Do you keep databases with information about other people?
Do you allow teleworkers, road warriors, suppliers, contractors and so on to connect in remotely?
Do you accept payments, for example from credit cards or NFC devices? Do you make payments of your own online?
Do you keep important business or personal data – tax returns, bills, receipts, pay slips and so on – on your computer?
Do you have an email account, or a website, or a blog, or a social media presence where you promote your business or simply hang out with friends?
Admittedly, that’s a lot of questions – but whether you’re a small business, a sole trader, or even just a home user, chances are that you do some or all of these.
At the same time, you are probably your very own IT department, which doesn’t give you much time to invest in even doing IT, let alone trying to decide what to do in the first place.
Naked Security is here to help, so we came up with 5 security tips to keep your business safer online.
1. DIVIDE AND CONQUER
Firewalls aren’t just for separating “your network” from “the internet” any more. Why have your cash register on the same network as your web developer? Why have your accountant on the same network where you keep active on social media? And so on.
If a crook gets into the network where your web developer works, that’s bad because they might be able to steal your intellectual property. But why make it easy for them to go from there into your accounts network, where they might be able to steal personally identifiable information (PII) belonging to your customers?
Setting up modern firewalls isn’t terribly difficult, and if you buy a product like Sophos, with user-based licensing, you can add as many firewalls as you like to your network without paying extra licensing fees.
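As an added illustration of “divide and conquer” (this is example code written for this page, not anything from Sophos or from a Sophos firewall), the Python below models the zones the article describes as separate subnets, keeps an explicit allow list of flows, and treats everything else, including traffic from one internal zone to another, as denied. The zone names, subnets, ports and the single cross-zone flow (till totals from the registers to an accounts server) are all assumptions for the example. The same policy is then rendered as an nftables forward chain so it can be applied on a Linux router that sits between the zones.

```python
"""Added example: default-deny zone policy for a small segmented network."""
import ipaddress

# Assumed layout: one subnet per role (not from the article).
ZONES = {
    "pos":      "10.10.0.0/24",   # cash registers / payment terminals
    "accounts": "10.20.0.0/24",   # accountant, payroll, customer PII
    "dev":      "10.30.0.0/24",   # web developer workstations
    "staff":    "10.40.0.0/24",   # e-mail, social media, general browsing
    "internet": "0.0.0.0/0",      # everything that is not one of ours
}
INTERNAL = [cidr for name, cidr in ZONES.items() if name != "internet"]

# Explicit allow list: (source zone, destination zone, protocol, port).
# Anything not listed is dropped; note there is no dev -> accounts entry.
ALLOW = [
    ("pos",      "internet", "tcp", 443),   # payment gateway
    ("pos",      "accounts", "tcp", 5432),  # assumed: end-of-day totals to a DB
    ("accounts", "internet", "tcp", 443),
    ("dev",      "internet", "tcp", 443),
    ("dev",      "internet", "tcp", 22),
    ("staff",    "internet", "tcp", 443),
    ("staff",    "internet", "tcp", 80),
]

NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}


def zone_of(ip):
    """Longest-prefix match, so a LAN address is never classified as 'internet'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in NETS.items() if addr in net]
    return max(matches)[1] if matches else None


def allowed(src_ip, dst_ip, proto, port):
    """Default deny: a flow passes only if its (zone, zone, proto, port) is listed."""
    return (zone_of(src_ip), zone_of(dst_ip), proto, port) in ALLOW


def render_nftables():
    """Emit the same policy as an nftables ruleset (assumes the router forwards
    between the zone subnets; replies are allowed by conntrack state)."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, port in ALLOW:
        if dst == "internet":
            match = f"ip saddr {ZONES[src]} ip daddr != {{ {', '.join(INTERNAL)} }}"
        else:
            match = f"ip saddr {ZONES[src]} ip daddr {ZONES[dst]}"
        lines.append(f"    {match} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    print("dev -> accounts SMB allowed?", allowed("10.30.0.5", "10.20.0.10", "tcp", 445))
```

The point of keeping the allow list as data is that the developer box reaching the accounts subnet is not a firewall rule you forgot to write; it is a flow that simply does not exist in the table, and the rendered chain's `policy drop` enforces that on the wire.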
2. PATCH EARLY, PATCH OFTEN
Brand new vulnerabilities and exploits hog the limelight of security news.
Because there was no patch available in advance, they’re known, scarily, as “zero-days.” But if you’re worried about brand new attacks from cutting-edge crooks, you should definitely also worry about automated attacks against old holes that are well-known and easy to exploit.
One problem with old exploits is that the crooks have had time to fine-tune their attack code so that they almost always get in if you haven’t patched. In other words, a new zero-day might give a 1% “it works” result on unpatched computers, but an old and well-practised exploit may give a 100% “it works” return if you haven’t patched, making you low-hanging fruit for far more than just the cutting edge of criminality.
People often put off patching either to save time or because they’re scared something might break. The problem is that the longer you leave it, the more time it will take when you get around to it, and the more likely that what will “break” will be crooks getting in.
3. IMPROVE LOGIN HYGIENE AND CONSIDER TWO-FACTOR AUTHENTICATION
Come up with a checklist that you use before giving someone remote access to your network. Remember that it’s not enough to trust the person: you also have to trust their computer, because a PC with malware on it that connects to your network is essentially letting cybercriminals in with it.
And consider requiring all remote users to have two-factor authentication (2FA). It costs a little more, and it is slightly less convenient when you come to log in. But it helps to prevent egregious attacks where a criminal steals (or guesses, or buys) one of your user’s passwords today and then uses it at their leisure to raid your whole network.
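To make concrete why a stolen password alone no longer opens the door, here is an added example (written for this page, not code from the article or from Sophos) of the time-based one-time password scheme most authenticator apps use, RFC 4226 HOTP under RFC 6238 TOTP, using only Python’s standard library. The verifier accepts one 30-second step of clock skew either side and refuses any step at or before the last one that succeeded, so a code a crook captured today is useless later. The 20-byte secret and its base32 form are the RFC test-vector values, not anything from the page.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP with a replay-resistant verifier."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, digestmod)


class TotpVerifier:
    """Server-side check for one user's authenticator.

    Codes from the current step and `window` steps either side are accepted
    (clock skew), but never a step at or before the last one that succeeded,
    so a code that was phished or shoulder-surfed cannot be replayed.
    """

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        # Authenticator apps exchange the secret as base32; casefold tolerates
        # lower-case input from a user typing it in.
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1   # persist this per user in a real deployment

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        counter = int(at) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already consumed, or older than an accepted code
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, str(code)):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded.
    v = TotpVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = time.time()
    code = totp(v.secret, now)
    print("first use:", v.verify(code, now), "replay:", v.verify(code, now))
```

Two details matter in practice: the comparison is constant-time (`hmac.compare_digest`) so response timing does not leak which digits matched, and `last_counter` must be stored per user, because a verifier that forgets it happily accepts the same code twice within its 30-second window.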
4. HEED WARNINGS AND LOOK AT YOUR LOGS
Don’t collect logs just so you can look back and cry over spilt milk after a breach. Use them proactively to watch out not only for attacks, but also for otherwise-innocent behaviours you want to improve anyway.
If the logs from your patch assessment tool are trying to tell you that your remote sales guy in Kuala Lumpur somehow missed out on the last three Microsoft Word updates, do something about it!
If you don’t, the crooks will, because they don’t have to know you have a hole. They can just keep poking at you and everyone else, and they’ll know you had a security hole because they’ll succeed in breaking in!
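Tips 2 and 4 come together in the following added example (example code written for this page; not a Sophos tool and not from the article). It parses a constructed, key=value style log from a hypothetical patch-assessment tool and remote-access gateway, then applies three checks a small business could run nightly: hosts whose latest assessment shows two or more missing updates, hosts that have not reported at all for a week (a laptop that never checks in is just as unpatched), and source addresses hammering the remote login with repeated failures. The log format, hostnames and update names are all assumptions; the update names are placeholders rather than real Microsoft KB numbers, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Added example: proactive checks over patch-assessment and remote-login logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format). Update names are placeholders,
# not real KB numbers; addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2015-08-01T09:00:00 type=patch host=ldn-acct-01 product=word missing=
2015-08-01T09:05:00 type=patch host=kl-sales-01 product=word missing=wd-2015-06,wd-2015-07,wd-2015-08
2015-07-20T08:00:00 type=patch host=ldn-dev-02 product=word missing=wd-2015-08
2015-08-03T09:00:00 type=patch host=ldn-acct-01 product=word missing=
2015-08-03T02:11:07 type=auth result=fail user=admin src=203.0.113.9
2015-08-03T02:11:09 type=auth result=fail user=admin src=203.0.113.9
2015-08-03T02:11:12 type=auth result=fail user=root src=203.0.113.9
2015-08-03T02:11:15 type=auth result=fail user=sales src=203.0.113.9
2015-08-03T02:11:19 type=auth result=fail user=alice src=203.0.113.9
2015-08-03T02:14:40 type=auth result=fail user=alice src=198.51.100.4
2015-08-03T02:15:02 type=auth result=ok user=alice src=198.51.100.4
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse(log):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": datetime.fromisoformat(ts)}
        ev.update(FIELD.findall(rest))
        events.append(ev)
    return events


def latest_patch_state(events):
    """Most recent patch-assessment event per host."""
    latest = {}
    for ev in events:
        if ev.get("type") == "patch":
            host = ev["host"]
            if host not in latest or ev["ts"] > latest[host]["ts"]:
                latest[host] = ev
    return latest


def hosts_missing_updates(events, min_missing=2):
    """Hosts whose latest assessment lists at least min_missing updates."""
    out = {}
    for host, ev in latest_patch_state(events).items():
        missing = [u for u in ev.get("missing", "").split(",") if u]
        if len(missing) >= min_missing:
            out[host] = missing
    return out


def silent_hosts(events, now, max_age=timedelta(days=7)):
    """Hosts that have not been assessed within max_age of 'now'."""
    return sorted(h for h, ev in latest_patch_state(events).items()
                  if now - ev["ts"] > max_age)


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with `threshold` login failures inside any `window` (sliding)."""
    fails = defaultdict(list)
    for ev in events:
        if ev.get("type") == "auth" and ev.get("result") == "fail":
            fails[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[src] = len(times)
                break
    return flagged


def review(log, now_iso, min_missing=2, max_age_days=7, fail_threshold=5):
    """Run all three checks; 'now' is passed in so the result is reproducible."""
    events = parse(log)
    now = datetime.fromisoformat(now_iso)
    return {
        "missing_updates": hosts_missing_updates(events, min_missing),
        "silent_hosts": silent_hosts(events, now, timedelta(days=max_age_days)),
        "brute_force": brute_force_sources(events, fail_threshold),
    }


if __name__ == "__main__":
    for check, finding in review(SAMPLE_LOG, "2015-08-03T12:00:00").items():
        print(f"{check}: {finding}")
```

Run against the sample, this flags the Kuala Lumpur sales laptop for three missing Word updates, the developer box for not reporting in two weeks, and 203.0.113.9 for five failed remote logins in twelve seconds. None of that needed a breach to be visible; it only needed someone to read the logs that were already being collected.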
5. USE ENCRYPTION EVERYWHERE, NOT JUST WHEN REQUIRED BY LAW
Regulators are becoming increasingly strict about encrypting sensitive data, to the point that a US federal appeals court recently ruled that failing to protect your customers’ information can be an unfair business practice.
Nevertheless, many small businesses treat encryption as an unavoidable cost that goes with compliance, rather than as an investment that helps keep the business healthy. Similarly, home users often avoid encryption because they’ve heard stories that it may slow down their computer or cause compatibility problems.
However, wisely used, encryption gives you a valuable extra layer of protection against hackers, eavesdroppers, intellectual property thieves and many other sorts of cybercriminal.
THE BOTTOM LINE
No business is immune to data theft and loss, regardless of geography, size or industry sector.
Put these tips into practice and you’ll have not only defence, but also what’s known as defence in depth.
If you force the crooks to jump through multiple hoops to get into your network…
…then they have to get through every hoop, whereas you only need to block them at one, which turns the balance in your favour.
No antivirus or backups? 🙂 These are probably higher on the list than looking at logs, which even medium-sized businesses fail with.
We wanted to present some slightly different ideas that weren’t the usual “use an anti-virus.”
The reason we specifically mentioned logs is that most businesses (and even home users) *do* keep them, whether they realise it or not. But then they never look at them. So all they have are ziggabytes of disk (and backup!) clogging files that aren’t serving any purpose…
…except perhaps to an attacker who gets hold of one and can tease his own security (or insecurity) readings from it.
Antivirus has no role to play on a secure web server. A web server cannot have a virus downloaded to it. A web server does not run Office, does not run Adobe, does not run Java – in fact a web server has very few services enabled. A database server cannot get a virus because it only runs a database and all other software is disabled.
Backups to tape stopped ten years ago – data is replicated to many database servers in real-time – data is not just copied to another physical site, it is replicated to many other data centres in real-time.
The five topics are excellent – excessive encryption is the only way to go in the future. Do not look at logs after the fact – monitor all audit trails in real-time – you must know instantly when an attack is taking place.
Does not run Java? You’ve never heard of a Java servlet? Look it up.
You probably need to listen to this podcast 🙂
It’s entitled “Malware on Linux – When Penguins Attack”
https://nakedsecurity.sophos.com/2015/07/28/malware-on-linux-when-penguins-attack/
It’s about the problem of…malware on servers.
Java is installed on most web servers in the world… and, the minority that does not have Java installed, then has PHP (maybe with WordPress) or .NET or …
If you have a piece of software, it has a vulnerability. If it’s connected to the Internet, then it can be exploited.