Improving your Posture
Enhancing protection against cybersecurity threats doesn’t have to be a costly and time-consuming exercise. This is good news for SMEs, which typically have neither money nor time in abundance. To help organisations improve their security posture quickly and cheaply, we’ve compiled a list of quick wins that, in our experience, will protect a Windows-based organisation against the majority of the threats it typically faces.
1. Password Policy
Develop a password policy that encourages good practice rather than forcing users to adopt excessively long, unmemorable character strings. Simple rules such as recommending three unrelated words, combined with automated checks that reject commonly used passwords, improve resistance to password cracking and reduce the risk of accidental disclosure.
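As an added illustration (this is not code from the original article), the check below applies the advice above to a candidate passphrase: it rejects anything on a banned-password list, including trivially decorated variants, and reports whether the candidate looks like a multi-word passphrase. The banned list, the company name stand-in and the candidate passwords are constructed samples.

```powershell
# Added example, not from the original article. The banned list below is a
# constructed sample; a real deployment would use a far larger list.
$BannedPasswords = @(
    'password', 'password1', 'welcome1', 'letmein',
    'qwerty123', 'summer2023', 'acmecorp'   # 'acmecorp' stands in for the company name
)

function Test-PassphrasePolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Candidate,
        [int]      $MinimumLength = 12,
        [string[]] $Banned = $BannedPasswords
    )

    $reasons = [System.Collections.Generic.List[string]]::new()

    if ($Candidate.Length -lt $MinimumLength) {
        $reasons.Add("shorter than $MinimumLength characters")
    }

    # Normalise before comparing so that trivial variants ('Password1!',
    # 'P-a-s-s-w-o-r-d') are still caught by the list entry 'password'.
    $stripped = ($Candidate -replace '[^A-Za-z0-9]', '').ToLowerInvariant()
    $noDigits = $stripped -replace '\d+$', ''
    foreach ($bad in $Banned) {
        $badNorm     = $bad.ToLowerInvariant()
        $badNoDigits = $badNorm -replace '\d+$', ''
        if ($stripped -eq $badNorm -or ($badNoDigits -and $noDigits -eq $badNoDigits)) {
            $reasons.Add("matches banned password '$bad'")
            break
        }
    }

    # A single repeated character satisfies a length rule but has no real entropy.
    if ($Candidate -match '^(.)\1+$') { $reasons.Add('single repeated character') }

    # Three-word guidance is advisory: count separated word tokens.
    $words  = @($Candidate -split '[\s\-_.]+' | Where-Object { $_ -ne '' })
    $advice = if ($words.Count -ge 3) { 'looks like a multi-word passphrase' }
              else                    { 'consider three unrelated words' }

    [pscustomobject]@{
        Acceptable = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
        Advice     = $advice
    }
}

# Constructed candidates for the demonstration
foreach ($pw in 'Password1!', 'Summer-2023', 'coffee-tractor-violin', 'aaaaaaaaaaaaaaaa') {
    $result = Test-PassphrasePolicy -Candidate $pw
    '{0,-25} acceptable={1,-5} {2} {3}' -f $pw, $result.Acceptable, $result.Reasons, $result.Advice
}
```

In a domain environment the banned-list check belongs in the directory rather than in a script (for example Azure AD Password Protection, which also covers on-premises Active Directory), so that it is applied at every password change regardless of which client set it.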
2. Password Managers
Password managers are an excellent low-cost solution for managing the multitude of passwords users are expected to remember. They have the added bonus that these passwords can be far more complex than most people could ever memorise.
3. Multifactor Authentication
Requiring users to complete two or more independent actions before being granted access to systems and applications can defeat most unauthorised access attempts against networks and devices. Combining something the user knows (a remembered password), something they have (a smartphone authenticator app) and something they are (biometrics) delivers a significant improvement in security.
4. Software Updates
No software is perfect, and typical off-the-shelf business applications and operating systems are full of security vulnerabilities. Weaknesses must be resolved as soon as they have been identified and the appropriate security patches released. Switching on automatic updates where possible, and regularly checking that they are actually being applied, protects against attacks that exploit newly discovered weaknesses. Third-party software needs particular attention, as its update processes often require manual intervention. And of course, updates themselves are not perfect, so businesses should ensure a process is in place to roll back any troublesome update, whether using the Windows built-in recovery feature or reinstalling a previous known-good version from a backup.
5. DNS Filtering
Domain Name System (DNS) blocking or filtering prevents users from accessing known dangerous or inappropriate websites. Businesses can implement stringent controls by preventing access to all websites unless they appear on a safe list of vetted and approved sites. Alternatively, a less secure but more relaxed approach allows access to every website unless it appears on a block list of known problem sites. As well as preventing access to sites hosting malware, such filters can block sites hosting content that breaches the company’s acceptable usage guide.
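The two policies described above give different answers for the same lookups. The following added example (not part of the original article) evaluates a few constructed resolver log lines against a constructed safe list and a constructed block list, treating each entry as covering the domain and all of its subdomains, which is how DNS filters normally match.

```powershell
# Added example, not from the original article. Lists, host names and the
# query log are all constructed for the demonstration.
$SafeList  = @('office.com', 'microsoft.com', 'acmecorp.example')
$BlockList = @('malware-drop.example', 'casino-spins.example')

function Test-DnsQuery {
    param(
        [Parameter(Mandatory)] [string]   $QueryName,
        [Parameter(Mandatory)] [ValidateSet('SafeList', 'BlockList')] [string] $Mode,
        [Parameter(Mandatory)] [string[]] $List
    )
    $name = $QueryName.TrimEnd('.').ToLowerInvariant()
    # An entry matches the domain itself and every subdomain beneath it,
    # so 'login.microsoft.com' is covered by 'microsoft.com'.
    $hit     = $List | Where-Object { $name -eq $_ -or $name.EndsWith('.' + $_) }
    $matched = [bool]$hit
    if ($Mode -eq 'SafeList') { return $matched }   # only listed names resolve
    return -not $matched                            # everything except listed names resolves
}

# Constructed resolver log: timestamp, client address, queried name
$QueryLogText = @'
2024-03-01T09:00:01 10.0.0.15 login.microsoft.com.
2024-03-01T09:00:04 10.0.0.15 cdn.malware-drop.example.
2024-03-01T09:00:09 10.0.0.22 www.casino-spins.example.
2024-03-01T09:00:12 10.0.0.22 news.example.
'@
$QueryLog = $QueryLogText -split "`n"

foreach ($line in $QueryLog) {
    if (-not $line.Trim()) { continue }
    $ts, $client, $qname = $line.Trim() -split '\s+'
    $safeVerdict  = if (Test-DnsQuery -QueryName $qname -Mode SafeList  -List $SafeList)  { 'PASS' } else { 'DENY' }
    $blockVerdict = if (Test-DnsQuery -QueryName $qname -Mode BlockList -List $BlockList) { 'PASS' } else { 'DENY' }
    '{0,-30} safe-list:{1,-5} block-list:{2}' -f $qname.TrimEnd('.'), $safeVerdict, $blockVerdict
}
```

The last log line is the instructive one: an unknown news site is denied under the safe-list policy but passes under the block-list policy, which is exactly the trade-off between stringency and convenience the text describes. Whichever policy is chosen, the resolver's query log should be kept, since a burst of denied lookups from one client is often the first visible sign of a malware infection.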
6. Isolated Browsing
A significant source of malware infection of company resources is staff browsing unsafe websites. Microsoft Defender Application Guard, available for the Edge browser, automatically isolates browsing of untrusted websites in a separate sandboxed container built on virtual machine technology. Any malware encountered is unable to reach company systems, and the threat stays contained.
7. Controlled Folder Access
This new feature, available in Windows 10 and Windows Server 2019, protects against the effects of a ransomware infection by preventing suspicious or malicious programs from modifying protected files and folders. It is configurable, so it need not intrude on the operation of standard business applications and processes.
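The configuration work the paragraph refers to is mostly deciding which folders to protect and which applications to trust. The added example below (not from the original article) shows the usual rollout order for a single machine with the Defender cmdlets: enable in audit mode, add a folder and a trusted application, read back the result, and check the audit log before switching to enforcement. The folder and application paths are placeholders; the commands need an elevated session with Microsoft Defender Antivirus active.

```powershell
# Added example, not from the original article. Paths are placeholders.
# Run from an elevated PowerShell session on Windows 10 / Server 2019 or later.

# 1. Audit mode records what would have been blocked without blocking it,
#    so line-of-business applications can be whitelisted before enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect a folder beyond the default user-profile folders.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # placeholder path

# 3. Allow an application that legitimately writes into protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\AcmeLedger\ledger.exe'   # placeholder path

# 4. Confirm the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# 5. Review what audit mode recorded over the last week.
#    Defender event 1124 = write audited, 1123 = write blocked.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 6. Once the audit log shows only expected activity, enforce.
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Across a fleet the same settings are normally pushed by Group Policy or Intune rather than per machine, but the audit-first sequence is the same, and the 1123/1124 events are what a monitoring tool should collect to spot both false positives and genuine ransomware activity.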
8. Staff Awareness
Staff are often left as the first line of defence against social engineering attacks. Simple awareness training, delivered in person, by email or via a poster in a breakout area, can effectively prevent ransomware attacks and halt phishing in its tracks. There are plenty of free online resources available for delivering awareness training. And for the more technically adept organisations, Office 365 includes a phishing attack simulator that lets organisations measure how effective the training has been.
9. Device Encryption
A simple way to protect sensitive information stored on devices is full disk encryption. Windows BitLocker comes as standard and provides full-volume encryption with a choice of key lengths and passcode combinations. For most businesses, applying encryption with the minimum performance overhead offers sufficient protection against stolen or lost devices.
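As an added example (not code from the original article), this is the low-overhead BitLocker configuration the paragraph has in mind, expressed with the BitLocker cmdlets: XTS-AES 128, encrypt used space only, unlock transparently with the TPM, and escrow a recovery password before encryption starts. It assumes an elevated session on a device with a TPM and that C: is the operating-system volume.

```powershell
# Added example, not from the original article. Assumes a TPM-equipped
# device and that 'C:' is the OS volume; run from an elevated session.
$Volume = 'C:'

# Create a numerical recovery password first, so the volume is never
# encrypted without a way back in if the TPM measurements change
# (firmware update, motherboard swap, and so on).
Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null

# Turn on encryption. XTS-AES 128 and used-space-only keep the performance
# overhead minimal; the TPM protector unlocks the volume at boot without
# prompting the user.
Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes128 -UsedSpaceOnly `
                 -TpmProtector -SkipHardwareTest

# Extract the recovery password so it can be stored somewhere the business
# controls (Active Directory, Azure AD/Intune, or the company password manager).
$recovery = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Recovery key ID  : $($recovery.KeyProtectorId)"
"Recovery password: $($recovery.RecoveryPassword)"

# On a domain-joined device the escrow can be done directly into AD DS:
# Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $recovery.KeyProtectorId

# State check, useful as the basis of a fleet-wide compliance report.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod
```

The recovery password is the part most often skipped in small organisations, and without it a TPM change turns a protected laptop into an unreadable one; storing it centrally is what makes BitLocker a safe default rather than a risk.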
10. Privileged Access Restrictions
The simplest way to prevent accidental user actions from affecting security is to remove administrator access. This limits the potential impact of any activity and makes rolling back mistakes simpler and faster. It’s rare for an average user to actually need administrator access, so granting it on a case-by-case basis is typically far less overhead than resolving inappropriate use after the fact. As a side effect, it makes lateral movement and insider attacks much harder to pull off.
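Removing administrator access starts with knowing who has it. The added example below (not from the original article) reports every member of a machine's local Administrators group against an approved list and can, on request, remove the rest, previewing with -WhatIf first. The approved names are placeholders; the group is addressed by its well-known SID so the check works on non-English Windows installations too.

```powershell
# Added example, not from the original article. The approved principals are
# placeholders; run from an elevated session.
$LocalAdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Invoke-LocalAdminReview {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Entries with a backslash are matched in full; bare names match the
        # local account of that name (for the built-in Administrator).
        [string[]] $Approved = @('Administrator', 'ACMECORP\Domain Admins', 'ACMECORP\Workstation-Admins'),
        [switch]   $Enforce
    )

    foreach ($m in Get-LocalGroupMember -SID $LocalAdminsSid) {
        $shortName  = $m.Name.Split('\')[-1]
        $isApproved = ($Approved -contains $m.Name) -or
                      (($Approved | Where-Object { $_ -notmatch '\\' }) -contains $shortName -and
                       $m.PrincipalSource -eq 'Local')

        # Emit a report row for every member, approved or not.
        [pscustomobject]@{
            Member   = $m.Name
            Type     = $m.ObjectClass
            Source   = $m.PrincipalSource
            Approved = $isApproved
        }

        if ($Enforce -and -not $isApproved) {
            if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
                Remove-LocalGroupMember -SID $LocalAdminsSid -Member $m
            }
        }
    }
}

# Report only
Invoke-LocalAdminReview | Format-Table -AutoSize

# Dry run of the removals, then the real thing once the approved list is confirmed
Invoke-LocalAdminReview -Enforce -WhatIf
# Invoke-LocalAdminReview -Enforce
```

Run across the estate, the report rows are the evidence an assessor asks for under access-control requirements, and a member that reappears after removal is worth treating as an incident rather than a nuisance.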
For SMEs, adequate security controls shouldn’t be a burden, and the benefits of implementing quick wins such as these far outweigh the effort required. Does your business know where the gaps are in its security? EasyCyber (a Salus Cyber service) has a Cyber Essentials Readiness Scorecard that enables organisations to measure their security posture. Find out your readiness score here. It indicates where the holes are in your security defences, and we stand ready to advise organisations on how best to fill the gaps. For businesses not yet certified under the Cyber Essentials scheme, it will also estimate their readiness for assessment. Contact us today and let us explore together the best way forward for your business.