OnlyConnect Systems Ltd


IT Security in a Small Business

Everyone knows security is important. Most people know their security is not as good as it could or should be. A lot of people do not really worry about security until something bad happens; maybe it never will.

Perhaps you are thinking, "We are only a small business. We cannot afford highly secure systems so we have to take our chances." That is an understandable reflection; yet it misses the point that some of the biggest security problems are easily avoided. No, your office will never be as secure as a dedicated datacentre, but you can still take common-sense precautions.

What follows are some observations which are intended to be helpful rather than unachievable.

Security software is not the answer, or is only a small part of the answer

It is natural to assume that if security is a problem, then buying security software is the answer. Install the latest and greatest from the likes of Symantec, Sophos, Avast or McAfee, and all will be well.

If only! There are multiple reasons why security software is often ineffective. In the case of malware, one of the issues is that malware is Darwinian, that is, only the fittest malware survives and reproduces. What is the fittest malware? For a start, it is malware that can get past most security software.

Think back to the most destructive malware outbreak of 2017, WannaCry. This malware encrypted your documents, demanded a ransom to decrypt them, and did not decrypt them even if you paid up. Most security software failed to prevent it from spreading.

However, WannaCry spread via a Windows networking bug, and you were protected if you had installed a patch issued by Microsoft in March 2017 (WannaCry came out in May). The lesson here is that keeping your operating system and server applications up to date is just as important as running anti-malware software.

Microsoft provides free security software for Windows. In Windows 10 it is completely built-in. It is not the best if you go by tests of how much malware is detected; but it is reasonable, it does not require a subscription, and it is non-intrusive, well integrated, and works according to Microsoft's best practices for security software.

I am not suggesting that Microsoft's free solution is necessarily the right one for your business, but it is worth considering.

The password problem and why you should use a password manager

Passwords! Bad passwords (easily guessable, left at vendor defaults, or even blank) remain a major source of security issues. Many of us also need lots of passwords, for all the web sites that demand them. If we use the same or similar passwords for many purposes, and one of those sites gets hacked and the passwords are stolen, then we are in trouble.

A difficulty is that it is humanly impossible to remember all the passwords that we need, unless they are all the same (BAD). Changing passwords regularly makes this worse.

The only solution that works is to use a password manager. Store all your passwords there, let it generate new passwords for all your logins, and protect the password manager itself with a long password that you can remember - such as a phrase "4RedRabbitsEatGreenLettuces!" You will not even know your passwords any more, but you will be much more secure.

What about logins to the network? Personally I do not rely on a password manager for this. I use another unique password that I can remember. Or you might store the password in a manager on your smartphone, and use a PIN to log into the network.

Long passwords are good, and so are passwords that use non-alphabetic characters. The reason is that brute-force attacks (which try passwords one by one until they succeed) take longer. Of course you should also protect against brute-force attacks as far as possible, for example with network policies that lock out users after a certain number of failed attempts.
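To put numbers on "longer passwords take longer to brute force", here is an added Python example (not part of the original article): it generates passwords from the operating system's random source, as a password manager would, and estimates the bits of entropy and the expected brute-force time for a few password policies. The guess rate of 10 billion per second is an assumed figure for an attacker with a stolen password database and fast hardware, not a figure from the article.

```python
from __future__ import annotations

import math
import secrets
import string

# Character sets used to compare policies (constructed for this example).
LOWER = string.ascii_lowercase                      # 26 characters
ALNUM = string.ascii_letters + string.digits        # 62 characters
FULL = ALNUM + string.punctuation                   # 94 characters


def generate_password(length: int, alphabet: str = FULL) -> str:
    """Return a password chosen uniformly at random from `alphabet`.

    `secrets` uses the OS cryptographic random source, which is what a
    password manager's generator should use; `random` is not suitable.
    """
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of this length/alphabet."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected years for an exhaustive search, which on average tries half the keyspace."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def compare_policies(guesses_per_second: float = 1e10) -> list[tuple[str, float, float]]:
    """Return (policy, entropy bits, expected years to crack) for a few policies.

    The default guess rate is an assumed offline-cracking figure, not a measurement.
    """
    policies = [
        ("8 lowercase letters", 8, len(LOWER)),
        ("8 letters and digits", 8, len(ALNUM)),
        ("12 letters and digits", 12, len(ALNUM)),
        ("16 letters, digits and symbols", 16, len(FULL)),
    ]
    rows = []
    for label, length, size in policies:
        bits = entropy_bits(length, size)
        rows.append((label, bits, brute_force_years(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print("Generated password:", generate_password(16))
    for label, bits, years in compare_policies():
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years")
```

The estimate assumes the attacker must search the whole keyspace; a password built from dictionary words or a reused one is guessed far sooner, which is exactly why the article recommends letting the manager generate them. Online guessing against a login prompt is much slower than the rate assumed here, and a lockout policy slows it further.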

Avoid sending passwords in plain text - or asking others to do so

Here at OnlyConnect we have a strict policy. We do not send passwords in email, other than temporary passwords that can only be used once. The reason is that emails often pass through the internet in plain text, so the passwords can be stolen.

Do you update your business website using FTP? Beware: FTP is still often used with passwords sent over the internet in plain text. Check with your provider and switch to FTPS, SCP or some other secure file transfer system.

Do you ask your customers to log into a web site you run? If so, make sure they do so over SSL (HTTPS) so the passwords are encrypted.

Guard your email

Email is a huge source of malware. Therefore a high priority is to filter out email-borne malware on the server, before it reaches the user.

There is another aspect to email security though, which is equally important. The fact is that many passwords can be reset via email: you click "lost password", and a reset link is emailed to you. If you have access to someone's email, you can greatly compromise their security.

Therefore protecting access to email accounts is of high importance. Usually this is the same as the network password mentioned above.

Train users to be wary of clicking links in emails

Even if you have excellent email filtering software, it is hard to achieve 100% protection against emails with bad links. Emails that spoof banks, travel companies, retail sites, IT vendors like Apple, Google and Microsoft: these are commonplace and can be hard to spot.

Train users to be wary of clicking links. Understanding whether or not a particular link is safe is not easy for most users.

Sometimes you have to click a link in an email, so it is hard to make this advice absolute. However, at least make users understand that links in emails are suspect, and any that demand a username and password very suspect.

Consider disk encryption for laptops

When you log into a computer, you give a username and password and it feels like your stuff is protected. You should be aware though that if your data/documents are on the hard drive (or SSD drive) and not encrypted, then accessing that data is trivial. For example, you can simply remove the drive and attach it to another PC.

The solution is to encrypt the drive. If you use Windows, there is an easy and free way to achieve this, using the feature called BitLocker. Note that BitLocker encryption is strong, so be sure to retain the key somewhere. Print it out and keep it in your drawer, or use the built-in support for storing the key in Active Directory or OneDrive. Now if someone removes your drive and tries to read it, they will not be able to.

Another solution if you would rather not encrypt the entire drive (and BitLocker does occasionally demand your key for no apparent reason, usually at an inconvenient moment) is to use a utility to create an encrypted folder, such as the free VeraCrypt.

Plan for your security to fail - and check your backups

I attended a security round table once and will never forget one part of the discussion. Asked whether you could completely protect your network, all the assembled experts said no. If some entity with the right resources determines to break into your network, they will succeed. Maybe they break in at night and steal your server. Maybe they bribe the cleaners to steal laptops. Maybe they use social engineering, impersonation, or exploitation of recently discovered vulnerabilities in Linux or Windows.

If your security is breached and your data deleted or encrypted, the best protection is good backups. Remember that a backup is only as good as your last test restore. The best backup is off-site and offline, at least for your most critical data. Cloud backup is also a good solution for most scenarios, easy to implement and inexpensive.
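"A backup is only as good as your last test restore" can be turned into a routine check: record a checksum of every file before the backup, restore to a scratch location, and compare. Below is an added Python example, not code from the article, that does this for a small constructed folder tree using temporary directories, and deliberately damages the restored copy so the check has something to report. The copy operations stand in for whatever backup software you actually use.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(original: Path, restored: Path) -> dict:
    """Compare a restored tree against the original.

    Returns {'missing': [...], 'corrupt': [...], 'extra': [...]};
    all three lists empty means the restore reproduced the original exactly.
    """
    want = manifest(original)
    got = manifest(restored)
    return {
        "missing": sorted(set(want) - set(got)),
        "corrupt": sorted(p for p in want if p in got and want[p] != got[p]),
        "extra": sorted(set(got) - set(want)),
    }


def demo() -> dict:
    """Constructed scenario: back up a small tree, test-restore it, damage the restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2017-05-12,100\n")
        (live / "contract.txt").write_text("Signed agreement text.\n")

        backup = Path(tmp, "backup")
        shutil.copytree(live, backup)            # stands in for the backup job
        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)        # stands in for the test restore

        # Simulate two restore failures: a truncated file and a file the restore missed.
        (restored / "contract.txt").write_text("")
        (restored / "accounts" / "ledger.csv").unlink()

        return verify_restore(live, restored)


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(f"{kind}: {paths or 'none'}")
```

Keep the manifest from the time of the backup alongside the backup itself, not only on the live server: if ransomware encrypts the live files, a manifest computed afterwards would only tell you that the backup differs from the damaged originals.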

Of course this does not address the problem of protecting secrets. If your business is highly dependent on particular secrets not being stolen, you should get advice from a security expert (if you have not already). For most businesses though, it is not so much secrets but business continuity or fraud that is the main risk.

Run up to date software - like Windows 10

I have written elsewhere on this site about Windows 10. The point is this though: Windows 10 is the most secure version of Windows (or Server 2016 on the server), and older versions are progressively less secure. Windows XP is a security disaster, for example; if you have to use it (for example to run a factory machine which requires it) try to keep it off the network and blocked from the internet.

Monitor your network

It is OK having sound security policies; but how do you tell when something is wrong, for example if Windows Update has failed and is not applying patches? Or anti-virus signatures are out of date?

Having some system for monitoring the network helps. Business security software often comes with some kind of dashboard, or you can use Microsoft Intune, a cloud-based service, for monitoring PC health and sending alerts.

Control what you expose to the internet

Any server or service exposed to the internet will be attacked. Firewalls are effective protection, but of course there are often good reasons to allow access to your network over the internet. These include access to documents when staff are out of the office, web applications for your staff or customers to use, or access to your PC desktop at work when you are away.

Use of cloud computing services may make this less necessary, since you can always get access to business documents if they are stored in the cloud. If you do need remote access to your internal network though, it must be done with care. A VPN (Virtual Private Network) is a way of offering users secure remote access - but check that it is only open when needed, since when the VPN is open, the remote computer is in effect part of the internal network, so if it gets compromised the whole network is at risk.

Weak passwords are of course more dangerous if they allow access to the network from the internet. There are scripts out there which randomly try usernames and passwords against any login they can find; you do not want them to succeed with your network.
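The scripts described here leave a clear trace in your login logs: many failures in a short time from one source, or against one account. The lockout policy recommended earlier in the article (lock out after a certain number of failed attempts) is the same counting logic, so this added Python example, not code from the article, shows it as a detector: a sliding-window count of failed logins per source address and per user over a constructed log. The log format (timestamp, result, user, source) is invented for the example; real Windows or Linux logs need a different parser but the same counter.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login records (not real logs); addresses are documentation ranges.
SAMPLE_LOG = """\
2017-05-12T08:00:01 FAIL alice 203.0.113.7
2017-05-12T08:00:03 FAIL bob 203.0.113.7
2017-05-12T08:00:04 FAIL carol 203.0.113.7
2017-05-12T08:00:06 FAIL dave 203.0.113.7
2017-05-12T08:00:07 FAIL admin 203.0.113.7
2017-05-12T08:00:09 FAIL root 203.0.113.7
2017-05-12T08:15:00 FAIL alice 192.168.1.20
2017-05-12T08:15:30 FAIL alice 192.168.1.20
2017-05-12T08:16:02 OK alice 192.168.1.20
2017-05-12T09:00:00 FAIL admin 198.51.100.9
2017-05-12T09:20:00 FAIL admin 198.51.100.9
2017-05-12T09:40:00 FAIL admin 198.51.100.9
2017-05-12T10:00:00 FAIL admin 198.51.100.9
2017-05-12T10:20:00 FAIL admin 198.51.100.9
2017-05-12T10:40:00 FAIL admin 198.51.100.9
"""


def parse(log: str):
    """Yield (timestamp, result, user, source) for each non-empty line of the constructed format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, result, user, source = line.split()
        yield datetime.fromisoformat(ts), result, user, source


def detect(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Flag any source address or user with `threshold` or more failures inside `window`.

    Returns {("source", ip) or ("user", name): (time of alert, failures in window)}.
    Only the first crossing of the threshold per key is recorded.
    """
    alerts = {}
    recent = defaultdict(deque)          # key -> timestamps of recent failures
    for ts, result, user, source in parse(log):
        if result != "FAIL":
            continue
        for key in (("source", source), ("user", user)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for label, window in (("10-minute window", timedelta(minutes=10)),
                          ("2-hour window", timedelta(hours=2))):
        print(label)
        for (kind, name), (when, count) in detect(SAMPLE_LOG, window=window).items():
            print(f"  {kind} {name}: {count} failures by {when.time()}")
```

Run with the default ten-minute window, the detector catches the fast burst from 203.0.113.7 but not the one-attempt-every-twenty-minutes pattern against the admin account, which only shows up with a two-hour window. That is the trade-off in any lockout or alerting threshold: a short window keeps legitimate users from being locked out by a few typos, but a patient attacker stays under it, so a second, longer-window count per account is worth running as well.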

Another thing to watch for is insecure devices connected to your network. For example, many cheap security cameras themselves pose a risk. They connect to the internet so you can view their video stream remotely, but with such poor security that determined hackers may be able to connect in.

Is your router secure?

Cisco's Talos Intelligence Group has posted about malware infecting routers including models from Linksys, MikroTik, NETGEAR and TP-Link. It's alarming because of the sophistication of the attack, which is likely to be nation-state sponsored and controlled. Nothing apparently bad will happen immediately, but your internet communication may be intercepted and the controllers of the malware can shut off your internet connection at any time. You can clear an infection by saving the configuration, resetting to factory defaults, patching to the latest firmware, and restoring the configuration. Knowing you are infected though is currently difficult. Cisco recommend doing it anyway.

Fix the most obvious things

Security is complex and complete protection impossible. The good news though is that getting the most obvious things right greatly improves your situation. Fix problems with passwords, keep your operating system and server applications patched and up to date, protect your email, test your backups; and you are already ahead of many other businesses.