21 Feb The Ultimate Guide to Cybersecurity
If I were to ask you to list the most valuable things you own, what would you say? I guess this would be another way of asking the infamous “What would you grab if your house was on fire?” question.
As for me, I’d grab an old keepsake box filled with things from my childhood, a necklace from my boyfriend, my phone and computer (for pictures and writings!), and an old Iowa sweatshirt of my dad’s.
But I’d also have to say that my identity, social security number, credit cards, and bank accounts are valuable to me. While these things can’t exactly burn down in a fire, they can be stolen … and if I were to ask a computer hacker what he or she thought my most valuable possessions were, they’d probably quote the intangible.
That’s why we’ve compiled this guide on cybersecurity. Below, we’ll talk about why you should care about cybersecurity, how to secure your and your customer’s digital data, and what resources to follow to stay up-to-date with emerging tech.
Personal data is incredibly valuable. Hackers know it, and businesses know it. That’s why both go to great lengths to collect it — albeit one following a much more legal and moral avenue to do so.
Unfortunately, as technology and data collection practices progress, so do the methods that hackers follow to steal data. As business owners, we have a special responsibility to protect our customer’s data and be transparent with our practices.
Why You Should Care About Cybersecurity
In 2017, organizations providing online services (a.k.a. e-commerce companies) contributed to the largest number of compromised credentials: over 2 billion. 🤯
Small to medium-sized businesses (SMBs) are especially at risk. You might see corporations like Target and Sears topping the headlines as top data breach victims, but it’s actually SMBs that hackers prefer to target.
Why? They have more — and more valuable — digital assets than your average consumer but less security than a larger enterprise-level company … placing them right in a “hackers’ cybersecurity sweet spot.”
Security breaches are frustrating and frightening for both businesses and consumers.
Studies show that, after a company data breach, many consumers take a break from shopping at that business — and some consumers quit altogether.
But cybersecurity is about more than just avoiding a PR nightmare. Investing in cybersecurity builds trust with your customers. It encourages transparency and reduces friction as customers become advocates for your brand.
Keep your business ahead of the tech curve with the tips, systems & recommended resources in our guide to staying current on emerging tech.
Cybersecurity Terms to Know
But fear not. We’re here to break this topic down into digestible pieces that you can rebuild into your own cybersecurity strategy. Bookmark this post to keep this handy glossary at your fingertips.
Here’s a comprehensive list of general cybersecurity terms you should know.
Authentication is the process of verifying who you are and why you need access to an account or software. Many organizations use two-factor authentication, which we cover later.
A backup refers to the process of transferring important data to a secure location, such as the cloud or a physical, offsite server in case of a cyber attack or system crash.
A data breach refers to the moment a hacker gains unauthorized entry or access to a company’s or an individual’s data.
A digital certificate, also known as an identity certificate or public key certificate, is a type of passcode used to securely exchange data over the internet. It’s essentially a digital file embedded in a device or piece of hardware that provides authentication when it sends and receives data to and from another device or server.
Encryption is the practice of using codes and ciphers to encrypt data. This algorithmic technique changes important data to a “language” that’s only able to be read by certain software.
HTTP and HTTPS
Hypertext Transfer Protocol (HTTP) is how internet browsers communicate. You’ll probably see an http:// or https:// in front of most websites you visit. HTTP and HTTPS are the same, except HTTPS encrypts all data sent between you and the web server — hence the “S” for security. HTTPS is used for e-commerce websites and other places that you submit sensitive data online.
A vulnerability is a place of weakness, either digitally or physically, that a hacker might exploit when launching a cyber attack. Vulnerabilities might include the check-out page on an e-commerce site where users enter delicate information or an outside bank ATM where users insert debit cards and enter PIN numbers. Defensive cybersecurity measures (like the ones we talk about later) can help prevent attacks on these vulnerabilities.
Types of Cyber Attacks
- Brute Force Attack
- Distributed Denial of Service (DDoS) Attack
- Malware Attack
- Phishing Attack
A cyber attack is a deliberate and typically malicious intent to capture, modify, or erase private data. Cyber attacks are committed by external security hackers and, sometimes, unintentionally by compromised users or employees. These cyber attacks are committed for a variety of reasons. The majority are looking for ransom, while some are simply launched for fun.
Here are the four most common cyber threats.
Brute Force Attack
A brute force attack is when a hacker overloads a system or computer until they ultimately gain access. This is typically done by continually guessing passwords manually or through a computer application. Consider this type of attack the digital equivalent of beating on a door until it breaks. (This is why super strong passwords are so important, as we talk about later.)
Distributed Denial of Service (DDoS) Attack
A distributed denial of service (DDoS) attack is when a hacker floods a network or system with a ton of activity (such as messages, requests, and traffic) in order to paralyze and officially exploit the system. This is typically done through bots and botnets, which are networks of computers infected by viruses that allow a hacker to control and use them as bots for other forms of attacks.
Malware refers to all types of malicious software used by hackers to infiltrate computers and networks and collect susceptible private data. Types of malware include:
- Keylogger malware tracks everything a person types on their keyboard. Keyloggers are usually used to capture passwords and other private information, such as social security numbers.
- Ransomware encrypts data and holds it hostage, forcing users to pay a ransom in order to unlock and access the infected files.
- Spyware monitors and “spies” on user activity on behalf of a hacker.
- Trojan horses infect networks through a single entry point, often disguised as a legitimate download or link, and give hackers complete control of users’ computers.
- Viruses corrupt, erase, modify, or capture data and, at times, physically damage computers. Viruses can be unintentionally installed by compromised users.
- Worms are designed to self-replicate and autonomously spread through all computers connected to an infected network.
A phishing attack is when hackers disguise their identity and intent through a seemingly legitimate download, link, or message. It’s a very common type of cyber attack — over 75% of organizations fell victim to phishing in 2018. Phishing is typically done over email or through a fake website; it’s also known as spoofing. Additionally, spear phishing refers to when a hacker pretends to be a particular person or business, instead of using a general name or identity.
Cybersecurity Best Practices: How to Secure Your Data
Cybersecurity can’t be boiled down into a 1-2-3-step process. Securing your data involves a mix of best practices and defensive cybersecurity techniques. Dedicating time and resources to both is the best way to secure your — and your customers’ — data.
Defensive Cybersecurity Solutions
All businesses should invest in preventative cybersecurity solutions. Implementing these systems and adopting good cybersecurity habits (which we discuss next) will protect your network and computers from outside threats.
Here’s a list of six defensive cybersecurity systems and software options that can prevent cyber attacks — and the inevitable headache that follows. Consider combining these solutions to cover all your digital bases.
Antivirus software is the digital equivalent of taking that vitamin C boost during flu season. It’s a preventative measure that monitors for bugs. The job of antivirus software is to detect viruses on your computer and remove them, much like vitamin C does when bad things enter your immune system. (Spoken like a true medical professional …) Antivirus software also alerts you to potentially unsafe web pages and software.
A firewall is a digital wall that keeps malicious users and software out of your computer. It uses a filter that assesses the safety and legitimacy of everything that wants to enter your computer; it’s like an invisible judge that sits between you and the internet. Firewalls are both software and hardware-based.
A honeypot is a fake server set up for the sole purpose of enticing malicious software. It’s used as a decoy to lead hackers away from the actual high-value servers on the network. Honeypots are also valuable as businesses can watch their activity and learn about hackers’ techniques without actually falling victim to them.
Single Sign-On (SSO)
Single sign-on (SSO) is a centralized authentication service through which one login is used to access an entire platform of accounts and software. If you’ve ever used your Google account to sign up or into an account, you’ve used SSO. Enterprises and corporations use SSO to allow employees access to internal applications that contain proprietary data.
Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is a login process that requires a username or pin number and access to an external device or account, such as an email address, phone number, or security software. 2FA requires users to confirm their identity through both and, because of that, is far more secure than single factor authentication.
Learn more: Duo
Virtual Private Network (VPN)
A virtual private network (VPN) creates a “tunnel” through which your data travels when entering and exiting a web server. That tunnel encrypts and protects your data so that it can’t be read (or spied on) by hackers or malicious software. While a VPN protects against spyware, it can’t prevent viruses from entering your computer through seemingly legitimate channels, like phishing or even a fake VPN link. Because of this, VPNs should be combined with other defensive cybersecurity measures in order to protect your data.
Cybersecurity Tips for Business
Require strong credentials.
Require both your employees and users (if applicable) to create strong passwords. This can be done by implementing a character minimum as well as requiring a mix of upper and lowercase letters, numbers, and symbols. More complicated passwords are harder to guess by both individuals and bots. Also, require that passwords be changed regularly.
Control and monitor employee activity.
Within your business, only give access to important data to authorized employees who need it for their job. Prohibit data from sharing outside the organization, require permission for external software downloads, and encourage employees to lock their computers and accounts whenever not in use.
Know your network.
With the rise of the Internet of Things, IoT devices are popping up on company networks like crazy. These devices, which are not under company management, can introduce risk as they’re often unsecured and run vulnerable software that can be exploited by hackers and provide a direct pathway into an internal network.
“Make sure you have visibility into all the IoT devices on your network. Everything on your corporate network should be identified, properly categorized, and controlled. By knowing what devices are on your network, controlling how they connect to it, and monitoring them for suspicious activities, you’ll drastically reduce the landscape attackers are playing on.” — Nick Duda, Principal Security Officer at HubSpot
Read about how HubSpot gains device visibility and automates security management in this case study compiled by security software ForeScout.
Download patches and updates regularly.
Software vendors regularly release updates that address and fix vulnerabilities. Keep your software safe by updating it on a consistent basis. Consider configuring your software to update automatically so you never forget.
Make it easy for employees to escalate issues.
If your employee comes across a phishing email or compromised web page, you want to know immediately. Set up a system for receiving these issues from employees by dedicating an inbox to these notifications or creating a form that people can fill out.
Cybersecurity Tips for Individuals
Cyber threats can affect you as an individual consumer and internet user, too. Adopt these good habits to protect your personal data and avoid cyber attacks.
Mix up your passwords.
Using the same password for all your important accounts is the digital equivalent of leaving a spare key under your front doormat. A recent study found that over 80% of data breaches were a result of weak or stolen passwords. Even if a business or software account doesn’t require a strong password, always choose one that has a mix of letters, numbers, and symbols and change it regularly.
Monitor your bank accounts and credit frequently.
Review your statements, credit reports, and other critical data on a regular basis and report any suspicious activity. Additionally, only release your social security number when absolutely necessary.
Be intentional online.
Keep an eye out for phishing emails or illegitimate downloads. If a link or website looks fishy (ha — get it?), it probably is. Look for bad spelling and grammar, suspicious URLs, and mismatched email addresses. Lastly, download antivirus and security software to alert you of potential and known malware sources.
Back up your data regularly.
National Institute of Standards and Technology (NIST)
Bookmark: The Computer Security Resource Center (CSRC) for security best practices, called NIST Special Publications (SPs).
The Center for Internet Security (CIS)
CIS is a global, non-profit security resource and IT community used and trusted by experts in the field.
Bookmark: The CIS Top 20 Critical Security Controls, which is a prioritized set of best practices created to stop the most pervasive and dangerous threats of today. It was developed by leading security experts from around the world and is refined and validated every year.
Cybrary is an online cybersecurity education resource. It offers mostly free, full-length educational videos, certifications, and more for all kinds of cybersecurity topics and specializations.
Signing Off … Securely
Cyber attacks may be intimidating, but cybersecurity as a topic doesn’t have to be. It’s imperative to be prepared and armed, especially if you’re handling others’ data. Businesses should dedicate time and resources to protecting their computers, servers, networks, and software and should stay up-to-date with emerging tech. Handling data with care only makes your business more trustworthy and transparent — and your customers more loyal.
Note: Any legal information in this content is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice or as a recommendation of any particular legal understanding.