ESET Security Evangelist Tony Anscombe takes you through his tips and tricks for business cybersecurity.
Business Cybersecurity Tips & Tricks - 2FA
To add a layer of security to any online platform, a username and password are generally required. However, additional safety has become a must. The use of 2FA - two factor authentication, has become best practice, when protecting anything mildly important. This second factor, is an additional code generated from something physical that you have with you, a card, token or mobile phone. It can be referred to as simply ‘something you have and something you know’.
Without realizing it everyone frequently uses a form of two factor authentication. Your ATM card is protected by a PIN and to get money out of the cash machine you need to have the card and know the PIN, something you have and something you know.
To protect sensitive information such as customer data or access to company bank accounts online services, use two factor authentication to confirm your login or for transaction confirmation. For example, you can login to your business bank account through a web browser but as soon as you try and transfer monies then the bank can send a one-time password to your mobile phone or a token, you then need to enter the code into the browser to authenticate.
Do AV companies create viruses and malware?
Of course they don’t!
Anti-Virus companies absolutely don’t need to create the viruses. The world is full of cybercriminals and spy agencies doing enough of that already. While many of us love a good conspiracy theory, this is one that is just not true. There are hundreds of anti-virus companies all of which compete and whose employees continually move around for career progression.
If any one of these companies created malware then someone somewhere would spill the beans for competitive advantage so they could make more money themselves.
Business Cybersecurity Tips & Tricks – Encryption
Is encryption too complicated for your business? The answer is NO. It just sounds complicated.
Encryption is not new. It all started with the ancient Greeks sending messages by substituting letters that could only be decrypted if you knew the secret key. It could be as simple as shifting each letter of the alphabet to the left or right by a certain number of positions - the key.
As only the intended recipient of the message knew the key; to everyone else the message looked complete gibberish. Sounds simple, right?
But today, you may hear people talking about public and private keys, asymmetric encryption, AES, SSL and so on. Sounds complicated, right?
The Greek system required both ends to know the key. Today’s encryption does not. Imagine an envelope that you can lock with a key. So rather than me sharing the key with you I send you the unlocked envelope.
You place a message in the envelope and snap it locked and send it back to me. I can unlock it as I have the key. This is kind of how public and private key encryption works. Starting to sound simple, right?
Updates and Upgrades
Computers, tablets, smartphones and others such as IoT devices (Internet of Things) are complex and have both vulnerabilities and weaknesses that we may not be aware of.
However, we are continually bombarded with messages toupdate, upgrade, patch and download new versions of apps and operating systems. The attitude of ‘don’t fix something that isn’t broken’ means that many updates are not deployed on company networks to avoid the inconvenience of scheduling and possible compatibility issues.
Keeping operating systems and applications up to date is one of the best ways to protect devices from being hacked. Cybercriminals seek out vulnerabilities in software and exploit them to gain access to devices and company data. Installing the recommended patches, updates and upgrades helps fix the vulnerabilities and keeps devices secure.
There can be additional reservations about installing updates. For example, will all the business critical applications that rely on the software work after the update? The need to test the compatibility of the update should be a priority, especially when an update is marked as a critical security patch, and without it there is a higher risk of cybercriminals penetrating the layers of defense used to keep the company assets protected.