Secure online banking accounts
One of the main targets for attackers is the machine used to access online business bank accounts, the better to empty them. This type of attack is now epidemic, with thousands of pounds lost at a time. There is no easy defence against this, but thinking laterally, one option is to use a dedicated machine running a minimal install to access these services and nothing else.
Most SMEs taking this approach either use a Linux machine or a stripped-down PC, but another option is to use a cheap Google Chromebook. Capable of being stripped back to a basic Chrome browser experience quite easily, they can't be infiltrated by executable malware the way other endpoints can. The only limitation is that some don't come with a physical Ethernet port, something we'd recommend. Note: online banking should always be used with a full two-factor authentication setup (i.e. not authenticated via SMS) regardless of endpoint. Note also that Chromebooks are not invulnerable, simply a lot less vulnerable when used in this way.
Get serious about passwords
Everyone knows passwords should be long, strong and oft-changed, but what does this mean in practice? How often is enough, and how long and complex will make the grade? The most important discipline is simply to change often those passwords that grant some kind of admin access. Doing this - and making them complex enough - will minimise the window of opportunity for attackers who do manage to get hold of them.
The only way to do this reliably is to automate the process using a password manager such as LastPass Enterprise, Centrify or Dashlane, which also impose 2FA as an additional layer. In particular, these automate regular password changes to a required standard of complexity. The underlying security of these products does have its complications, however, and one - LastPass - recently suffered a cyberattack of its own. The company was bought out by LogMeIn last month.
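To make "long, strong and oft-changed" concrete, here is an added example (not code from the article or from any of the password managers it names) of the three checks a manager performs for you: generating a password from the OS random source, estimating whether it clears a length and entropy bar, and deciding whether an admin credential is past its rotation age. The deny-list, the 14-character minimum, the 60-bit entropy floor and the 90-day rotation period are all assumptions chosen for illustration.

```python
import math
import secrets
import string
from datetime import date

# Constructed (not from the article): a tiny deny-list standing in for a
# breached-password feed that a real password manager would consult.
DENY_LIST = {"password", "password1", "letmein", "qwerty123", "admin123"}

# Character classes used both for generation and for the entropy estimate.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def generate_password(length=20):
    """Build a password from the OS CSPRNG, guaranteeing one char of each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    pool = "".join(CLASSES)
    chars = [secrets.choice(c) for c in CLASSES]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # don't leave the guaranteed chars at the front
    return "".join(chars)


def entropy_bits(password):
    """Upper-bound entropy: length * log2(size of the classes actually used).

    This is an upper bound because it assumes every character was chosen
    uniformly at random; human-chosen passwords score far lower in reality.
    """
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_policy(password, min_length=14, min_bits=60.0):
    """Return (ok, reason) for an assumed policy: length, deny-list, entropy."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in DENY_LIST:
        return False, "appears in breached-password list"
    bits = entropy_bits(password)
    if bits < min_bits:
        return False, f"only {bits:.1f} bits of entropy (need {min_bits:.0f})"
    return True, "ok"


def rotation_due(last_changed, max_age_days=90, today=None):
    """True if an ISO-dated credential is older than the assumed rotation period."""
    today_d = date.fromisoformat(today) if today else date.today()
    return (today_d - date.fromisoformat(last_changed)).days >= max_age_days


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "abcdefghijklmnop", generate_password()):
        print(f"{candidate!r}: {check_policy(candidate)}")
    print("admin password rotation due:", rotation_due("2015-01-01", today="2015-06-01"))
```

The entropy figure is only meaningful for machine-generated passwords; a human-chosen string such as "Password1!" would get a flattering score from the class count alone, which is why the length and deny-list checks run first.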
Patching of endpoint software is a major chore for most businesses, not helped by Windows' lack of a centralised patch manager for third-party applications. Windows 10 has also made big changes to the patching regime that some have struggled to understand.
While enterprises buy complex systems to manage patching to defined timetables and policies, small businesses can still try out free vulnerability and patch scanning tools such as Retina (for up to 256 IPs) or Microsoft's Baseline Security Analyzer (MBSA), the latter Windows-only.
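What a patch scanner does at its core is compare what is installed against a baseline of minimum patched versions. As an added example (not code from the article, nor from Retina or MBSA), the following uses a constructed software inventory and a constructed baseline with placeholder product names to report every host-and-product pair that is below the required version, so a small business can see the shape of the report such tools produce.

```python
import re

# Constructed sample inventory: (hostname, product, installed version).
# Product names are placeholders, not real software or real version data.
INVENTORY = [
    ("pc-01", "Example Reader", "11.0.10"),
    ("pc-02", "Example Reader", "11.0.2"),
    ("pc-02", "Example Java", "8.0.60"),
    ("pc-03", "Example Browser", "45.0.1"),
    ("pc-03", "Example Legacy Tool", "2.1"),   # not covered by the baseline
]

# Constructed baseline: minimum version considered patched for each product.
BASELINE = {
    "Example Reader": "11.0.10",
    "Example Java": "8.0.65",
    "Example Browser": "46.0.0",
}


def parse_version(text):
    """Turn '11.0.10' into (11, 0, 10) so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def find_outdated(inventory, baseline):
    """Return (host, product, installed, required) for every entry below baseline."""
    outdated = []
    for host, product, installed in inventory:
        required = baseline.get(product)
        if required is None:
            continue  # unknown product: reported separately by find_unbaselined
        if parse_version(installed) < parse_version(required):
            outdated.append((host, product, installed, required))
    return outdated


def find_unbaselined(inventory, baseline):
    """Products present on hosts but absent from the baseline (a coverage gap)."""
    return sorted({product for _, product, _ in inventory if product not in baseline})


def report(inventory, baseline):
    """Group missing patches by host, which is how most scanners present results."""
    by_host = {}
    for host, product, installed, required in find_outdated(inventory, baseline):
        by_host.setdefault(host, []).append(f"{product} {installed} < {required}")
    return by_host


if __name__ == "__main__":
    for host, findings in report(INVENTORY, BASELINE).items():
        print(host)
        for line in findings:
            print("  needs patch:", line)
    print("no baseline for:", find_unbaselined(INVENTORY, BASELINE))
```

Numeric comparison matters: a string compare would rank "11.0.2" above "11.0.10" and silently hide the out-of-date reader on pc-02. Products with no baseline entry are listed as a coverage gap rather than being treated as patched.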
Disable admin rights
Admin rights represent a major risk because they allow the user, and any software running as that user, to do things that might put the machine in peril, such as overriding security settings or installing non-approved software.