Cyber Security Awareness Month – 31 Tips for IT Service Providers

Since 2004, the National Cyber Security Division of the Department of Homeland Security and the non-profit National Cyber Security Alliance have sponsored National Cyber Security Awareness month every October as a way to encourage individuals and businesses alike to be vigilant of cyber risks and best practices.

While cyber security is critical to keep in mind year round, the month of October offers us an opportunity to re-think our strategies for online security. In observance of this, we have compiled a list of tips to help you make sure your cyber security — and your customers’ — is up to date.

The Basics

1. Know that none of us are immune to the threats. When you think of data breaches, you probably think of Sony, or Target, or Anthem, but in reality, SMBs are often targeted by cyber criminals as well. In 2014, about 60 percent of all U.S. cyber attacks were aimed at SMBs, according to the Internet Security Threat Report by Symantec.
2. Protect yourself from social engineering and phishing attacks. For the most part, you can do this by using good judgement. For starters, don’t open emails from untrusted sources, and if you see an email that looks like it’s from a contact but seems suspicious, give them a call rather than responding via email.
3. Set up an intrusion-prevention system and security software on all computers. We recommend a combination of antivirus software, firewalls, and spam filters.
4. Travelers should take extra precautions to guard themselves from cyber threats and protect devices they take on the road. This includes backing up all files, removing sensitive documents and information from their devices, ensuring passwords are in use and that antivirus software is updated.
5. Schedule a recurring meeting on-site with your customer so you can check to see if all their safeguards are working properly.
6. Don’t wait until something goes wrong. Be proactive by talking with your customers now about the threats to their business and how they can protect themselves. Check out this webinar that we held with My Digital Shield for tips on approaching your customers about cyber security.

Raising awareness

7. Use stats to communicate the importance of this topic to your customers. For example, roughly, 81 percent of all data breaches happen to small businesses, and 60 percent of SMBs that are breached go out of business within six months.
8. Teach end users how to protect themselves from attacks. For example, show them how to turn off auto-downloads for attachments and to save and scan attachments before opening them.
9. Show your customers examples of what an attack might look like from the end-user perspective. Examples like these ones make your guidance about safe behavior online more effective. Also, show them what it would look like if their system got infected by malware, so they know to alert someone right away if they see the warning signs.
10. Keep your customers informed about current threats with an email blast or webinar, or by including a cybersecurity section in your customer newsletter.
11. Schedule regular refreshers and tests with end users on best practices for password management and protecting themselves from phishing and keylogger scams. Encourage them to participate by offering rewards to people with the top scores.
12. Encourage your customers’ employees to share potential errors, such as accidentally clicking on a suspicious link, with others in order to minimize the amount of time between a potential breach and getting it fixed.

Staying Up-to-date

13. Failing to update operating systems can pose a serious threat. SMBs should be migrated over to secure, up-to-date OSs. For example, if any of your customers are still running Windows Server 2003, use it as a way to create a new service opportunity.
14. Having a firewall or antivirus software doesn’t mean a business is protected. An all too common mistake is not keeping up with subscriptions or updates on these tools. MSPs can help add value by checking in on their customers to make sure they’ve conducted recent updates.
15. Keep PCs and servers protected with regular AV scans. Monitor them to make sure that the definitions are current and up to date.

Protecting Passwords

16. Make sure you have a password policy in place — both within your own company and for your customers’ operations.
17. Stop writing down passwords and storing them right in plain sight! Teaching customers ways of generating secure but easy-to-remember passwords seems like a difficult task, but it can be a game changer for security threats.
18. Avoid password reuse. If hacker gains accesses to one of your accounts and all (or most) of them use the same password, you’re in trouble.
19. Set recurring expiration dates for passwords. If you don’t do this, you increase the odds of former employees accessing your system. The small inconvenience of having to reset passwords intermittently will be outweighed by the benefits of knowing only current employees have access.
20. Consider offering password management as a service. Not only does this address a need for your customers, it will cut down on support tickets, create brand loyalty, and increase your revenue potential. Check out the webinar we did with Passportal on this topic.

Backups Matter

21. Schedule regular backups. Some cloud backup offerings provide the advantage of sophisticated version histories, which is a critical component to successful restores. If you only back up a single version of your files, it is possible that your software has backed up an infected or corrupt file. By saving as many revisions as possible, solution providers have a better chance of restoring to a clean version of their data in the event of a cyberattack.
22. Schedule multiple types of backups. For example, Intronis offers image, file, and virtualization backup. Take advantage of options like these, and use at least two of those methods on each server you back up. Depending on the reason for the restore, one backup type may be more useful than another. According to one of our Partners, here’s a scenario where this works: You find a file is missing, and when you look to restore you notice it went missing beyond the two weeks that you keep on image backup. However, since you did file backup as well with say one month or one year retention, you’re able to restore the file easily. (Thanks for the tip, Eric!)
23. Dispose of old data the right way by effectively erasing files. We recommend complete physical destruction of devices such as hard drives, or leveraging a “secure delete.” According to the U.S. Computer Emergency Readiness Team, reformatting your hard drive, CD, or DVD may superficially delete the files, but the information is still there. Unless those areas of the disk are effectively overwritten with new content, it is still possible that knowledgeable attackers may be able to access the information.

Wi-Fi Wisdom

24. If your customer has a guest Wi-Fi, separate it from the company network. Our friends at My Digital Shield suggest separating it from the company network with two separate routers or a system that provides that separation for you. This will ensure that any threat that enters via the public Wi-Fi won’t cross over to the business system.
25. The FCC recommends making workplace Wi-Fi networks secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID).

Policing Policies

26. Keep an eye on permissions. When it comes to granting access to important data and applications, it’s not a case of the more, the merrier. You’ll want to speak with key stakeholders to figure out who truly needs access. Then, use that information to limit access accordingly, making sure that everyone knows who has access to what.
27. Implement data retention policies. Not only does this help support compliance in many highly regulated verticals, but it mitigates the risk associated with stolen data. Unneeded data can only be stolen if you keep it around.
28. Use encryption policies like military-grade 256-AES (Advanced Encryption Standard) encryption technology to secure customers’ data stored in the cloud, and use SSL (Secure Sockets Layer) encryption technology for their data in transit. To make your security policy even stronger, look for a data protection solution that uses private key encryption (PKE) technology.
29. Consider compliance. Levels of regulation vary from industry to industry, but it’s critical to think about how security policies can be leveraged to help with compliance needs. Service providers should help customers determine and understand what they are liable for, and factor that into security plans.
30. Have a disaster recovery plan in place so if something does go wrong you know what to do. This includes identifying the types of risks you need to prepare for, analyzing the potential impact of the threats, and testing and optimizing a plan. For tips on putting together a DR plan, check out this blog post.
31. Consider cyber insurance. This is relevant for both SMBs and MSPs alike, not as a replacement but as a compliment to effective security policies. Since your customers rely on you for IT support, it’s only a matter of time before someone decides that the MSP should be held responsible when things go wrong, as this post in MSPmentor points out.