software past the manufacturer’s end of life is a sure way to let in an intruder.

  1. Bypassing Access Controls

Threat actors can capture passwords if they sit in a network.  To make this harder you need strong password policies established.  I recommend making the minimum length very long and encouraging the use of phrases.  Example:  “TheBluePonyWasBornin1952”.

Passphrases are easier to remember.

You can also look at password vaults for your organization.  These can track and create secure password policies for your employees.

You will also want to enable Multi-factor authentication.

  1. Weak Multi-Factor Authentication (MFA) Methods

Having to enter an additional code to access your accounts is a pain.  But necessary.  When possible you want to implement MFA that won’t allow the user to bypass it or accidentally give it to a hacker. This is known as phishing-resistant MFA.  The only types of phishing-resistant MFA use FIDO keys (physical hardware devices) or a security certificate.

This isn’t possible for everything or everywhere.

The next best solution is using an APP on your phone.  Users should be instructed to recognize phishing attempts.  A sign would be getting a notification for access, and they didn’t initiate it.  Or something known as push bombing.  Getting repeatedly asked to push accept over and over again. People get frustrated and finally hit accept.

Avoid this.

A side not on MFA.  If a vendor tries to charge for security features you need to dump them.

  1. Not Managing Permissions on Company Files

A common and easy mistake to make is not managing the permissions on your company’s shared files.  The folders are set up so that everyone can access them fully.  The concept of least privilege applies here (and everywhere).  Employees only get the level of access needed to work. If someone only needs to read a document, then they don’t get edit access.

A secondary action is to encrypt the data in the shared drives.  Be aware of any data that contains social security numbers, banking, tax returns, or scanned documents.  These should all be encrypted.

  1. Poor Password Management

This piggybacks off number 6. Do not allow short and simple passwords.  Ensure that the software solutions you use do not store the passwords in clear text.  If you don’t know ask.  Clear text password theft is an easy entry point for a hacker.  Do not allow users to store passwords in files in the network share.

  1. Installing Programs without Authorization

If an employee falls for a phishing scam it usually involves installing untrusted software on their computer.  Avoid this problem by disabling administrator access to the computers and requiring authorization to install new programs on the computer.

That’s all for this week.

See you next Sunday.

John

Whenever you’re ready, there is one way I can help you:
I can help if you need help whipping your technology back into shape, looking to improve your cybersecurity, or just need someone to look over shoulder.
Click the above link, send me some details about your business, and schedule a zoom meeting.
Simple as that.

About the Newsletter

Get One Tip every Sunday morning to optimize and secure your business technology.

John Barker

John Barker

John has over 25 years of technology experience and earned a Bachelor’s in Business Management & MBA.  He also holds CISSP and PMP certifications.

0 Comments