21 things that SMBs can do to be more secure
Paul McCarty — Founder & CTO of SecureStack
Over the years many people have asked me what I do to secure my workspace and online presence. My approach combines free and paid security tools in layers to make my life safer. In today’s world there will never be ONE security app or practice that makes you safe on its own.
So with that in mind I thought I would put together a list for you:
Multi-Factor Authentication: Before you do anything else, install a multi-factor authentication (MFA) app on your smartphone if you don’t have one installed already. I prefer Authy, but the Google Authenticator app is probably the most common. Being a Michigan boy, I have to mention the Duo Mobile MFA tool, which can be found here. Microsoft has its own app as well. Authy allows you to do backups, migrate to a new phone and a lot of other housekeeping functions that the others don’t. There is still room for improvement with these apps: I personally would like to see the ability to create folders within the tool to group similar types of access, as well as biometric access to the app. However, the price is right.
Password manager: Install a password manager and then configure it to use multi-factor authentication (MFA) with the authenticator app you installed in #1 above. I personally use LastPass. Make sure that the master username and password are protected by MFA. MFA and a password manager are the two best things a user can do to protect themselves. If you have employees, I highly recommend you upgrade to the paid version of LastPass, as you can then give each employee their own set of credentials and delegate only the access they require.
- LastPass: https://www.lastpass.com/
- 1password: https://1password.com/
- Dashlane: https://www.dashlane.com/
Browser Extensions: Use Firefox or Chrome as your browser and install these extensions:
- LastPass: Following on from the above, this extension will store your passwords and accounts and give you access to them in your browser. Make sure you enable MFA! https://chrome.google.com/webstore/detail/lastpass-free-password-ma/hdokiejnpimakedhajhdlcegeplioahd?hl=en
- HTTPS Everywhere: Install the HTTPS Everywhere extension and your browser will automatically go to the encrypted version of a site if it exists. It’s like a poor man’s version of HSTS. https://www.eff.org/https-everywhere
- uBlock Origin: Blocks adware, bad domains, tracking software and certain types of bad content for you. This one is a no-brainer. Install it and you’ll be safer out of the box. https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
- No Coin: This browser extension looks for crypto-jacking websites and blocks them. https://github.com/keraf/NoCoin
- Ghostery: This extension tells you what trackers are running on a website. https://www.ghostery.com/
- Wappalyzer: I love this extension as it lets you know the technologies that are running in a web app or site. https://www.wappalyzer.com/download
- WhatRuns: On occasion, Wappalyzer doesn’t work correctly and it's nice to have a second opinion. https://www.whatruns.com/
- Block Site: There’s a certain amount of overlap between this extension and uBlock Origin, but I still prefer this one if you want to simply block a website for a limited period of time, or forever. https://chrome.google.com/webstore/detail/block-site-website-blocke/eiimnmioipafcokbfikbljfdeojpcgbh?hl=en
- Privacy Badger: This extension learns the behaviour of tracking software across the totality of your web experience and blocks based on that aggregate behaviour. Privacy Badger seems to play nice with other blocking software like uBlock Origin. https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp
- Hoxx VPN: This one might cause a stir, but I have found it useful in certain circumstances. The trick is to understand, and explore, its potential use: it’s not a true VPN, but more akin to a browser-specific web proxy. You install the extension in your browser, connect to a “VPN Server” in one of 16 countries, and the web traffic from that browser session is routed through it. It works great for testing web apps from different locations; more generally, when I need my HTTP requests to come from within the US or UK or wherever, I flick this on. It also works as a general privacy overlay, but if you need a real VPN, please build one yourself with WireGuard, OpenVPN or SecureStack, or install a true VPN client from this list.
Enable MFA on your important websites: Make sure that all important websites you use have MFA enabled: banking, Xero, LastPass, Jira, etc. If it supports MFA, enable it and use the authenticator from #1 above. This alone can save your ass more than anything else when you are being targeted.
Endpoint Protection (AV/EPP/EDR): Back in the day I used free AVG and anti-malware and it was good enough. That’s not the case anymore. I can’t in good conscience suggest people do that in 2020. The threat landscape has changed too much, and for the worse. Instead, I recommend that you invest in a good “Endpoint Protection” solution. I’ve recently upgraded from Bitdefender Total Security to Bitdefender’s GravityZone product which incorporates intrusion detection, firewalling, anti-virus and anti-malware and several other components. Whatever you do, make sure you get something with some ransomware protection built in.
Cost: Starts at roughly $100 per employee per year.
Website Protection: Make sure that you have an antivirus web extension installed and turned on for your browser of choice (or all browsers, really). Good products like Bitdefender will automatically install this for you.
Cost: FREE (well, it comes with the paid subscription)
Sync Browser Data: I suggest you turn on the free sync feature in Firefox or Chrome. This requires you to create an account with Google (for Chrome) or Firefox, but then any time you log into the browser on any computer you will get the same bookmarks, history and cookies. This is very helpful but is definitely a potential privacy concern. I’ve wrestled with this dilemma internally and have decided that the security and redundancy of having Google back up my data outweigh my personal privacy concerns. You can read about setting up Google sync here.
Wi-Fi Isolation: If your employees or guests can bring in their own computers or tablets, or connect their smartphones to your company network, this is called “bring your own” or BYO. Have your IT team create a second Wi-Fi network for them called “Guest network”. Then make sure none of your employees are violating this policy: all BYO devices must NOT be on your work network. Your IT team can use some relatively simple methods to allow only work computers onto the work Wi-Fi.
Backups: Set up backups for any important systems. This includes laptops and workstations, not just servers. Many companies think that because most of their business functions happen in SaaS applications they don’t need backups anymore, but my question then is: “how long would it take you to set up your laptop again to 100% working?” and “how long would it take to perform 100% of your business functions on a brand new laptop?”
CrashPlan, Carbonite, Backblaze and other online backups have cheap pricing for SMBs. I have personally used CrashPlan for years and recently it has allowed one of my family members to restore their data after it was all encrypted with ransomware… twice.
One last-minute addendum here: if you have a Mac, I recommend you use Time Machine. It’s simple and free, but make sure you back up to a separate device at least once a week. Do not rely on a USB drive that’s always plugged in: if all your files are encrypted in a ransomware attack, that USB disk will be encrypted as well. So pay for a couple of 500GB or 1TB drives and swap them once or twice a week. This article does a good job of explaining it.
Cost: FREE. Paid backup starts at $10 a month per computer
Cynch: Buy a Cynch membership. Cynch is as little as $99 a month and it helps your whole team become smarter about cybersecurity while it protects your business. These guys are friends of mine and are making a great difference here in Australia: https://cynch.com.au/
Cost: Starts at $99 a month
Phishing Awareness: If you don’t buy a Cynch membership, then at least buy some phishing training. There are cheap courses online in places like Udemy. I suggest you pay for something decent, as phishing is one of the most successful ways that Australian businesses get scammed. The city of Brisbane alone has lost over $600k in multiple schemes this way. Phishing attacks have only grown in sophistication and are now coming from within Australia, so the person on the other end of the phone or email sounds like you and knows the same things that you do, because they’ve studied your company and done their research. Potentially FREE, but you get what you pay for.
Cost: Varies, and some resources are FREE
Application Whitelisting: Have an IT company install application whitelisting controls so that people on your work computers can only run the applications that they should. Allowing your employees to install anything on a PC is a recipe for disaster.
Cybersecurity Awareness: Talk to your employees about cybersecurity. They are on your corporate network, and if they make a bad choice it can potentially affect everyone else on that network. This is COMMON: someone clicks on the wrong thing and then the problem isn’t just on that PC, it’s now affecting your network. Employees spend a lot of their down time on company computers browsing the web, Facebook, etc., and those are all avenues for attack. I recommend instituting a “no personal browsing” policy on work computers.
Link Awareness: Be very careful about clicking on any links in an email. See those links above? If you hover your cursor over one and wait a second, the browser will display where the link actually goes. Train your staff to look at, and read, the domain before they click.
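To make the “read the domain” habit concrete, here is an added example (not from the original article) that shows which host a browser would really connect to for a few disguised links. All URLs are constructed: example.com and example.net are reserved documentation names, and exannple.com is a made-up lookalike.

```python
# Added example for the "hover and read the domain" advice; not from the
# original article. Standard library only. All sample links are constructed:
# example.com / example.net are reserved documentation names and
# exannple.com is a made-up lookalike.
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "example.com"  # the domain staff expect the link to go to

# Each constructed link disguises the real destination in a different way.
SAMPLE_LINKS = [
    "https://www.example.com/login",              # genuine
    "https://www.example.com.example.net/login",  # trusted name as a subdomain of another host
    "https://www.example.com@example.net/login",  # trusted name is userinfo; real host follows '@'
    "https://www.exannple.com/login",             # lookalike spelling (nn for m)
    "http://www.example.com:8080/login",          # right host, but plain HTTP on an odd port
]


def real_host(url: str) -> str:
    """Host the browser would actually connect to, lower-cased.

    urlsplit().hostname drops the userinfo before '@' and any port, the two
    pieces most often used to disguise where a link goes.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The 'domain to read', approximated as the last two labels.

    Assumption: fine for example.net-style names; multi-label public suffixes
    such as .com.au would need a public-suffix list.
    """
    return ".".join(host.split(".")[-2:])


def link_goes_to(url: str, trusted_domain: str) -> bool:
    """True only for HTTPS links landing on trusted_domain or a subdomain of it."""
    host = real_host(url)
    on_domain = host == trusted_domain or host.endswith("." + trusted_domain)
    return on_domain and urlsplit(url).scheme == "https"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "OK" if link_goes_to(link, TRUSTED_DOMAIN) else "MISMATCH"
        host = real_host(link)
        print(f"{verdict:9} host={host:30} read-as={registrable_domain(host):13} {link}")
```

Only the first sample passes; the others show why the part of a link that looks familiar is not always the host the browser talks to.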
Essential 8: Read up on the Australian government’s “Essential Eight” strategy. These are eight mitigation strategies that companies globally can adopt to become more secure. I personally feel this list is dated and needs a modern, cloud-centric refresh, but in the meantime it’s a good list of mitigation strategies that all businesses should be aware of. https://www.cyber.gov.au/publications/essential-eight-explained
Email Filtering: As an extension to the above, enable and pay for any email filtering available from your email provider. You probably want to talk to your IT vendor about this, but Outlook 365, GSuite and others have email filtering that can be added. Your anti-virus/EDR agent running on your machine has some functionality built in to check your email spool, but it’s better to block it at the email provider.
Cost: Starts at roughly $20 a month
Mandatory Data Breach Notification law: Be aware of the mandatory data breach notification laws here in Australia: https://www.oaic.gov.au/privacy/notifiable-data-breaches/when-to-report-a-data-breach/
Cybersecurity Insurance: Cyber security insurance is mostly worthless nowadays unless you spend a lot of money on security products, audits and remediation. Most SMBs won’t be able to understand or meet the requirements to be covered, so why pay for it? The insurance companies won’t tell you that, of course. Don’t take my word for it: google “is cyber security insurance worth it?” and make your own decision. Instead of buying cyber insurance, I personally spend that money on IT services and products that will actively protect my business. (I do have a significant amount of liability and indemnity insurance.)
Cost: Starts at roughly $500 a year
Be aware of current security threats: Keep up to date on new and emerging threats by reading updates at StaySmartOnline, ACSC and ScamWatch. You can also join AusCERT, which is federally funded, but memberships start at $2k per business. For whatever reason AusCERT has decided that Australians need to pay to get access to up-to-date cybersecurity notifications to protect their businesses. This feels excessive to me, so I prefer to use US-CERT, which is free. I’ve been getting notifications from US-CERT since at least 2004.
Security Up-Skill: Contemplate a more advanced cybersecurity policy. Most companies now have a lot of people bringing in their own BYO devices and plugging them into the network. Managed security service providers (MSSPs) help companies secure their complicated environments. MSSPs can point you at a range of services like managed firewall, 24/7 monitoring, managed intrusion detection and others that will more proactively make you secure. Does it cost? Of course, but more than 60% of small businesses that experience a data breach go out of business within 6 months. AND, most attackers stay hidden inside a network for more than 6 months, listening and gaining more information about your employees, customers, users, etc. If you want, I can introduce you to MSSPs that we work with.
Cost: MSSPs start at roughly $100 per managed node per month
Hire a security professional: If you are going to host a web application, interact with customers online, sell online or use the web as a primary means to conduct business, you should hire a pro. If the loss of something like email, your website, chat functions or similar would damage you financially, then it’s time to budget for a cyber uplift. It’s surprising to me how undervalued cybersecurity is by many SMBs until they have a security incident and then the reality sets in that maybe they should have done more.
Cost: Well worth it