Continuing our journey, we now have some idea of how malware gets onto our systems. Now we’ll explore how to defend ourselves from it. Our focus is minimizing our attack surface, which is a fancy way of saying taking steps to defend each of the different vectors malware comes in through. I’ll tell you right now, the steps can seem tedious, annoying, or expensive. I can assure you they are worth it. According to a recent study reported by Forbes, 1 in 5 small businesses suffers a cyber breach each year, 81% of all breaches happen to small and medium-sized businesses, and, even worse, 97% of them could have been prevented with today’s technology. This is not an unsolvable problem. The good news is that the techniques and tools are already out there; we just have to adopt them. The inconvenience of adopting stronger security practices is well worth avoiding the harrowing process of picking up the pieces after a breach. So let’s go over the steps to take. We’ll focus on three major pieces: Training, Software, and Practices.

Training: No matter how sophisticated a system we have, with encryption, filters, security software and the like, it all starts with user training. You and your company’s users are the last line of defense. An attacker will eventually get some kind of bait email or seemingly innocuous request through the spam filter or over the phone, and the user must smell the rat. It is no longer acceptable to say, “Oh, I’m not good with computers” or “How was I supposed to know it was a fake email?” There are numerous resources available to educate yourself and your users to spot a fake email or link. Hover over a link to see where it’s really taking you: is the destination the site you expect, or somewhere sketchy? Does the sender’s display name match the address and domain the message actually came from? Were you expecting the email? Is it strangely vague, like an application for “the position” that never says what the job actually is? Test yourself and others with phishing IQ tests, like the one from SonicWall. On top of the online quizzes, have users take a training course. We offer a Security Awareness Training package that not only provides course training but also sends test phishing emails, so you know which employees are most susceptible and need extra training.
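The checks above can also be automated, which is what the spam-filter features discussed in the Software section do for you. Here is an added example, not code from the original post or from any product it mentions, run on a constructed sample message (the sender, domains and attachment name are made up): it does the “hover over the link” check by comparing the visible link text with the real href, checks whether the link domains match the sender’s domain, and looks inside an Office attachment for a macro part even when the file has been renamed to .docx.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Office uses for macro-enabled documents.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm", ".ppam")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list, so 'example.co.uk' would be handled
    wrongly; adequate for this demonstration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, visible text)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def attachment_has_macros(payload: bytes, filename: str) -> bool:
    """Macro-enabled by extension, or an OOXML zip carrying a vbaProject.bin
    part (a renamed .docm still contains the macro part inside the zip)."""
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def analyze_message(raw: bytes) -> list[str]:
    """Return human-readable findings for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    _display_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender_addr.partition("@")[2])

    html_body = ""
    for part in msg.walk():
        filename = part.get_filename()
        if part.get_content_type() == "text/html":
            html_body += part.get_content()
        elif filename:
            payload = part.get_payload(decode=True) or b""
            if attachment_has_macros(payload, filename):
                findings.append(f"macro-enabled attachment: {filename}")

    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # "Hover over the link": the visible text names one site, the href another.
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                findings.append(f"link text shows {text_host} but points to {href_host}")
        # Does the link domain match the domain the email claims to come from?
        if href_host and registrable_domain(href_host) != sender_domain:
            findings.append(f"link to {href_host} does not match sender domain {sender_domain}")
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message (not a real capture): a renamed
    macro document plus a link whose text and target disagree."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for the macro part
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <helpdesk@example-mail.test>'
    msg["To"] = "user@yourcompany.test"
    msg["Subject"] = "Action required for the position"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(
        '<html><body><p>Your account needs verification.</p>'
        '<a href="http://login.microsoft-verify.test/secure">https://login.microsoft.com</a>'
        "</body></html>",
        subtype="html",
    )
    msg.add_attachment(
        doc.getvalue(),
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="invoice.docx",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyze_message(build_sample_message()):
        print("FLAG:", finding)
```

On the sample message this reports three findings: the renamed macro document, the link whose text says login.microsoft.com while the href goes to microsoft-verify.test, and the mismatch between that link and the sender’s example-mail.test domain. A real filter would add a public-suffix list and a reputation lookup, but these three checks alone catch the classic “click here to verify your account” lure.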

Software: While user training stops the bulk of phishing attempts, software defenses are an additional layer that protects against threats users never see, or keeps a malware package from reaching the user in the first place. With email being the most likely vector, a robust spam filter is a must. Look for a spam filter that inspects attachments for macros and checks whether the links in an email point to the same domain the email claims to come from. It’s not enough to check whether the message came from a known spam server. For threats users don’t see, advanced endpoint security software such as SentinelOne is necessary for any business that handles sensitive information. For a more casual business, a robust antivirus is needed, and we highly recommend Webroot. Relying on Windows Defender or other free products alone simply does not provide the protection a business needs. Webroot and SentinelOne also provide web filtering on the machine, so malware served through a legitimate website (like the “Call Microsoft” tech-support scam pop-ups that appear on popular home pages) is blocked, and users don’t have to deal with a pop-up that refuses to close. Beyond something that detects and responds to threats, it’s important to watch the security logs on your devices for anything trying to log in as an administrator that shouldn’t be (why is a PDF reader trying to sign in as an administrator and talk to my server?). Software like EventTracker automates gathering those logs and can alert you to suspicious activity. This shifts your defensive strategy from reactive to proactive, so you can stop threats instead of discovering them later. Another action you must take is to keep up with software updates. They are a pain, and occasionally a bad update does more damage than a virus would. The solution to that problem is a patch management system. We have a system that tests patches before deploying them: if an update breaks a feature or breaks your PC, the patch is held back until the vendor fixes it, so you get the security coverage without the broken machine.
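As an added example (not EventTracker’s logic or code from the original post), here is what the log watching described above looks like in code: three simple rules run over constructed Windows Security-style events (4624 successful logon, 4625 failed logon, 4688 process creation). The admin accounts, the one workstation admins are allowed to log in from, the hostnames and the thresholds are all assumed values for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Environment facts the rules depend on. All hypothetical; adjust to your network.
ADMIN_ACCOUNTS = {"administrator", "it-admin"}
ADMIN_SOURCE_IPS = {"10.0.0.5"}   # the only workstation admins should log in from
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=2)

# Constructed events in the shape of Windows Security log records (not real logs).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:55:00", "event_id": 4624, "user": "it-admin",
     "ip": "10.0.0.5", "host": "FILESRV01"},                       # expected admin logon
    {"time": "2024-05-01T09:00:00", "event_id": 4624, "user": "Administrator",
     "ip": "203.0.113.7", "host": "FILESRV01"},                    # admin from the internet
    {"time": "2024-05-01T09:01:00", "event_id": 4688, "user": "jsmith", "host": "WS-12",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "2024-05-01T09:02:00", "event_id": 4688, "user": "jsmith", "host": "WS-12",
     "parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\notepad.exe"},               # benign process tree
    {"time": "2024-05-01T09:05:00", "event_id": 4624, "user": "jsmith",
     "ip": "203.0.113.7", "host": "FILESRV01"},                    # ordinary user, no rule
]
# Five failed logons for the admin account from one address inside two minutes.
for clock in ("09:03:00", "09:03:20", "09:03:40", "09:04:00", "09:04:20"):
    SAMPLE_EVENTS.append({"time": f"2024-05-01T{clock}", "event_id": 4625,
                          "user": "administrator", "ip": "198.51.100.9", "host": "FILESRV01"})


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the three rules over the events in time order and return the alerts."""
    alerts = []
    failures = defaultdict(deque)   # (source ip, user) -> recent failure timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        eid = ev["event_id"]
        user = ev["user"].lower()
        # Rule 1: an admin account logging in from somewhere admins never work from.
        if eid == 4624 and user in ADMIN_ACCOUNTS and ev["ip"] not in ADMIN_SOURCE_IPS:
            alerts.append({"rule": "admin-logon-unexpected-source", "time": ev["time"],
                           "detail": f"{user} logged on to {ev['host']} from {ev['ip']}"})
        # Rule 2: an Office or PDF application spawning a shell or script host,
        # the "why is a document talking to my server" case.
        elif (eid == 4688 and basename(ev["parent"]) in OFFICE_PARENTS
              and basename(ev["process"]) in SCRIPT_CHILDREN):
            alerts.append({"rule": "office-spawned-script-host", "time": ev["time"],
                           "detail": (f"{basename(ev['parent'])} started "
                                      f"{basename(ev['process'])} on {ev['host']} as {user}")})
        # Rule 3: repeated failed logons from one source within a sliding window.
        elif eid == 4625:
            recent = failures[(ev["ip"], user)]
            recent.append(when)
            while when - recent[0] > FAILED_LOGON_WINDOW:
                recent.popleft()
            if len(recent) == FAILED_LOGON_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append({"rule": "repeated-failed-logons", "time": ev["time"],
                               "detail": (f"{len(recent)} failures for {user} from "
                                          f"{ev['ip']} within {FAILED_LOGON_WINDOW}")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["time"], alert["rule"], "-", alert["detail"])
```

Run against the sample, the ordinary user logon and the explorer-to-notepad process tree are ignored, while the three suspicious patterns each produce one alert. The point of collecting logs centrally is that rule 3 only works when you see events from every server in one place, and rule 2 only works when process creation auditing is switched on; a log product does the collection, but someone still has to decide what “normal” looks like for your network.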

Practices: Software is a great back-end defense, but another necessary piece is understanding where you stand and what your risk is. Running a security assessment is crucial: which machines are actually patched? Which passwords have gone stale? Which ports have I left open to the outside? Understanding and quantifying your cybersecurity risk is necessary for any business; with your risk quantified, you can decide what is acceptable and what is not. It’s also important to lay out how you will recover if an incident does happen. You will never have a risk of 0%, because that’s the world we live in, and anyone who promises 0% risk is lying! With that in mind, have a recovery plan. A robust backup system is key to getting critical systems back up and running, which means backups kept where malware on your network can’t reach them and tested by actually restoring from them. Backups are your true last line of defense; without them there may be no way to come back.

The last and most important piece is passwords. It is almost impossible to defend against someone who can successfully impersonate you using a password stolen from somewhere else. We highly recommend using a password manager (a “password wallet”) that creates a different password for every website and program. That way, if someone steals your LinkedIn password, they can’t log into your Dropbox or guess your Amazon password with it. You will still have to remember the password to your password manager and the password to your computer; for those, use unrelated, complex passwords: capitals, lowercase, numbers, symbols, and at least 10 characters (longer is better). Yes, it’s tedious, but with a manager you only have to remember two. Make it a song lyric, a favorite poem, a funny slogan, something nobody could guess even if they knew you (or spent enough time on your social media to learn about you). As an additional step, you can sign up for a dark web monitoring service that checks whether your credentials were stolen somewhere and are for sale on a dark web forum. While it’s nice to know, if you have been reusing passwords and haven’t changed them, it’s safer to assume your credentials are already out there.

It is a scary world out there, but there are steps you can take now to protect yourself from most of the threats you will face. It is worth investing in the tools to keep your company safe, and it’s not reinventing the wheel. Sure, there will be hiccups rolling out new policies and taking the time to survey your attack surface, but it is a necessary step in protecting yourself. As Ben Franklin said, an ounce of prevention is worth a pound of cure.