Simple steps your small organization can take to defend itself against cyberattacks

Respected security researcher Dan Wallach from Rice University has published a short (18-page) guide to securing small organizations against three kinds of cyberattack: Untargeted, remote (spammers, phishers, ransomware griefers, etc.); Targeted, remote (spear phishers); and Targeted, in person (immigration agents, police, criminal trespass).


It's an essential guide for an increasingly overmatched nonprofit and small business sector that has to contend with adversaries who can avail themselves of sophisticated attack tools even when they themselves are not particularly sophisticated.


If there's one thing we learned from the leaks of the DNC emails during the 2016 presidential campaign it's this: cyber-security matters. Whether or not you believe that the release of private campaign emails cost Clinton the election, they certainly influenced the process to the extent that any political campaign, any small non-profit, and any advocacy group has to now consider the possible impacts of cyber-attacks against their organizations. These could involve espionage (i.e., internal secrets being leaked) or sabotage (i.e., internal data being corrupted or destroyed). And your adversaries might be criminal hackers or foreign nation-state governments.


If you were a large multinational corporation, you'd have a dedicated team of security specialists to manage your organization. Unfortunately, you're not and you can't afford such a team. To help you, this document summarizes low-cost tactics you can take to reduce your vulnerabilities using simple techniques like two-factor authentication, so a stolen password isn't enough for an attacker to log into your account. This document also recommends particular software and hardware configurations that move your organization "into the cloud" where providers like Google or Microsoft have security professionals who do much of the hard work on your behalf.

HOWTO: Protect your small organization against electronic adversaries
[Dan Wallach/Rice University]