{"id":1818,"date":"2022-05-31T17:04:34","date_gmt":"2022-05-31T15:04:34","guid":{"rendered":"https:\/\/www.dsecbypass.com\/?p=1818"},"modified":"2022-09-27T08:28:29","modified_gmt":"2022-09-27T06:28:29","slug":"how-to-secure-my-small-business","status":"publish","type":"post","link":"https:\/\/www.dsecbypass.com\/en\/how-to-secure-my-small-business\/","title":{"rendered":"How to secure my Small Business?"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/05\/favpng_small-business-e-commerce-shopping-retail-e1654004453736.png” alt=”VSE small business” title_text=”VSE” _builder_version=”4.17.4″ _module_preset=”default” width=”50%” module_alignment=”center” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

VSEs\/SMEs and freelancers are often faced with a lack of resources and skills to secure their IT system. However, the stakes are high in the event of a computer attack: sometimes long and costly repairs, loss of turnover, loss of reputation.<\/p>\n

This guide aims to provide Small Businesses (SMBs) with practical and affordable advice to secure their business. It is based, among other things, on the work of the National Cyber Security Center (NCSC) and the recommendations of the National Agency for Information Systems Security (ANSSI).<\/p>\n

> Data backups<\/a><\/strong><\/p>\n

> Protect yourself from viruses<\/a><\/strong><\/p>\n

> Securing your smartphones<\/a><\/strong><\/p>\n

> Improving passwords<\/a><\/strong><\/p>\n

> Limit the risks of phishing<\/a><\/strong><\/p>\n

[\/et_pb_text][et_pb_text module_id=”sauvegarder” _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

1. Data backups<\/h2>\n

Backing up your data increases your resilience in the event of a computer attack: zero risk does not exist, so it is better to be prepared and be able to get your business back up and running as quickly as possible.<\/p>\n

\u2705<\/span> Identify which data to back up <\/strong> <\/p>\n

\n

These are the data essential to the proper functioning of the company: the documents, photos, e-mails, contacts, calendars and any other computer work file that are on your PCs, smartphones and tablets. Additionally, some companies may have file servers and specific hardware\/software configurations that also need to be backed up.<\/p>\n<\/blockquote>\n

\u2705<\/span> Secure your backups<\/strong><\/p>\n

\n

Do not keep backups in the same place as the data to be backed up: make several copies of them on hard disks \/ USB keys. Some solutions also allow you to host backups in the cloud. Depending on the criticality of the data, it is interesting to use both the cloud and the physical medium. Make sure backups are only accessible by authorized people, keep them offline when not in use, and separate copies in different geographical locations (in case of fire or theft).<\/p>\n<\/blockquote>\n

\u2705<\/span> Set up a process and make sure it is followed<\/strong><\/p>\n

\n

Determine a backup frequency (how much data can you afford to lose?). Make sure that the data is correctly saved: check for example that the modification of a document has been correctly reflected in the backups. The use of automatic backup solutions can facilitate this tedious and error-prone manual process, but it will still be necessary to regularly check the level of freshness of the backups and the ability to restore them.<\/p>\n<\/blockquote>\n

For more information on backups: https:\/\/www.cybermalveillance.gouv.fr\/tous-nos-contenus\/bonnes-pratiques\/sauvegardes<\/a>.<\/p>\n

    <\/ol>\n

    [\/et_pb_text][et_pb_text module_id=”virus” _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

    2. Protect yourself from viruses<\/h2>\n

    Viruses (malware) are software that allow hackers to infect your equipment in order to recover your data, make it inaccessible or control your PC remotely.<\/p>\n

    \u2705<\/span> Use an antivirus software<\/strong><\/p>\n

    \n

    Most operating systems offer free antivirus software included: you must ensure that they are activated. If the budget allows it, a commercial antivirus could be used in order to provide additionnal functionalities. These offer an automatic update and an automatic scan of the storage spaces that it will be good to activate. Make sure that as many devices as possible have an antivirus.<\/p>\n<\/blockquote>\n

    \u2705<\/span> Limit malware installation<\/strong><\/p>\n

    \n

    Make sure to install mobile apps only from official stores (Google Play<\/em>, Apple App Store<\/em>). In the same way, only install on your computers software from sources you trust. On PCs, do not use an administrator account for your daily work: prefer a simple user account and use the administration account when necessary.<\/p>\n<\/blockquote>\n

    \u2705<\/span> Keep your systems up-to-date<\/strong><\/p>\n

    \n

    This rule is one of the most important to improve your company’s IT security. It is essential to carry out updates (patching<\/em>) of the operating <\/span>system and any software as soon as patches are made available <\/span>by editors. Activate automatic updates wherever they are available: at the level of OS, business and office software, as well as IT equipment. If you go through a subcontractor, require this practice in your contracts. The software has an end of life from which the publishers no longer offer updates: then consider replacing them with a modern alternative.
    <\/span><\/p>\n<\/blockquote>\n

    \u2705<\/span> Beware of USB keys<\/strong><\/p>\n

    \n

    USB keys are a well-known virus transmission vector. In order to reduce the risk related to their use, it is recommended to activate the antiviral analysis of removable media and not to connect a USB key whose origin is unknown.<\/p>\n<\/blockquote>\n

    \u2705<\/span> Switch on your firewall<\/strong><\/p>\n

    \n

    Workstations are often equipped with a local firewall, pre-installed with the operating system: the default setting is often sufficient in the case of a small business (blocks any incoming connection). Do not modify the firewall settings of your internet box if you do not understand the ins and outs: this could expose your file shares or other sensitive services on the Internet. If the information system is more extensive, physical firewalls can be configured, in which case a specific guide<\/a> can be used. Calling on a qualified service provider in the latter case is strongly recommended.<\/p>\n<\/blockquote>\n

     <\/p>\n

    [\/et_pb_text][et_pb_text module_id=”mobiles” _builder_version=”4.17.4″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

    3. Securing your smartphones<\/h2>\n

    Mobile devices such as smartphones and tablets are often used in professional environments. When the budget is sufficient, the use of an MDM<\/a> (Mobile Device Management) can help administer its mobile fleet. Otherwise, the following three rules will limit the risks associated with mobility:<\/p>\n

    \u2705<\/span> Set up a complex PIN\/password to access it<\/strong><\/p>\n

    \n

    A complex PIN will consist of at least 8 digits. In addition, modern mobile devices offer unlocking by fingerprint or facial recognition: it is recommended to activate and use it.<\/p>\n<\/blockquote>\n

    \u2705<\/span> Ensure mobile devices and apps are kept up to date<\/strong><\/p>\n

    \n

    Enable automatic OS and application updates and educate your employees to do the same.<\/p>\n<\/blockquote>\n

    \u2705<\/span> Do not connect to unkown Wi-Fi network<\/strong><\/p>\n

    \n

    Public Wi-Fi (hotspots<\/em>) are convenient but generally insecure. Sometimes they may even be controlled by malicious individuals. Prefer your 4G\/5G connection which includes default security, even if it means sharing the connection with your computer if necessary. Using a VPN<\/em>can protect your phone when connecting to unknown Wi-Fi networks: be careful to use a company VPN<\/em>or a trusted third-party service.<\/p>\n<\/blockquote>\n

     <\/p>\n

    [\/et_pb_text][et_pb_text module_id=”motsdepasse” _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

    4. Improving passwords<\/h2>\n

    Passwords, if used and implemented correctly, are an effective and free way to increase the security of your business and your data.<\/p>\n

    \u2705<\/span> Protect your equipment with a password<\/strong><\/p>\n

    \n

    Whether for your smartphones, tablets or PCs, it is strongly recommended to configure a unique password, known only to you and complex. To generate this type of password, the CNIL<\/a>offers an effective method. Unlocking a device must require a password in order for it to be secure. Also make sure to enable encryption for these different devices when available: BitLocker<\/em>for Windows, FileVault<\/em>for macOS and other features often included in mobile OS.<\/p>\n<\/blockquote>\n

    \u2705<\/span> Use two-factor authentication (2FA) when available<\/strong><\/p>\n

    \n

    Two-factor authentication allows the user to be asked for a second verification of their identity (for example an SMS or a Google Authenticator<\/em> code) in addition to their password. Thus, even if the latter has been compromised, the attacker will have a much harder time taking possession of the account. Configuring this feature adds a very important layer of security, especially in small businesses where accounts are often shared and used on uncontrolled equipment (social network accounts, ERP access accounts or with suppliers).<\/p>\n<\/blockquote>\n

    \u2705<\/span> Use unique and complex passwords<\/strong><\/p>\n

    \n

    Faced with the multitude of services that require a password, we tend to use the same one everywhere or in various mutations. Attackers know this and use it to compromise all of your accounts (pro and personal) when they discover your password. In order to secure your important accesses, use a password manager like Keepass<\/em>: no need to remember your passwords which can now be generated automatically. A user guide<\/a> is made available by the government.<\/p>\n<\/blockquote>\n

    \u2705<\/span> Change all default passwords<\/strong><\/p>\n

    \n

    Smartphones (SIM card), PCs and other equipment are often delivered with default passwords from the manufacturer. It is better to modify them all<\/em>because they are also well known to hackers<\/em>.<\/p>\n<\/blockquote>\n

    [\/et_pb_text][et_pb_text module_id=”phishing” _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

    5. Limit the risks of phishing<\/h2>\n

    In a typical phishing attack, scammers send fake emails to thousands of people asking for sensitive information (such as bank details) or containing links to malicious websites. They may trick you into sending money, steal your details to resell, or have political or ideological motives to access your organization’s information. Phishing emails are getting harder to spot, and some will trick even the most attentive users. Regardless of your business, large or small, you will receive phishing attacks at some point.<\/span><\/p>\n

    \u2705<\/span> Secure your accounts to limit the impact of a successful attack<\/strong><\/span><\/p>\n

    \n

    The principle of least privilege is a golden rule in computer security: employees must be granted the privileges strictly necessary for their tasks. Applied to the risks of phishing, this rule implies that to limit the execution of a virus or the theft of an employee’s account, their rights must be limited: use of a non-administrator account on their PC, non-administrator accounts on business software, configuration of two-factor authentication when possible. This rule should also apply to senior executives of the company: an administrator account should only be used when an administration task is to be performed.
    <\/span><\/p>\n<\/blockquote>\n

    \u2705<\/span> Consolidate your way of operating
    <\/strong><\/span><\/p>\n

    \n

    Your company’s sensitive operations must have a clear and well-defined operating mode: creation of new computer accounts, bank transfers, password resets. It is important that managers, employees and potential partners are aware of these processes and that the interlocutors are clearly identified. Also pay special attention when you communicate: do you usually ask for passwords by electronic messages (emails, WhatsApp)? Do your emails have a well-defined graphical identity? A “classic” phishing email will not include the precise signature of the company, for example. Be careful, this does not mean, of course, that you should trust any email with the company’s signature.<\/p>\n<\/blockquote>\n

    \u2705<\/span> Know the obvious signs
    <\/strong><\/span><\/p>\n

    \n

    There will always be phishing attacks that will bypass defenses and the attention of employees. However, it is possible to apply a few simple rules in order to defuse the most obvious attacks:
    <\/span><\/p>\n