
3 Simple Steps to Improve Your Freelance Business’s Security

2020-04-09

All too often, security advice is aimed at large companies that can afford to spend hundreds or thousands of pounds on security procedures. What follows is advice that anyone should be able to follow.

That being said, if you can afford to hire a security professional, do so. They will be able to target advice at your business specifically.

I work as a security consultant. I am often tasked with trying to break into a website or computer system to identify a client’s risks. A huge proportion of my successful attacks would have failed if the following three practices had been in place.

As a small business, your aim should be to minimise risk: you don’t want to be the low-hanging fruit. The hard truth is that if a nation state or a highly skilled attacker targeted you, you would probably be compromised. What you can do is make it hard. Stop the “bored teenager in their bedroom” from being able to get into your systems.

Use a Password Manager

We all hate passwords. Unfortunately, they are a necessary evil until we come up with something better. My advice to all of you is to use a password manager: a program that generates random passwords and remembers them for you. This way you never have to re-use a password, and you have no excuse for leaving a default password in place.

We all hear that re-using passwords is bad, but why? Websites get hacked, and the result is often that your email address and password are leaked. If you use the same email address and password on other sites, an attacker can simply log in to those sites with your leaked credentials (this is known as credential stuffing, and it is automated). Don’t take my word for it: put your email address(es) into a breach-lookup website to see whether they have been leaked. Unless it is a new email address, it has probably been in at least one breach, and if it hasn’t, there is a good chance it will be in a future one. My point is that passwords get leaked, and if you re-use them, you are handing attackers the keys to your other accounts. Password managers generate a random, unique password for every site you use, so even if one account is compromised, your other accounts are not.

A common criticism of password managers is that if your password manager is hacked, all your accounts are compromised. Normally this is not the case. Any reputable password manager encrypts your stored passwords on your own device with a key derived from a single strong master password that only you know; the provider never sees that password. An attacker who steals the provider’s database gets only encrypted vaults and still has to guess each user’s master password, which is exactly why that one password has to be strong (see below).

I would suggest looking at Dashlane or LastPass. Both are mature projects that have browser extensions and mobile apps.

You will need to remember one strong password for your password manager. I suggest a passphrase rather than a password: 4-6 random words joined with special characters. Passphrases are much easier for humans to remember but harder for attackers to guess, provided the words are genuinely chosen at random (by a generator or dice) rather than picked from your head, since the strength comes from the number of possible combinations, not from how odd the words look. If you’re interested, read about how to create a strong password here.
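As an added example that is not part of the original post, the following Python script does what the two paragraphs above describe: it generates a random site password the way a password manager does, builds a 5-word master passphrase joined by random special characters, and works out how many bits of entropy each has. The word list is a constructed 30-word toy list (an assumption for the demo, far too small for real use); the EFF long word list has 7776 words, which is the figure used in the comparison.

```python
"""Generating a random site password and a random master passphrase."""
import math
import secrets
import string

# Constructed 30-word sample list, far too small for real use: a real
# passphrase should come from a list of thousands of words (the EFF long
# list has 7776) so that every word adds about 13 bits of entropy.
SAMPLE_WORDS = """
anchor basket cactus dragon ember falcon garden harbor island jungle
kettle lantern marble nectar orbit pepper quartz rocket saddle timber
umbrella velvet walnut yellow zipper bridge copper desert forest glacier
""".split()

SEPARATORS = "-_!@#$%&"
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=PASSWORD_ALPHABET):
    """A site password as a password manager would make it: uniformly random
    characters from a large alphabet, drawn from the OS CSPRNG via `secrets`
    (never `random.choice`, which is predictable)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count=5, separators=SEPARATORS):
    """A master passphrase: `count` words picked at random from `words`,
    each pair joined by a randomly chosen special character."""
    if count < 4:
        raise ValueError("use at least 4 words")
    chosen = [secrets.choice(words) for _ in range(count)]
    phrase = chosen[0]
    for word in chosen[1:]:
        phrase += secrets.choice(separators) + word
    return phrase


def passphrase_words(phrase, separators=SEPARATORS):
    """Split a passphrase made by generate_passphrase back into its words."""
    for sep in separators:
        phrase = phrase.replace(sep, " ")
    return phrase.split()


def entropy_bits(choices, picks):
    """Bits of entropy in `picks` independent uniform picks from `choices`
    options. This is what makes a generated secret strong: the size of the
    space it was drawn from, not how the result looks."""
    return picks * math.log2(choices)


def passphrase_entropy_bits(word_list_size, word_count, separator_choices=1):
    """Entropy of a passphrase: the words plus the random separators between them."""
    return entropy_bits(word_list_size, word_count) + entropy_bits(
        separator_choices, word_count - 1
    )


if __name__ == "__main__":
    print("site password:", generate_password())
    print("  entropy: %.1f bits" % entropy_bits(len(PASSWORD_ALPHABET), 20))
    print("master passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("  entropy with this toy list: %.1f bits"
          % passphrase_entropy_bits(len(SAMPLE_WORDS), 5, len(SEPARATORS)))
    print("  entropy with a 7776-word list: %.1f bits"
          % passphrase_entropy_bits(7776, 5, len(SEPARATORS)))
```

Running it shows the point of the paragraph: five words from the toy list give only about 37 bits, five from a 7776-word list give about 77 bits, and a 20-character generated site password gives about 131 bits. A passphrase you made up yourself has far less entropy than the formula suggests, because the words were not drawn uniformly at random.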

Once you’ve signed up, use it. Go through all of your online accounts and generate a new password for each one with your password manager.

Don’t Ignore Your Updates

Updates are another necessary evil. They often include security fixes, and if you ignore them, your computer or website stays vulnerable to whatever the update fixed. Once a fix is published, attackers typically learn the details of the problem within days, and they then scan the whole internet for systems that haven’t been updated; they don’t have to be targeting you specifically.

The WannaCry attack in May 2017 crippled many organisations, including the NHS. Microsoft had released an update fixing the vulnerability it exploited two months earlier. If people had updated their systems in a timely manner, hundreds of millions of pounds would have been saved; it was reported to have cost the NHS alone £92 million. All because an update wasn’t applied.

If you can enable automatic security updates, you should. It is very rare for an automatic security update from an established vendor to break anything, and even when it does, the cost of not updating can be far worse. Most website content management systems and operating systems have this option. If yours doesn’t, it is up to you to make sure updates are applied promptly.

Don’t Trust Emails

Emails have changed the way we do business. They allow us to communicate with people quickly and effortlessly. Because of this, we don’t treat them with the scrutiny we should.

It is very easy for an attacker to send you an email that appears to come from someone else: the “From” address is just text the sender fills in, and unless the sender’s domain publishes SPF, DKIM and DMARC records and your mail provider enforces them, nothing stops an attacker putting any address there. Attackers do this to trick you into disclosing sensitive information, a technique called phishing.

Often, the attacker will have built a website that looks exactly like a login screen you use. They direct you there using a link in an email, and when you fill in your username and password, they are sent to the attacker rather than to the website you thought you were logging in to.

Another common scenario is an email attachment containing malicious code. It could be something as innocent-looking as a Word document, but one carrying a malicious macro that, once you allow it to run, gives the attacker access to everything on your computer.

My advice: treat emails with caution. Unless you are expecting an email, don’t click on its links or download its attachments. If an email contains a link that asks you to sign in, make absolutely sure you are on the website you think you are on: check the address in your browser’s address bar, not the text of the link, because the two can say different things. If in any doubt, don’t fill in the form. Go to the website as you normally would, through your bookmarks or by typing in the website address yourself.
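To show concretely what “make sure you are on the website you think you are on” involves, here is an added Python example (not code from the original post) that takes the links out of an HTML email and works out which site each one really goes to. It handles the common tricks: a real-looking name buried in a subdomain (`accounts.google.com.login-verify.example`), a user-info part before an `@` (`https://google.com@evil.example/`), internationalised (`xn--`) host names that can display as look-alike characters, and link text that shows one address while the link goes to another. The sample email and the short list of two-label public suffixes are constructed for the demo; a real tool would use the full Public Suffix List.

```python
"""Spotting a phishing login link: where does the link really go?"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, deliberately small set of two-label public suffixes so that
# "login.example.co.uk" is treated as belonging to "example.co.uk".
# A real tool should use the full Public Suffix List (publicsuffix.org).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}

URL_IN_TEXT = re.compile(r"https?://\S+")


def real_host(url):
    """Host the browser will actually connect to, lowercased, or '' if none.

    urlsplit() drops anything before '@', so the classic trick
    'https://google.com@evil.example/' correctly yields 'evil.example'.
    """
    return (urlsplit(url).hostname or "").rstrip(".")


def registered_domain(host):
    """Naive owner domain: the last two labels, or three for co.uk-style suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_login_link(href, expected_domain, link_text=""):
    """Verdict for one link: expected_domain is the site the email claims to be from."""
    host = real_host(href)
    domain = registered_domain(host)
    problems = []
    if urlsplit(href).scheme.lower() != "https":
        problems.append("link is not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("internationalised (punycode) host: may display as look-alike characters")
    if domain != expected_domain.lower():
        problems.append(f"link really goes to {domain or '(no host)'}, not {expected_domain}")
    shown = URL_IN_TEXT.search(link_text or "")
    if shown:
        shown_domain = registered_domain(real_host(shown.group(0)))
        if shown_domain != domain:
            problems.append(f"link text shows {shown_domain} but the link goes to {domain}")
    return {"host": host, "domain": domain, "ok": not problems, "problems": problems}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email(html, expected_domain):
    """Check every link in an HTML email body against the site it claims to be."""
    collector = _LinkCollector()
    collector.feed(html)
    return [check_login_link(href, expected_domain, text) for href, text in collector.links]


# Constructed sample phishing email: the visible text says accounts.google.com,
# but the real destination is a subdomain of login-verify.example.
SAMPLE_EMAIL_HTML = (
    "<p>Unusual sign-in detected. Please <a href=\"https://accounts.google.com."
    "login-verify.example/signin\">sign in at https://accounts.google.com</a> "
    "within 24 hours or your account will be suspended.</p>"
)

if __name__ == "__main__":
    for verdict in audit_email(SAMPLE_EMAIL_HTML, "google.com"):
        print("OK" if verdict["ok"] else "SUSPICIOUS", verdict["host"], verdict["problems"])
```

The lesson is the one in the paragraph above: the only part of a web address that decides which server you are talking to is the host name immediately before the first `/` (and after any `@`), read from right to left. Everything to its left, and everything the link text says, can be whatever the attacker wants. The `xn--pple-43d.com` case in the checks below is `apple.com` spelled with a Cyrillic “а”, which a browser may render indistinguishably from the real thing.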

If you receive an email with an attachment, especially one you weren’t expecting, be very cautious. Even if you trust the person who sent it, you can’t be sure that their computer or email account hasn’t been compromised. If you can, phone them and confirm that they (and not malware on their computer) sent the email.

In Summary

The above should prevent a lot of low-skilled attacks. Re-used passwords, missing updates and people who click on links are some of the first things I look for when attempting to break into a computer or website. These measures won’t make you immune to attack, but they will make you more resilient.

So:

  • Use a password manager; that way you can set strong passwords for everything without re-using them.
  • Do your updates; that way known vulnerabilities are fixed before they are exploited.
  • Don’t trust emails; this makes it much harder for attackers to trick you into giving up sensitive information.