Every business faces potential security risks. I.T. security for independent consultants is an important practice to put into place.
This resource provides 12 actions for cyber information security that independent consultants can take to protect their privacy and data.
The information in this resource was provided by information security consultant Gary Chan of Alfizo in Episode 263 of our Unleashed podcast.
Please keep in mind that there is no “one size fits all” security solution — but these actions will help you keep your online data and sensitive information safe from cyber threats.
Contents
You can click any section to go directly there:
2. Know your legal, regulatory, and contractual obligations
5. Follow good authentication practices
10. Use encryption
Additional Resource: Remote IT Support
1. Back up your data
You should always be backing up your files. This is important not only because of a potential security breach, but also in case of computer failure or human error that could cause you to lose data. This allows you to restore your data to pre-crisis times.
Save at least six months’ worth of history
If you do unfortunately get ransomware that encrypts your data and you have only the most recent back-up file (rather than several months of back-up history), your backup will also be encrypted with the ransomware.
Use a separate back-up system from your computer
You should be backing up to a different place than the main PC that you use. There are two potential methods for this:
- Back up to another computer or hard drive
- Back up to the cloud with online solutions such as:
Chan says that it’s not a bad idea to even back up to both places: a separate, physical hard drive and the cloud.
“One of the real benefits of having physical hard drives, a separate physical device that is disconnected from your PC, is because even if you get malware, it’s not going to affect your backup.”
Back up regularly
Once you have the back-up system of your choice in place, make sure you back up regularly. This could mean every day or every week, depending on your usage and sensitive information. You can set your system to perform automatically scheduled backups, perhaps late at night after you are out of the computer.
2. Know your legal, regulatory, and contractual obligations
More clients are inserting information security clauses into their contracts. Fortunately, most of those requirements will likely be satisfied by following the recommendations in this guide.
Your obligations could stem from:
- Legal requirements. These depend largely on the type of data you’re collecting. If you are collecting, for example, financial or healthcare data, or perhaps social security numbers of employees or independent contractors, you have a legal obligation to store that information securely and keep it safe.
- Contractual obligations. A client may ask you to meet a particular privacy requirement.
It’s important to know what type of data you’re collecting, and what legal or contractual obligations you have. This will often be based on both the jurisdiction in which you live and work, whether that’s by country or state, as well as the type of information that you specifically have.
Please keep in mind that this does not constitute legal advice. If you have any questions about your legal obligations, please consult an attorney.
Additional Resource: Attorneys & Legal Services for Independent Consultants
3. Take awareness training
“I think it’s important for all of us to have a baseline understanding of security, especially since most of us get breached because of things that we do,” Chan says. “Not necessarily because [a hacker] found our machine.”
Cyber threats prey on security vulnerabilities.
“They send out a mass email, they see who clicked, who gave up their username and password. These are all sort of low table stakes that we can address through training.”
Chan’s company, Alfizo, has provided a free security awareness training program for Umbrex members:
Additional Resource: Free Information Security Awareness Training
4. Have email security
Use a commercial email security solution to quarantine malicious messages and spam. Free versions come with most email services, and you can purchase higher quality solutions for a modest monthly fee.
This is important to avoid threats from the phishing emails that we all get.
Office 365 and G Suite have a lot of spam and anti-phishing tools already built in. If your email solution does not come with built-in security, or you aren’t sure if it does, ask your provider if they offer security solutions as an add-on service.
5. Follow good authentication practices
This makes it substantially harder for hackers to break into your account. Chan says tighter authentication is one of the most important IT security practices to put into place.
There are two possible ways to do this.
Multi-factor authentication
This means that you not only enter your password to sign into your email or other accounts, but you have an additional security step such as:
- SMS authentication code sent to your phone
- An authenticator tool such as through Google or Microsoft
“I definitely recommend multi-factor authentication, because a lot of times hackers only have access to your username and password,” Chan says. “Having that extra step pushes you down the list of priorities, because these guys are just looking for the low-hanging fruit.”
Single sign-on solutions
These are services, called password vaults, that reduce the number of times you need to enter your passwords by saving them for you in a secure environment.
This allows you to automatically log in directly using the password vault, without storing your password on your computer or in a less secure way.
It is much easier than trying to remember your passwords for hundreds or thousands of different sites, or writing them down somewhere. These vaults can also generate extremely strong, random passwords for you and then store them so you don’t have to remember them.
Two recommended single sign-on password vaults are:
Additional Resource: Unleashed Episode 248: Using LastPass
6. Use anti-malware software
There are a number of anti-malware solutions on the market. Most computers come with built-in malware:
- Mac OSX products come with XProtect antivirus and malware removal technology.
- Microsoft Windows offers Microsoft Defender, which comes included when you purchase a Microsoft 365 subscription. It also offers Microsoft Defender for Business.
If you can afford it, purchase higher-end software to better protect against the latest threats, like ransomware.
Some recommended solutions include:
- Avast: In Chan’s opinion this is the best free product available.
- Cylance: The most effective one for home use, but it requires some technical ability.
- McAfee: Offers an AntiVirus Plus plan along with other privacy protection solutions.
- Norton: Their Norton 360 product comes in a number of different plans.
McAfee and Norton are amongst the most popular products. Most Internet service providers (ISP) offer either McAfee or Norton for free, so check with your ISP before purchasing anything.
Using one of these solutions should be sufficient for most independent consultants, Chan says.
“If you were a bigger business, I would probably say that it would make sense to invest in some higher grade ones. But for home use, I think whatever the internet service provider offers, or whatever you purchase, is probably sufficient.”
7. Use secure WiFi
There are a number of steps you can take to ensure that your WiFi network is secure.
Your own WiFi network
If you own the Wi-Fi infrastructure, use a good password (at least eight characters if not longer) and the WPA2 protocol.
Place all guests and customers on a separate guest network that you can create for that purpose.
Using other WiFi networks
When you are on an outside WiFi network — for example, in the airport or hotel when you’re traveling — you need to be more careful.
Remember that everyone who knows the WiFi password can potentially see your data. In addition, anybody can set up a network and publish the SSID to be the same as whatever that public WiFi is.
“So whenever you’re connecting to free WiFi at the airport, you really don’t know if you’re connecting to the official one or if you’re connecting to one that a hacker set up — and you won’t be able to tell very easily,” Chan warns.
The problem is even if there is a password, but you’re connecting to the fake network the bad guys set up, then they can see all of your information. The password only keeps people from being able to connect to that particular Wi Fi without it — it does not actually protect the data you use over that Wi Fi.
What protects your data is the fact that you’re using encryption, for example, between your machine and bankofamerica.com, for example. So if you’re connecting to another WiFi network, take a few precautions:
- Make sure you are logging into the official WiFi network.
- Use VPN (virtual private network) when on someone else’s WiFi.
- If you travel heavily, use your own mobile hotspot.
Use a VPN
A virtual private network extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
When you are browsing the internet from your own WiFi at home or the office, you are using your own private network. When using outside networks, a VPN will encrypt your internet traffic and disguise your online identity, making it more difficult for third parties to track your activities online and steal data.
The VPN will route your internet session from your location to a sort of middle-man location, and then to the destination you are visiting (for example, bankofamerica.com). It also encrypts the packets of information, so that even if there is a hacker who has access to the WiFi, your information is encrypted and protected.
There are a number of VPN services on the market you can buy for typically a few dollars per month. Although there are some free VPNs out there, Chan does not recommend using them.
One problem with a free VPN is that so many people are using it that the connection will often be extremely slow. A bigger problem is that some people offer a free VPN as a means to breach your computer — you connect to their VPN, and now they have access to your data.
Chan recommends Private Internet Access for a VPN.
Pay attention to security certificates
Websites with security certificates — which establish the identity, authenticity, and security of a website or web application — will begin with https, rather than http.
This is also known as a Secure Socket Layer (SSL) certificate. SSL keeps internet connections secure and prevents criminals from reading or modifying information transferred between two systems. When you see a padlock icon next to the URL in the address bar, that means SSL protects the website you are visiting.
You can set your browser preferences to block websites without an SSL, or to ask you first if you want to proceed to a website that isn’t secure.
8. Update and patch
It’s crucial that you keep your operating system and installed applications updated at all times, and install any patches released for it.
Most operating systems will allow you to choose auto updates, and a best practice is to leave this auto-update on.
Also, when an update is installed, reboot your computer immediately. Often people delay rebooting because they are in the middle of something, but that can be dangerous.
“As soon as a patch gets released, a lot of researchers and hackers will look at that patch to figure out how to reverse engineer it, to figure out the vulnerability,” Chan says. “And so those guys work pretty quickly. Because as soon as they’re able to figure it out, they know how to exploit the computer system. And that’s when they start coding and writing all these malicious applications to get to all of the computers that have not been patched.”
If you install a patch but don’t reboot your computer, it can render you as vulnerable as if you didn’t have the patch.
9. Secure mobile devices
When it comes to your mobile phone, a few best practices can keep it secure:
- Lock your devices when you are not using them.
- Require a touch or face ID, or PIN, to unlock.
- Set a period of inactivity at which the device will automatically lock (five minutes, for example).
- Have a way to remotely wipe mobile devices in case they are lost or stolen.
10. Use encryption
Encrypt everything that you don’t consider to be public information.
A good rule of thumb is if you wouldn’t publish the information to the internet, make sure it is encrypted.
There are several services you can use for this:
Veracrypt is a versatile and free solution that requires a bit of a learning curve, but can be used to encrypt your entire hard drive.
This ensures that even if your device were lost or stolen, someone might have your data but they would not be able to read it.
11. Secure assets on the internet
If you have a website, share files in the cloud, or have any other data on the internet, be sure to follow instructions specific to the applications you are using to secure your data.
All of the major applications come with some sort of manual or guide that explains the settings and things that you can do to make it as secure as possible — multi-factor authentication, for example.
This is important because many hackers won’t even try to break into a physical device. They know people store their information in the cloud, which is why they more often are trying to hack into your email or your file stored online.
Some secure storage solutions include:
Whatever you use, make sure that you have security settings at the highest level and make it difficult to log in, with multi-factor authentication and strong recovery methods.
If you have a contact form on your website and get a lot of spam, consider adding a firewall and contact form filter.
12. Buy cyber insurance
Invest in an insurance plan to protect your business against unexpected events and lost data.
It’s important to thoroughly review what such a plan covers. Some will only cover security breaches for yourself, while others will cover your clients and their information as well.
As long as you have meet certain requirements and demonstrate that you are implementing some level of due diligence for data security, you can obtain cyber coverage for your business up to a certain dollar amount.
For more details on cyber and other business insurance, see our resource.
Additional Resource: Cyber Insurance for Independent Consultants
