#BeCyberSmart for Cybersecurity Awareness Month 2023
It’s the Wild West out there. Cybercriminals ride tall in the saddle, hacking left and right, ready to pick off any unsuspecting business owners that dare to venture out into the wild range of building a digital business portfolio…
That’s a tad dramatic, but if you follow the news about cybercrime, you’d be forgiven for thinking that the digital space is a dangerous and lawless place to do business, and that you’re taking your business life into your own hands by creating a digital presence anywhere on the web. There are real dangers, but that picture is simply not true: the large majority of the attacks that actually hit small businesses are opportunistic, and they can be blocked by preparing your groundwork properly, or by fixing the holes in your existing online security. Since it’s Cybersecurity Awareness Month, we can show you how to boost your business cyber resilience with some simple cybersecurity tips and basic cyber awareness steps.
Do I Need To Employ A Cybersecurity Agency?
Almost certainly not. There are some things that you might like an outside opinion on, and if you have a very large or complex business you probably should have an IT professional on hand, but by and large, you can set up good digital security and data protection by yourself.
We’ll break down what you can do to increase your online safety into a few easy sections.
Keep Up To Date To Defend Against Online Threats
Cyber threats evolve all the time, but so do the countermeasures, and software and hardware developers work hard around the clock to fix vulnerabilities in their systems as they are found. It’s pretty obvious then, that you need to stay up to date to get the benefit of their hard work; a patch you haven’t installed protects nobody.
We see lots of business owners using old versions of operating systems, with outdated or free software (free software itself isn’t bad, just keep it up to date), old phones or laptops donated by family members that have become business devices… the list goes on. It all needs to be kept up to date. Repurposing older hardware for business purposes is fine, and laudable, but you need to ask yourself three questions:
- Can it run the software I need? – Some older devices are simply incapable of running the latest software or operating systems effectively and securely.
- Is the hardware secure? – Older hardware may have security vulnerabilities in the processor or firmware that allow software to execute unchecked code. These can’t always be fully fixed by software updates, and a device that no longer receives firmware or operating system updates from its maker will never be fixed at all, so if you’re unsure, check the manufacturer’s support status for the model.
- Is it fast enough not to affect workflow (cost)? – It’s tempting to run a ‘free’ device, but if it’s so old you can’t work properly on it, then it’s likely to be costing you money by slowing workflow.
If the answer to any of these questions is no, then you should probably recycle the device or give it to a charity to repurpose.
Older phones are also a problem when it comes to security vulnerabilities, so make sure you update your phones whenever there’s a security update available. Making sure that your devices are current and up to date is a great
Consider All Factors
Multi-Factor Authentication (MFA) is a multi-layer security approach that has become the standard for keeping your digital presence secure. Two-Factor Authentication (2FA) is the most common form of it: exactly two factors rather than two or more. If you’re not familiar with it then you really should be, as it’s nearly impossible to do anything digital now without some MFA requirement.
Businesses that have a digital presence should take advantage of MFA wherever possible, and we’ve certainly had to deal with clients coming to us with hacked accounts on social media to know that you should take this seriously. It’s especially important where accounts that handle funds are concerned, such as Meta Ads for Facebook, Google Ads and Google Business Profile pages. Ad account security is a must-have. Leaving your Social and Ad account logins without 2FA can ruin your business.
Implementing 2FA or MFA is simple, and requires you to prove at least two of the following three things:
- Something you KNOW – This is a password or PIN, known to you and only you. This is your first layer of security.
- Something you HAVE – This is usually a device, like a phone or tablet, an authenticator app that generates one-time codes, a hardware security key, or even a separate email address that you can have a check sent to, allowing you to confirm that it is you logging in. Codes sent by SMS or email are the weakest of these, because the phone number or mailbox can itself be hijacked; an authenticator app or hardware key is the better choice where the service offers it. Can be used alongside or instead of;
- Something you ARE – Biometric data. A fingerprint, iris or facial scan, or maybe even the tones present in your voice.
Effective multilayer security requires at least two of these factors to be satisfied before you can log in. MFA by itself is the easiest way to harden yourself against the most common cyber threats, which are focused on passwords that have been leaked in data breaches or guessed. With MFA in place, a stolen password alone is no longer enough to get in. One caveat: a one-time code can still be phished if an attacker tricks you into typing it into a fake login page and relays it to the real one within the few seconds it is valid, so where a service offers passkeys or a hardware security key, which are bound to the genuine website and cannot be relayed this way, prefer them over codes.
We always advise clients that implementing MFA is a must, but if you do so then you must also be able to recover it. Take note whenever you implement MFA or 2FA that you have access to recovery codes or an alternate email address for recovery, in case your MFA device is lost or broken, and keep those recovery codes somewhere separate from the device itself.
Situational Awareness And Appropriate Access
Firstly, be aware of what you’re doing and where you are digitally. If you’re working from home, or a public location, are you working securely? Is your router up to date with firmware? Have you changed the router admin password from the factory default? If you are using the internet or cloud services via a public WiFi access point such as a bar or a coffee shop, then the network itself is not under your control: anyone running it, or on it, can see which sites you connect to and can tamper with anything not protected by HTTPS. If this is a regular thing for you then you can encrypt everything between your device and a provider you do trust by using a VPN service. With lots of different providers for simple VPNs, you can get online securely for very little, taking the worry out of using public WiFi in airports, bars and cafes. Our recommended picks are PIA and NordVPN.
Secondly, you should know which accounts your business has, who the users are, where the credentials are kept and whether 2FA is enabled on each.
Create a list of which apps your business uses every day, then run through them one by one to ensure that they are up to date and that any passwords are stored securely. The easiest and most effective way to manage this is to use a password management platform. Platforms such as Dashlane or LastPass have affordable business packages that suit businesses of any size and can ensure that your passwords are stored securely so that only you and chosen users within your business can access them. If you onboard with a platform, then the best thing to do is run a checklist of all your accounts, then cross them off as you add them to the platform. This way, if you have any issues with 2FA, or lost passwords for any account, you’ll be able to deal with it there and then, and store the new passwords securely. It’s worth saying that you should make sure that you have a way of getting back into your password management account if there’s a problem, as all your secure access is contained there. It’s perfectly acceptable to keep the master password written down somewhere physically secure that won’t be disturbed, such as a locked drawer or safe. After all, hackers in another country are not likely to break into your home and ransack your drawers to find your Google Ads password; that sort of thing only really happens in spy movies. Just don’t keep it on a sticky note on the monitor.
Never reuse passwords across services. Most password managers can generate a long random password and store it for you. Take advantage of this wherever possible: when one service is breached, attackers try the leaked email and password combinations against every other popular service, and a reused password hands them all of those accounts at once.
Access All Areas
As you run through your list, take care to check who has external access to your app accounts. As an agency, we insist that anyone coming to us for ads and social does not give out critical usernames and passwords for their social media or ad accounts. Instead, they must invite our agency account to become an admin of that page or service. This way, we still have the control we need but the ultimate control and ownership stays with the client. If agencies or organisations ask you for your login details, this could be a sign that they are not running as securely as possible. If in doubt, ask.
As you’re doing this, you may notice old profiles with access to your social media accounts. Commonly these are ex-employees, ex-agencies, designers or consultants who worked for you in the past. Transfer any privileges these accounts may have, make sure you hold the same privileges yourself, and then get rid of that access. If there’s no current reason for an individual or a business to have access, revoke it to secure your accounts. It’s usually as simple as a single mouse click. You can’t know whether an old account belonging to someone else has since been compromised, and these leftover connections are Golden Tickets for hackers, because they bypass every protection you have put on your own login.
Coping With Phishing And Email Threats
With everything connected to email and phone numbers for 2FA and account recovery, you must apply common sense to any emails that you may receive. Phishing, and its text-message sibling Smishing (SMS phishing), are methods used by cyber attackers to get you to enter your account details on a page they control, so they can hijack the account. You may receive an email telling you to check a banking alert or to enable a new security feature in your email account. In the case of Smishing, you may receive a text saying that your parcel is ready for collection. In any case, the message wants you to click on a button or link to log in. The fields waiting for you at the link address are designed to capture your login data so it can be used by an attacker looking to breach your security. 2FA blunts the simplest of these attacks, because a captured password alone is not enough, but some phishing pages also ask for your one-time code and pass it straight on to the real site, and others go after accounts where you haven’t enabled 2FA, so be aware. You should always implement 2FA, make sure you know what phishing emails look like, and ensure that your staff have been trained to spot them too.
The trick to avoiding phishing attacks and smishing is to avoid clicking links in any emails or texts that come to you unsolicited; if you didn’t ask for it, then don’t click on it. If the message might be genuine, open the service from a bookmark or by typing its address yourself, never from the link, and check there.
Email encryption protects the contents of your messages from being read or altered by anyone who intercepts them between you and the recipient. It does not stop phishing, which arrives as an ordinary message, so treat it as a complement to the advice above rather than a replacement. Many services, like the excellent TrustiMail from Trust365, operate as a bolt-on to your existing email apps such as Gmail or Outlook, without changing the way you work, and can even add mail analytics and productivity tools. Mail is handled so that it sits on TrustiMail servers, encrypted and unreadable to prying electronic eyes.
One more avenue of potential cyber-attack is through your browser, so you should always run an internet security product when surfing the web or doing anything else online, to give you a good level of malware protection. If you use Windows in your business, most threats can be taken care of by Microsoft Defender Antivirus, which ships with Windows as standard, provided it is switched on and kept updated. If you use another platform, work in public places or use public internet a lot, then you might want to be more serious about your online safety and consider a premium internet security product such as Bitdefender or NOD32 from ESET. Both of these vendors have business-focused products and also offer built-in VPN options.
Now You’re Up To Speed
All of the above represent entry-level cybersecurity best practices, and if you take the security of your business seriously, should be the minimum level of security that you put in place. It’s extremely damaging to your business if you have a data breach or have endangered the online privacy of a customer, so it’s always best to take a belt-and-braces approach when dealing with cybersecurity for your business.
As website optimisers, social media gurus and digital marketing experts, we would recommend that you only engage with agencies and service providers with good cyber hygiene and who operate using best practices, which includes us of course!
If you have a business with a strong digital presence and you need a comprehensive review of your website, social media and marketing data protection, then Market Rocket can handle your website, PPC, social media, email marketing and so much more in a safe, responsible way, ensuring that your digital business can operate as securely as possible.