VSEs/SMEs and freelancers are often faced with a lack of resources and skills to secure their IT system. However, the stakes are high in the event of a computer attack: sometimes long and costly repairs, loss of turnover, loss of reputation.
This guide aims to provide Small Businesses (SMBs) with practical and affordable advice to secure their business. It is based, among other things, on the work of the National Cyber Security Center (NCSC) and the recommendations of the National Agency for Information Systems Security (ANSSI).
1. Data backups
Backing up your data increases your resilience in the event of a computer attack: zero risk does not exist, so it is better to be prepared and be able to get your business back up and running as quickly as possible.
✅ Identify which data to back up
This is the data essential to the proper functioning of the company: documents, photos, e-mails, contacts, calendars and any other work file stored on your PCs, smartphones and tablets. Some companies also have file servers and specific hardware/software configurations that need to be backed up as well.
✅ Secure your backups
Do not keep backups in the same place as the data being backed up: make several copies on external hard disks or USB keys. Some solutions also let you host backups in the cloud. Depending on how critical the data is, it is worth combining cloud storage with a physical medium. Make sure backups are accessible only to authorized people, keep them offline when not in use, and store copies in different geographical locations (in case of fire or theft).
✅ Set up a process and make sure it is followed
Determine a backup frequency (how much data can you afford to lose?). Make sure the data is actually saved: check, for example, that a change made to a document is reflected in the backup. Automatic backup solutions make this tedious and error-prone manual process easier, but you still need to regularly check how recent the backups are and that they can be restored.
For more information on backups: https://www.cybermalveillance.gouv.fr/tous-nos-contenus/bonnes-pratiques/sauvegardes.
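The two checks described above (has a modified document reached the backup, and is the backup recent enough for the chosen frequency) can be automated. The script below is an added example, not part of the original guide or of any product it mentions: it hashes every file in a source folder and in its backup copy, reports files that are missing or out of date, and flags the backup as stale when its newest file is older than the allowed age. The folder names and files are constructed in a temporary directory for the demonstration.

```python
"""Added example (not from the original guide): verify that a backup copy is
complete, identical to the source and fresh enough for the chosen backup
frequency. Paths and files below are constructed in a temporary directory."""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_backup(source: Path, backup: Path, max_age_hours: float, now=None) -> dict:
    """Compare a source tree with its backup copy.

    Returns a report with:
      missing - files present in the source but absent from the backup
      changed - files whose content differs (the backup copy is out of date)
      stale   - True if the newest backup file is older than max_age_hours
      ok      - True only when none of the above applies
    """
    now = time.time() if now is None else now
    src, bak = snapshot(source), snapshot(backup)
    missing = sorted(f for f in src if f not in bak)
    changed = sorted(f for f in src if f in bak and src[f] != bak[f])
    mtimes = [p.stat().st_mtime for p in backup.rglob("*") if p.is_file()]
    newest = max(mtimes) if mtimes else 0.0
    stale = (now - newest) > max_age_hours * 3600
    return {"missing": missing, "changed": changed, "stale": stale,
            "ok": not missing and not changed and not stale}


def demo() -> dict:
    """Constructed scenario: a document is edited and a new one created after
    last night's backup, and the backup has not been rerun since."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        bak = Path(tmp) / "backup_usb"
        (src / "invoices").mkdir(parents=True)
        (bak / "invoices").mkdir(parents=True)
        # State at the time of the last backup: both trees identical.
        for root in (src, bak):
            (root / "invoices" / "2024-01.txt").write_text("invoice v1")
            (root / "contacts.csv").write_text("name,email\n")
        # Today's work on the source only.
        (src / "invoices" / "2024-01.txt").write_text("invoice v2 - corrected")
        (src / "quote.txt").write_text("new quote")
        return check_backup(src, bak, max_age_hours=24)


if __name__ == "__main__":
    print(demo())
```

Run on real folders, `check_backup(Path("D:/documents"), Path("E:/backup"), 24)` would tell you in one go which files your last backup does not cover. Checking that the copy can actually be restored still means opening a few restored files from the backup medium from time to time.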
2. Protect yourself from viruses
Viruses (malware) are programs that allow attackers to infect your equipment in order to steal your data, make it inaccessible or control your PC remotely.
✅ Use an antivirus software
Most operating systems include free antivirus software: make sure it is activated. If the budget allows, a commercial antivirus can provide additional functionality. These products offer automatic updates and automatic scans of storage, which should be enabled. Make sure that as many devices as possible have an antivirus.
✅ Limit malware installation
Make sure to install mobile apps only from official stores (Google Play, Apple App Store). In the same way, only install on your computers software from sources you trust. On PCs, do not use an administrator account for your daily work: prefer a simple user account and use the administration account when necessary.
✅ Keep your systems up-to-date
This rule is one of the most important for improving your company’s IT security. It is essential to apply updates (patching) to the operating system and to all software as soon as patches are made available by the vendors. Activate automatic updates wherever they are available: for the OS, business and office software, as well as IT equipment. If you go through a subcontractor, require this practice in your contracts. Software reaches an end of life after which its publisher no longer provides updates: plan to replace it with a supported alternative.
✅ Beware of USB keys
USB keys are a well-known vector for spreading viruses. To reduce the risk associated with their use, enable antivirus scanning of removable media and never plug in a USB key of unknown origin.
✅ Switch on your firewall
Workstations are often equipped with a local firewall, pre-installed with the operating system: the default setting is usually sufficient for a small business (it blocks any incoming connection). Do not modify the firewall settings of your internet box unless you understand the consequences: this could expose your file shares or other sensitive services to the Internet. If the information system is larger, dedicated firewall appliances can be configured, in which case a specific guide should be followed. Calling on a qualified service provider in that case is strongly recommended.
3. Securing your smartphones
Mobile devices such as smartphones and tablets are often used in professional environments. When the budget allows, an MDM (Mobile Device Management) solution can help administer your mobile fleet. Otherwise, the following three rules will limit the risks associated with mobility:
✅ Set up a complex PIN/password to access it
A complex PIN will consist of at least 8 digits. In addition, modern mobile devices offer unlocking by fingerprint or facial recognition: it is recommended to activate and use it.
✅ Ensure mobile devices and apps are kept up to date
Enable automatic OS and application updates and educate your employees to do the same.
✅ Do not connect to unknown Wi-Fi networks
Public Wi-Fi hotspots are convenient but generally insecure; some may even be controlled by malicious individuals. Prefer your 4G/5G connection, which is secured by default, even if that means sharing it with your computer when necessary. A VPN can protect your phone when connecting to unknown Wi-Fi networks: be sure to use the company VPN or a trusted third-party service.
4. Improving passwords
Passwords, if used and implemented correctly, are an effective and free way to increase the security of your business and your data.
✅ Protect your equipment with a password
Whether for your smartphones, tablets or PCs, it is strongly recommended to configure a unique, complex password known only to you. To generate this type of password, the CNIL offers an effective method. Unlocking a device must require a password for it to be secure. Also make sure to enable encryption on these devices when available: BitLocker for Windows, FileVault for macOS, and the equivalent features usually included in mobile operating systems.
✅ Use two-factor authentication (2FA) when available
Two-factor authentication allows the user to be asked for a second verification of their identity (for example an SMS or a Google Authenticator code) in addition to their password. Thus, even if the latter has been compromised, the attacker will have a much harder time taking possession of the account. Configuring this feature adds a very important layer of security, especially in small businesses where accounts are often shared and used on uncontrolled equipment (social network accounts, ERP access accounts or with suppliers).
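To show what the second factor actually is, here is an added example (not from the original guide) that generates and verifies the time-based one-time codes used by Google Authenticator and similar apps, following RFC 4226 (HOTP) and RFC 6238 (TOTP) with the standard library only. The secret is the RFC 6238 reference test key, not a real credential; a real enrolment stores a random secret per user.

```python
"""Added example (not from the original guide): how a time-based one-time
code (the kind produced by Google Authenticator) is generated and verified,
per RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret below is the RFC 6238
test key, not a real credential."""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), used only so the
# codes can be checked against the RFC's published test vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals
    elapsed since the Unix epoch, so phone and server agree without talking."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float, window: int = 1) -> bool:
    """Accept the code of the current step and of `window` steps either side,
    to tolerate clock drift between the phone and the server. The comparison
    is constant-time so a wrong guess leaks nothing about the expected code."""
    counter = int(unix_time // 30)
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(TEST_SECRET, code, now))
```

The point for a small business is visible in `verify_totp`: a stolen password alone is useless without the per-user secret held on the phone, and each code is valid for only a minute or two, which is why SMS or app-based codes blunt the credential theft that phishing aims at.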
✅ Use unique and complex passwords
Faced with the multitude of services that require a password, we tend to use the same one everywhere, or slight variations of it. Attackers know this and use it to compromise all of your accounts (professional and personal) once they discover one password. To secure your important accounts, use a password manager such as KeePass: passwords can then be generated automatically and you no longer need to remember them. A user guide is made available by the government.
✅ Change all default passwords
Smartphones (SIM card), PCs and other equipment are often delivered with default passwords set by the manufacturer. Change them all, because they are well known to attackers.
5. Limit the risks of phishing
In a typical phishing attack, scammers send fake emails to thousands of people asking for sensitive information (such as bank details) or containing links to malicious websites. They may trick you into sending money, steal your details to resell, or have political or ideological motives to access your organization’s information. Phishing emails are getting harder to spot, and some will trick even the most attentive users. Regardless of your business, large or small, you will receive phishing attacks at some point.
✅ Secure your accounts to limit the impact of a successful attack
The principle of least privilege is a golden rule in computer security: employees must be granted the privileges strictly necessary for their tasks. Applied to the risks of phishing, this rule implies that to limit the execution of a virus or the theft of an employee’s account, their rights must be limited: use of a non-administrator account on their PC, non-administrator accounts on business software, configuration of two-factor authentication when possible. This rule should also apply to senior executives of the company: an administrator account should only be used when an administration task is to be performed.
✅ Formalize your operating procedures
Your company’s sensitive operations must follow a clear, well-defined procedure: creating new computer accounts, bank transfers, password resets. Managers, employees and partners must know these processes and who the authorized contacts are. Also pay attention to how you communicate: do you usually ask for passwords by electronic messages (email, WhatsApp)? Do your emails have a well-defined visual identity? A “classic” phishing email will not include the company’s exact signature, for example. Of course, this does not mean that you should trust any email carrying the company’s signature.
✅ Know the obvious signs
There will always be phishing attacks that will bypass defenses and the attention of employees. However, it is possible to apply a few simple rules in order to defuse the most obvious attacks:
- Many phishing emails are sent from other countries, which often results in poor spelling and punctuation (although this also happens in legitimate exchanges…). In addition, the logos and overall appearance of the email are often of lower quality than official communications.
- Is the email addressed directly to you? It is not uncommon for it to be addressed generically to “dear customer”, “friends” or “colleague”.
- Check the sending email address (by hovering the mouse over the sender if necessary): does it seem legitimate to you?
- Is the content written in a way that generates a sense of urgency or threat? Attackers use this psychological bias to trick victims into acting without thinking.
- Beware of e-mails that seem to come from inside the company, from a high-ranking person, sending you a sensitive transaction request. Take the time to analyze the email and the legitimacy of the request. If in doubt, call the person directly or ask for a second opinion.
- If it’s too good to be true, it definitely is…
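The signs in the list above can be turned into a small triage script that employees or IT can run over a suspicious message before reporting it. The code below is an added example, not part of the original guide: it parses a raw e-mail and flags a generic greeting, urgency wording, a display name or lookalike domain impersonating the company, a Reply-To that differs from the sender, and a link whose visible text hides a different destination. The company domain, keyword lists and both sample messages are constructed for the demonstration; this is an awareness aid, not a replacement for a mail filter.

```python
"""Added example (not from the original guide): score an e-mail against the
obvious phishing signs listed in the guide. Domain, keyword lists and sample
messages are constructed for illustration."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

COMPANY_DOMAIN = "example-company.test"  # assumed domain of the reader's company
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account suspended",
                 "final notice", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear friend", "dear colleague")
# Undo common digit-for-letter swaps so "examp1e" compares equal to "example".
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def suspicious_signs(msg: Message) -> list:
    """Return the phishing signs matched by a parsed (non-multipart) message."""
    signs = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode(errors="replace")
    plain = re.sub(r"<[^>]+>", " ", body).lower()   # strip HTML tags for text checks

    if COMPANY_DOMAIN in display_name.lower() and sender_domain != COMPANY_DOMAIN:
        signs.append("display name impersonates the company")
    if sender_domain != COMPANY_DOMAIN and sender_domain.translate(LOOKALIKE) == COMPANY_DOMAIN:
        signs.append("lookalike sender domain")
    if any(g in plain for g in GENERIC_GREETINGS):
        signs.append("generic greeting")
    if any(w in plain for w in URGENCY_WORDS):
        signs.append("urgency or threat")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        signs.append("reply-to differs from sender")
    # A link whose visible text is a URL on a different host than its target.
    for href, label in re.findall(r'href="([^"]+)"[^>]*>([^<]+)<', body, flags=re.I):
        if "://" in label and href.split("/")[2].lower() != label.split("/")[2].lower():
            signs.append("link text hides a different destination")
            break
    return signs


def triage(raw_email: str) -> dict:
    """Parse a raw message and give a simple verdict from the number of signs."""
    signs = suspicious_signs(message_from_string(raw_email))
    verdict = ("report to IT" if len(signs) >= 2
               else "check manually" if signs else "no obvious sign")
    return {"signs": signs, "verdict": verdict}


# Constructed sample: an obvious invoice scam.
PHISH = """From: "Accounting - example-company.test" <accounting@examp1e-company.test>
Reply-To: collect@mailbox-free.test
Subject: URGENT: overdue invoice
Content-Type: text/html

<html><body>Dear customer,<br>Your account will be suspended within 24 hours
unless you pay immediately.<br>
<a href="http://payment-portal.test/pay">https://bank.test/secure</a></body></html>
"""

# Constructed sample: an ordinary internal message.
LEGIT = """From: "Marie Dupont" <marie.dupont@example-company.test>
Subject: Minutes of Monday's meeting
Content-Type: text/plain

Hello Paul,

Attached are the minutes from Monday. Let me know if I missed anything.

Marie
"""

if __name__ == "__main__":
    print(triage(PHISH))
    print(triage(LEGIT))
```

None of these checks is proof on its own (a real supplier can write clumsily, and a well-crafted phishing email can pass all of them), which is why the guide's advice to call the sender back and report doubts still applies whatever the score.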
✅ If in doubt, report it
Encourage your employees to report phishing emails or to seek help if they suspect an attack. This allows you to react faster and warn other employees. Do not punish an employee who has been duped, as this encourages hiding incidents later. When you suspect a compromise, disconnect the equipment, run an antivirus scan, change the user’s passwords and report the incident on cybermalveillance.gouv.fr.
🛡️ DSecBypass supports you in raising your teams’ awareness of cyber risks through simulations of phishing attacks as well as novice-level and interactive conferences. Do not hesitate to contact us for additional information and/or a personalized quote 📝.
References: https://www.ssi.gouv.fr/uploads/2021/02/anssi-guide-tpe_pme.pdf, https://www.ncsc.gov.uk/collection/small-business-guide, https://www.economie.gouv.fr/files/bro-guide-secu-info-print_0.pdf