Preventing Small Business Security Issues in 2015
In our last post we talked about the growing security risks for small businesses and why digital criminals are targeting small businesses. In this post, we are going to talk about how to minimize your risk. Online criminals go after the easiest targets first, so don't be the easy target.
The first thing we have our clients do is take a good look at their password policies. Long gone is the day when employees logged into their computers once a day with a user name and a password. Now they get into the office, log into the computer they brought from home, connect to the office Wi-Fi, connect to a VPN, log in to Office 365, log in to an online CMS program or a WordPress site, or Facebook, Twitter, and any number of other client or partner sites.
Then they connect their phone and their tablet. The average employee connects to anywhere from 10 to 30 sites on an average workday, and passwords have become harder to manage. Sites have different rules about what password combinations are acceptable and how often they must be changed. As a result, employees typically default to the lowest common denominator and use one easy-to-remember password across all of the sites they use. This is the worst thing that you can allow to happen. Hackers use brute force to crack simple passwords, which could expose some of your systems. Worse, when other companies are hacked, the password that your employee used on the compromised site can be used to log in to yours just as easily.
What we recommend is that employees be trained on how to craft harder-to-crack passwords, and that you have a policy of not sharing passwords across sites. Better yet, use a password manager such as LastPass, which helps employees create unique passwords for each site and automates the login to many sites through browser plugins, which actually makes using passwords easier.
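The "no shared passwords across sites" policy above is easy to state and hard to verify by eye once an employee has dozens of logins. The audit script below is an added example (not from the original post or from any password-manager vendor): it walks a constructed vault export, groups entries that share a password across sites, and flags entries shorter than an assumed minimum length, without ever echoing the secret itself in its findings.

```python
"""Audit a password-manager export for reuse across sites and short passwords.

The vault rows, site names and the 12-character minimum are constructed
assumptions for illustration; substitute your own export and policy.
"""
from collections import defaultdict

MIN_LENGTH = 12  # assumed policy minimum, not a figure from the post

# Constructed sample export: (site, username, password).
SAMPLE_VAULT = [
    ("office365.example", "alice", "Summer-Vacation-2015!"),
    ("wordpress.example", "alice", "Summer-Vacation-2015!"),
    ("facebook.example", "alice", "Summer-Vacation-2015!"),
    ("vpn.example", "bob", "correct-horse-battery-staple-42"),
    ("cms.example", "bob", "Xk9#pLm2$vQw7!nR"),
    ("twitter.example", "carol", "pass"),
]


def find_reused(vault):
    """Return one sorted site list per password that appears on more than one site.

    The password itself is deliberately not part of the result, so the
    report can be shared with the employee or their manager safely.
    """
    by_password = defaultdict(set)
    for site, _user, password in vault:
        by_password[password].add(site)
    groups = [sorted(sites) for sites in by_password.values() if len(sites) > 1]
    return sorted(groups)


def find_short(vault, min_length=MIN_LENGTH):
    """Return the sites whose password is shorter than the policy minimum."""
    return sorted(site for site, _user, pw in vault if len(pw) < min_length)


def audit(vault):
    """Combine both checks into a per-site to-do list for the employee."""
    reused = find_reused(vault)
    short = find_short(vault)
    sites_to_fix = set(short)
    for group in reused:
        sites_to_fix.update(group)
    return {"reused": reused, "short": short, "sites_to_fix": sorted(sites_to_fix)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_VAULT).items():
        print(f"{key}: {value}")
```

Sites that land in both lists need a new password that is both unique and long; sites that appear only in the reuse groups are the ones where a breach elsewhere would let an attacker walk straight in.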
Use Security & Antivirus Software, But Don't Trust It
The next thing we work with our customers on is setting up security software and making sure it's up to date. One of the biggest issues is that clients are leaving the equivalent of the back door unlocked and open, either by not having good security software at all or by not keeping it up to date. The basic requirements are some form of anti-virus and anti-malware software on all endpoints (PCs, laptops), and on your servers if you have them. Firewall software is also required to ensure that your connections to the internet are protected. Up to date means that the software is regularly patched and the anti-virus / anti-malware definitions are updated frequently.
Once it's set up it will help… but don't trust it. Not 100%. Anti-virus companies can only update their definitions once they know about a virus, and virus writers certainly don't notify them once they've released a new one… and hundreds of thousands of new viruses are created every day. When a vulnerability is found in existing firewall software, hackers don't (usually) notify the vendors, and some exploits are left in the field for years. And some malware and viruses take days to be discovered by antivirus software, which is long enough to have your data stolen.
It's like your immune system. Once you've gotten the flu or a flu shot (a flu shot is better) you are immune to that flu. But next year's flu evolves and you are no longer immune to it. It's also why there's no cure for the common cold, because the common cold is actually many different types of evolving viruses. You need to assume that your IT systems are going to be hit by viruses and hacks that you aren't immune to. But you should be taking steps to keep your immunity as healthy as possible.
Set Up Intrusion Monitoring
We work with our customers to set up monitoring tools that help us identify unusual network behaviour, so that in the event that something does get through, the likelihood that it will be caught is greater. Good monitoring software works like your immune system to identify intruders, and then takes action to lock down the areas that are being attacked.
Assume, though, that something or someone is going to get through. When that happens you want to make their job as hard as possible. Ensuring that all data and files are stored and transmitted using strong encryption means that even if files are stolen or intercepted, they will be useless to the hackers who get them.
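One concrete piece of "unusual behaviour" worth watching for is the brute-force password guessing mentioned earlier: a burst of failed logins from one source, and especially a successful login right after such a burst. The detector below is an added example, not code from the original post or from any monitoring product; the log line format, the addresses, the 5-failures-in-60-seconds threshold and the log lines themselves are constructed assumptions.

```python
"""Flag login brute-force bursts in constructed authentication log lines.

Assumed line format: "<ISO timestamp> LOGIN <OK|FAIL> user=<name> src=<ip>".
Thresholds and sample data are illustrative, not from the post.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
MAX_FAILS = 5                    # assumed: failures that count as a burst
WINDOW = timedelta(seconds=60)   # assumed: sliding window for those failures

# Constructed sample log: one source tries five accounts in ten seconds and
# then succeeds; another source has two isolated failures minutes apart.
SAMPLE_LOG = """\
2015-01-12T09:00:01 LOGIN FAIL user=alice src=203.0.113.7
2015-01-12T09:00:03 LOGIN FAIL user=bob src=203.0.113.7
2015-01-12T09:00:05 LOGIN FAIL user=carol src=203.0.113.7
2015-01-12T09:00:08 LOGIN FAIL user=dave src=203.0.113.7
2015-01-12T09:00:10 LOGIN FAIL user=erin src=203.0.113.7
2015-01-12T09:00:12 LOGIN OK user=alice src=203.0.113.7
2015-01-12T09:00:15 LOGIN FAIL user=alice src=198.51.100.4
2015-01-12T09:05:20 LOGIN FAIL user=alice src=198.51.100.4
2015-01-12T09:10:30 LOGIN OK user=alice src=198.51.100.4
""".splitlines()


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bursts(lines, max_fails=MAX_FAILS, window=WINDOW):
    """Return (kind, src, user, timestamp) alerts for bursts and post-burst successes."""
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    burst_sources = set()        # sources already alerted on, to avoid repeats
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "FAIL":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= max_fails and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(("brute_force", src, ev["user"], ts.isoformat()))
        elif src in burst_sources:            # a success after guessing is the real alarm
            alerts.append(("success_after_burst", src, ev["user"], ts.isoformat()))
    return alerts
```

The second alert kind is the one that should page someone: a burst that ends in a successful login is exactly the "easy target" scenario the post warns about, and it is the point at which lockdown and a forced password reset for that account are in order.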
Use Whitelisting Applications
Your employees are likely to try to download all manner of software on your computers, often inadvertently, simply by playing a Facebook game or downloading an attachment with an embedded virus. You can set up software that prevents them from doing so, only allowing them to install the software that has been pre-tested and pre-approved (whitelisted) by your IT consultant. This will keep them from unintentionally installing viruses and malware on your systems. Research shows that users have bad habits and that user training has a very limited effect, so whitelisting gives you tighter administrative control over your entire network and keeps all users and data safer.
Get Ready For 2015
Last year saw many high profile examples of companies being hacked, customer data stolen, and reputations tarnished. It costs businesses time, money, and clients when they get hacked, and it hurts their clients by exposing them to hacking. Like a virus, security issues can spread from one company to another, as weak passwords that are discovered at one company can be used to steal data from another. It's imperative that you protect yourself, your clients, and your partners by making yourself as immune as possible to security issues. Don't be the easy target.