Understanding Cyber Threats and How to Protect Your Business
Today's threat landscape includes ransomware, phishing attacks, and data breaches, and every business needs effective strategies and solutions to guard against these evolving threats.
There are many strategies you can put in place. This article is meant to start your thinking and discussions when evaluating your security situation; it is not all-encompassing. Depending on your specific situation, you may skip some of these suggestions or implement additional items that are not covered here.
Common things to evaluate when considering security are the firewall/VPN, cloud and third-party software, endpoint protection, DNS, email scanning, the network, backups, monitoring software, automated deployment, updates, training and communication, and auditing.
Firewall/VPN
Your firewall and VPN are your first line of defense between the internet and your network. Make sure you are using a modern device. Older hardware may no longer receive firmware updates, leaving it exposed to known attacks; exploits for those known vulnerabilities are typically published, so anyone can find step-by-step instructions for attacking an unpatched device. Make sure your VPN software is also patched and modern. Old software is as bad as old hardware.
Authentication for your VPN should use your network's central account list (your directory, such as Active Directory). Having two places to update when a team member joins or leaves the organization is one place too many. If disabling the person at the network level also disables their VPN access, then fixing one spot fixes both.
Even if you are using modern technologies, make sure they are properly patched. As issues are found, vendors make patches available to plug the holes found. It is up to you or your MSP to apply these patches to keep your hardware updated and secure.
Only traffic that needs to pass through the firewall should be allowed. If a port is open, why is it open? Does it still need to be? Software you used two years ago may have needed a hole in the firewall; if you no longer use that software, close the hole so no one can use it to attack your network. If you do have to open a hole, can you tighten it? For example, even if you must open port 8080, can you restrict it to a specific IP address or range? Then only traffic from that address or range is allowed through, which minimizes your exposure. Write down who asked for each rule and when it should be reviewed, so the question "does this still need to be open?" gets asked again later.
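The following is an added example, not code from the original article: a small default-deny policy evaluator in Python that models the two habits described above (restrict an open port to a source range, and periodically re-justify every rule). The ruleset, the `owner` and `review_by` fields, and the addresses are all constructed for illustration and are not a real network's policy.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule. Traffic matched by no rule is denied (default deny)."""
    port: int
    source: str       # CIDR the traffic must come from; "0.0.0.0/0" means anyone on the internet
    owner: str        # hypothetical field: who asked for the hole
    review_by: date   # hypothetical field: date after which the rule must be re-justified


# Constructed ruleset for illustration; not a real network's policy.
RULES = [
    Rule(443, "0.0.0.0/0", "web team", date(2025, 12, 31)),
    # Port 8080 is open, but only to one partner range (203.0.113.0/24 is a documentation range).
    Rule(8080, "203.0.113.0/24", "integration vendor", date(2025, 6, 30)),
    # Left over from a remote-support tool retired long ago; its review date has passed.
    Rule(5900, "0.0.0.0/0", "old remote-support tool", date(2023, 1, 31)),
]


def is_allowed(rules, src_ip: str, dst_port: int) -> bool:
    """Allow only if some rule matches both the destination port and the source address."""
    src = ip_address(src_ip)
    return any(r.port == dst_port and src in ip_network(r.source) for r in rules)


def stale_rules(rules, today):
    """Rules whose justification has expired: close them or get them re-approved."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [r for r in rules if r.review_by < today]


def wide_open_rules(rules):
    """Rules that accept the port from any source; candidates for tightening to an IP range."""
    return [r for r in rules if ip_network(r.source).prefixlen == 0]


if __name__ == "__main__":
    print(is_allowed(RULES, "203.0.113.7", 8080))   # partner range -> True
    print(is_allowed(RULES, "198.51.100.9", 8080))  # anyone else -> False
    for r in stale_rules(RULES, "2025-02-04"):
        print("review or close:", r.port, r.owner)
```

On a real firewall the same idea is expressed in the vendor's rule syntax; the point of the model is that every allow rule names a port, a source range, an owner, and a review date, and that anything not explicitly allowed is dropped.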
MFA
Multifactor authentication (MFA) means that after you log in with your username and password, a code is sent to or generated on a device you hold, and you enter that code as further proof that it is really you. The idea is to combine something you know (the username and password) with something you have (the device that generates or receives the code). Time-based codes are typically valid for only 30 seconds (with a small tolerance for clock skew), so even if an attacker captures a code, it is useless shortly afterwards.
MFA is a good step for securing logins to your network and elsewhere. A hardware token (dongle) or a phone can be used. Today almost everyone carries a cell phone, so using it for MFA means one less thing for a team member to carry (or forget to carry) and is a natural choice. Text-message codes are the weakest option, since phone numbers can be hijacked; an authenticator app or hardware key is preferable where team members will accept it. You may get push-back from team members about having an authenticator app on their phone or receiving text messages on it. This may require a discussion between team members and management to understand each other's concerns and come up with a compromise.
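As an added example (not from the original article), here is the time-based one-time password scheme that authenticator apps implement, written in plain Python with the standard library. It uses the published RFC 4226 / RFC 6238 test secret so the values can be checked against the RFCs; a real deployment generates a random secret per user. The verifier shows the two properties the text relies on: a code is accepted only in its 30-second window (plus one step of skew each way), and a code that has already logged someone in is refused if replayed.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). Never use a fixed secret in production.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    truncated = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check that accepts a code only inside its window and only once."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps   # tolerate this many steps of clock skew either way
        self.used = set()                # (counter, code) pairs already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        now = int(unix_time) // self.step
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):     # constant-time comparison
                if (counter, code) in self.used:
                    return False                        # replay of a code already used to log in
                self.used.add((counter, code))
                return True
        return False


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)                 # RFC 6238 vector: "287082"
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print(code, verifier.verify(code, 59), verifier.verify(code, 70), verifier.verify(code, 150))
```

The `used` set is what stops an attacker who phishes a code and replays it a few seconds later; the narrow window is what makes a code captured a minute ago worthless.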
Cloud/Third-Party Software
Are you using cloud or third-party software? Does it require a login? What are its password policies? Is it the same login as your network, or a separate password? Does it use MFA? Is the outside software or cloud installation itself secured? What are the vendor's backup and disaster recovery policies? These are all questions to ask when evaluating outside software. Some software will integrate with your directory (Active Directory or single sign-on), which gives you one place to control system access: when someone leaves the company, disabling or locking their account in your directory locks them out of the outside software as well. That means a faster response and one less thing to remember when adding and removing team members.
By understanding your vendor’s backup and disaster policies, you will learn if they align with your requirements and expectations. The time to find out the vendor only does weekly backups is not when you need to restore to yesterday.
Endpoint Protection
If you’re not familiar with the term endpoint protection, think of virus scanning software like Norton Anti-virus, but more. Endpoint protection software does typically include virus scanning software, but should also include malware scanning, usage pattern analysis, and defensive capabilities.
Scanning for viruses and malware is something we are all familiar with: a file arrives that matches a known signature or name, and it is quarantined or removed from the machine. Some modern endpoint protection can also roll back the changes a piece of malware made during installation. If a file is only quarantined, you still want to remove it so that it cannot be activated another way.
Usage pattern analysis is when the software monitors what the computer is doing and if something odd happens (for example 500 emails are being sent within a minute when normally the computer only sends 10 emails a day), it reports and responds to the issue. In this way, even if the computer were infected by an attack, the endpoint protection will do something to limit the effect on the network.
That “do something” would be the defensive capabilities mentioned above. Some endpoint protection will isolate the machine and prevent it from having network access. This way, whatever is infecting the machine cannot spread. The software may allow a remote session to connect for the purpose of removing the offending files and then let the device back onto the network.
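The following added example (not code from the original article, and not any vendor's product) shows the usage-pattern check from the previous paragraphs in miniature: it reads endpoint telemetry lines, counts sends per host over a sliding one-minute window, flags a host that blows past the threshold, and hands it to a containment hook. The log lines and the `respond` hook are constructed; a real endpoint product would feed real events and actually isolate the host.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed endpoint telemetry, one event per line (not real logs). Lines are in time order.
SAMPLE_EVENTS = [
    "2025-02-04T09:00:01 host=ws07 event=mail_sent",
    "2025-02-04T09:14:30 host=ws07 event=mail_sent",
    "2025-02-04T09:20:00 host=ws12 event=login",
] + [
    # 500 sends from ws12 inside one minute, nine per second: the "500 emails in a minute" case
    f"2025-02-04T09:30:{i // 9:02d} host=ws12 event=mail_sent" for i in range(500)
]


def parse_event(line: str):
    """'<iso timestamp> key=value key=value' -> (datetime, host, event)."""
    timestamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(timestamp), kv["host"], kv["event"]


def bursting_hosts(lines, event: str = "mail_sent", window_seconds: int = 60, threshold: int = 100) -> dict:
    """Hosts that emitted more than `threshold` events of one kind inside any sliding window.

    Returns {host: time of the event that tripped the threshold}. Assumes lines are time-ordered.
    """
    recent = defaultdict(deque)   # per-host timestamps inside the current window
    flagged = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, kind = parse_event(line)
        if kind != event:
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()                      # drop events older than the window
        if len(window) > threshold and host not in flagged:
            flagged[host] = ts
    return flagged


def respond(host: str) -> dict:
    """Hypothetical containment hook. A real endpoint agent would cut the host off the network here."""
    return {"host": host, "action": "isolate"}


if __name__ == "__main__":
    for host, when in bursting_hosts(SAMPLE_EVENTS).items():
        print(when.isoformat(), respond(host))   # 2025-02-04T09:30:11 {'host': 'ws12', 'action': 'isolate'}
```

The fixed threshold stands in for the per-host baseline ("normally 10 emails a day") that a real product learns over time; the structure of the check, a sliding window per host plus an automatic response, is the same.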
Modern software may also use cloud-sourced information. This can be a great step in responding to new threats more quickly. When an issue is found, the endpoint protection reports it to the vendor's cloud database. Once enough reports arrive from different sources, the issue is flagged and the information is pushed out to all endpoint installations. In this way endpoints are constantly "learning" as the attack landscape changes, giving you up-to-date protection without the incident having to happen on your own network.
DNS
The obvious item is: make sure your DNS is secured. Only the proper people should be able to change your DNS records. Review who can make changes, and make sure the list contains the right people and nobody extra. Protect those accounts with MFA as well, since whoever controls your DNS can redirect your web and mail traffic.
There are also records you can publish to play "nicely" on the internet. SPF, DKIM, and DMARC records let email recipients check that a message claiming to come from your domain was sent by a server you trust and has not been altered in transit. If you use TLS certificates, consider adding a CAA record, which limits which certificate authorities may issue certificates for your domain.
Depending on other services you provide and use, there may be additional records you should implement to provide the best information for others to validate communication is from you.
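As an added example (not part of the original article), the Python below checks a set of DNS records for the common mistakes in the SPF, DKIM, DMARC, and CAA records just described: an SPF record that ends in `+all` (anyone may send as you) or exceeds the ten-lookup limit, a DMARC policy of `p=none` with no reporting address, a missing DKIM key, and a missing CAA record. The zone is constructed inline so the example runs offline; pointing it at a live domain would only require fetching the TXT and CAA records with a DNS library and feeding them in as the same `(name, type, value)` tuples.

```python
# Constructed records for a hypothetical domain, not a real zone. Each entry is (owner name, type, value).
ZONE = [
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"),
    ("mail._domainkey.example.com", "TXT", "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"),
    ("example.com", "CAA", '0 issue "letsencrypt.org"'),
]

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must begin with v=spf1"]
    findings, lookups, all_term = [], 0, None
    for term in terms[1:]:
        mech = term.lstrip("+-~?").lower()
        name = mech.split(":", 1)[0].split("=", 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if mech == "all":
            all_term = term if term[0] in "+-~?" else "+" + term   # default qualifier is "+"
    if all_term is None:
        findings.append("SPF: no 'all' term, so unlisted senders get no verdict")
    elif all_term == "+all":
        findings.append("SPF: '+all' lets any host on the internet send as your domain")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral and gives recipients nothing to act on")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (receivers return permerror)")
    return findings


def parse_tags(record: str) -> dict:
    """'k=v; k=v' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must begin with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required p= tag is missing")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: policy applies to only {tags['pct']}% of failing mail")
    return findings


def lint_zone(zone) -> list:
    """Run every check over (name, type, value) records and return the findings (empty means clean)."""
    findings = []
    has_spf = has_dmarc = has_dkim = has_caa = False
    for name, rtype, value in zone:
        if rtype == "TXT" and value.lower().startswith("v=spf1"):
            has_spf = True
            findings += lint_spf(value)
        elif rtype == "TXT" and name.startswith("_dmarc."):
            has_dmarc = True
            findings += lint_dmarc(value)
        elif rtype == "TXT" and "._domainkey." in name:
            has_dkim = "p" in parse_tags(value)
        elif rtype == "CAA":
            has_caa = True
    if not has_spf:
        findings.append("SPF: no record; recipients cannot tell which servers may send for you")
    if not has_dmarc:
        findings.append("DMARC: no record; recipients have no policy for mail that fails SPF/DKIM")
    if not has_dkim:
        findings.append("DKIM: no selector record with a public key was found")
    if not has_caa:
        findings.append("CAA: no record, so any public CA may issue certificates for the domain")
    return findings


if __name__ == "__main__":
    print(lint_zone(ZONE) or "no findings")
```

The checks are deliberately conservative: a `~all` softfail passes, because many organizations run it during rollout, but `+all`, `?all`, and `p=none` without reporting are the configurations that give recipients nothing to act on while looking, at a glance, as if the records are "done".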
Email Scanning
An easy way to attack a company is to send malicious software by email: the recipient opens the attachment and, boom, the attacker now has a foothold on the network. To counter this, use an email scanning service, software, or hardware device. This type of defense scans every email coming to your mail server and looks for malicious attachments and links. Yes, you should check the hyperlinks in the email too! It is very easy to display a link whose text says one thing while it points somewhere bad. By the way, how many of you clicked on that bogus link in the previous sentence? Many email scanners look for these mismatches and remove or quarantine the messages.
Your users should be allowed to report that a message is a problem. Educated and vigilant team members are a great defense, use them! Bob may notice an issue that got past the scanner. If Bob can report the questionable message, your IT team can deal with the potential threat much faster.
Does your email scanner remove the message from all mailboxes if it is found in one inbox? Sure it’s one thing if Jane reports the problem, but if it is recognized as a problem, is the message removed from everywhere? If not, you only protected Jane and not your entire team.
Some scanners also use cloud- or crowd-sourced information. If enough people report an email as suspicious, the scanner reports it to a cloud database, which can then push down to all scanners that a particular email is bad, blocking it before it reaches your mail server or removing it from every inbox if it is already there. Now you have more people looking at a potential issue than just your team!
Backups
Ensure you have quality backups of your information. This may include the software you use (so that you can redeploy it), files, and databases. Test the backups regularly by actually restoring from them. The time to find out that something is missing from the backup, or that the backup doesn't work, is not when you need to recover from a ransomware attack.
If possible, make your backups immutable. That means that once the backup is written, it cannot be changed or deleted for a set retention period; it can only be read. This way, even if you are hit by ransomware, the malicious software cannot encrypt or wipe your backups. Immutability must be enforced by the storage itself (for example, an object-lock or write-once setting), not just by file permissions, and the credentials the backup job uses should not be able to delete existing backups, since attackers go after backups first. You'll still have some work, but at least your important information can be recovered quickly.
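As an added example (not from the original article), here is one routine a backup test can run: record a SHA-256 manifest of the backup set when it is written, then verify the set against that manifest before relying on it. The `demo` function builds a throwaway backup in a temporary directory, verifies it, overwrites one file the way ransomware would, and verifies again. The files are constructed; in practice the manifest is stored somewhere the backup host cannot rewrite, and the immutability itself comes from the storage layer, not from this check.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Hash every file in the backup set. Keep a copy of the result off the backup host."""
    manifest = {
        p.relative_to(backup_dir).as_posix(): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Restore test: compare what is on disk now with what was recorded at backup time."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        path = backup_dir / rel
        if not path.exists():
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> tuple:
    """Build a constructed backup set, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "orders.bak").write_bytes(b"constructed sample database dump")
        (root / "config.ini").write_text("[app]\nversion=3\n")
        manifest = write_manifest(root)
        before = verify_backup(root, manifest)
        # Simulate ransomware rewriting a backup file in place.
        (root / "db" / "orders.bak").write_bytes(b"ENCRYPTED")
        after = verify_backup(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup:", before)      # everything under "ok"
    print("after tampering:", after)    # db/orders.bak under "modified"
```

A manifest only tells you that a backup was altered; it cannot stop the alteration. That is why the text asks for immutable storage, and why the manifest (and the backup credentials) must live where an attacker on the backup host cannot reach them.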
Machine Monitoring & Management Software
If you're not monitoring your servers, how do you know they are running? There are several options that will watch servers, websites, and even specific applications to ensure they are responding properly. When a problem is found, the monitor sends an alert.
If you do get compromised, getting a notification like this will at least tell you that something is amiss. The faster you can respond to that outage, the better off you will be. If you are lucky, you’ll be able to contain the attack and prevent it from affecting more of your network.
Make sure you are getting the alerts you intend and that your alert system works. Sending a text message to a phone that is no longer in service won’t help you when you experience an outage.
Automated Deployment / Policy Enforcement
There are options out there to handle deployment of software and policies to your network. Some work specifically with Windows or Apple devices; some handle a combination. With these applications, you can control what software is deployed on your network and to whom, apply patches to the machines, and roll out software updates in a controlled fashion. If there is a critical patch that affects all your Windows desktop machines, getting that updated quickly is vital to your security. If you can deploy that en masse quickly, then you have lowered the duration of your exposure.
Look for software that can also deploy policies and enforce them. For example, you may want to have a policy that screen savers activate after 5 minutes of inactivity and the user must log in after the screen saver is deactivated and that your user cannot change that policy. Automatic deployment of these policies can help make all devices consistent across the network and reduce the chance that someone forgets to secure a device properly. If there’s an issue found, fix it in the policy software and deploy it to all machines instead of implementing the policy one-by-one.
Many of these tools also support zero-touch enrollment: you register the devices that belong to your organization, and when one of them comes online for the first time it automatically receives the proper policies and software. Getting a new machine properly configured just got easier. In fact, it doesn't even have to come to the office: when the team member receives the device, it configures itself when turned on.
Updating Software
Attackers take the easiest route into your systems. If your hardware and software are patched and up to date, they will be harder to break into than something that is 10 years old and has never received a patch. In the latter case, there is ample information on the internet about how to break into such devices. It takes time to keep everything updated, but it will help protect you. This applies to firewalls, routers, switches, servers, workstations, and any other device that has network access.
Team Member Training & Communication
Your team members are probably the most important line of defense for your business. Vigilant and educated team members can spot a problem, notice if something is not acting properly, and will report the issue to get it corrected. Some simple things that you can educate your team about:
- Make sure they know what site they are going to. Is that site for business or not?
- Hover over links (in emails and on the web). Notice where that link is going to before you click on it. Although the text says “Microsoft.com”, does the link really go to IJustGotHacked.Com?
- If there are new policies in place, make sure your team knows about them.
- If there are problems, let your team know so they can help work around the issues.
- See if your email protection can run simulations/trainings to regularly check for team members who may need education in looking for and handling suspicious emails.
- Changing passwords – why is this important? What is a strong password? Why shouldn't passwords be reused? Where can I store all the passwords I have?
Policies
Besides software policies that you implement on a device, you may also need company policies to handle potential attack vectors. If you allow personal phones within the building, are they allowed to join the company network? Are team members allowed to use removable drives? Who has administrative rights to machines? These are things that should be regularly reviewed to handle the changing landscape of cybersecurity threats.
Regular Audits
You should regularly review all the practices/policies/defenses that you have in place. Do any of them have risks? Are all the appropriate protections in place? Are they all patched?
Review your network for inactive accounts, group membership, and suspicious accounts or groups that were created without your approval. These could all indicate that someone already has access to your network and is quietly collecting information.
Regularly rehearse your disaster plans so that everyone involved knows how to handle a disaster and recover from it. Make sure the process is documented. Disasters often happen outside business hours, and if you are tired, you don't want to recover from memory. A documented plan lets you follow the steps so nothing is missed or forgotten. Running these simulations also gives you an opportunity to find things that have changed. Perhaps there is new software or there are new machines that are not documented and should be part of the plan. Perhaps your location has moved, and you have different procedures due to the new environment. Testing is how we find these issues and then update the documentation.
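The following added example (not part of the original article) is the kind of script that turns this review into a repeatable audit. It runs over an account export and reports three of the things the paragraph asks you to look for: enabled accounts that have not logged on in 90 days, members of privileged groups who are not on the approved list, and membership in groups nobody approved. The account records, group names, and approved lists are all constructed; a real run would export them from the directory.

```python
from datetime import date

# Constructed directory export, not from a real domain.
ACCOUNTS = [
    {"name": "jane.doe",    "enabled": True,  "last_logon": "2025-02-03", "groups": ["Staff"]},
    {"name": "bob.smith",   "enabled": True,  "last_logon": "2024-09-12", "groups": ["Staff"]},  # ~145 days idle
    {"name": "old.temp",    "enabled": False, "last_logon": "2023-01-10", "groups": ["Staff"]},  # disabled: fine
    {"name": "svc-backup",  "enabled": True,  "last_logon": "2025-02-04", "groups": ["Backup Operators"]},
    {"name": "helpdesk2",   "enabled": True,  "last_logon": "2025-02-01", "groups": ["Staff", "Domain Admins"]},
    {"name": "it.admin",    "enabled": True,  "last_logon": "2025-02-04", "groups": ["Domain Admins"]},
    {"name": "contractor7", "enabled": True,  "last_logon": "2025-02-02", "groups": ["Remote Mgmt"]},
]

# Who is supposed to hold each privileged group (constructed approval list).
APPROVED_PRIVILEGED = {
    "Domain Admins": {"it.admin"},
    "Backup Operators": {"svc-backup"},
}
# Every group that is documented; anything else was created without approval.
KNOWN_GROUPS = {"Staff", "Domain Admins", "Backup Operators"}


def audit_accounts(accounts, today, idle_days: int = 90,
                   approved_privileged=APPROVED_PRIVILEGED, known_groups=KNOWN_GROUPS) -> list:
    """Return (finding type, detail) pairs for an account export."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for account in accounts:
        name = account["name"]
        idle = (today - date.fromisoformat(account["last_logon"])).days
        if account["enabled"] and idle > idle_days:
            findings.append(("inactive", name))          # still enabled, nobody uses it: disable it
        for group in account["groups"]:
            if group not in known_groups:
                findings.append(("unknown-group", f"{name} in {group}"))
            elif group in approved_privileged and name not in approved_privileged[group]:
                findings.append(("unapproved-privilege", f"{name} in {group}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_accounts(ACCOUNTS, "2025-02-04"):
        print(f"{kind:22} {detail}")
```

Each finding maps to an action (disable the account, remove the group member, delete or document the group), which is what makes the audit worth repeating on a schedule rather than reading a membership list once.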
Closing
As we said at the start, this article is not meant to be all-encompassing. Use it as a jumping-off point for your discussions about your own security. If you aren’t implementing something above, do you have a reason? If so, no worries. But if you haven’t at least thought about and discussed the points, perhaps you should make sure they don’t apply to your situation.
Be aware that security is always a constant race between the protections we put in place, and the techniques and technologies that are used for attacking. For each new attack, we must develop new protection. For this reason, your BEST protection is your team members. If your team is vigilant and watching for issues, problems will be found faster, allowing you to respond more quickly. That quick response may be the difference between someone seeing a questionable email and having your entire server array encrypted by ransomware. People adapt to changing environments and can analyze a situation.
Good luck. Stay vigilant. Keep learning.
Last updated February 4, 2025