Cyberattacks are a big threat to US businesses, costing an estimated $650 billion per year. These attacks come in many forms and from every direction – including malware, brute force attacks, password guessing, software exploits, phishing and social engineering attacks, and even physical theft of hardware.
To defend against this relentless cavalcade of threats, you need a truly comprehensive cyber attack prevention system. And to put together such a truly comprehensive system, you need a truly comprehensive blog post – this one.
In this post, we’ll show you all the different cyber security measures you should be implementing and why. And we’ll present it in a simple, no-nonsense way that even non-technical business owners, managers, or anyone in charge of IT security can understand, while also relying on our years of in-depth security experience and expertise.
Let’s get started.
What’s New in Cyber Attack Prevention in 2020?
To be honest, not as much as you might think, despite an unprecedented global shift in many people’s work habits due to COVID-19. As we’ll get into below, most cyber security measures should be implemented, managed, and monitored remotely and/or in a centralized way. You shouldn’t need to physically touch or be in the same room as any of your users’ devices after the initial setup.
Some changes to consider:
- If you’re not managing your IT in a remotely-accessible and centralized way, you should be. Consider deploying an RMM tool or getting help from an MSP or MSSP.
- If you have users remoting into in-office resources like PCs, file servers, and application servers, make sure you’re using secure VPNs.
Public cloud providers handle only a portion of security responsibilities for you. AWS.
- If you’re moving assets to the cloud in response to COVID-19, make sure you’re configuring your cloud instances correctly. Misconfigured, insecure cloud servers and databases are a widespread problem, perhaps because people wrongly assume that public cloud providers like AWS and Azure are secure out of the box.
- With increased layoffs due to COVID-19 and many people under increased financial pressure, it may unfortunately be necessary to take extra precautions against insider attacks, for example by limiting people’s access to things like backups and admin accounts and watching out for large or unusual data transfers.
Of course, a lot of businesses are still in wait and see mode at the moment, making do with what they have. As time goes on, there may be a more dramatic shift away from physical offices and hardware to more remote workforces and cloud-based IT, which will make cloud cyber attack prevention increasingly important and physical security increasingly irrelevant.
The Strategy: Defense in Depth
To protect your business from cyberattacks, you want to practice defense in depth.
Defense in depth is an age-old military strategy that means having multiple defensive lines, one behind the other, delaying attackers and making it harder for them to break through to their objective.
In WWI, for example, each side had not one trench but multiple trenches, often with a relatively thin frontline of machine gunners and reserves and counterattackers in the trenches behind. The Japanese used it to great effect in the later island battles of WWII, too.
Military defense in depth – overhead view of a German trench system in WWI
Cyber defense in depth. Microsoft.
In IT terms (and we’re simplifying things a bit here), defense in depth means both:
- Having a layered defense in case one of your cyberattack prevention methods fails (for example, having a firewall with IPS, an endpoint firewall and antivirus, and gapped data backups to protect yourself from ransomware) and
- having a complete and unbroken line of defense as a whole, since there are so many different ways for hackers to break into your system (protecting yourself from ALL types of data theft including malware, social engineering, and physical theft of hardware).
The Tactics: 8 Key Cyber Attack Prevention Measures
1) Employee Training
A fake Microsoft login screen used for phishing. From Microsoft.
It’s important to teach your employees the basics of cyber attack prevention, since they can negate your other well-planned security measures by, for example, being tricked into sharing their username and password with a hacker.
A common example – employees get an email asking them to reset their password to some account, let’s say G Suite. They click the link and enter their info but nothing happens. Well, not exactly nothing – they’ve just submitted their username and password to a hacker, the one that sent them the fake password reset email and created the fake G Suite login page that looked just like the real ones.
To maximize your protection from incidents like these, we advise signing up for comprehensive security training from an MSP or similar company. It’s the best way to ensure that even the least tech-savvy members of your team “get it” and contribute to the whole team effort of organization-wide IT security.
If you’re just looking to cover the basics, however, you can follow the “PEA-UU system” to avoid things that don’t pass the smell test and keep from making a mess of your IT.
Phishing email, with an example of link hovering. Microsoft.
- Passwords. Use strong, unique passwords that contain at least 12 characters and include numbers, uppercase and lowercase letters, and symbols. Don’t reuse passwords for multiple accounts. Change your passwords every 90 days if you can.
- Email Addresses. A common trick these days is for hackers to send emails pretending to be your boss or a colleague. Double-check the email address – the From name may be correct, but the address may be something like “email@example.com“.
- Attachments. Don’t open email attachments or files from the internet unless you’re expecting the attachment (it’s a Word doc you’ve been collaborating on, for example) or you trust the source (a download from your own Dropbox or from Microsoft.com vs. a ZIP file from a site that hosts illegal movies)
- Unsafe sites. Avoid unsafe sites like gambling, adult content, and free video game websites. These sites often contain malware.
- URLs. Always hover over links to see their actual destination before clicking on them. If the actual destination looks suspicious, don’t click on the link.
The Sophos Intercept X Endpoint dashboard
Antivirus software is like your IT network’s immune system. It won’t prevent malware from getting into your network, but it’s designed to identify, neutralize, and remove the malware before it executes. It does this by rapidly comparing files and the operations they perform to known forms of malware. We recommend installing antivirus software on all of your Windows PCs and Windows and Linux servers.
Do you recommend a specific antivirus?
We’re big fans and have had great results with the antivirus of our partners at Sophos, Intercept X Endpoint.
What about free antivirus software?
First, most free antivirus programs like Avast and AVG aren’t licensed for use by businesses, so legally you shouldn’t be using them on your work PCs.
Second, the antivirus software Windows Defender comes free with Windows, is just as effective as other free antivirus programs, and doesn’t have the annoying pop-up ads that some of the others do. So if you want to use free antivirus software, just use Windows Defender.
Third, the general consensus with free antivirus is that you get what you pay for. They’ll stop some threats, but aren’t as effective as paid programs.
What about Macs?
There are some Mac viruses and forms of adware out there, and people on Macs can download Windows malware and spread them to Windows users including colleagues and clients, so go ahead and install antivirus on your Macs, too. Many antivirus programs, including Sophos Intercept X Endpoint, have Mac OS versions.
What about Android and iOS?
You don’t really need antivirus on your mobile devices. Just use MDM software like Microsoft Intune (which you should be using anyway if you’re providing company phones or tablets to your employees) to prevent users from installing unapproved apps or jailbreaking their devices.
Sophos firewall dashboard
Antivirus isolates and removes malware that’s gotten into your network; firewalls prevent malware and other bad or unnecessary traffic from getting into your networks in the first place.
There are two main types of firewalls: network-based and host (i.e., endpoint)-based. Network-based examples include hardware firewall appliances from companies like Sophos and Fortinet and routers with built-in firewalls. Host-based examples include the Windows Defender Firewall that’s included with the operating system and the firewalls included with antivirus software.
For the most part, firewalls work by blocking traffic on unused ports and from known malicious/blacklisted IP addresses. You can use your firewall to block dangerous or non-work-related websites like gambling sites, adult content sites, and social media.
Many also have Intrusion Prevention System (IPS) features that will detect and block malicious intrusion attempts – sort of like a network-level antivirus.
Getting help with firewalls
Firewalls can be kind of difficult to select, price, deploy, manage, and monitor, so if you’re not a technical person we’d recommend talking with an IT services company like ourselves before doing anything with them. Does your hardware firewall appliance support your level of network traffic? Do you need to sign up for any of the services add-ons offered by the firewall maker (for advanced threat protection, content filtering, etc.)? How do you configure your firewall to allow access to remote workers?
An IT services provider can help you answer questions like these and get you the right firewall setup for your business.
Also, because email is the top source of IT security threats, we recommend pairing your firewall with an email filtering service like Sophos Email Security or Mimecast Secure Email Gateway, which help to remove spam and malicious emails before they reach your employees’ inboxes, and are more effective than the built-in filtering tools of email services like Exchange Online.
Example of the 3-2-1 backup rule, explained below. Veeam.
Up until a few years ago, you might not have thought of backups as a key element of cyber attack prevention. But that’s all changed with the emergence of ransomware.
Most people have probably heard of ransomware by now, but if you haven’t, it’s a form of malware that encrypts all your files and demands money to decrypt them for you – essentially holding your data hostage. Ransomware outfits have hit hospitals, city governments, and many other businesses – totaling at least over $1 billion in costs to U.S. organizations in 2019.
And in case you thought ransomware gangs might have developed a conscience or sense of communal spirit as a result of the coronavirus, as others have, you’d unfortunately be wrong. They continue to hit small businesses, large firms like Cognizant, Telemetrex, and the University of California San Francisco, and – yes – even hospitals.
So how do you stop ransomware attacks from affecting your business? Hopefully your firewall, antivirus, and patch management measures will prevent the ransomware from infiltrating and activating itself on your network in the first place.
If they don’t (and you have to be prepared for the possibility that they might fail), the only way to restore your files (aside from paying the ransom, which might not even work) is by restoring from non-encrypted backups.
Doing backups right
When doing backups, follow the classic 3-2-1 rule: 3 total sets of data (including the original files/data) and 2 sets of backups (in case one gets corrupted or otherwise messed up) including 1 offsite in case something happens at the office like a flood, fire, or break-in. Make sure your backups are “gapped” – i.e., not continuously syncing or replicating – so that you can stop the encrypted files from being backed up once you’re aware of the ransomware breach.
Also, if you want to ensure a quick recovery, make sure to do full-image backups of at least your servers and possibly your workstations, so you can restore these systems without having to reinstall and reconfigure everything.
Setting password policies in the G Suite admin view
Most people know by now why it’s important to use strong passwords and how to create one.
Of course, knowing password best practices is one thing; actually getting people to follow them is another. Fortunately there are plenty of ways to enforce password policies. Services like G Suite let you set password policies in your administrative dashboard, and you can use Active Directory to enforce password policies on your local network and devices.
6) Multi-Factor Authentication (MFA)
MFA example by Google
You may not have heard of the term multi-factor authentication (MFA), or its more numerically-specific counterpart two factor-authentication (2FA), but you’ve probably used it before when signing up for services like Google Apps. Authentication is a fancy term for logging in to something, and MFA/2FA is when you log in using your username and password and also have to perform an additional action on another device, such as:
- Receiving a passcode via text message, which you then enter into your computer
- Receiving a passcode or yes/no prompt to confirm your login attempt on an app on your phone such as Duo
- Receiving a passcode on a USB stick-sized device with the unfortunate name of “dongle” that you might have been given by your IT department
MFA is relatively easy and inexpensive to implement and adds an extra layer of security to your IT. It prevents hackers from accessing your stuff even when they’ve gotten their hands on one of your users’ credentials (username and password combo) via social engineering, password guessing, viruses, or other methods.
Services like G Suite and Azure Active Directory have integrated MFA features available for free or as an inexpensive add-on. For services that don’t have built-in MFA you can use an MFA service like Duo, which starts at $3/user/month.
7) Patch Management
Windows Server patch management in NinjaRMM
Patch management is a fancy way of referring to the process of keeping your operating systems, applications, and hardware firmware and drivers up-to-date. Keeping your systems up-to-date is important for cyber attack prevention because many forms of malware and hacking techniques work by exploiting known security holes in out-of-date software.
Since you don’t want to have manually update all the operating systems and applications on all of the devices in your office, the best way to handle patch management is with Remote Monitoring and Management (RMM) tools like Ninja RMM, which let you remotely and automatically update your OSes and applications in bulk.
Or if you don’t want to deal with patch management at all, since it’s a gruesome foursome of boring, complicated, time-consuming, and mandatory, it’s one of the processes that’s easily outsourced to a managed services provider (MSP) like XOverture.
8) Physical Security
When you’re thinking about your overall cyber attack prevention, don’t forget about physical security. There’s the obvious stuff like putting locks on your doors, security cameras, cages for your servers, server rooms, and networking equipment, and only allowing trusted employees, contractors, and clients to access your work areas.
There’s also less obvious security measures to consider like:
- Making sure publicly-accessible Ethernet ports aren’t active
- Making sure people’s computer screens aren’t readily visible from public areas
- Ensuring your employees don’t leave their PCs unattended after logging in
- Ensuring employees don’t write their password down on a post-it that’s pasted to their monitor or under their keyboard (pretty common)
You may also want to set up an electronic access control system that tracks access on an individual basis with a key fob or access card.
Your physical security needs can vary depending on variables like your office layout, how much hardware you have onsite, and the neighborhood your business is in, so feel free reach out if you need some guidance – we’ve helped many high-security businesses like cannabis dispensaries and manufacturing plants to develop and implement their physical security plans.
On a related note, make sure you encrypt all of the stored data on your PCs, servers, and storage devices. That way, if someone manages to physically steal one of these devices, they won’t be able to access the data.
The Pro version of Windows has built-in disk encryption that you can enable. Otherwise, even if your non-encrypted Windows PC is password-protected, a hacker can still easily access your data by, for example, removing the storage drive from your PC and plugging it into another.
Last Tip: Stay Informed About Cyber Attack Prevention
Finally, if you want to maintain your cyberattack prevention on an ongoing basis, you should keep an eye on the later cyber security news, trends, and best practices. Threats may emerge that are outside the scope of this article, and there may be occasions when you want to take action on something immediately before waiting for a company like Microsoft to release a security patch.
Here are some good resources to get you started:
- ISC StormCast – daily information security podcast, a go-to resource for IT pros
- CISA National Cyber Awareness System – Department of Homeland Security cybersecurity alerts
- Sysadmin Reddit – discussion forum for system administrators, good place to learn about emerging threats and what other companies are doing for security
- Microsoft Security Update Guide – for security updates and patch notes for all things Microsoft
- ArsTechnica – for all the big security news
- Krebs on Security – great in-depth security analysis for both laypeople and the experts
How XOverture Can Help
We’re IT security experts and an MSSP Alert Global Top 501 so we can help out with pretty much anything mentioned in this article – everything from evaluations, to planning, to implementation, and monitoring, management, and incident response.
It’s generally more cost-efficient to outsource security tasks, processes, and projects to an IT services company like us instead of handling them in-house. Also, if you’re worried about not being able to afford all these different security measures, especially during a down market, we can help you select and prioritize the most important security technologies to get you the best security your budget can afford.
Feel free to get in touch with us at firstname.lastname@example.org or 866-808-9901 at any time.