
Secure your firm & stay cyber safe

As the internet becomes increasingly integrated into our daily lives, online security becomes more and more important. Information that was once only accessible to large businesses is now available to anyone with an internet connection.

While this is generally a positive development, it also means that individuals need to be more vigilant about protecting their online information. There are a number of steps you can take to improve your online security, and in this document, we will explore some of the most effective ones.

Online security matters for two reasons: to protect your information and to protect your devices. Technology such as Multi-Factor Authentication is no longer a niche measure; it is now the norm for all businesses, especially those that want to keep their own data and their clients' data safe. By taking a few simple steps, you can make both your information and your devices considerably more secure.

Cyber security is not a role or a title, it’s a collective mindset of your team.

It is not surprising that email is the biggest security risk, and there are only limited options for improving it: it is the main delivery channel for phishing and malware, and with so many messages sent and received every day it is almost impossible to scrutinise them all. Getting sensitive data off email is one of the key reasons we created Seamlss.

Passwords

The first step is to create strong passwords. Length is what matters most: a strong password is as long as possible, unique to each site, and ideally includes a mix of upper and lower case letters, numbers and symbols. Aim for at least 20 characters, or a passphrase made of several random words. An eight-character password, even with mixed character types, can be brute-forced in hours on commodity GPU hardware once an attacker has a copy of a site's password database, and far faster if it is a dictionary word or appears in a previous breach. Never use the same password at more than one site: once one site is breached, attackers replay the leaked credentials against every other service (credential stuffing). A long, unique password is the first line of defence against password cracking.
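To make the "length beats complexity" point concrete, here is an added worked example (not code from the original page or from Seamlss) that estimates the entropy of a password from its length and character pool and converts that into an expected brute-force time. The guess rates are assumptions labelled in the code, chosen only to illustrate the difference between a fast unsalted hash and a slow one; the sample passwords are constructed.

```python
import math

# Assumed guess rates (guesses per second) for an attacker who has stolen a
# password database and cracks it offline on GPU hardware. These are
# order-of-magnitude illustrations for this example, not measurements.
GUESS_RATES = {
    "fast unsalted hash (MD5/NTLM-style) on a GPU rig": 1e11,
    "slow, salted hash (bcrypt-style) on a GPU rig": 1e5,
}

# Character classes and the pool size each contributes when present.
CHARSETS = (
    (frozenset("abcdefghijklmnopqrstuvwxyz"), 26),
    (frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 26),
    (frozenset("0123456789"), 10),
)
SYMBOL_POOL = 33  # printable ASCII punctuation plus space


def pool_size(password: str) -> int:
    """Size of the alphabet an attacker must search for a random password."""
    remaining = set(password)
    pool = 0
    for chars, size in CHARSETS:
        if remaining & chars:
            pool += size
            remaining -= chars
    if remaining:  # anything else: symbols, space, non-ASCII
        pool += SYMBOL_POOL
    return pool


def entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming every character was chosen uniformly
    at random. Human-chosen passwords (dictionary words, leet substitutions,
    dates) are far weaker than this number suggests, because crackers try
    those patterns first."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def passphrase_entropy_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of `words` picked uniformly from a word list (7776 = Diceware)."""
    return words * math.log2(dictionary_size)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search: on average half the keyspace."""
    return 2.0 ** bits / 2.0 / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(label: str, bits: float) -> None:
    print(f"{label}: {bits:.1f} bits")
    for scenario, rate in GUESS_RATES.items():
        print(f"  {scenario}: {describe(seconds_to_crack(bits, rate))}")


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    report("8 chars, all four classes ('Tr0ub4d!')", entropy_bits("Tr0ub4d!"))
    report("20 lowercase letters", entropy_bits("a" * 20))
    report("4 random Diceware words", passphrase_entropy_bits(4))
```

Twenty lowercase letters (about 94 bits) beat eight characters drawn from every class (about 53 bits) by roughly forty bits, which is the difference between hours and the lifetime of the universe at the same guess rate. The estimate is an upper bound: it only holds for passwords a machine generated, which is the argument for letting a password manager choose them.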

Password managers such as LastPass and 1Password make this easy. They let you manage your passwords centrally so you do not have to remember them, and they generate strong, random passwords for each login. If you are looking for something made for the accounting and bookkeeping industry, look at Practice Protect.

Apps like Seamlss can also reduce the number of passwords you need to remember. Single sign-on solutions like Sign In with Xero let you log in to multiple services with one set of credentials, which makes your passwords easier to keep track of and reduces the likelihood of reusing the same password at multiple sites. The trade-off is that the identity provider account becomes the key to everything behind it, so that account in particular must be protected with a strong, unique passphrase and MFA.

Multi Factor Authentication (MFA/2FA)

Tools that handle sensitive data, like tax file numbers and client identifying information, require Multi-Factor Authentication. MFA is an extra layer of security that requires a second proof of identity in addition to your password: a one-time code generated by an authenticator app, a push approval, a hardware security key, or (the weakest option) a code sent by SMS or email. This makes it much more difficult for someone to access your account even if they have your password, because each login needs a fresh, time-limited confirmation. Prefer an authenticator app or hardware key over SMS and email codes, which can be intercepted or redirected (for example by SIM swapping). Major services such as Xero, QBO, Google (Gmail), Microsoft (Outlook) and Facebook offer MFA, and you should enable it on every account that supports it.

Seamlss uses MFA when you log in with your username and password. With Sign In with Xero you can instead log in with a single click when you have already signed in to Xero for the day; the MFA check then happens at Xero when you sign in there. We even use MFA when you send a request to a client via email: they click the link and receive a one-time code via SMS to log in to their Seamlss account.

It is important to note that organisations such as your accountant, bookkeeper, Seamlss or other software providers will never ask for your MFA code or login details. If you receive an online message, email or text message asking for this information, it is a scam. Do not respond to these messages and do not click on any links in them. Forward them to the company's support team so they can investigate. When in doubt, delete it: if it is important and from a legitimate company, they will call or contact you again.

Protect yourself and your business

Back up, back up, back up! You have probably seen this advice a million times, and it is often not until you have lost something big that you take the extra steps. Regular, offsite backups are important. What each business needs is always different, but at a minimum keep an offline backup or snapshot (one that ransomware on your network cannot reach) alongside an online copy, and test that you can actually restore from it. A good backup lets a firm get back to work faster when something goes wrong.

BitLocker is full-disk encryption software built into the Pro and Enterprise editions of Windows 10 and 11; FileVault is the equivalent on a Mac. It encrypts everything stored on the drive, so a lost or stolen laptop does not give up its data. It works by using the Trusted Platform Module (TPM) chip to hold the encryption key and to release it only when the machine boots with its expected firmware and boot loader. For laptops that leave the office, adding a start-up PIN on top of the TPM is stronger than TPM-only unlock, and the recovery key must be stored somewhere safe (for example in Microsoft Entra ID or your device management tool), never on the laptop itself.

The Trusted Platform Module (TPM) is a hardware chip that provides hardware-rooted security for computers and other devices. It stores cryptographic keys in a way that prevents them from being read out by software or by someone who removes the drive, and it can refuse to release a key if the system has been tampered with before boot. It protects data at rest; protecting data in transit is the job of TLS and similar protocols.

Turn on a remote tool to locate and wipe your devices if they are stolen, from Find My iPhone to Prey for your laptop (https://preyproject.com/plan-comparison). This is generally available in all new Microsoft Windows based

Firewalls are not just for the movies

A firewall is a system that monitors and controls incoming and outgoing network traffic. A network firewall typically has at least two interfaces connected to separate networks, one on the private side and one on the public (internet) side; the host firewall built into Windows and macOS does the same job for a single machine. The firewall uses an ordered list of rules to allow or deny traffic based on conditions such as source and destination address, protocol and port. Two practical points: the default policy for inbound traffic should be deny, with only the services you actually expose allowed through, and rules are usually evaluated top to bottom with the first match winning, so a broad allow placed above a specific deny silently disables that deny. A firewall can be a dedicated hardware device or software running on general-purpose hardware. Firewalls are often used in conjunction with antivirus software, which helps protect against viruses and other malware that arrive through an allowed connection (an email attachment or a web download) or through a vulnerability in an application or the operating system.
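As an added example (not from the original page, and not any vendor's firewall code), here is a small first-match rule evaluator that models the two points above: a default-deny policy and top-to-bottom evaluation. The inbound rule set is constructed for a hypothetical small office and deliberately contains a deny rule placed below the allow that swallows it; `shadowed_rules` finds exactly that kind of mistake.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = ANY                # source network in CIDR form
    dst: str = ANY                # destination network in CIDR form
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # destination port; None matches every port
    comment: str = ""

    def matches(self, pkt: Dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match, this rule matches too."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: List[Rule], pkt: Dict,
             default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """First-match evaluation: walk the list in order and let the first
    matching rule decide. No match means the default policy applies
    (deny, for inbound traffic)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return default, None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    covers everything they would match. A shadowed deny is a silent hole."""
    return [i for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# Constructed inbound rule set for a hypothetical office, with one ordering mistake.
INBOUND = [
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=3389,
         comment="RDP from the office LAN only"),
    Rule("allow", proto="tcp", dport=443, comment="HTTPS to the web server"),
    Rule("deny", src="198.51.100.0/24", proto="tcp", dport=443,
         comment="block abusive range (never fires: the rule above already allowed it)"),
    Rule("allow", proto="icmp", comment="ping"),
]

if __name__ == "__main__":
    for pkt in (
        {"src": "10.1.2.3", "dst": "10.0.0.5", "proto": "tcp", "dport": 3389},
        {"src": "8.8.8.8", "dst": "10.0.0.5", "proto": "tcp", "dport": 3389},
        {"src": "198.51.100.7", "dst": "10.0.0.9", "proto": "tcp", "dport": 443},
    ):
        action, rule = evaluate(INBOUND, pkt)
        print(pkt, "->", action, "via", rule.comment if rule else "default policy")
    print("shadowed rule indexes:", shadowed_rules(INBOUND))
```

Moving the deny above the HTTPS allow fixes the hole; the shadow check is the kind of review worth running whenever a rule set changes, because a firewall GUI will happily accept a rule that can never match.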

Something smells phishy

Phishing is not malware but social engineering: emails (and increasingly text messages and phone calls) crafted to trick you into handing over credentials, payment details or other personal information, or into opening a malicious attachment. These messages can be hard to identify because they often look like legitimate messages from a trusted company or person. Phishing can lead to identity theft, account takeover and other fraud, so it is important to learn to recognise and avoid it.

Phishing is one of the most common cyber crimes. Cybercriminals use it to break into your email account and steal your passwords, credit card numbers, bank account numbers and more; a compromised mailbox is then used to phish your contacts and clients in turn.

There are many different ways you can avoid phishing scams such as:

  • Do not click on links in suspicious emails or open attachments that you do not recognise;
  • Do not give out personal information over the phone or by email;
  • Do not share sensitive information on social media sites like Facebook;
  • Do not open invoices from suspicious or out-of-the-ordinary sources;
  • Keep anti-virus software running and up to date; and
  • Check the sender's actual email address, not just the display name. A phishing email may show the correct name of a person you recognise while the address behind it is wrong or a lookalike (a digit in place of a letter, or the right name at a different domain). This catches many bogus emails but not all of them: a compromised genuine mailbox sends from the correct address, so an unexpected request for money or credentials deserves a phone call regardless.
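The last point can be automated. As an added example (not code from the original page or from Seamlss), the script below runs the checks a mail analyst performs on a suspicious message: a display name that embeds a different address, Reply-To and envelope sender (Return-Path) pointing at another domain, lookalike domains, failed SPF/DKIM/DMARC verdicts in the receiving server's Authentication-Results header, and links whose visible text names one site while the href goes elsewhere. The two raw messages, the trusted-domain list and the domain names in them are constructed for this example; `.example` is a reserved test TLD.

```python
import email
import re
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Constructed list of domains this hypothetical firm legitimately receives mail from.
TRUSTED_DOMAINS = {"xero.com", "example-firm.com.au"}

# Substitutions commonly used to build lookalike domains (fake -> real).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def canonical(domain: str) -> str:
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str) -> Optional[str]:
    """Which trusted domain does `domain` imitate? None if trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    if "xn--" in domain:
        return "an internationalised (punycode) name"
    for trusted in TRUSTED_DOMAINS:
        if canonical(domain) == canonical(trusted):
            return trusted      # e.g. xer0.com imitating xero.com
        if trusted in domain and not domain.endswith("." + trusted):
            return trusted      # e.g. xero.com.billing-portal.example
    return None


def analyse(raw_message: str) -> List[str]:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    flags: List[str] = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. The display name contains an address that differs from the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and domain_of(embedded.group()) != from_dom:
        flags.append(f"display name shows {embedded.group()} but the real sender is {from_addr}")

    # 2. Reply-To and the envelope sender (Return-Path) point somewhere else.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        flags.append(f"replies go to {reply_to}, not the From domain {from_dom}")
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_dom:
        flags.append(f"envelope sender {return_path} does not match From domain {from_dom}")

    # 3. Lookalike domains anywhere in the sender headers.
    for dom in {from_dom, domain_of(reply_to), domain_of(return_path)}:
        target = lookalike_of(dom)
        if target:
            flags.append(f"lookalike domain {dom} imitates {target}")

    # 4. The receiving server's SPF/DKIM/DMARC verdicts.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        verdict = re.search(rf"\b{mech}=(\w+)", auth)
        if verdict and verdict.group(1) in ("fail", "softfail", "permerror"):
            flags.append(f"{mech} verdict is {verdict.group(1)}")

    # 5. Links whose visible text names one site but whose href goes to another.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and shown.group(1).lower() != real_host:
            flags.append(f"link text shows {shown.group(1)} but points to {real_host}")
    return flags


# Constructed sample messages: one phishing attempt, one genuine notification.
RAW_PHISH = """\
Return-Path: <bounce-7@mailer-outreach.example>
Authentication-Results: mx.example-firm.com.au; spf=pass smtp.mailfrom=mailer-outreach.example; dkim=none; dmarc=fail header.from=xer0.com
From: "Xero Billing <billing@xero.com>" <billing@xer0.com>
Reply-To: accounts@xer0.com
To: admin@example-firm.com.au
Subject: Updated bank details for your subscription
Content-Type: text/html

<p>Please update our payment details. Review the invoice at
<a href="http://login-xero.example/inv">https://go.xero.com/invoice/1234</a>.</p>
"""

RAW_CLEAN = """\
Return-Path: <bounce@xero.com>
Authentication-Results: mx.example-firm.com.au; spf=pass smtp.mailfrom=xero.com; dkim=pass header.d=xero.com; dmarc=pass header.from=xero.com
From: "Xero Billing" <billing@xero.com>
To: admin@example-firm.com.au
Subject: Your invoice is ready
Content-Type: text/html

<p>View it at <a href="https://go.xero.com/invoice/1234">https://go.xero.com/invoice/1234</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("clean", RAW_CLEAN)):
        print(label, analyse(raw) or ["no red flags"])
```

These are heuristics that flag, not prove: a message that trips none of them can still be fraudulent, because a genuinely compromised mailbox passes every header check, and that is exactly why a change of bank details needs a phone call to a known number no matter how clean the email looks.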

There are tools to help train your team by sending simulated phishing emails to your own staff and measuring who clicks. One of the key reasons for building Seamlss was to keep clients' sensitive data off email.

Change of bank details

It is now more and more common in the financial industry for a scammer to pose as a supplier, client or colleague and ask you to send money to a new bank account (a form of business email compromise). The new account is a mule account that is not tied to the scammer's identity, and the money is moved on quickly, which makes it difficult for law enforcement or the bank to recover.

Ensure you have a change-of-bank-details verification process that all team members must follow whenever such a request arrives. Foremost, every team member picks up the phone and confirms the change with a known contact directly. Do not use the phone number in the email; find one from your CRM or phone system. The process is there to protect you and your business reputation, and also your customers.

Check details such as where the email originated, who actually sent it, and whether you were expecting a request or invoice of this nature or magnitude.

Ransomware

Ransomware is a malicious software that locks up personal files and demands a ransom to unlock them. It is one of the most dangerous forms of cyber attack because it can lead to data loss and victims are often left without any way to recover their files.

The first ransomware was created in 1989 by Joseph Popp (the AIDS Trojan), but it was not until the mid-2000s that encrypting ransomware reappeared, and CryptoLocker in 2013 made it mainstream. This kind of malware encrypts the files on the victim's computer (and on any shared drives it can reach) and then demands payment for the key to decrypt them. In 2014, CryptoWall ransomware was released, using the Tor anonymity network to make it difficult for law enforcement agencies to locate the attackers' servers.

Cyber criminals are always coming up with new ways to rob you of your money, and ransomware is one of the most popular. Published estimates of the average cost of an incident to a business run into the millions of dollars once downtime, recovery and lost clients are counted, and modern ransomware groups also steal data before encrypting it and threaten to publish it if the ransom is not paid.

Ransomware has been around for a long time and is only getting more sophisticated, so the average business needs to take measures to protect itself. Tools such as firewalls and antivirus (or EDR) software help, but the controls that actually limit the damage are tested offline backups, prompt patching, MFA, least-privilege access, and blocking untrusted macros and applications. Note that disk encryption such as BitLocker does not protect against ransomware: the malware runs as the logged-in user and encrypts files that are already unlocked.

A quick, simple safeguard is to turn on the anti-ransomware protection built into your operating system, for example Controlled Folder Access in Microsoft Defender on Windows, which stops untrusted programs from modifying files in protected folders. The ACSC also publishes a ransomware prevention guide and checklist that are worth working through.

#1 item to cover off in protecting your business

There is no magic wand for protecting your business with a tool or an app. The number one item to work on is your people and procedures. You have policies and procedures for everything else; it is time you implemented the basics for cyber security as well. Remember, people are the biggest risk to an organisation when it comes to cyber security, so inform staff of the policies and procedures and educate them on information security best practices.

Determine who can manage devices and access, and who needs access to what within your business in order to do their job. Use the principle of least privilege for access permissions; people can always ask for more access later. When an employee leaves, disable their accounts the same day, revoke any sessions, tokens and SSO access, and change any shared passphrases or passwords they knew.

Enable MFA/2FA on important accounts wherever possible, MFA is one of the most effective ways to protect your valuable information and accounts. Where MFA is not possible, use passphrases to protect accounts and devices or look for software that does have MFA. Passphrases are most effective when they are long, unpredictable and unique.

Using cloud software can reduce the need for your own regular backups, but check what the provider actually backs up and how far back you can restore: most cloud services will not recover data that you or a compromised account deleted weeks ago. Where you hold data yourself, use a tool or create a process to back it up regularly. Test your backups regularly by actually restoring data from them. Always keep at least one backup disconnected from your devices and your place of work, securely stored.

Train your staff in the basics of cyber security, the risks they face and why you use the tools you do. Provide updated cyber security training on a regular basis and make it a standing item on your weekly or at least monthly meeting agenda. This may include updating their personal devices like phones and laptops, securing their personal accounts with 2FA, and identifying scam messages. You can even use online tools to test your employees' defences and their ability to follow the processes you have implemented and discussed. TL;DR: add key policies and procedures, and review the Essential Eight.

The Essential Eight

The Australian Cyber Security Centre's Essential Eight is a baseline set of mitigation strategies for organisations; the notes below walk you through adopting each of them:

  1. Application Control

Application control regulates which programs can execute in your environment. Rather than trying to block known-bad software, you allow-list the applications, scripts, installers and libraries that are approved to run on your computers and network, and everything else is blocked by default.

  2. Patch Applications

Updating and patching applications keeps productivity systems secure and functional by ensuring all available updates have been deployed; most vendor updates are security fixes. The ACSC expects internet-facing software to be patched within two weeks, or within 48 hours once an exploit is publicly available, so "we will get to it next quarter" is not a patching policy.

  3. Configure Microsoft Office Macro Settings

Macros exist for a reason but are a common way in for malware. Blindly turning them off altogether creates overhead and friction for team members who genuinely need them. The better strategy is to configure Office macro settings based on origin and trust: block macros in files downloaded from the internet, allow only macros that are digitally signed by a trusted publisher or come from a vetted location, and prevent users from changing those settings themselves.

  4. User Application Hardening

User application hardening removes unnecessary and insecure features and settings from the applications people use every day: for example, stop web browsers from running Java or processing ads, block Office from spawning child processes, and configure PDF readers not to run scripts. Separately, review whether every team member needs every feature and every area of data in each application.

  5. Restrict Administrative Privileges

Restricting administrative privileges safeguards the keys to the kingdom. This control applies the principles of zero trust and least privilege: only grant admin rights to those who need them, give them a separate admin account that is not used for email or web browsing, and revalidate who holds those rights on a regular basis.

  6. Patch Operating Systems

Patching or updating operating systems secures the platforms we work on. Whether you run Windows, macOS or Linux, you also need to consider the operating systems on the myriad devices other than servers, desktops and laptops: tablets, mobile phones, printers, routers, switches and firewalls.

  7. Multi-Factor Authentication

Multi-Factor Authentication adds extra assurance to access and identity management by combining the password with a second factor such as an authenticator app, a hardware security key, biometrics or, as a last resort, an SMS code. Prefer phishing-resistant factors (security keys, passkeys) for administrators and for remote access.

  8. Regular Backups

Backing up your data regularly preserves critical business information and IP. Keep backups where a compromised user account cannot modify or delete them, test restores, and treat the backup plan as part of a broader disaster recovery strategy that is crucial to business continuity in a world rife with security threats.

Stay safe out there