Security: Where to Start

We don’t have budget for that!   

Today, with the rise of ransomware, small businesses are not likely to get a second chance; the cost of a single breach may be overwhelming.
We will look at cost-effective ways to increase security without breaking the bank.

Path of least resistance:
People: your staff is BY FAR the weakest link and the easiest to exploit. Deep technical knowledge is not required to fool people.
"You have won the Spanish Lottery! Just click this link to claim your prize!" Most of us have seen this and know it's a ruse. The percentage of people who fall for it is low, but email is free, so attackers just send to more people.

-Filter email with a product that tests or removes links. Gmail does a respectable job for free.
-Educate your staff not to be duped by phishing scams.
-Test your staff with PhishSim; it's free, online, nothing to install. Gamify the results and give out prizes. A single ransomware attack will cost 10x more than any Tim Hortons card you give as a prize.
-Name your guest wireless "DontClickLinksInEmail".
-Mount a large monitor in the lunch room and have Firefox cycle through online security posters, announcements, events, calendars, WHMIS safety posters, etc.

  Update, Update, Update
-Upgrade to Windows 10. It is still a free upgrade from Windows 7 (search for it). Windows 7 stopped receiving security updates in January 2020, so anything still running it is accumulating unpatched holes.
-Set Windows PCs to auto-update. You will get complaints about lost productivity, but that is preferable to identity theft. Make a policy and stick to your guns.
-Set PCs to turn themselves on at 6am Monday using the BIOS/UEFI wake timer, then let them update. Teach employees to save their work and shut down for the weekend.

  Browser Drive-By;   links in places other than email
-Stop using Internet Explorer; its only purpose is to download a secure browser. See Firefox/Chrome. (Edge now uses the Chromium engine and supports Group Policy, yay!)
-Turn off Flash and JavaScript for all sites except trusted ones, using the uBlock Origin extension for Firefox/Chrome. Flash itself reached end of life at the end of 2020; if it is still installed anywhere, uninstall it rather than just disabling it.
-If you have a domain, use Group Policy to set Flash and JavaScript off by default and allowlist trusted domains. In Chrome/Edge the relevant policies are DefaultJavaScriptSetting (2 = block) and JavaScriptAllowedForUrls (the allowlist).

  Free software
-Teach users to download crap-ware at home, not at work. No kitty-cat mouse pointers.
-Enforce this by blocking the download of executable files. If your firewall can't block downloads, you're using the wrong firewall.
-SMBs should consider Windows 10 in S mode, which only allows installs from the Microsoft Store (at least it is scrutinized a little).

  Don’t use a wireless router as your firewall.
-First recommendation: invest in a Fortigate firewall. If you are too small to afford one, investigate pfSense or OPNsense (open source/free); each can turn an old PC with a second network card into a firewall that is far faster than any consumer router.

  Your Internet stuff
-Close inbound TCP ports. Move services (email, website) off-site or to the cloud when possible. There are lots of inexpensive web-hosting and email services; let them take the risk (see Proton Mail). Once you think everything is closed, scan your own public IP from outside (nmap from a home connection will do) to confirm nothing is still listening.
-Reduce your attack surface. China and Russia are not your target audience; block them (pfSense/OPNsense can do this with the pfBlockerNG package). Your risk is substantially reduced when you slice off large portions of the internet. Treat this as noise reduction, not a control: a determined attacker simply rents a server in your own country.
-DNS is the underpinning of the web. Use free tools like MxToolbox to check your DNS records. Add an SPF record so nobody can send fake email that looks like it is coming from your company; SPF only covers the envelope sender, so add DKIM and a DMARC record as well once SPF is in place. Use a filtering DNS service like OpenDNS or Quad9.

Cloud services
They are reachable by the entire internet, so you need MFA for all of them. Start with your email, as it is used to reset the password for every other cloud service. Most cloud services will let you allowlist your public IP so you never need to use MFA at the office; only do that if the office sits behind a real firewall on a static IP, because that address then becomes a valuable target.
If a cloud service doesn't support MFA, replace it with one that does.
Prefer MFA that uses an authenticator app like Google Authenticator. SMS codes can be stolen by SIM swapping.

Cell Phones
Ensure every employee's carrier account has a PIN that is required before the carrier will change their phone or service (this is the control against SIM swapping). Keep copies of those PINs in a central, secured location.

It's a Journey
That's a long list. Do the parts you can and get help with the confusing bits. Search for everything. Get a co-op student: inexpensive and recently trained.
Money spent on security is money you won't need to spend on breach cleanup.

Steve

sduncan