Aiming for watertight IT security is a tall order. If organisations like the German Parliament, British Airways or Ticketmaster can’t get it right, what hope for the rest of us? In fact, once you start looking at IT security the whole thing becomes so daunting that many smaller companies just give up and hope for the best. What if we were to tell you that with no more IT skill than, say, a proficient MS Office user, you could easily block most of the cyber threats faced by the average business? If you are facing a determined attack from the underworld or perhaps a foreign government, maybe these steps won’t quite do the job but, otherwise, read on and learn how to avoid leaving the front door wide open.
To give a sense of the IT skill level involved each step has been assigned a skill rating from 1 – 10 where 1 = a person who knows how to use a computer, 6 = a first level IT support desk person and 10 = an IT guru.
1. Keep your staff aware of the issue (IT skill level 1)
One of the most useful things you can do is to make sure that your staff are aware of the threats you face. We have learned over the years not to take awareness for granted. It might seem blindingly obvious to you to ignore, or at least mistrust, an email from someone you don't know that has wound up in your junk mail folder and insists that you should log into a website to retrieve some important information. But don't be so sure that this is equally obvious to everyone: think about new starters or people who may not be as busy as you might wish. The easiest way to raise general awareness of security is to include it as an item in staff meetings. All you need to do is remind people of the dangers, encourage staff to talk about their own or their friends' near misses or disasters and, most importantly, make sure that people know roughly what to look out for and who to ask if they are unsure.
2. Extend the secure protocols you already have (IT skill level 1)
All businesses have defined protocols for handling their core business activities, e.g., a contract must be signed before we start work, a signed purchase order must be received before we fulfil an order or only managers can make purchases over a certain value. Now consider some common scams: someone in Accounts receives an email supposedly from the MD asking for money to be transferred immediately in order to conclude an important deal, or a customer is sent an email supposedly from you asking for your bank account details to be updated (to the scammer’s account). It is trivially simple to design some protocols to avoid this kind of fraud, for example, make it a well-publicised policy that senior people will not as a rule ever ask by email for money to be transferred and, in the unlikely event they have to, any such request will be confirmed by voice or text and must be authorised by two senior people. Advise your customers at the outset that any important information relating to their account with you, such as changes to payment instructions, will only ever be advised by snail mail. If you look at your own business, it is usually easy to spot the vulnerabilities and design simple procedures to plug them.
3. Use anti-virus software (IT skill level 3)
It’s cheap, easy to install, easy to use and you must have it. All your computers, yes even Macs, need anti-virus (AV) software. It is arguable that Apple mobile devices (iPhones and iPads) don’t need AV protection as they are so tightly nailed down, but Android devices used for business certainly do, and as it is so cheap why leave out Apple devices? You don’t want to be the business that proves that iPhones do need AV protection after all. But which one should you use? Have a look at a comparison website such as this to find the right software for you. Key points to consider are:
- Does it have a good reputation for catching the latest threats, and some way of spotting other suspicious activity on your computer?
- Will it impact negatively on your computer’s performance?
- Can it warn you off dodgy websites?
- Does it provide you with a way to see if all your computers are protected without having to look at each one?
There are many more features that may interest you, but these are the key considerations. And don’t use ‘free for home use’ software to try to protect a business. Apart from breaking the licence terms, you won’t find the features you need. Once the software is installed, the key thing is to make sure it is kept up to date. You can drill this into staff, but they won’t believe you, so pay special attention to the method provided to let you get an overview of the status of each machine. The best way is an online console that shows you the protection status of your equipment in real time.
4. Don’t forget about other network equipment (IT skill level 3)
PCs and people don’t cover all the security vulnerabilities on a standard small business network. Network devices, such as the router supplied by your ISP, come with default passwords and these should be changed. Think about it: your router is the gateway that provides a path to the Internet for your staff and, if not secured, it also provides the same path from the Internet to your users. Take the time to read the leaflet that comes with any such device so you know how to change the password, and then change it. If, like most people, you have long since thrown away that leaflet, you will be able to find a copy online by searching for the device name and model number. What about printers? If it connects to your network, it can be accessed using its default password unless you change it. It would take a clever hacker to target you via your network printer, but why take the chance? And don’t forget that many modern printers store a copy of everything they print (until they run out of space), so take special care when disposing of printers.
5. Don’t share passwords (IT skill level 1)
It’s amazing (to us) how many reasons people find why they just must share their passwords, either with their colleagues or, for example, with an office manager. A lot of reasons relate to business efficiency or, for example, the need to access emails when people are off sick or on holiday. In fact, with a bit of careful planning, and OK maybe some IT help is needed here, it is not hard to design your system to cater for these business requirements without password sharing. So, what exactly is wrong with password sharing? Assuming you don’t freely share your Facebook password or smartphone PIN, you already know what’s wrong with password sharing. In a business environment, if password sharing is not discouraged, staff get the firm impression that your IT security counts for less than even their social media accounts. For many small businesses, passwords are about the only technical security controls they have. At least protect these. Any server access controls, e.g. restricting access to financial information, are completely dependent on secret passwords. There is a little bit too much to go into here (maybe another blog is required) but if you want to foster an environment in which security is even vaguely taken seriously, make password secrecy sacrosanct. If you have thought it through and decided some degree of password sharing is essential, then the way to do it is via a business class password manager and never an Excel spreadsheet (even if password protected!).
6. Make sure your data is backed up (IT skill level 3)
Backup is not always thought of in terms of security, but a reliable and regularly verified backup is one of your best defences. Though it seems to have been overtaken by phishing emails as the most popular attack on small business, ransomware remains very popular and devastatingly effective if you are hit. A ransomware attack works by encrypting your data until you pay a ransom. Unfortunately, the Bitcoin payment method demanded is often itself beyond the technical capabilities of many small businesses and you are not guaranteed to get your data back even if you do manage to pay. Though it won’t prevent the attack, knowing you have a good backup takes the pressure off. Backup is a big subject but there are a few key points to bear in mind in respect of ransomware:
- Backups must be verified. The easiest non-technical way to do this is just make it a routine task to attempt a file restore.
- Backups must keep multiple versions. If your files are encrypted and then backed up before you spot it and you only have one backup copy, then that too will become inaccessible.
- Backup destinations must be invisible to ransomware. You might need some IT advice or help on this one, but you should back up to a dedicated device that is not visible as a network share or attached drive. The logic here is that if the ransomware can see it, it can encrypt it.
Ideally have more than one backup destination: one in the office for quick restore and one online for emergencies.
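To make the three ransomware points concrete, here is an added example (not code from the original post) of a small versioned backup in Python: each run copies the source folder into a new dated snapshot, records a SHA-256 manifest, keeps only the newest few snapshots, and a "restore test" copies one file back out and checks it against the manifest. The folder names, the invoice file and its contents are constructed for the demo; the walk-through backs up a good file, then backs up again after the file has been overwritten to stand in for ransomware encryption, and shows that the older version still restores while the newest does not, and that a retention of three snapshots eventually drops the good one.

```python
# Added example (not from the original post): a minimal versioned backup with
# restore verification, illustrating the three ransomware points above.
# Paths, file names and file contents below are constructed for the demo.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_snapshots(store: Path) -> list:
    """Snapshot names, oldest first (labels sort chronologically)."""
    return sorted(p.name for p in store.iterdir() if p.is_dir())


def take_snapshot(source: Path, store: Path, keep: int = 7, label: str = "") -> Path:
    """Copy `source` into a new folder under `store` and record a manifest of
    SHA-256 hashes; snapshots older than the newest `keep` are pruned.
    In real use `store` should sit on a device the workstations cannot see
    as a share or mapped drive (the 'invisible to ransomware' rule)."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%f")
    snapshot = store / label
    shutil.copytree(source, snapshot / "data")
    manifest = {
        p.relative_to(snapshot / "data").as_posix(): sha256_of(p)
        for p in (snapshot / "data").rglob("*") if p.is_file()
    }
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    for old in list_snapshots(store)[:-keep]:
        shutil.rmtree(store / old)
    return snapshot


def verify_restore(snapshot: Path, rel_path: str, restore_to: Path) -> bool:
    """The 'attempt a file restore' check: copy one file back out of a snapshot
    and confirm it matches the hash recorded when the snapshot was taken."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    restore_to.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(snapshot / "data" / rel_path, restore_to)
    return sha256_of(restore_to) == manifest[rel_path]


def demo() -> dict:
    """Walk-through: one good snapshot, then two taken after the file was
    'encrypted', then a fourth that pushes the good one out of retention."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    source, store = root / "office", root / "backups"
    store.mkdir()
    rel = "invoices/2024-q1.csv"
    invoice = source / rel
    invoice.parent.mkdir(parents=True)
    original = b"invoice,amount\n1001,250.00\n1002,99.50\n"  # constructed sample data
    invoice.write_bytes(original)

    take_snapshot(source, store, keep=3, label="v1")
    # Simulate ransomware: the file is overwritten with unreadable bytes.
    invoice.write_bytes(b"LOCKED:" + bytes(range(256)))
    take_snapshot(source, store, keep=3, label="v2")  # backup ran before anyone noticed
    take_snapshot(source, store, keep=3, label="v3")
    versions_after_three = list_snapshots(store)

    good = root / "restore" / "from-v1.csv"
    locked = root / "restore" / "from-v3.csv"
    v1_ok = verify_restore(store / "v1", rel, good)
    v3_ok = verify_restore(store / "v3", rel, locked)

    take_snapshot(source, store, keep=3, label="v4")  # retention of 3 now drops v1
    result = {
        "versions_after_three": versions_after_three,
        "v1_restores_original": v1_ok and good.read_bytes() == original,
        # The hash matches (the backup itself is intact) but the content is the
        # encrypted file: a restore test must also open the file and look at it.
        "v3_hash_matches": v3_ok,
        "v3_content_is_locked": locked.read_bytes() != original,
        "versions_after_fourth": list_snapshots(store),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the walk-through brings out: a hash match only proves the backup copy is intact, not that what was backed up was healthy, so the routine restore test should include opening the restored file; and the number of versions kept has to exceed the time it might take to notice an attack, or the good copy will have been pruned by the time it is needed.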
7. Use two-factor authentication whenever it is available (IT skill level 2)
Two-factor authentication (2FA) is the idea that, instead of relying solely on passwords to authenticate access to online services, security is based not only on something you know (your password) but also on something you have (your mobile phone or an online banking card reader). While banks have been using 2FA for years, it is now becoming available for most online services, such as finance packages, CRM, HR and other systems. It is usually just a question of ticking the relevant box in your account settings to enable 2FA and then following a few simple instructions to register your smartphone as a second authentication factor. On the smartphone itself all that is required is a one-off download of an authenticator app from your chosen app store. This app can then be used with all the services you choose to protect with 2FA. Some services, such as MS Office 365, require help from IT to enable 2FA but, once enabled, the user experience is as straightforward as for any other service. The obvious advantage of 2FA is that if the wrong person gets hold of your password it is not going to help them unless they have your phone and its PIN too.
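What the authenticator app actually does when you register a smartphone is worth seeing once, so here is an added example (not code from the original post or any particular service) of the time-based one-time password scheme most such apps use, TOTP (RFC 6238) built on HOTP (RFC 4226), written with only the Python standard library. Enrolment generates a random secret that the service shows as a QR code and the app stores; from then on both sides compute a six-digit code from that secret and the current 30-second time step, so the code changes every half minute and cannot be derived from the password. The function names, the 30-second step and six digits (the common defaults), and the replay check in `verify_totp` are this example's own choices; the test secret `12345678901234567890` is the one from the RFC test vectors.

```python
# Added example (not from the original post): the one-time code scheme behind
# most authenticator apps, TOTP (RFC 6238) built on HOTP (RFC 4226), using only
# the Python standard library. Times and secrets below are constructed for the
# demo; the RFC test-vector secret is the ASCII string "12345678901234567890".
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                window: int = 1, last_counter: int = -1):
    """Server-side check. Accepts the current step and `window` steps either
    side to tolerate clock drift, compares in constant time, and refuses any
    counter at or below `last_counter` so a code seen once cannot be reused.
    Returns (accepted, counter_to_remember)."""
    current = at_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


def new_secret() -> tuple:
    """Enrolment: a fresh random secret and its base32 form (what the QR code
    shown during 'register your smartphone' carries)."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode("ascii")


def secret_from_base32(text: str) -> bytes:
    """Reverse of new_secret, tolerant of the spaces and lowercase users type."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


if __name__ == "__main__":
    raw, shown = new_secret()
    now = 1_700_000_000  # constructed timestamp (seconds since the Unix epoch)
    code = totp(raw, now)
    print("secret shown at enrolment:", shown)
    print("code:", code, "accepted ten seconds later:", verify_totp(raw, code, now + 10))
```

The server keeps the accepted counter from each successful login and passes it back as `last_counter` next time; that is what stops a code that was phished a minute ago from being used even though it is still inside the drift window. The same secret on two sides is also why the enrolment QR code deserves the same care as a password.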
8. Don’t use admin rights when they are not needed (IT skill level 2)
This one tends to irritate people. It is something to do with the language used: a lot of users don’t like to be thought of as users when they know there is (what can be seen as) a higher IT authority in the form of an administrator. Why can’t I have admin rights to make changes to my own computer? I often wonder if this whole problem could have been avoided if, back in the early IT years, we had come up with the term ‘IT Labourer’ rather than ‘IT Administrator’. The sensible and secure approach is to use an account for your day-to-day work (i.e. 99% of your work) which does not have admin rights. The reason for this is that if you are unlucky enough to pick up a virus or are targeted in some other way, the attack can only piggyback off the account you are using, so it will be restricted from making the kind of deep-level changes attackers need, both on your computer and across the network. Some people, usually the more senior or technically capable (and therefore more dangerous in IT terms), still tend to bridle and take these account restrictions as a personal slight. The best solution in this case is to provide such users with a second, top secret account, which does have admin rights and is only to be used for the very rare tasks that require them. After a while, the need to log out and back in to exercise the elevated account rights tends to reduce the burning need to do so. This keeps the network much safer for everyone.
9. Just accept that computer operating systems need updates (IT skill level 3)
This is another one that can irritate users. Microsoft always seems to be asking to update Windows. Even Apple updates its systems every now and again. And some updates are so demanding that they insist on restarting the computer. If you don’t have IT support to manage your updates, our advice is to accept the default computer configuration, i.e. apply updates as they are released. Do not switch off the update feature, and just accept that you may well have to restart once a month, sometimes more often if an urgent update is released. The reason it is so important to apply updates as they are released is that as soon as a security patch is released, this alerts the criminals to the existence of the security vulnerability the patch is intended to remedy. The race is then on to release viruses and other malware to exploit the vulnerability before the patches are applied. People who don’t apply updates make themselves part of a steadily reducing pool of targets. Bear in mind that pretty much all attacks you might ever be subject to are automated, for example by scanning for PCs online that display specific vulnerabilities. Accept the minor inconvenience of an occasional restart to keep yourself out of the victims’ club.
10. Have a Plan (IT skill level 1)
And finally, devote a little time (easily covered in a one-hour meeting) to figuring out what to do if you do get hit. For example, cover how and to whom staff should report if they are concerned that something suspicious might be going on with your IT system. Make sure it is easy for them to do this and that they know they won’t be blamed (too severely) even if they did click on that dodgy link. It is important that you are alerted to problems and staff shouldn’t be scared to speak up. Build a basic action plan that can be easily put into action: what should you do immediately (e.g. disconnect devices from the network) and who should you call for help? Consider whether any security incident could put you in breach of the GDPR or legislation specific to your industry and work out how to stay compliant, e.g. do you have a responsibility to report a breach to the Information Commissioner’s Office (ICO) or, perhaps, to any clients or other individuals whose information you store in your IT system? Consider a basic disaster recovery plan, e.g. assigning some individuals to work from home on devices that are insulated from the network. Have a policy as to whether you would pay a ransom to recover your data. There is a lot more you could include in your ‘incident response plan’ but this is more than enough to get you started. Review the plan once a month (a 10-minute exercise) and, if you ever have to use it, make sure to keep some notes so that you can update it afterwards in light of anything that didn’t work or that worked very well.