Usually when people discuss network security and potential threats, they are talking about external threats. A hooded figure behind a keyboard may not be the most likely culprit out there. Perpetrators can be on your own payroll. While news of large companies being breached pop up regularly, the importance of internal data security for small business is not often covered. Yet, it is the leading threat and source of network security breaches in small business.
This article covers five important network security concepts to address in your business to create a strong and reliable IT environment for your business to operate day to day, and for you to sleep soundly at night knowing you will be better protected from the most malicious threats out there.
Who is a threat?
According to the Cyber Security Intelligence Index from IBM, 60 percent of all network attacks in 2015 were from insiders. A former Google Engineer worked to steal secrets from Google and give them to Uber. In small business, internal users steal access, client lists, research and more.
Businesses need to protect their investments, unfortunately sometimes against their own employees.
The often overlooked threat is the disgruntled employee who isn’t motivated enough to leave, but is disgruntled enough to internally sabotage the company. There is also the dejected employee planning their exit and their revenge by stealing data, research, client lists or all of the above to take with them or sell to competitors. Good IT policy and infrastructure must be in place to limit this type of risk or loss.
There also also hackers.
Hackers fall under several categories, one of which is a “grey hat” hacker. Grey hats are in the middle of white and black (white hats working for corporations to increase security, black hats being the malicious hackers). Grey hat hackers’ goals are often more associated with being able to do something (bragging rights), and the grey hat is also the most common internal security threat. Grey hats pride themselves on their ability to use social engineering to achieve their goals, even going as far as getting employed at their target.
“Approximately $1 trillion is expected to be spent globally on cybersecurity through 2021” – Forbes
In business today, IT investment is crucial. Your budget requires a line item for IT planning, including hardware replacement, software licenses, network infrastructure improvements and associated subscriptions, and network management by internal IT staff or a Managed IT Service Provider. Our team here at TUCU – a Toronto Managed Services Provider & IT Support Company, has compiled an overview of areas you can improve to reduce the potential of an internal security threat causing catastrophic losses to your business. TUCU wants to help you avoid that potential loss. Here are the top 5 most important areas to review for strong internal IT security for small business.
1. User Access Control
By definition, “Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.” –TechTarget
Despite policy and rules, employee’s will still use business device’s for personal use, browsing the web, or downloading programs. This creates risk. If everyone can install programs on any computer in your network that means anyone can install a virus, or even ransomware. Viruses and ransomware spread through networks quickly, and usually target backups first. Your employees should only have as much access as they need. In IT security, this does not include access to installing anything on company devices.
Businesses must have a clear understanding of the “who and what”, in other words, who has access to what information. The “Just Enough Access” policy is designed to only grant access to the data that is necessary for daily business functions. This will reduce the risk of data loss exponentially.
The basic way to control access is to remove administrator rights that come standard with all new computers and allow installation of any software. Only select management personal and IT should have administrator rights on your network. IT or management should create a standard user profile on every computer which is assigned to the employee for day to day work. The administrator profile should only be accessed by management or IT when a software download or configuration change is required.
Another method of access control is assigning who has access to specific files or resources. Segregating data by need is wise. All employees need access to basic files such as the HR manual or the contacts list. Only key employees need access to more sensitive files or resources pertaining to book keeping, research, client contracts, sales leads and so on. Plan your network setup accordingly.
Common methods to control access include cloud services such as JumpCloud or a more robust user directory service such as Active Directory.
JumpCloud is very simple and lightweight, and designed for company’s without a server, working in the cloud. It allows you to control who can access company devices, and control what permissions that user has on the device.
Active Directory is more robust, requires a server, and takes longer to setup, but ultimately provides more security. You can control everything from what applications the user can access, to where the users files are stored, and automate many features of your day-to-day operations. Speak to your IT Consultant about the cost for a server and Active Directory to be setup in your business.
JumpCloud can be setup by an IT professional in approx 3 hours, while Active Directory may take a week. JumpCloud requires an agent be installed on the client device, and there are no hardware requirements. Active Directory requires a dedicated server, and possibly some upgrades to your network infrastructure.
By using a directory service, your business will be better protected from malicious software, malicious users, and potentially catastrophic data loss.
2. Whitelisting & Safe Browsing
Blocking risky sites to create “safe browsing” is an effective means to limit accidental installation of malware or ransomware. Safe browsing is important because employee’s will often spend time surfing the web at work. This isn’t just a waste of time, which is forgivable, but is also a network security risk as threats such as ransomware are sometimes hidden in downloads like video clips or pictures.
“95% of cybersecurity breaches are due to human error” Cybint Solutions
With the right IT setup, you can whitelist safe sites or blacklist sites or entire categories of sites so they can not be accessed from the company network devices. Speak to your IT provider about creating a safer browsing environment in your business.
3. E-Mail Phishing Awareness
One of the most common causes of data theft or loss is through e-mail phishing. Phishing is an attempt to collect data from a person by impersonating a company you do business with, or another employee within your own company. Educating your employee’s on how to spot a phishing attempt is the most effective way to prevent possible data loss or theft.
Even with a good company policy in place, some employees may be working with the phisher, or the phishing attempt may just be effective enough to trick them.
A common way to prevent phishing attempts from reaching your employee’s in the first place is by using a service such as Office 365 with Advanced Threat Protection. This would require you to move your exchange server to the Office 365 cloud. This upgrade will benefit you in many ways:
- Office 365 exchange is managed by Microsoft’s team of security professionals who can better manage an exchange server than any small business owner
- Office 365 offers more security and features than on premise exchange servers
- Includes Office 365 Advanced Threat Protection which uses advanced AI to predict potential phishing scams and filters them automatically
The cost of Office 365 Business Premium (which comes with licensing for all Office products) is $15.20/ user, per month at the time of this writing. Office 365 Advanced Threat Protection add on costs just $2/user, per month. Using Office 365 and ATP to help block phishing and virus attacks through e-mail is a smart investment for small business teams without internal IT employees.
Your exchange server and all email can be moved to Office 365 by an IT professional without much involvement from you. If you also opt for Advanced Threat Protection, it can be configured and applied to each user in approximately one hour. Speak to an IT consultant to get an estimate for moving all your existing email accounts with all past emails, contacts and calendars to Office 365. All projects vary in cost depending on number of users, accounts and volume of data to be moved.
4. Secure Bring Your Own Device (BYOD) Policies
Bring your own device (BYOB) is a popular trend among businesses, allowing employees to bring and connect their personal devices to the company network.
BYOD can save money on hardware purchases, but it comes with added risk that may not be worth the loss of control.
BYOD can increase the risk of network breach when employees install third-party applications that could be infected with malware.
BYOD can increase the risk of data loss in the event the device is lost or stolen and no remote wipe capability is in place.
Entrepreneur states “An estimated 4 percent of all mobile devices are already infected with malware, not only impacting the device owner but also employers.” In the IT security world, 4 percent is equivalent to a red alert.
If your company is using BYOD, there are some steps you can take to limit risk and ensure user devices meet your business security standards. Work with your IT partner to create a BYOD policy that:
- requires all personal devices used for work to be stored safely and password protected
- to have a Mobile Data Management (MDM) solution installed to partition company data from personal data, and remotely wipe company data in the event of employee exit or device loss
- or to create a thin client solution which allows employees to securely connect to company data through their personal devices
Common options for Mobile Device Management for employee’s who bring their own phone’s and laptops to work are offered via G Suite’s Work Profile or Microsoft’s InTune. Both options allow you to create a separate profile that can be fully managed, and even completely deleted remotely in the event of a security breach. Setting up either solution requires you to use the providers email solution – either Office 365 or G Suite email for work.
Setup of G Suite Work Profile would take approximately 1 hour for master account setup in the admin console + 15 minutes per device.
Setup of Microsoft InTune would take approximately 2 hours for master account setup in the admin console + 15 minutes per device. Microsoft InTune costs $7.70/ user per month at the time of this writing.
A common thin client solution is Virtual Hosted Desktop (VHD). You can use this to more safely allow employees to use their personal computers for work. A VHD creates a complete desktop image with an operating system in a virtual space. Any employee can access the virtual desktop remotely and perform work duties. This allows all business applications and data, along with connections to the machine, to be managed and monitored by your IT staff or managed IT service provider, which reduces your risk. Speak to your IT professional about better BYOD solutions or thin client solutions today.
5. Secure File Storage
While using USB drives or personal cloud storage may be convenient for employees, it can leave dangerous gaps in your IT security.
Personal cloud storage may seem very convenient for moving files from device to device, and employees will use their own cloud accounts because it is easier for them. The main issue with this type of storage is that it is also being used on the employee’s personal devices, which are not monitored or maintained by professional IT staff. An employee, or someone who has gained unauthorized physical access of the device, can easily steal company data or upload malicious code to the device and network without being detected.
Use of USB devices should be restricted or disabled by group policy.
You can have a policy that requires the USB key to be encrypted before anything can be written to it. This reduces risk in the event of drive loss or theft as the contents can not be accessed. This does not stop internal threat. An employee can steal data using a USB.
Additional policies can be applied to USB drives to prevent their use entirely. These policies can be applied on a per user basis, granting USB key access to only key employees that require it.
Use of personal cloud drives should be prohibited. Because employees are known to break the rules, and 87% of employees surveyed reportedly ignored company policy to not use personal cloud storage, you need a better solution. A common solution is to purchase a subscription to a service like OneDrive or DropBox for your business, which allows your team to use tools they are comfortable with and favour, but the data and account is owned and managed by the business.
The cost of these services depends on how much data you intend to save to the cloud, and how many users there are.
Using a cloud-storage service will ensure that if an employee does commit data-theft or deletes key data, your files are safe via notifications and recovery options, and the employee would be help accountable for their actions. Your business will be better protected from both external and internal threats, and your data will be safer in any major security event.
While this article highlights some crucial aspects of IT security, the most important step to having strong network security in place is having an IT expert setup, manage, and monitor your IT environment. It is hard enough for small business owners to keep up with the daily tasks of operations. Managing IT should be delegated to trained professionals.
“43 % of cyber attacks target small business.” Small Biz Trends
Toronto IT Services Providers: While most small business may not be able to keep a full-time expert on staff, companies like TUCU in Toronto exist to reduce your risk, defend and manage your network, and give you peace of mind. Hiring an IT managed service provider to consistently and thoroughly manage your network, provide recommendations, and help you form your IT security policies will help your business operate daily with less interruption or loss. Call us today for a free consultation and find out how TUCU can help support your business.