Practical tips for cybersecurity in small and mid-sized businesses

Recent talk about the damage to large companies from cybercrime has mentioned dizzying losses worth millions. But now there has been a shift in those being targeted by hackers and cybercriminals. Not least because of the COVID-related digital working conditions in small and medium-sized businesses, the victims of cybercrime increasingly seem to be medical practices, small traders, agencies and medium-sized companies.

The effects are disastrous: Production losses and ultimately financial damages hit SMBs harder than large companies. In many cases, hackers are targeting corporate data by infiltrating ransomware into company networks and encrypting essential data. The extortionists then demand horrendous Bitcoin sums to hand over the decryption code.

The effects on entrepreneurs are extremely hard, as cybersecurity has often played a rather subordinate role until now. But it doesn’t have to come to this. As an IT officer, admin or specialist retail partner, there is a lot you can do with the tools available to you to assure a minimum level of cybersecurity for SMBs. We will explain how fine-tuning can help you.

Routers

  • It is often possible to manage a router by means of different protocols. Deactivate any unnecessary or unencrypted configuration protocols, such as HTTP or telnet. Use encrypted protocols such as HTTPS or SSH instead.
  • Similarly, you should deactivate any direct means of access to the configuration from the Internet. Instead, use VPN for router configuration, if the device has to be configured from the Internet at all.
  • A router usually has an integrated firewall. All unused ports in the router firewall should be closed.
  • End devices such as printers are often connected directly to the router. Block any Internet-based access to these end devices, and close insecure points of entry.
  • Check that your VPN meets the latest security recommendations: Use IKEv2 as the VPN protocol, with AES-GCM for encryption and at least SHA-256 as the hash algorithm. Protocols such as PPTP and algorithms such as MD5 or SHA-1 are considered insecure and should be replaced by secure variants.
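
The router checklist above can be checked automatically against an exported configuration. The following Python is an added example, not code from the original article or from any vendor; the configuration layout, key names and sample values are constructed for illustration.

```python
import re

# Constructed sample config; the key names are illustrative, not a vendor format.
SAMPLE = {
    "mgmt_protocols": ["HTTPS", "SSH", "Telnet"],
    "mgmt_from_wan": True,              # configuration reachable directly from the Internet
    "wan_open_ports": [443, 500, 4500, 9100],
    "wan_required_ports": [500, 4500],  # assumption: only the VPN ports are needed
    "vpn_tunnels": [
        {"name": "branch", "protocol": "IKEv2", "cipher": "AES-256-GCM", "hash": "SHA-256"},
        {"name": "legacy", "protocol": "IKEv2", "cipher": "AES-CBC", "hash": "SHA-1"},
        {"name": "homeoffice", "protocol": "PPTP", "cipher": "", "hash": ""},
    ],
}

def norm(value):
    """Lowercase and drop separators so 'SHA-256', 'sha256' and 'SHA_256' compare equal."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def audit_router(cfg):
    """Return one finding per deviation from the router checklist."""
    findings = []
    for proto in map(norm, cfg.get("mgmt_protocols", [])):
        if proto in {"http", "telnet"}:
            findings.append(f"mgmt: disable unencrypted protocol {proto}")
    if cfg.get("mgmt_from_wan"):
        findings.append("mgmt: block configuration access from the Internet, use VPN")
    unused = set(cfg.get("wan_open_ports", [])) - set(cfg.get("wan_required_ports", []))
    for port in sorted(unused):
        findings.append(f"firewall: close unused port {port}")
    for t in cfg.get("vpn_tunnels", []):
        proto, cipher, digest = norm(t["protocol"]), norm(t["cipher"]), norm(t["hash"])
        if proto != "ikev2":
            findings.append(f"vpn {t['name']}: replace {proto} with ikev2")
            continue  # no point grading the ciphers of a protocol that has to go
        if not re.fullmatch(r"aes(128|192|256)?gcm", cipher):
            findings.append(f"vpn {t['name']}: cipher {cipher} is not AES-GCM")
        sha2 = re.fullmatch(r"sha(\d{3})", digest)  # matches sha224/256/384/512, not sha1
        if not (sha2 and int(sha2.group(1)) >= 256):
            findings.append(f"vpn {t['name']}: hash {digest} is below SHA-256")
    return findings

if __name__ == "__main__":
    for line in audit_router(SAMPLE):
        print(line)
```

Port 9100 in the sample stands for a directly attached printer exposed to the Internet, the case the fourth checklist item describes.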

Switches

The same applies to switch networking: Block all unencrypted Ethernet ports that are not required, otherwise you may be leaving doors to your in-house network open to attackers.

  • Use VLANs to segment different networks for applications and/or departments. The ports you use for configuration should be in a management VLAN. Move the networks and devices used by end users into a separate VLAN. In this way you prevent unauthorized access to the configuration ports.
  • Ask yourself which Ethernet ports an end device is connected to. Open ports always present the risk that unauthorized persons on site can connect to your networks.
  • If it is unclear which ports will be used and when, you can incorporate authentication via 802.1X. In a smaller environment this can be done with certificates, although this can be complex and time-consuming. MAC address authentication can be used as an alternative.
  • Also remember to switch off any unnecessary or insecure remote configuration paths.

Wi-Fi access points

The simplest means for more protection in your Wi-Fi is to activate the latest WPA3 encryption standard.

  • You can also reduce the transmission power of your access points to a minimum so that the Wi-Fi is only used where it is needed, especially considering outdoor use.
  • You should also consider: Which SSIDs do I need? For particular user groups, specify when their SSIDs are scheduled to be active. End customer and private devices used by employees on the one hand, and company devices on the other, should use different SSIDs. These can be connected to the network using different VLANs. In addition, you can use the switches to configure the SSID so that the guest network only reaches the router, whereas the VLAN for the company devices provides more comprehensive access to the company network. The aim of this is to give users’ end devices Internet access only and to prevent them from causing any damage.
  • PPSK/LEPS: Use private pre-shared keys for users or, with LANCOM devices, use LEPS. Individually distributed PPSK network keys have the advantage that end devices only have limited permissions, and they can be better monitored.

Raising awareness of IT security

Cybersecurity only works within a company if the employees actively contribute to it. You should provide regular training on the subject of IT security: What are secure passwords and how do I deal with phishing e-mails? Vital: you should also stop the use of unverified USB sticks and the connection of private data media to the company network.

  • Keep things up-to-date and regularly install the latest security updates for software and devices.
  • Daily backups are often centralized at larger companies, but SMBs need daily backups of their data too.

Lastly: If possible, use a professional firewall. In the best case, you should rely on a UTM firewall that protects you even if malware has already affected your system. The LANCOM R&S®Unified Firewalls are an example of how small and medium-sized businesses can benefit from a made-to-measure overall solution for state-of-the-art security and Unified Threat Management (UTM).  

The responsibility for cybersecurity is becoming more widespread. The best approach is to work hand-in-hand with specialist resellers or IT administrators to develop an overall concept for identifying and eliminating any existing weaknesses. Until you can implement this, we recommend that you make the best use of the resources available to you in the short term.
