1. Enforce Multifactor Authentication on Office365/Online Accounts
Multifactor authentication (MFA) is one of the most effective controls for stopping attackers from gaining access to devices, networks or sensitive information. It strengthens user logins to cloud services by requiring something more than a password (ACSC, 2020).
If MFA is switched on and your password is compromised, the password alone is not enough: the attacker also needs the second factor, which makes the account significantly harder to take over. Attackers do try to phish or pester users into approving that second step, so an authenticator app or hardware security key is preferable to SMS or voice-call codes where the service supports it.
For example, when a user signs in to Microsoft 365 they must approve a phone call, text message or authenticator app prompt after entering the correct password.
2. Using Correct Password Policies
The US National Institute of Standards and Technology (NIST) publishes the Digital Identity Guidelines (SP 800-63B), which many organisations use as the baseline for password policy and for meeting regulatory compliance requirements.
Several current NIST password best practices are:
Strength in numbers: The current guidelines set an 8-character minimum for user-chosen passwords and require systems to accept passwords of at least 64 characters, so users are free to choose long passphrases.
Remove the reset: Traditionally, many platforms forced users to change passwords every few months. Under the current NIST guidance this is no longer best practice: routine expiry is more detrimental than constructive, because users struggle to come up with strong new passwords and fall back on predictable variations. Passwords should be changed when there is evidence of compromise, not on a calendar.
Complexity isn't everything: Like the reset recommendation, NIST explains that composition rules (a mandatory digit, symbol and capital letter) lead to poor password behaviour. Users forget their complex passwords and end up creating weaker ones. Instead, NIST asks that new passwords be screened against a list of commonly used, expected or previously breached values.
Limit the attempts: NIST requires that an online attacker be limited to no more than 100 consecutive failed attempts on a single account; many organisations choose a lower threshold (10 is common) with a temporary lockout or an increasing delay between attempts. Either way, the limit is generous enough for a forgetful user but far too low for brute-force guessing.
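The four practices above translate into a small amount of code. The following is an added example (not from the original article, and not NIST's own code) of a password-acceptance check and a login throttle written to SP 800-63B's rules: a length floor and ceiling, no composition rule, NFKC normalisation before measuring length, a blocklist check, rejection of repeated or sequential runs, and a per-account lockout after a configurable number of consecutive failures. The blocklist is a constructed five-entry stand-in for a real breach-derived corpus, and the `max_failed` and `lockout_seconds` defaults are assumed local policy.

```python
import unicodedata
from typing import Dict, FrozenSet, List

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64   # SP 800-63B: verifiers must accept at least this many characters

# Constructed, deliberately tiny blocklist; a real deployment checks a large breach corpus.
COMMON_PASSWORDS: FrozenSet[str] = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})


def _has_run(pw: str, n: int = 4) -> bool:
    """True if pw contains n identical characters in a row (aaaa) or n consecutive
    ascending/descending code points (abcd, 4321)."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str = "", blocklist: FrozenSet[str] = COMMON_PASSWORDS) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means accept.

    There is deliberately no composition rule ("must contain a digit and a symbol"):
    SP 800-63B advises against them because they push users toward predictable
    substitutions instead of longer passwords.
    """
    pw = unicodedata.normalize("NFKC", pw)  # normalise before measuring length or storing
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in blocklist:
        reasons.append("appears in the common/breached password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if _has_run(pw):
        reasons.append("contains a repeated or sequential run of characters")
    return reasons


class LoginThrottle:
    """Counts consecutive failed logins per account and locks the account for
    lockout_seconds once max_failed is reached. The threshold is local policy
    (assumed here); SP 800-63B's ceiling is 100 consecutive failures per account."""

    def __init__(self, max_failed: int = 10, lockout_seconds: int = 900):
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed attempt; returns True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        if count >= self.max_failed:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
            return True
        self._failures[user] = count
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
```

Note what is absent: no "must contain a symbol" rule and no expiry date. The throttle keys on the account, which is what stops an online guessing attack against one user; distributed attacks that spray one password across many accounts need a separate per-source-IP limit, which this example does not attempt.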
3. Using a Secure Password Manager
Passwords can often be bothersome and difficult to remember. Typically, by the time you’ve learnt it, you need to change it again.
It may seem significantly easier to use one password across all sites, but this exposes your accounts to 'credential stuffing', where an attacker takes the usernames and passwords leaked from one breached site and replays them against other sites to access your data there.
Using a password manager takes the inconvenience out of creating and remembering strong and unique passwords.
A password manager is a virtual book of your passwords that requires ‘master key’ access specific to you. It not only stores everything, but also helps generate stronger, more secure passwords; in turn, preventing password theft and credential stuffing attacks (Whittaker, 2018).
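The following is an added example, not code from the original article or from any real password manager, showing the two mechanisms just described: a vault that is unlocked by one master password (protected with a salted, slow key derivation so a stolen vault file cannot be cheaply brute-forced) and that hands out a different random password to every site, plus a simulation of credential stuffing that replays a breach at one site against the others. The site names, the reused password and the breach are constructed for the example; the PBKDF2 iteration count is lowered for speed and is an assumption, not a recommendation. A real manager also encrypts the stored entries with the derived key, which this example omits.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Dict, List, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?/"  # 86 symbols
KDF_ITERATIONS = 200_000  # PBKDF2 work factor; lowered for the example, raise in production


def generate_password(length: int = 20) -> str:
    """Uniformly random password from the OS CSPRNG; one per site, never reused."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Guessing entropy of a random password of this length over ALPHABET."""
    return round(length * math.log2(len(ALPHABET)), 1)


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Slow, salted derivation so a stolen vault cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


class Vault:
    """Toy password manager: one master password gates access to per-site passwords."""

    def __init__(self, master_password: str):
        self.salt = secrets.token_bytes(16)
        key = derive_key(master_password, self.salt)
        # Store only a hash of the derived key, never the master password or the key.
        self._verifier = hashlib.sha256(key).digest()
        self._entries: Dict[str, str] = {}

    def unlock(self, master_password: str) -> bool:
        key = derive_key(master_password, self.salt)
        return hmac.compare_digest(hashlib.sha256(key).digest(), self._verifier)

    def add_site(self, site: str) -> str:
        self._entries[site] = generate_password()
        return self._entries[site]

    def get(self, master_password: str, site: str) -> str:
        if not self.unlock(master_password):
            raise PermissionError("wrong master password")
        return self._entries[site]


def credential_stuffing_hits(leaked: List[Tuple[str, str]], accounts: Dict[str, Dict[str, str]],
                             breached_site: str) -> List[Tuple[str, str]]:
    """Replay (user, password) pairs leaked from breached_site against every other site."""
    hits = []
    for site, users in accounts.items():
        if site == breached_site:
            continue
        for user, password in leaked:
            if users.get(user) == password:
                hits.append((site, user))
    return hits


def demo() -> Tuple[int, int]:
    """Returns (accounts taken over with a reused password, with vault-generated passwords)."""
    sites = ["shop", "mail", "bank"]
    # Constructed scenario: alice reuses one password everywhere and 'shop' is breached.
    reused = {site: {"alice": "Summer2020!"} for site in sites}
    leaked_from_shop = [("alice", reused["shop"]["alice"])]
    # Same user, same breach, but every site holds a vault-generated password.
    vault = Vault("correct horse battery staple")
    unique = {site: {"alice": vault.add_site(site)} for site in sites}
    leaked_unique = [("alice", unique["shop"]["alice"])]
    return (len(credential_stuffing_hits(leaked_from_shop, reused, "shop")),
            len(credential_stuffing_hits(leaked_unique, unique, "shop")))


if __name__ == "__main__":
    print(demo())  # (2, 0): the breach at 'shop' opens two more accounts only when the password is reused
```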
4. Regular dark web and compromised password scans
The dark web is a set of sites that cannot be reached through an ordinary browser or search engine; they are hosted on anonymising overlay networks such as Tor, which hide the location of the server. A large portion of it is dedicated to buying and selling stolen data, including personal and financial information.
A dark web scan checks your email addresses, usernames and passwords against databases of stolen information and alerts you if they are found, so you can reset the affected credentials before they are used against you (Rafter, 2020).
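As an added example (not from the original article or from the REDD service it describes), the following shows how a compromised-password scan can be done without ever sending the password, or even its full hash, to the scanning service. It implements the k-anonymity range lookup used by the Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix sharing that prefix, and finishes the comparison locally. The response data in `FAKE_RANGES` is constructed for the example (the one genuine entry is the well-known SHA-1 of the string "password"; the counts and other suffixes are made up), so the block runs offline; `fetch_range_live` shows the real call against `https://api.pwnedpasswords.com/range/` for a reader who wants to run it online.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the range API. Keyed by the 5-hex-character SHA-1 prefix the
# client sends; values mimic the "SUFFIX:COUNT" lines returned for that prefix. The
# 1E4C9B...68FD8 suffix is the real SHA-1 tail of "password"; everything else is invented.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "7A0C89BF5CE7F12B7B3D6E6F2C3BE4F7D32:0",   # padding row: count 0, never a real match
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Real lookup: only the 5-character prefix leaves the machine. Add-Padding asks the
    service to include dummy rows so response size does not leak which prefix was queried."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwcheck-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 means not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        line_suffix, _, count = line.partition(":")
        if line_suffix.strip() == suffix:
            return int(count)   # a padding row would carry 0 and so correctly report "not found"
    return 0


def scan_credentials(passwords: Dict[str, str], fetch_range: Callable[[str], str] = fake_fetch_range) -> Dict[str, int]:
    """Scan a user->password map and report only the accounts whose password is known-breached."""
    return {user: n for user, pw in passwords.items() if (n := breach_count(pw, fetch_range)) > 0}


if __name__ == "__main__":
    # Constructed sample: one user with a breached password, one with a strong one.
    print(scan_credentials({"alice": "password", "bob": "correct horse battery staple"}))
```

A password that comes back with any non-zero count should be treated as compromised regardless of how strong it looks, because attackers feed exactly these lists into credential-stuffing tools. Checking email addresses against breach data is a separate, authenticated API and is not shown here.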
5. Installing and Updating Next-Generation Antivirus Software
Legacy antivirus keeps your business in a reactive posture: it can only block malware that already has a signature in the vendor's database. According to CrowdStrike, legacy AV takes an average of three months to deploy, often relying on physical hardware installed on-premise, with further tuning and configuration required once installed.
Next-generation antivirus (NGAV) is cloud-managed and combines machine learning, behavioural detection and exploit mitigation, so it can block malicious behaviour it has not seen before rather than only catalogued samples. Because it is delivered as a cloud service, NGAV can be rolled out in hours, with no further hardware or software to procure, no infrastructure to deploy and far less ongoing maintenance (CrowdStrike, 2019). Like any agent, it still needs to be kept updated and its alerts need to be monitored to be effective.
6. Testing Backup and Data Recovery processes
It’s a well-known fact that regular data backups protect against the risk of storage system failure (Edwards, 2020). Less well-known however, is the fact that backups can fail. Without regularly confirming that backups are running successfully, in the instance your backup fails, your business has not only lost vital data, but also wasted storage, money and time.
Scheduling regular backup tests is essential to ensuring your data can actually be restored in the event of a system failure. As a general rule of thumb, backups should be reviewed weekly and/or monthly with checks of systems, apps and files to ensure the backed-up data is complete, intact and accessible.
Testing backups can be an arduous task. Automation should play a key role in your backup strategy; not only will it ensure greater data consistency and validity, it will also save time and effort.
A full restore of a backup to a test environment is also recommended at least annually to confirm the data is not corrupted and will be available when needed. If any issues are detected, the problem can be fixed before your business loses valuable data.
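The following is an added example of what an automated restore test looks like; it is not code from the original article or from any backup product. It takes a manifest of SHA-256 hashes at backup time, writes a compressed archive, restores it to a scratch directory (refusing archive members that would write outside it), and then reports every file that is missing or whose contents differ from the manifest. The sample files in `make_sample_data` are constructed stand-ins for a real file share, and the archive and directory names are assumptions for the example.

```python
import hashlib
import tarfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under src."""
    return {p.relative_to(src).as_posix(): sha256_file(p) for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write a compressed archive and return the manifest taken at backup time.
    Keep the manifest apart from the archive so a corrupted archive cannot also
    corrupt the evidence used to check it."""
    manifest = build_manifest(src)
    archive.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "w:gz") as tf:
        for rel in manifest:
            tf.add(str(src / rel), arcname=rel)
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract into dest, refusing members that would escape it (tar path traversal)."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tf:
        for member in tf.getmembers():
            name = Path(member.name)
            if name.is_absolute() or ".." in name.parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
        try:
            tf.extractall(str(dest), filter="data")  # safe extraction filter on Python 3.12+ and backports
        except TypeError:
            tf.extractall(str(dest))                 # older interpreter; members were vetted above


def verify_restore(manifest: Dict[str, str], restored: Path) -> List[str]:
    """Compare every manifest entry with the restored copy. An empty list is a pass."""
    problems = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"changed: {rel}")
    return problems


def run_restore_test(src: Path, work: Path) -> List[str]:
    """The scheduled job: back up, restore to a scratch location, verify against the manifest."""
    archive = work / "backup.tar.gz"
    manifest = create_backup(src, archive)
    restored = work / "restore"
    restore_backup(archive, restored)
    return verify_restore(manifest, restored)


def make_sample_data(src: Path) -> None:
    """Constructed test dataset standing in for the real file share."""
    (src / "docs").mkdir(parents=True, exist_ok=True)
    (src / "docs" / "policy.txt").write_text("backup policy v1\n")
    (src / "ledger.bin").write_bytes(bytes(range(256)) * 64)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        make_sample_data(base / "src")
        print(run_restore_test(base / "src", base / "work") or "restore test passed")
```

A job like this, run on a schedule and alerting on any non-empty result, catches the silent failures the text warns about: an archive that was written but is truncated, a file that the backup agent skipped, or a restore that completes with corrupted contents. The hashes are what make the check meaningful; "the restore finished without errors" alone does not prove the data is usable.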
Want to make your business’s digital environment more secure but aren’t sure where to begin? REDD can help. We offer advanced security services, protection and monitoring, including all aspects listed above, as part of our NextGenMSP services. Contact us today to see how we can help you.