November 30 has marked Computer Security Day every year since 1988, but 2020 likely marks the most important time for cybersecurity in the past 32 years. The COVID-19 pandemic has increased our reliance on technology to support nearly every aspect of our businesses. Cyberattacks have increased at an unprecedented rate, preying on the chaos and uncertainty of the last 10 months. In March, coronavirus themed phishing scams grew by nearly 700%. Over the summer, ransomware operators shut down entire companies and even endangered human lives. Worse still, companies big and small have slashed cybersecurity spending as the effects of stay-at-home orders and economic uncertainty take hold.
The result is that when it comes to cybersecurity, most organizations are now forced to do much more with much less. To help our fellow business owners and IT heroes accomplish this, we’re sharing some of the lessons we learned when building our Small Business Cyber Defense package. We knew we had to pack maximum value into something that was both effective and affordable, and to do that we put months of careful research into everything from price to performance. Here’s a couple of quick Do’s and Don’ts to help you maximize your cybersecurity investments through 2020 and beyond:
Don’t: Spend lots of money on antivirus. Yes, your business needs A/V, but spending more doesn’t equate to more protection. In fact, cheap or free options often rival the protections offered by their more expensive counterparts. The reality is that every antivirus product on the market can be sidestepped by even a novice attacker. Some products may have easier management or integration that may warrant the cost, but if money is a concern, it’s best to reallocate some or all of what you’re spending on antivirus programs to other security mechanisms.
Do: Use a DNS-filtering service. DNS acts as the phone book of the Internet, translating domains like “example.com” into the numbered Internet Protocol (IP) addresses that devices actually use to communicate. While this service is normally provided by your Internet Service Provider (ISP), switching your DNS lookups to a service like Cisco Umbrella, DNS Filter, or WebTitan can dramatically increase security and performance. These services examine every request for security threats in realtime, and can block malicious requests well before they get a chance to infect your systems. Even better, they often require little to no configuration on end-user devices, and can protect devices that roam between networks.
Don’t: Rely only on your firewall. Firewalls are essential elements in protecting your internal network, but offer little to no protection for employees working from home. In fact, remote access VPNs offered by many firewalls are prime targets for hackers, especially during the pandemic. Compromising a remote access VPN effectively renders a firewall irrelevant, and gives a hacker free reign in the most sensitive parts of your network. In addition, hackers have spent decades learning how to bypass even Enterprise-level firewalls costing as much as $50,000 or more. Again, cheap or even free options like pfSense can be just as effective as pricy solutions.
Do: Use Multi-Factor Authentication (MFA). MFA adds an extra layer ontop of traditional username/password logins by requiring an additional factor like a smartphone, security code, or hardware token. This goes a long way towards increasing security no matter where your employees work from. Options like Duo Security use flexible implementations that can be carefully tuned to your environment. For example, you can require employees working from home to have antivirus protection and up-to-date software, even if you don’t manage their personal devices.
Don’t: Buy into Artificial Intelligence or Machine Learning Hype. Many security vendors will tout the artificial intelligence or machine learning capabilities of their products. This is almost entirely marketing fluff. While many products do use machine learning, it basically boils down to a form of pattern matching. A modern attacker’s tool kit is loaded with programs and techniques to avoid being recognized. AI may eventually play a huge role in cybersecurity, but for now it’s a pipe dream.
Do: Invest in Your Humans. Security Awareness Training is probably the biggest area where organizations of all sizes need to spend more. There is simply no substitute for a well-educated workforce practicing good “cyber hygiene” – leveraging good passwords, avoiding suspicious links, and so on. There’s plenty of good, low-cost options for quality training, including Wizer, Habitu8, KnowBe4, and Ninjio.
If you’d like help prioritizing your cybersecurity budget, please don’t hesitate to contact us today!