“During the meeting, [name withheld] said their organization was hacked. Is there anything we should all do?” the email said. Apparently, unauthorized access to an email account allowed a thief to make a financial account transfer that resulted in the loss of tens of thousands of dollars. Larger companies often reduce risk by hiring staff or paying a technology service provider for security expertise. But that meeting was one attended by leaders of several small- and mid-sized organizations. People were worried. No one wanted their organization to be next.
SEE: Security incident response policy (TechRepublic Premium)
My response: Remind people to focus on the security basics. The following six steps are ones I rely on every day to protect my systems and data. These are the same steps I encourage every organization I work with to put into practice.
How many of these steps does your organization have in place?
1. Install available updates
Similarly, check for and install available application updates. On Apple devices, check for updates in the App Store. On Android, check for updates in the Play Store. On Windows, check for updates in the Microsoft Store. If you use apps installed by a method other than the vendor’s store, look first for an update method within the app or check the developer’s site for updates.
Larger organizations likely have device management systems (e.g., Google endpoint management, Microsoft device management or Apple mobile device management) to allow an IT team to manage updates on company-owned devices.
SEE: How to secure your Mac in 4 basic steps (TechRepublic)
Also, check for and install available updates for specialized devices, such as printers and routers. In most cases, you can retrieve updates from within the administrative controls on your device.
Replace any system for which the vendor no longer provides regular updates.
2. Enable multi-factor authentication
On all sign-in systems that offer it, enable multi-factor authentication. This includes email, financial, social media and online collaboration app accounts.
If the system offers no other option, then SMS/text authentication as a second factor is better than relying solely on a username and password. However, a better option will be to use an authenticator app that generates codes, such as Authy, Google Authenticator or Microsoft Authenticator.
SEE: 63% of organizations face security breaches due to hardware vulnerabilities (TechRepublic)
Physical security keys remain one of the best multi-factor authentication methods available. Sign in with a username and password, then insert your security key into an open port, press a button on a Bluetooth security key or place an NFC-enabled security key near your device to approve access. While not all services or sites support security keys, an increasing number do.
3. Use a password manager
Use a password manager designed for businesses or teams. (This type of system allows an administrator to add and remove accounts.) Password manager apps let each person create long passwords made up of a variety of letters, numbers and symbols. More importantly, these apps allow people to share passwords securely and enable login by a colleague without revealing the password.
Make the password you use for every site and service unique. Never reuse a password.
4. Rely on cloud protection
In most cases, organizations should rely on either Microsoft 365 or Google Workspace to provide solid email and file security. Both deliver significant protection from malware, spam and viruses as part of their email and file storage services. The scale and scope of the security operations at either company is beyond what most companies can match in-house. In nearly all cases, the scale and security expertise provided by external vendors will be greater than most companies maintain in-house.
SEE: How organizations can combat the security risks of working remotely (TechRepublic)
5. Address DNS
To help prevent outbound email spoofing fraud, enable and configure SPF, DKIM, and DMARC DNS records to authenticate email and reject unauthorized messages. If you’re a large company, additionally protect your visual identity and trademark with brand indicators for message identification, or BIMI, configuration.
SEE: Why do so many wireless routers lack basic security protections? (TechRepublic)
To help prevent accidental access to problematic sites, use a DNS service that filters and blocks malware and phishing sites as people browse the web. In small organizations, you might configure DNS on individual devices, or more often, adjust the DNS settings on your organization’s router. DNS services such as Quad9, which is free, or the highly-customizable NextDNS, which offers paid service, both filter DNS queries.
6. Backup regularly
A reliable backup of your data ensures you can recover files and data. For example, should a file system be affected by ransomware, turn to a trusted backup to restore your files safely. Backup might be handled in multiple methods (on-site to cloud, cloud to on-site, cloud-to-cloud, network attached storage, external drives or even flash drives), but what really matters is that you periodically ensure that data is stored securely in different formats and places.
SEE: How organizations can better manage and prioritize security patches (TechRepublic)
What’s your experience?
Of course, the above six steps are a start, a baseline from which to build. Additional account, device, network and application security may be appropriate in many situations. But once you have the above six items fully implemented across your organization, you’ve made your organization significantly more secure.
Has your organization implemented all six of the above steps? Are there additional essential actions you think should be taken? How long did it take your organization to implement all of the above items? Let me know how you and your organization address the basic security tactics above, either with a comment below or on Twitter (@awolber).