Aiming for watertight IT security is a tall order. If organisations like the German Parliament, British Airways or Ticketmaster can’t get it right, what hope for the rest of us? In fact, once you start looking at IT security the whole thing becomes so daunting that many smaller companies just give up and hope for the best.
Some good news: what if we were to tell you that with no more IT skill than, say, a proficient MS Office user, you could easily block most of the cyber threats faced by the average business? If you are facing a determined attack from the underworld or a foreign government, maybe these steps won’t quite do the job but, otherwise, read on and learn how to avoid leaving the front door wide open.
To give a sense of the IT skill level involved each step has been assigned a skill rating from 1 to 10 where 1 = a person who knows how to use a computer, 6 = a first level IT support desk person and 10 = an IT guru.
1. Keep your staff aware of the issue (IT skill level 1)
One of the most useful things you can do is to make sure that your staff are aware of the threats you face. We have learned over the years not to take awareness for granted. It might seem blindingly obvious to you to ignore, or at least mistrust, an email from someone you don’t know that insists that you should log into a website to retrieve some important information. But don’t be so sure this is equally obvious to everyone: think about new starters or people that may not be as busy as you might wish.
So what’s the easiest way to up general knowledge about security? Include it as an item in staff meetings. All you need to do is remind people of the dangers, encourage staff to talk about their own or their friends’ near misses or security disasters and, most importantly, make sure that people know roughly what to look out for and who to ask if they are unsure.
2. Extend the secure protocols you already have (IT skill level 1)
All businesses have defined protocols for handling their core business activities, e.g., a contract must be signed before we start work, or only managers can make purchases over a certain value. Now consider some common scams: someone in Accounts receives an email supposedly from the MD asking for money to be transferred immediately in order to conclude an important deal. Or maybe a customer is sent an email supposedly from you asking for your bank account details to be updated (to the scammer’s account). It is trivially simple to design some protocols to avoid this kind of fraud. For example, make it a well-publicised policy that senior people will never ask by email for money to be transferred and, in the unlikely event they have to, any such request will be confirmed by voice or text and must be authorised by two senior people. Advise your customers at the outset that any important information relating to their account with you, such as changes to payment instructions, will only ever be communicated by snail mail. If you look at your own business, it is usually easy to spot the vulnerabilities and design simple procedures to plug them.
3. Use anti-virus software (IT skill level 3)
It’s cheap, easy to install, easy to use — and you must have it. All your computers, yes even Macs, need anti-virus (AV) software. You might argue that Apple mobile devices (iPhones and iPads) don’t need AV protection, but Android devices used for business certainly do. And AV software is so cheap, why leave out Apple devices anyway? You don’t want to be the business that proves that iPhones do need AV protection after all.
But which one should you use? Have a look at a comparison website such as this to find the right software for you. Key points to consider are:
- Does it have a good reputation for catching the latest threats and some way of spotting other suspicious activity on your computer?
- Will it impact negatively on your computer’s performance?
- Can it warn you off dodgy websites?
- Does it allow you to see if all your computers are protected without having to look at each one?
Don’t use ‘free for home use’ software to try to protect business. Apart from breaking the licence terms, you won’t find the features you need.
Once the software is installed, the key thing is to make sure it is kept up to date. You can drill this into staff, but they won’t believe you, so pay special attention to the method provided to let you get an overview of the status of each machine. The best way is if there is an online console that shows you the protection status of your equipment in real time.
4. Don’t forget about other network equipment (IT skill level 3)
PCs and people don’t cover all the security vulnerabilities on a standard small business network. Network devices like routers come with default passwords, and these should be changed. Think about it: your router is the gateway that provides a path to the Internet for your staff and, if not secured, it also provides a path from the Internet to your users. Read the leaflet that comes with any such device, so you know how to change the password. If, like most people, you have long since thrown away that leaflet, you will be able to find a copy online by using the device name and model number to search.
What about printers? If a printer connects to your network, it can be accessed using its default password unless you change it. It would take a clever hacker to target you via your network printer but why take the chance? And don’t forget that many modern printers store a copy of everything they print (until they run out of space) so take special care when disposing of printers.
5. Don’t share passwords (IT skill level 1)
It’s amazing (to us) how many reasons people find why they must share their passwords. For example, to give a colleague access to their emails when they’re off sick or on holiday. In fact, with a bit of careful planning, and OK maybe some IT help, systems can be designed to cater for these business requirements without the need for password sharing.
So, what exactly is wrong with password sharing? Assuming you don’t freely share your Facebook password or smartphone PIN you already know what’s wrong with password sharing. In a business environment, if password sharing is not discouraged staff get the firm impression that your IT security counts for less than even their social media accounts. For many small businesses, passwords are about the only technical security controls they have. At least protect these. Any server access controls, e.g. restricting access to financial information, are completely dependent on secret passwords. There is a little bit too much to go into here (maybe a post for another day) but if you want to foster an environment in which security is even vaguely taken seriously, make password secrecy sacrosanct. If you’ve decided some degree of password sharing really is essential, then the way to do it is via a business class password manager and never an Excel spreadsheet (even if it’s password protected!).
6. Make sure your data is backed up (IT skill level 3)
You might not think of backups as a form of security — but a reliable and regularly verified backup is actually one of your best defences.
Though it seems to have been overtaken by phishing emails as the most popular attack on small business, ransomware remains popular and devastatingly effective if you are hit. A ransomware attack works by encrypting your data until you pay a ransom. Unfortunately, the Bitcoin payment method demanded is often itself beyond the technical capabilities of many small businesses and you are not guaranteed to get your data back even if you do manage to pay. Though it won’t prevent the attack, knowing you have a good backup takes the pressure off. Backup is a big subject but there are a few key points to bear in mind in respect of ransomware:
- Backups must be verified. The easiest non-technical way to do this is just make it a routine task to attempt a file restore.
- Backups must keep multiple versions. Imagine you only have one backup copy: if your files are encrypted and then backed up before you spot the attack, then that too will become inaccessible.
- Backup destinations must be invisible to ransomware. You might need some IT help on this one, but you should back up to a dedicated device that is not visible as a network share or attached drive. The logic here is that if the ransomware can see it, it can encrypt it.
Ideally have more than one backup destination: one in the office for quick restore and one online for emergencies.
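The three backup points above (verify by restoring, keep multiple versions, keep the destination out of reach) can be rehearsed as a small "ransomware drill". The following is an added example written for this post, not the authors' own tooling: it makes numbered, timestamped archives that are never overwritten, records a SHA-256 hash of every file so a restore can be checked against the original, and then simulates files being encrypted after the first backup to show that the earlier version still restores cleanly. Directory names, file contents and the `ransomware_drill` scenario are constructed for the example; in real use the backup root would be a dedicated device or online store rather than a folder on the same machine.

```python
"""Versioned, verified backups (added example; not code from the original post)."""
import hashlib
import json
import os
import tarfile
import tempfile
import time


def _sha256(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_versions(backup_root):
    """Archives in creation order; the zero-padded index prefix keeps the sort stable."""
    names = [n for n in os.listdir(backup_root) if n.endswith(".tar.gz")]
    return sorted(os.path.join(backup_root, n) for n in names)


def make_backup(source_dir, backup_root):
    """Write a NEW archive plus a JSON manifest of file hashes; earlier versions stay untouched."""
    os.makedirs(backup_root, exist_ok=True)
    index = len(list_versions(backup_root)) + 1
    stamp = time.strftime("%Y%m%dT%H%M%S")
    archive = os.path.join(backup_root, f"backup-{index:04d}-{stamp}.tar.gz")
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = _sha256(full)  # recorded BEFORE anything can tamper with it
                tar.add(full, arcname=rel)
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return archive


def restore_file(archive, rel_path, dest_dir):
    """Extract one file from an archive into dest_dir and return its new path."""
    with tarfile.open(archive, "r:gz") as tar:
        tar.extract(tar.getmember(rel_path), dest_dir)
    return os.path.join(dest_dir, rel_path)


def verify_backup(archive, rel_path):
    """The 'attempt a restore' check: pull one file out and compare it to the recorded hash."""
    with open(archive + ".manifest.json") as f:
        manifest = json.load(f)
    with tempfile.TemporaryDirectory() as scratch:
        return _sha256(restore_file(archive, rel_path, scratch)) == manifest[rel_path]


def prune_versions(backup_root, keep):
    """Delete all but the newest `keep` archives (keep must be at least 1)."""
    if keep < 1:
        raise ValueError("always keep at least one version")
    for old in list_versions(backup_root)[:-keep]:
        os.remove(old)
        os.remove(old + ".manifest.json")


def ransomware_drill():
    """Constructed scenario: back up, 'encrypt' the live file, back up again, restore the old copy."""
    original = "invoice,amount\n1001,250.00\n"
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        os.makedirs(os.path.join(src, "accounts"))
        ledger = os.path.join(src, "accounts", "ledger.csv")
        with open(ledger, "w") as f:
            f.write(original)
        first = make_backup(src, dst)
        with open(ledger, "wb") as f:           # stand-in for ransomware overwriting the file
            f.write(os.urandom(64))
        second = make_backup(src, dst)          # a backup taken after the attack is useless...
        with tempfile.TemporaryDirectory() as out:
            with open(restore_file(first, "accounts/ledger.csv", out)) as f:
                recovered = f.read()            # ...but the earlier version still restores
        result = {
            "versions": len(list_versions(dst)),
            "first_verifies": verify_backup(first, "accounts/ledger.csv"),
            "second_verifies": verify_backup(second, "accounts/ledger.csv"),
            "recovered_matches_original": recovered == original,
        }
        prune_versions(dst, keep=1)
        result["versions_after_prune"] = len(list_versions(dst))
        return result


if __name__ == "__main__":
    print(ransomware_drill())
```

Note that `second_verifies` comes out true: the second backup faithfully stored the encrypted garbage, which is exactly why a single overwritten backup copy is no protection. Verification tells you the backup is intact, and only the older version tells you the data is.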
7. Use two-factor authentication whenever it is available (IT skill level 2)
Two-factor authentication (2FA) is quite a simple concept: instead of relying solely on passwords to authenticate access to online services, security is based on both something you know (your password) and something you have (your mobile phone or an online banking card reader). While banks have been using 2FA for years, it is now becoming available for most online services, such as finance packages, CRM, HR and other systems. Enabling 2FA is usually as easy as ticking the relevant box on your account settings, then following some simple steps to register your smartphone as a second authentication factor.
On the smartphone itself all that is required is a one-off download of an authenticator app from your chosen app store. This app can then be used with all the services you choose to protect with 2FA. Some services such as MS Office 365 require help from IT to enable 2FA but, once enabled, the user experience is as straightforward as for any other service. The obvious advantage of 2FA is that if the wrong person gets hold of your password it’s not going to help them unless they have your phone and PIN too.
8. Don’t use admin rights when they are not needed (IT skill level 2)
This one tends to irritate people. It’s something to do with the language used: a lot of users don’t like to be thought of as users when they know there is (what can be seen as) a higher IT authority in the form of an administrator. Why can’t I have admin rights to make changes to my own computer? I often wonder if this whole problem could have been avoided if, back in the early IT years, we had come up with the term ‘IT Labourer’ rather than ‘IT Administrator’. The sensible and secure approach is to use an account for your day-to-day work (i.e. 99% of your work) which does not have admin rights. Why? Because an attack can only piggyback off the account you are using, so any intruder would be restricted from making deep level changes.
Some people, usually the more senior or technically capable (and therefore more dangerous in IT terms), still tend to take these account restrictions as a personal slight. The best solution in this case is to provide such users with a second, top secret account, which does have admin rights and is only to be used for the very rare tasks that require admin rights. After a while, the need to log out and back in to exercise the elevated account rights tends to reduce the burning need to do so. This keeps the network much safer for everyone.
9. Just accept that computer operating systems need updates (IT skill level 3)
This is another one that can irritate users. Microsoft always seems to be asking to update Windows. Even Apple updates its systems every now and again. And some updates are so demanding that they insist on restarting the computer. If you don’t have IT support to manage your updates, our advice is to accept the default computer configuration, i.e. apply updates as they are released. Do not switch off the update feature; instead just accept that you may well have to restart once a month, sometimes more, if an urgent update is released.
There’s a reason why it’s so important to apply updates immediately: as soon as a security patch is released, this alerts the criminals to the existence of the security vulnerability the patch is intended to remedy. The race is then on to release viruses and other malware to exploit the vulnerability before the patches are applied. People who don’t apply updates make themselves part of a steadily reducing pool of targets. Bear in mind that pretty much all attacks you might ever be subjected to are automated — for example, just by looking out for PCs online displaying specific vulnerabilities. Accept the minor inconvenience of an occasional restart to keep yourself out of the victims’ club.
10. Have a Plan (IT skill level 1)
And finally, devote a little time (easily covered in a one-hour meeting) to figuring out what to do if you do get hit. For example, cover how and to whom staff should report if they suspect something suspicious might be going on with your IT system. Make sure it’s easy for them to do this and that they know they won’t be blamed (too severely) even if they did click on that dodgy link. It is important that you are alerted to problems and staff shouldn’t be scared to speak up.
Here are some points to consider in building a basic action plan:
- Consider what you should do immediately (e.g. disconnect devices from the network) and who you should call for help.
- Consider if any security incident could put you in breach of the GDPR or legislation specific to your industry and work out how to stay compliant. E.g. do you have a responsibility to report a breach to the Information Commissioner’s Office (ICO) or, perhaps, to any clients whose information you store in your IT system?
- Consider a basic disaster recovery plan, e.g. assigning some individuals to work from home on devices that are insulated from the network.
- Have a policy as to whether you would pay a ransom to recover your data.
There is a lot more you could include in your ‘incident response plan’ but this is more than enough to get you started. Review the plan once a month (a 10-minute exercise) and, if you ever have to use it, make sure to keep some notes so that you can update it afterwards in light of anything that didn’t work or that worked very well.
Need more help?
Hopefully you’ve found these ten steps useful in the quest to keep your data and systems safe. Still unsure? If you’d like more help with your IT security, book a call with one of our team today.