IT security is no joke. According to the Federation of Small Businesses owners lost 800 million GBP to cybercrime. The cost of preventing this colossal amount would have been a fraction of this loss. Some fixes need special consultancy and training such as penetration testing or if a breach has occurred digital forensics techniques may be required. Prevention is better than the cure. Many fixes are simple and don’t require much in cost and effort from you or your IT department.

I have summarised some tips below to help secure your small business.

Top Security Tips Summary

• Use Anti-Virus/Firewalls/Anti-Malware/Active Monitoring This can be free for your small business so there is no excuse. Comodo is a great antivirus and can be used legally for small businesses. Sophos provides a great free firewall for small businesses as long as you keep the rules up to date and configure it correctly! Much active monitoring software exists, take a gander at Variato for example.

• CCleaner By Piriform is worth having it allows admins to wipe disks that may hold IP so they may be recycled (Don’t wipe or reuse ex-employees data. Look at this article so you can find out why!). This is important as you don’t want insiders using data recovery software to find artefacts. It can also function to delete internet history and can wipe free space so old data can’t be discovered so you may not want this to be present on employees systems.

• Shred Unwanted Documents You may want to use a digital shredder

• Secure Your Website This can be done by patching, updating and ethically hacking to test the site to test the site’s security. Update the backend of your site and schedule regular tests. Test the applications on the site, design them with security in mind.

• Backup Be sure to back everything up off your network before an event occurs. Make backups of servers and computers using Clonezilla, a free cloning software. Backup your website and if using WordPress use plugins such as ‘All In One WP Security & Firewall‘ that has built-in scanners and firewalls. Backup your assets the old fashioned way to cheap readily available external USB disks. Make sure these are encrypted, you can add encryption and passwords for these using Veracrypt. Store backups safely and if needed in a safe with limited access. Making regular backups that can be readily restored means your business can get up and running should ransomware or other threats strike. Your assets will be protected and the crash or hack will be a minor setback. It is important to save and cherish your intellectual property but keep it off any networks.

• Due Diligence Consider employee background checks as can be carried out by companies such as Tendo Solutions.

• Conserve Ex-Employee Data Be sure to preserve ex-employees hard disks in case of IP theft or unauthorised activity that you may need to use against them in the future. Consider a forensically imaging the disk and having a full computer forensic analysis on the data. You may need to hire a computer forensic expert to do this.

• Use Strong Passwords Don’t use default passwords on devices, change the passwords on routers and similar. Use password creation websites such as Password Generator to generate a strong password. Don’t store passwords on post-it notes attached to your monitor!

• Implement Two-Step Authentication Try to use an email service such as Gmail Business that has two step authentication where you can link a mobile phone with an account and use this device to generate a code after you enter a password as another layer of security. Even if some gets hold of one of your employee’s password while doing business in Hong Kong they can’t get into your account without the Authenticator application linked to a particular phone.

• Mobile Phone Security Try to have all your employees phones preconfigured with encryption, a decent password and an anti-virus.

• Virtual Private Network Try to have a VPN app installed and running at all times to protect your data while browsing on unsecured WIFI on a mobile phone or computer.

• Encrypt Whole Disks Protect movable assets such as laptops by using Veracrypt to encrypt the disk before you even get to the Windows login, you could even us Bitlocker already built into Windows.

• Training You employees need training in threat awareness and online security.

• Look For Software and Hardware Keyloggers or Recorders Sometimes rogue employees may attach hardware devices to log keystrokes or indeed install software in order to do so. If they can do this they access to your passwords and activity.

• Phishing Train your staff on phishing awareness and even try and bait your staff to see if they fall for spoofed emails or similar.

• Restrict ‘Bring Your Own Devices’ This policy is risky as you have no way of knowing the integrity and security of your employee’s devices. Give staff their own devices preconfigured.

• Updates Keep your software up to date and patched. Nothing is more useless than anti-virus that is 4 years out of date!-virus that is 4 years out of date!

• Guest Networks Your companies WIFI and the network may be secure but plenty of juicy information can be sniffed using a man in the middle attack in the canteen on level 0’s free unsecured WIFI network. Again use a decent VPN.

• Restrict Software Allowing employees to download software that hasn’t been vetted by anti-virus software or the IT department is a recipe for disaster.

• Maintain Logs and Store Them Backup your server and other logs, encrypt them and keep them somewhere safe for a possible future analysis.

Thank you for reading. No single technique or guide will totally secure your business.

Please like and share this article.

Regards,

Alistair Ewing

You can trace your current IP address here. The trace will tell you your location, internet service provider and even which browser you are using. This means if you are a major our corporation you risk a data breach. Your data can be logged and monitored by your ISP, marketers can then target your computer with area-specific adverts. Onlookers cannot see your information should you use a VPN. If you are not using one now you may be only one transaction away from online banking fraud thus giving your details to the hacker. You can also purchase full protection for up to 5 devices for only £40 a year.

What is a VPN?

In a nutshell, a VPN is a secure encrypted connection between your computer and the VPN server. While connected all your data passes through an encrypted tunnel. This way no one can eavesdrop or sniff the data being transferred. Also, you have a different public IP address (Your internal IP will remain the usual 198.168.1.xxx or of that range).

Many corporate environments have a VPN. You could be using one already. Consumer versions of VPN technology are vast. A personal favourite of mine for many reasons Private Internet Access. This company offers a super fast VPN service for Windows, Mac, iOS and Linux for around £24 a year. They have on their hardware list a plethora of servers from around the world as the closest server to you will be the fastest, this is a must. There is no use of watching online videos browsing from a slow server in Mumbai when sat in a cafe in London.

Benefits of a VPN

Free WIFI Security Concerns

One of the main advantages of a VPN is if you connect to a free WIFI hotspot such as an airport anyone related to that service can see your browsing stream and use a tool like Wireshark to sniff your credit card details and passwords. Recently it is now possible to do this on a mobile phone. An android tool called ZAnti automatically filters out the noise and leaves users with a report detailing sniffed passwords and activities. The culprit would start reconnaissance by using a tool to scan IP addresses and discover devices on that network then target a particular device to sniff the data. Had you been using VPN your activity would be invisible. I once conducted a pen test for a bluechip firm. I couldn’t find any holes in their network; It was pretty tight. I went to the canteen ran by a dreadful favourite coffee chain style clone. They had free WIFI and an open connection. This connection infiltrated the business, and some employees were unwittingly using this to connect to the internet. From this, I was able to sniff confidential company data while supping a terrible faux Italian coffee looking trendy utilising a ‘man in the middle’ attack. I reported that this occurred and the director of compliance was shocked. Heads rolled, and changes were made. I collected my bonus pay for finding the weakness and their brands reputation was saved.

Being Naughty

If your family has been doing the unthinkable and downloading that latest release through BitTorrent then you probably won’t be receiving that court summons as the IP address won’t be trackable. Your IP address will also be anonymous. Most VPN companies don’t leave logs so will have nothing to hand over when they receive the knock from that ‘Paramount Fox’. I do not condone this and if you download copyrighted material then expect strange things to happen.

Watching Online TV

More innocently, If you are in a foreign country and wish to watch your local online TV stations then you can fool them into thinking that you are based in that country. Just recently though Netflix have grown wise to this so there is no guarantee how long this bubble will last.

Tin Foil Hat Wearers

If you are worried about the reptilian government NSA spying agency intercepting your plans at organizing a David Icke appreciation tea party then a VPN is for you. Instead of your outside IP address being traceable and your data stream being unencrypted using a VPN will make your activity much harder to track and decipher. This article suggests that the US government are silently deciphering up to two-thirds of VPN connections. Right or wrong, this article is simply informational and remains agnostic but it is happening. This may aid spooks to catch those who wish to harm but who’s to say that someone doesn’t come knocking at your door at 3 am in 10 years time when a fascist government takes control and they got hold of information you voted Green for Ralph Nader back in 2000.

What to Look for in a VPN Firm

A google search will reveal ‘free’ VPN services. They are OK for short-term use but on the whole, I find them slower and unreliable; see Tunnelbear, Windscribe and Cyberghost.

You want something fast, that doesn’t hand over logs, one-click activation, one-click connection, advanced features, fast performance, multiple payment options with Multi-platform support and a VPN kill switch. Again I tested many and find Private Internet Access has the best speed, the most servers, and countries in which to choose to browse from.

I Have an Anti-Virus and Firewall so Why Bother?

Fine then! But think about it; for the price of a Spotify subscription, you can evade from network attacks which are becoming increasingly common. A VPN provides another level of security that anti-virus and firewalls don’t. With NSA, hackers, and IP hungry advertisers all vying for our information, VPN is going to be something that will become more common in coming years. Think about using a VPN as a daily habit for you anonymity and protection.

Written by Alistair Ewing Director at Compute Forensics