How to keep businesses and employees safe online? In the ever-evolving realm of cybercrime, opportunistic malefactors perpetually seek fresh avenues to reap illicit gains and pilfer sensitive data. The vast canvas of globally significant events serves as an irresistible lure for these nefarious actors. Among these, the COVID-19 pandemic stands as an unprecedented juggernaut, igniting a surge in cyberattacks spanning phishing, Business Email Compromise (BEC), extortion, ransomware, and data breaches. With a burgeoning global remote workforce, the vulnerabilities of video conferencing apps are being ruthlessly exploited, and Zoom, for example, has emerged as a focal point for high-profile security incidents. In this article, we will give some security tips considering Zoom as a case study in the later part. Keep reading.
Defending Your Digital Frontiers
Imagine leaving the front door of your physical store wide open, an open invitation to burglars. When it comes to your online presence, failing to protect it poses a similar risk. It becomes an irresistible opportunity for cybercriminals.
According to the National Cyber Security Centre (NCSC), a staggering 39% of UK businesses have endured a cybersecurity breach in the past year. The financial toll of a cyber attack on a small business averages £8,460. But the repercussions extend beyond monetary losses – trust is also on the line. A study by Atomik Research revealed that 33% of businesses that fell victim to a cybersecurity breach lost customers as a direct consequence. Furthermore, research from PCI Pal unveiled that 41% of UK consumers declare they will never return to a business post-breach.
Moreover, the loss of customer data can thrust your business into GDPR non-compliance territory, which carries the potential for a maximum fine of €20 million or 4% of your global turnover, depending on which is the greater sum.
We don’t intend to propagate fear, but with prudent measures and robust employee education, your business can remain secure online. 2020 emerged as a record-setting year for cyberattacks on UK businesses, with a 20% spike compared to 2019, as hackers capitalized on the vulnerabilities presented by remote workforces. This is precisely why now is the opportune moment to revisit and bolster your cybersecurity defenses and protocols.
Top Cybersecurity Tips: A Shield for Your Business
This section delves into top cybersecurity strategies, covering the following areas:
1. Resisting the Phishing Temptation
What is Malware?: Malware, or malicious software, encompasses any software wielded by hackers to infect and compromise computers or programmable devices, causing harm and facilitating exploitation. Security Software for Home and Office.
Fend Off Phishing Emails: Phishing attacks constitute the most prevalent form of cyber threats faced by small businesses, accounting for approximately half of all UK cyberattacks. These deceitful emails seek to manipulate recipients into divulging sensitive information or clicking on malicious links that can introduce malware to their systems.
Response to a Phishing Attack: In the unfortunate event of a phishing attack penetrating your defenses, a swift and strategic response is crucial. This includes password changes, malware scans, assessment of any inflicted damage, and internal announcements to alert employees to avoid similar emails.
2. Antivirus Software: Your Digital Guardian
Antivirus software plays the role of a vigilant sentinel guarding against a plethora of threats, extending far beyond just viruses. Picture it as a watchful protector, standing sentry over your digital domain, poised to thwart any malicious software incursions. Protect Your Mac Automatically.
In our contemporary digital landscape, most operating systems, such as Windows or Mac, come armed with free antivirus software. These tools prove remarkably effective and possess the added convenience of automatic self-updates. Your sole responsibility is to ensure they remain activated. This level of safeguarding typically suffices for small businesses. Nevertheless, if your requirements diverge, alternative antivirus software options abound.
3. Software Updates: Staying Ahead in the Ever-Evolving Battlefield
Cybercriminals and cybersecurity experts find themselves entangled in an unending arms race. To maintain an edge, it becomes imperative to keep your software up-to-date.
These software updates encapsulate bug fixes and security patches meticulously engineered to seal vulnerabilities. Swiftly embracing these updates serves your best interests. While those incessant update reminders on your devices might occasionally vex you, how to keep businesses and employees safe online, it is unwise to disregard them. Often, you can configure updates to execute overnight, thereby minimizing disruptions during your workday.
4. Selecting a Reliable Web Hosting Provider
If you opt for web hosting separate from website builders, it is imperative to choose a reputable provider with a strong security track record.
For example, Nexcess offers its customers up to 80% off SiteLock’s products, which include daily security scans, automatic malware removal, alerts, email notifications, and vulnerability patching.
For heightened security, consider VPS or dedicated hosting. While pricier than shared hosting, these options store your website data on a private server, significantly enhancing security.
Safeguarding your business’s digital assets is of paramount importance in our increasingly interconnected world. Cheap but Good Hosting services Rated by Reviewers. By diligently following these cybersecurity recommendations, you can bolster your defenses and protect your business from the perils of cyber threats.
5. Data Backups: Your Cybersecurity Safety Net
Conceiving data backups as an insurance policy against cyberattacks proves an apt analogy. Amidst an attack, your data may suffer damage, deletion, or even fall hostage to ransom demands. Possessing backups of your mission-critical data substantially mitigates such perils.
You can opt to back up your data either on an external hard drive or within the boundless expanses of the cloud. If you favor hard drive backups, exercise caution to ensure that this storage device remains disconnected from the source device, both physically and through local network connections.
6. Strong Passwords: Fortifying Your Digital Citadel
Envision this scenario: Employing solely letters and numbers, you unlock a staggering array of approximately 200 trillion unique eight-character combinations. However, even within this vast landscape, hackers persist in their endeavors to infiltrate your systems. Build Website. Start an Online Store. Sell Images. Client Galleries. Photo Gallery Apps. Start a Blog.
Their methods may involve brute-force techniques—systematically probing billions of words, numbers, and symbol amalgamations until victory is claimed. Alternatively, they could surreptitiously implant keyloggers to trail your keyboard inputs. Moreover, should your passwords find a residence in documents, a data breach could become the Achilles’ heel, endangering your cherished passwords.
Consider these cardinal password precepts:
- Shun easily accessible personal particulars, such as birthdays or family members’ names.
- Abandon the practice of inscribing passwords and storing them in close proximity to your device.
- Embrace the art of crafting unique, intricate passcodes incorporating words, symbols, numbers, and both uppercase and lowercase characters.
- Advocate for two-factor authentication (2FA), a security-enhancing paradigm necessitating a one-time verification code in conjunction with your password.
Efficient password management finds its champion in password manager tools. These invaluable utilities generate astoundingly intricate passwords while undertaking the onerous duties of encryption, storage, and supervision for all your assorted application and online service credentials, consolidating them securely within a solitary repository. Grab Courses, Grow Skills, Become An Employable.
7. Two-Factor Authentication: An Additional Stratum of Security
Elevate the safeguarding of your email accounts by enlisting the services of two-factor authentication (2FA). This secondary layer of authentication introduces an exclusive code, often dispatched via text message, as an auxiliary verification hurdle when seeking access to your account.
8. Firmware: The Overlooked Guardian
Firmware attacks have surged in prevalence, with a staggering 80% of global companies weathering at least one firmware assault in the preceding two years. Yet, many organizations remain remiss in allocating adequate resources to shield against this lurking menace.
Firmware operates as the conductor in a digital symphony, orchestrating hardware components to harmoniously execute their roles. Distinct from software, firmware remains impervious to user alterations or deletions, although providers wield the capacity to disseminate mass firmware updates, remedy glitches, fortify security, or introduce fresh functionalities to user devices. Trusted VPN Services to Secure Your Business.
Within a firmware assault, malevolent code infiltrates your device, wresting control from your grasp. These attacks can be executed remotely through Wi-Fi, Bluetooth, or by infiltrating via a corrupted USB connection. Firmware attacks attain a perilous stature by virtue of their elusive nature, enabling malefactors to clandestinely observe your activities, exfiltrate your data, or assert remote dominion over your device post-infiltration.
9. Guarding Against Firmware Attacks: Your Role
While hardware manufacturers primarily bear the responsibility of protecting against firmware attacks, there are steps you can take to bolster your defenses:
- Choose Hardware with Built-in Firmware Protection: When acquiring hardware, prioritize devices equipped with advanced firmware protection features.
- Regular Firmware Updates: Don’t disregard those firmware update notifications; install them promptly. These updates often contain crucial security enhancements.
- USB Vigilance: Be cautious when using USB devices. Stick to ones you can identify to avoid potential threats. Best Website Builders for Growing Your Business.
10. Avoiding the Easy Target Trap
To protect your business, review the publicly available information about yourself and your organization, how to keep businesses and employees safe online. Cybercriminals can exploit such data to craft convincing phishing emails. By leveraging personal details found on social media profiles, criminals can pose as high-ranking figures within your company.
For instance, if a cybercriminal discovers your social media posts revealing that your colleague affectionately calls you “Big Dennis” and that your dog Ralph recently suffered a paw injury while you support Chelsea Football Club, they might send you an email from a disguised address like this:
Hey Big Dennis,
Shocking result for Chelsea last night, wasn’t it?
How’s Ralph doing? Recovered from his paw injury?
To mitigate these risks, it’s wise to keep your social media accounts private and think carefully about what you share publicly. By minimizing the personal information available online, you can make it more challenging for cybercriminals to craft convincing and targeted phishing attempts. Premium Templates for Business, eCommerce, Professional, or Personal Websites.
Zoom’s (Online Platform’s) Vulnerability Under Scrutiny
The meteoric rise in Zoom’s popularity has inadvertently exposed it to heightened scrutiny and security concerns. Prior incidents, such as the revelation of a zero-day flaw in the Mac Zoom client that potentially enabled webcam espionage, and an API-targeted enumeration attack, had raised red flags. Remarkably, these vulnerabilities did not appear to have been leveraged by cybercriminals. However, Zoom’s meteoric ascent to a ubiquitous platform for business meetings and personal video calls has amplified the intensity of scrutiny. As a result, its security posture has come under an unparalleled level of scrutiny.
Unveiling the Perils
A series of new vulnerabilities have recently come to light. One vulnerability opens a gateway for hackers to pilfer Windows passwords, while two others pave the way for remote installation of malware on affected Macs and surreptitious eavesdropping on meetings. Yet, the most pervasive concern dominating headlines is the phenomenon known as “Zoombombing.” This nefarious practice occurs when uninvited guests infiltrate meetings, typically during large-scale semi-public events where meeting IDs are publicly shared on social media.
Without password protection and attendee screening, these intruders unleash offensive comments, stream explicit content, or disrupt proceedings in various ways. The same techniques can be harnessed by hackers to eavesdrop on or disrupt crucial business meetings. This hinges on exploiting vulnerable app settings and potentially deploying brute-force tactics to crack meeting IDs.
With unauthorized access, hackers can exfiltrate highly sensitive corporate information, disrupt business operations, or even disseminate malware through the file transfer feature. The final threat looms in the form of phishing attacks. Cybercriminals are acutely aware of the surging demand for communication avenues during government-mandated lockdowns. Craftily concealing themselves behind seemingly legitimate Zoom links and websites, they aim to filch financial details, distribute malware, or harvest Zoom ID numbers for covert entry into virtual gatherings. A single vendor reported the registration of a staggering 2,000 new domains in March alone, representing over two-thirds of the year’s total. Premium Plugins for Business, eCommerce, Professional, or Personal Websites.
Mitigating Zoom’s/ Online Platform’s Security Risks
The encouraging news is that proactive measures can substantially mitigate the security risks associated with Zoom. Commence with the fundamentals:
- Ensure Zoom consistently operates on the latest software version.
- Incorporate awareness of Zoom phishing scams into user training programs. Users should exclusively download the Zoom client from reputable sources and scrutinize meeting URLs for suspicious elements.
- Deploy anti-malware solutions, inclusive of phishing detection, on the devices of all remote workers, sourced from reputable vendors.
A more comprehensive approach involves revisiting the administrative settings within the app to minimize exposure to hackers and Zoombombers. Paramount among these is the management of the Zoom Personal Meeting ID, a unique 9-11 digit identifier allocated to each user. Should malefactors gain access to this ID and the meeting lacks password protection, they can infiltrate with ease. Leaked emails or rudimentary brute-force techniques may inadvertently expose these credentials. For recurring meetings, the vulnerability persists. However, a silver lining exists: automatic password generation is now the default setting, and the use of personal meeting IDs is disabled, ensuring the creation of unique, one-time IDs for each meeting.
Additional Online Protective Measures:
- Automatic generation of meeting IDs for recurring sessions.
- Restrict screen-sharing privileges to hosts exclusively to deter unwanted content sharing.
- Avoid publicizing meeting IDs online.
- Disable file transfers to mitigate malware risks.
- Permit only authenticated users to join meetings.
- Lock meetings once initiated to prevent latecomers.
- Employ the waiting room feature, allowing the host to admit attendees exclusively from a pre-assigned register.
- Enable audio notifications for attendee arrivals and departures.
- Empower the host to temporarily place attendees on hold if necessary.
By adhering to these measures, you can substantially fortify your Zoom, or any other online conferencing experience, ensuring the security and integrity of your virtual interactions in this era of remote work and virtual connectivity. Premium Widgets for Business, eCommerce, Professional, or Personal Websites.
Implementing an Incident Response Plan
Even if you meticulously adhere to the aforementioned steps, the digital realm is not immune to the lurking shadows of cyber threats. Therefore, it becomes imperative to have a well-devised incident response plan in place for those times when a breach occurs. Equally important is the dissemination of this plan to all pertinent personnel within your organization.
Consider this as a three-step incident plan tailored for small businesses in the event of a cybersecurity assault:
To effectively address the issue at hand, your foremost task is to pinpoint the nature of the incident and gauge its severity.
Several key questions need answers, enabling the rapid collection of vital information that will shape an appropriate response:
- Who reported the incident?
- When did it occur or when was it first noticed?
- Which systems, software, or hardware have been impacted?
- What potential repercussions might your organization face?
- Who falls within the sphere of influence affected by the incident?
- Who has knowledge of this ongoing incident?
With these answers in hand, you can assemble your cybersecurity incident response team, a roster that may include but is not confined to, senior management, department heads, IT specialists, legal experts, PR representatives, and HR personnel. An incident and recovery manager should also be designated, tasked with ensuring effective communication and execution of all required actions. Premium Themes for Business, eCommerce, Professional, or Personal Websites.
Once you’ve gathered the essential personnel, it’s time to efficiently manage and respond to the incident.
Vital to this stage is the meticulous tracking, documenting, and correlation of every task, discovery, and communication throughout the incident response. This serves multiple purposes—primarily, it leaves a comprehensive record of your procedures for future reference, invaluable in the face of potential legal or regulatory actions.
The response phase entails three pivotal steps:
- Analysis: Here, a technical examination of compromised systems is crucial to ascertain the extent of damage, complemented by an assessment of any public reaction to the incident, especially in cases involving customer data leaks, which could result in GDPR violations.
- Containment: This step focuses on minimizing the incident’s impact, preventing its spread, and averting further harm. Measures might include isolating affected systems and devices, resetting passwords, accounts, and access credentials, and, if deemed necessary, temporarily shutting down a core business system. PR personnel may also be required to prepare a media response.
- Eradication: After containing the threat, it becomes possible to eradicate it from your network and systems. Every trace of malware must be identified and securely eliminated, while software and systems demand fortification through security measures, patching, and updates.
With the menace neutralized, the time has come to restore normalcy to your business operations. This encompasses the restoration of affected systems, their seamless reintroduction into the workflow, and the culmination of any remaining actions aimed at addressing legal or PR concerns. Anyone can make a great video. That means you.
The incident may have concluded, but one final step remains within the incident response plan—a post-incident review. This retrospective assessment seeks to extract valuable lessons that can be applied to future incidents.
Were there security precautions that could have forestalled the incident?
Did the response prove effective?
Were there any aspects of the response that could have been executed more efficiently?
In the realm of startups, what measures can be taken to bolster cybersecurity for remote-working staff?
Communication is paramount—effective and consistent communication with your employees is key to ensuring they are aware of potential cyber risks while working remotely.
A personalized approach, one that extends beyond safeguarding the company, makes the message more relatable and applicable to the individual employee. By transforming their approach to safeguarding their own personal data, they are more likely to treat the company’s data with the same level of care.
What cybersecurity guidance would you offer to small businesses during the COVID-19 pandemic? Run Windows on any Mac—Intel or Apple silicon—and experience a seamless integration between operating systems.
Beware of phishing emails. With a surge in remote work, this period has become ripe for cyber scammers to target individuals. They frequently employ emotionally charged subjects like tax refunds or charitable contributions for healthcare workers to entice recipients to click on malicious links.
Take your time to scrutinize emails, verify the sender’s identity, and exercise caution before clicking on any links.
Are there any misconceptions about cybersecurity that you’d like to debunk?
Cybersecurity is an exclusively technical domain reserved for experts. Cybersecurity is a domain accessible and understandable to all of us, how to keep businesses and employees safe online.
As a compliance professional, translating complex jargon into straightforward and comprehensible language is imperative. Government resources are readily available to assist in this endeavor should the need arise. Get matched with a Career Advisor and Mentor who will help you select and enroll in the right program for you.