Contact

Thank you for contacting us, we will respond as soon as possible!




Address:

Evert van de Beekstraat 1
1118 CL Schiphol
Netherlands

Route

Phone:

+31 (0) 20 799 1548

Email:

info@scyber.nl

Secure digital business

For small and medium enterprises, cybersecurity is an opportunity for taking advantage of the digital economy.

The cyber risks for entrepreneurs are diverse and range from paying ransom to regain access to their own files (ransomware) and the network, to the failure of production facilities, which endanger the continuity of the company.

The reality is that entrepreneurs face cyber threats and risks on a daily basis. A growing number of SME’s are part of the value chain in vital sectors and must defend themselves against cyber threats and invest sufficiently in cybersecurity.

Basic principles for secure digital business

The Digital Trust Center (DTC) in the Netherlands, has established a number of principles for secure digital business to help entrepreneurs to set up basic security. Entrepreneurs who follow these basic principles increase their digital resilience to cyber threats that can disrupt their business operations.

The basic principles are:

  1. Make an inventory of where your company is vulnerable to cyber threats.
  2. Choose the most secure settings for equipment, software and internet connection.
  3. Keep your devices and software up to date.
  4. Be aware who gives you access to which data and services.
  5. Protect yourself against viruses and other malware.

These principles are further explained below.

Principle 1: Identify vulnerabilities

An inventory of the vulnerable components for cyber threats within your company consists of various components. You not only make an inventory of what equipment, software, network connections and data you have and what the vulnerabilities are, you also map the technical dependence on suppliers.

An inventory also forces you to think about what to do in the event of a cyber incident due to the manifestation of cyber threats.

Here you look at:

  1. Availability (consequences IT no longer works).
  2. Integrity (consequences that data are not reliable).
  3. Confidentiality (consequences of data leaking out).

You determine the likelihood of a cyber threat occurring and the impact.This way you get a picture of the risks for your company.

Make your risks transparent first

Insight into risks makes it easier to increase resilience to cyber threats. Good insight into your risks means that you can make a well-considered choice as to where you can invest best in terms of measures and which risks you accept.

Should a cyber incident ever occur, the inventory will prevent you from missing out on something and it will become easier to distinguish between main issues and side issues.

If you want to better protect your house against burglars, you make an inventory of your most important possessions and where people can easily enter your house. It is also useful to think in advance who you should call in the event of a burglary.

Identify vulnerabilities

  1. Make an inventory of the IT components, vulnerabilities and make a risk analysis.
  2. Ensure that the inventory is updated every six months and also puts this in the agenda.
  3. Discuss the importance of and the content of the inventory with colleagues, employees, suppliers and / or buyers. Discuss everyone’s responsibilities, set agreements and ensure that they are met. The weakest link determines the strength of the chain.
  4. Prepare a fall-back and recovery plan for what you should do if you are struck by a cyber incident that means you can no longer use your networks, equipment, software, communication systems and data. Test this plan at least once so that you know it actually works.
  5. Determine what you can and cannot expect from an organization in the event of a cyber incident. Also add contact information, and any customer and contract details in the case of suppliers or help desk, so that you can act quickly.

Identify vulnerabilities

  1. Make an inventory of the IT components, vulnerabilities and make a risk analysis. Ensure that the inventory is updated every six months and also puts this in the agenda.
  2. Discuss the importance of and the content of the inventory with colleagues, employees, suppliers and / or buyers. Discuss everyone’s responsibilities, set agreements and ensure that they are met. The weakest link determines the strength of the chain.
  3. Prepare a fall-back and recovery plan for what you should do if you are struck by a cyber incident that means you can no longer use your networks, equipment, software, communication systems and data. Test this plan at least once so that you know it actually works.
  4. Determine what you can and cannot expect from an organization in the event of a cyber incident. Also add contact information, and any customer and contract details in the case of suppliers or help desk, so that you can act quickly.

Make backups

Make a schedule for backups. You use a backup to restore data if it is damaged by, for example, a system error, incorrect storage or a virus. Or if the device on which they are stored is broken, lost or stolen, for example. But also if you have changed or added important files.

Disconnect backups from your network, keep them in a safe place and possibly encrypt the files for extra protection. Date the backups made so that the chance that you restore an infected backup is smaller and practice restoring a backup.

Principle 2: Choose secure settings

Equipment and software suppliers often choose default settings. All settings are also often installed in ‘on’ as standard. This is very handy for quickly and easily installing new stuff or getting internet access. But as an entrepreneur you are very vulnerable to cyber threats if you do not change these settings from the first use. You then open the door for unauthorized persons.

Default settings are unsafe

The use of standard settings creates the risk that equipment, software and network connections can be accessed directly from the internet. It is a second job for automated programs to track these systems online.

Cyber ​​criminals can request or change the information stored in devices, software and networks. Depending on the type, the device can also be controlled remotely. Think of webcams and microphones that are served by a cyber criminal without your knowledge.

After delivery of your new house with standard locks, replace the cylinders of the locks so that you are better protected against burglars that often have the standard keys.

Choose safe settings

  1. Check the settings of your equipment, software and network and internet connections. Adjust default settings before connecting them to the internet and look critically at functions and services that are automatically “on” while you may not need or use them.
  2. Use secure, strong and different passwords. With a password you protect the fixed and mobile devices of your company. But also your business data in the cloud, wireless networks, e-mail accounts and social media accounts. Most passwords consist of a combination of letters and numbers, but there are also other options such as the use of a PIN code, Touch ID or security pattern.
  3. Set up extra security. Sometimes a password is not enough. Access to banking, company data in the cloud or the admin environment of the company network, require extra security. Check if additional protection is possible and set it up. Think of two-step verification and logging in with a token.
  4. Use a firewall. A firewall is a piece of software (or hardware) that builds a defensive wall between your company network and other networks. With a firewall you control and manage which connections are established between the network and other networks. In the simplest case, it’s about the connection between your corporate network and the internet. Within this connection incoming traffic can be analyzed to find out whether or not it should be allowed in the network.

There are different types of firewalls. The two most common are:

  1. The standard firewall on a computer. This is usually part of the operating system and can be used free of charge.
  2. A firewall for the entire network. The implementation and management of this requires specialist knowledge and entails costs.

Some routers include a firewall that can be used for network security. The possibilities for this vary per brand and model. Ask your internet provider or the router manufacturer about the options.

Check your settings

  1. Check monthly whether the settings are still correct.
  2. Check the settings for each new device, software and network.
  3. Make a trade-off between convenience and security. One key for your house, car and office is also not logical.

Principle 3: Perform updates

Manufacturers of equipment and software are constantly working to further develop their products. Updates bring the latest functionalities to the end users. Discovered vulnerabilities or better security are also offered via updates. So always install the most recent security updates immediately so that you are as secure as possible.

Vulnerabilities in older versions

If your devices and software are up-to-date, your company has the least chance of viruses and you remain protected against the most current cyber threats and risks. This is because a virus uses vulnerabilities in older versions of devices and software.

Car manufacturers are constantly investigating how they can improve the security of their cars. If they find out that their airbags are insufficiently safe, they will call you to the garage to adjust the airbags. For your own safety it is better to have such an update performed.

Perform updates

Check whether devices and software are up-to-date. If not, install the most recent security updates immediately. Switch on automatic updates so that your devices and software will always run on the latest version. Occasionally producers also release a so-called “patch”. These are often minor updates that address a very specific problem. Also don’t forget to install this directly.

Check your updates

  1. Consider replacing devices and / or software if supplier updates are no longer available. Or disconnect them from the internet.
  2. Check monthly whether devices and software are up-to-date.

Principle 4: Restrict access

In order to minimize the chance of accidents and abuse, it is important that everyone inside and outside the company only have access to the systems that match the work and the period for which access is required. Extended access rights should only be given for those who need it.

Prevent unauthorized access

By limiting and determining access rights per employee, you prevent people inside and outside your company from gaining access to systems and data that they do not need to perform their work.

In a hotel you want guests to be able to move freely between the different spaces and facilities in the hotel. However, you do not want them to be able to walk around freely in the kitchen with their access cards or to enter other guests’ rooms. Other restrictions apply to suppliers or hotel staff.

Restrict access

  1. Define for each employee which systems and data they should have access to to do their work.
  2. Then make sure that an employee can log in to the systems and identify himself as that employee with associated access rights.
  3. Use secure and strong passwords and realize logging in through two-step verification for important systems and data.
  4. Limit the physical access of employees to spaces where systems (such as servers) or devices (such as external hard drives and USB sticks) and documents are stored.

Check your access rights

Ensure that the access rights are adjusted if someone (from the inside and / or outside) receives a new position or leaves the company. In the case of a sudden (non-voluntary) departure of a system administrator, this is especially important. This also applies if we work with, for example, a new supplier or accountant.

Principle 5: Prevent viruses and other malware

Not a day goes by or you hear or read something about (new) viruses that cause inconvenience and damage to companies. The collective name for all software with a deliberately malicious effect is malware.

Some malware is intentionally distributed to damage systems or equipment, to steal data or trade secrets, or, in the case of ransomware, one of the best known forms of malware, to extort money from entrepreneurs by taking hostage systems and releasing them if payment has been made.

Damage due to malicious software

There are various ways in which malware can access a computer, smartphone or network. A user can open an infected e-mail (or attachment), visit an incorrect website or open an unknown, infected file via, for example, a USB stick. Whichever way, the malware infects the software it is looking for and often spreads itself as an oil spill to other devices and / or users.

By taking adequate measures to protect yourself against the effects of malicious software, you prevent malicious persons and / or outside organizations from causing damage to your devices, software or data via “faulty software”. You also prevent that they can take control of your systems and what they only want to cancel after payment of “ransom”.

If someone rings the doorbell with a package while you have not ordered anything, then you do not just accept the package.

Protect against viruses and malware

There are four ways to protect yourself against malware:

  1. Encourage safe behavior of employees. The cyber resilience of your company depends on the behavior of employees. Because even if you have installed all the updates, an antivirus program and firewall that protects your devices and network and the strongest passwords you can think of, if an employee does not recognize a phishing email and opens that one attachment or connects an infected USB stick, then all preventive measures have been for nothing.
  2. Use an antivirus program. An antivirus program scans your devices for the presence of malicious software (malware). A paid virus scanner is regularly updated by the supplier so that it also protects your company against the latest known viruses. With the use of an antivirus program you also protect your customers and other entrepreneurs. Many viruses use an e-mail program to spread themselves. Without knowing it, you can infect the devices of customers and other entrepreneurs.
  3. Download apps securely. You install an app on your tablet or smartphone. Your mobile devices may contain a lot of business information such as bank details, e-mails, customer details and other valuable company information. Prevent anyone from accessing this via an app. This is because apps are also used by cyber criminals to infect mobile devices with malicious software (malware) that ends up on your device when you download the app.
  4. Limit the installation options of software. Prevent or limit employees from installing software on company computers. This prevents infected programs from infecting your corporate network.

Use a sandbox

Use versions of applications that support sandboxing where possible. For example, most modern web browsers implement some form of sandbox security. A sandbox application is running in an isolated environment with very limited access to the rest of your device and network. In other words, your files and other applications are kept out of the reach of malware if possible. Sandboxing is therefore a good way to open programs and files that you do not trust.

More information?

Danny Onwezen is ceo of scyber and experienced consultant in the field of secure digital business for small and medium enterprises (SME’s). He will be happy to tell you more about the possibilities for improving your digital security and resilience.

Email: danny.onwezen@scyber.nl