8 Ways to Protect Your Business from Cyber Attacks

Octo Browser
7 min read · Mar 27, 2024

Businesses face numerous risks associated with information security. And we’re not just talking about the risk of failing an audit by a regulatory agency checking for compliance with numerous regulations and protocols. Increasingly, entrepreneurs are encountering real attacks that can lead to business disruptions and/or financial losses. Here are the main types of such attacks:

  • Phishing Attacks. These happen when hackers send fake links disguised as trustworthy ones to deceive people into disclosing personal information, typically login credentials for a service the scammer is pretending to represent.
  • Malware. Malware is designed to harm computers or networks. The consequences of infection can range from annoying pop-ups to more serious issues such as data theft or system failures.
  • Password Hacking. Hackers can crack weak passwords and gain access to confidential data. Finding the right password can be done in various ways, from simple brute force attacks to using social engineering methods or exploiting data leaks.
  • Unprotected Wi-Fi Network Hacks. Hackers can intercept data transmitted over unprotected Wi-Fi networks. Leaked data may include logins and passwords, financial information, or any other confidential data.
  • Attacks on Mobile Devices. The threat of mobile device hacking is often exacerbated by the lack of encryption measures, which can facilitate data interception. Weak passwords or PIN codes, unprotected apps, and outdated built-in software containing security vulnerabilities all contribute to this risk.

What can you do to protect yourself, your business, and your data against cyber threats? We’ve put together several simple-to-follow cybersecurity tips for businesses:

Control your passwords and set up multi-factor authentication.

There are several simple rules that can make a password more secure:

  • Use a minimum of 12 characters in your password.
  • Include a combination of uppercase and lowercase letters, numbers, and special symbols in your password.
  • Avoid using any personal information in your password, such as names, birthdates, or addresses.
  • Ensure that each account has a unique password to prevent hackers from accessing multiple accounts with the same password.
The most common passwords of 2023 that you should avoid. Source: Cybernews
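The four password rules above, turned into a checker as an added example (this is not code from the original article or from Octo Browser). The personal-information tokens and the set of passwords already in use are hypothetical inputs supplied by the caller, and the sample values are constructed; the personal-information check also matches tokens with spaces and punctuation removed, which the article does not spell out.

```python
import re

MIN_LENGTH = 12


def _forms(text: str) -> set[str]:
    """Lower-cased text, plus the same with spaces and punctuation stripped."""
    low = text.lower()
    return {low, re.sub(r"[^a-z0-9]", "", low)}


def check_password(pw: str, personal_info=(), existing=frozenset()) -> list[str]:
    """Return every rule from the article that pw violates (empty list = OK).

    personal_info: caller-supplied tokens such as names, birth dates or
    street names (hypothetical input). existing: passwords already in use
    on other accounts, for the one-password-per-account rule.
    """
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() and not c.isspace() for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        violations.append("missing character classes: " + ", ".join(missing))
    pw_forms = _forms(pw)
    for token in personal_info:
        # Match any form of the token inside any form of the password;
        # tokens under three characters would match almost anything, so skip them.
        hits = [t for t in _forms(token) if len(t) >= 3 and any(t in p for p in pw_forms)]
        if hits:
            violations.append(f"contains personal information: {token!r}")
    if pw in existing:
        violations.append("already used on another account")
    return violations


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    info = ["Alice", "1990", "Main Street"]
    used = {"Winter2023!!xyz"}
    for pw in ("alice1990", "MainStreet#2024xy", "Winter2023!!xyz", "rQ7#velvet-Lantern92"):
        print(repr(pw), "->", check_password(pw, info, used) or "OK")
```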

Multi-factor authentication, such as sending a code to a mobile device, can also enhance password security. Google Authenticator, Duo Mobile, and Authy are considered the best apps in this category, according to experts from The New York Times. These services are available for free on Android and iOS devices.

Additional risks arise when passwords need to be shared. For example, if your social media manager is not an in-house employee, they will need access to accounts. But what if later on you part ways with the manager, and they refuse to return the account? In this case, one convenient option is not to provide the password but an Octo Browser profile with the logged-in account. This reduces the likelihood of losing the account.

Regularly update software and security systems.

Security updates do not bring new cool features, “dark mode,” or pretty new icons to your smartphone screen. Instead, they fix known vulnerabilities and help prevent cyberattacks. If software and security systems are not regularly updated, businesses may become vulnerable to cyberattacks, leading to significant losses.

Regularly back up your data.

Regular data backups are one of the most important steps for ensuring the security and uninterrupted operation of a business’s information systems. Anyone who has ever forgotten to back up and lost their data as a result will confirm this. Data loss can occur for various reasons, including system failures, human errors, or cyberattacks.

The 3–2–1 principle, the golden rule of backup, is to create three full data copies, keeping two of them locally on two separate devices, and one in remote storage. Source: ninjaone

It is recommended to schedule and conduct backups regularly rather than sporadically. Backups should be stored in secure locations that remain easily accessible in case of emergency. Additionally, having a contingency plan for emergency recovery in case of a serious data loss is always advisable. This plan should outline the roles and responsibilities of employees, as well as steps to minimize damage and quickly restore system functionality.

Conduct regular training sessions on social engineering protection measures.

You can teach your employees to recognize attacks based on social engineering. This requires regular training sessions involving simulations of phishing attacks and other social engineering tactics, as well as instructions on how to identify suspicious emails or messages. It is crucial to emphasize to colleagues that emails containing confidential information and login credentials represent a particularly high-risk category, and such communications should be treated with heightened scrutiny.

Here’s an example of a phishing email, supposedly from PayPal. Would you be able to distinguish it from a genuine one without any hints? You can find more phishing examples on Phishing.org.

Keep learning.

It’s impossible to learn everything about cybersecurity once and for all. At the very least, the person responsible for information security in the company should regularly undergo training. You can find relevant information on the free US Cybersecurity & Infrastructure Security Agency website.

Implement security policies covering mobile devices.

If your business allows working from a smartphone, then smartphone usage should be covered by security policies. This includes all the measures described above: password policies, regular updates, and backups. Ideally, mobile devices should be equipped with remote wipe capabilities to erase data from lost or stolen devices, as well as device tracking services for finding such devices.

Monitor internal threats.

By internal threats we mean harmful actions by employees, whether intentional or not. These can range from inadvertent mistakes like clicking on random Internet links resulting in the infection of work computers with malware, to deliberate actions such as stealing corporate data.

Access control and employee activity monitoring can be used to detect internal threats. These measures can prevent intentional or accidental information leaks.

Access control means that employees have access only to the files and resources directly necessary for their job responsibilities.

Activity monitoring, on the other hand, involves tracking suspicious employee activities within the company’s information systems. This should not imply total surveillance: companies may only pay attention to specific “red flags,” unusual activities that may indicate a security threat.

One simple way to counter internal cybersecurity threats is to use a multi-accounting browser for teamwork. In Octo Browser you can create profiles for individual employees and distribute access rights to them. For example, an accountant will receive a profile with their set of tools, while a marketing specialist will use another one tailored to their needs; their manager or team leader will have access to all profiles with the ability to view activity history.

Use encryption to protect confidential data.

To protect confidential data, it needs to be encrypted. This is the most important idea: encryption is now a standard procedure, and all you have to do is check if encryption is available in your business software. But to help you better understand the issue, let’s talk about the main types of encryption.

There are two main types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key for encrypting and decrypting data. This key must be kept secret to ensure data security. Asymmetric encryption uses two keys, public and private. The public key can be shared with anyone, while the private key must be kept secret.

Some common encryption protocols include Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Pretty Good Privacy (PGP).

SSL and TLS are typically used to encrypt data during transmission, e.g., when sending data over the Internet. SSL is the older protocol and has been deprecated; modern servers use TLS, although the term “SSL certificate” is still in common use. To encrypt data using SSL/TLS, you need to install a certificate on your server. This certificate will include the public key needed for encrypting data.

To determine if SSL/TLS encryption is used on a website, look for the padlock icon in the browser’s address bar. If it is present, the site has a corresponding certificate. Note that the padlock only confirms that the connection is encrypted and the certificate is valid for that domain; it says nothing about whether the site itself is legitimate, so it is no defense against the phishing pages described above.

In turn, PGP encryption is typically used to protect data “at rest,” stored on a hard drive or another storage device. To encrypt data using PGP, you’ll need software like Gpg4win, which includes the Kleopatra key manager. After installation, you can use it to create a pair of PGP keys. The public key can be shared with anyone who needs to send you encrypted messages.

To summarize, this is where you should start to ensure the information security of your business:

  • Define password policies and set up multi-factor authentication.
  • Keep software and security systems up to date.
  • Develop a system for regular backups.
  • Conduct regular anti-phishing training.
  • Keep learning.
  • Apply security rules and policies to mobile devices.
  • Establish systems of internal monitoring and access rights control.
  • Encrypt confidential data.
