So, you own and operate your own small business? Good for you! Small businesses are a huge part of the economy and provide work for millions of Americans. Small businesses are all I’ve ever worked for, so I feel uniquely qualified to tell you the following: you and your data are in grave danger.
Now, more than ever, small to medium-sized businesses are the target of cyber-attacks. These crooks know what you do: small businesses don’t have the capital of a large, multi-billion-dollar, international conglomerate, so you cannot invest as heavily in securing your data. You have to invest in your security wisely.
What To Do
As I previously stated, small businesses are a fantastic place to work. Unfortunately, for you as the small business owner, your biggest liability may be the employees. The employee who opened the email that (on the surface at least) appeared to be a resume, but was actually ransomware, has now brought the entire company to a standstill because all of the data is encrypted and therefore useless. The summer intern who gives out the wireless password to a “visitor” has inadvertently opened the entire network to potential attack.
So you may be asking, “How do I stop this?” Train your employees. Create an environment of caution.
It can be intimidating to tell a supervisor the email that you just opened doesn’t look right and there’s a bizarre message on your computer explaining that all the files are encrypted and being held ransom for Bitcoins.
Send out monthly newsletters, hold lunch-and-learn meetings, and discuss what a potential attack could look like. The sooner you are aware of a problem, the sooner it can be fixed.
Employees should know how to critique an email from an unknown source. Look for things like spelling and grammatical errors, symbols where letters should be, and file attachments from unknown senders.
Employees should know what constitutes a strong password: at a bare minimum, eight characters, mixing upper and lower case letters, numbers and symbols. The longer and more complex a password is, the harder it is to break.
Employees should also be trained on social engineering attacks. When the phone rings and the caller states they are from the IT department, and you don’t have an IT department, it’s probably not a good idea to give out passwords, much less remote access to your machine. Employees should be trained not to leave their computers unattended, especially if the screen is not locked. Unlocked computers are an open door to those who would love nothing more than to wreak havoc on your network.
What to Buy
There are a myriad of products a small business can invest in for data security. Let’s look at the true necessities and go from there.
Firewall and Wireless
First and foremost, you need a firewall appliance. A firewall is a piece of equipment that sits between the internet and your internal network and filters the traffic passing between them. No, that wireless router you bought at the big box store does not count as a firewall. This device needs to have some form of gateway antivirus and website blocking and tracking, and it should inspect both encrypted and unencrypted web traffic. The firewall may or may not come with built-in wireless; either way, it should govern the wireless traffic.
Speaking of wireless, if you decide to implement it, there should be separate corporate and guest access. In other words, the wireless network that lets devices connect to the corporate network where your data is stored should be completely separate from the wireless network you allow guests or clients to connect to. A client could walk into your business with a compromised computer, connect it to your network wirelessly or physically, and unknowingly create a huge problem for you. The guest network should be completely separate, with access only to the Internet.
Backups
Another investment that you will need to make is a backup solution. There are two kinds of people in the world when it comes to backups: those that do regular backups and those that wish they had. Don’t be the latter. It’s not uncommon for companies to lose years of work due to not having a backup solution.
What should you look for in a backup solution? Your best bet is an image-based backup. The days of doing only file-level backups are over and done. Image-based backups take a snapshot of the system at that point in time and store it. The image-based backup gets everything: operating system, programs, files, permissions, etc. This drastically decreases recovery time.
In a file-level backup recovery, you must first replace the hardware, if necessary, reinstall the operating system, reinstall all programs and then restore the files from the backup. Not the case with image-based. Simply replace the hardware, if necessary, restore the image-based backup and you are right back to the point in time where the last good backup occurred.
These backups aren’t just useful in disaster recovery (e.g. natural disaster, fire, theft). They are also helpful if you happen to be the victim of one of the many cryptoware attacks. Once the time of the attack is discovered, simply remove the machine where the attack originated from the network and restore the backup taken prior to the attack.
The second part of the backup solution should include an off-site component. Technically, according to best practices, it should include two off-site components: one local, one not local.
A local off-site backup could be taking the backup drive to a safe deposit box at a local bank on a weekly basis. It could be as simple as taking a backup drive home every night or every week. The idea is to not have all of your backups in one place at one time. If your office burns to the ground one night and all of your backups were in the building, you may as well not have had any backups at all.
There are several cloud backup solutions that store your data off-site in their data centers and can assist in disaster recovery efforts. Typically, this involves either spinning up virtualized versions of your servers or files on their equipment in the cloud, or shipping a drive to your location so you can restore your data locally.
Backups are a crucial part of your data security. The more money you spend up front, the less money it will cost on the back end to fix the loss of data. Now let’s move on to our last topic.
What Policies to Put in Place
Policies are one of the most difficult and time-consuming measures to implement for data security in a small business. Policies should be as detailed as possible to leave little room for doubt. Policies cover everything from who has access to which file shares to whether users may connect their mobile devices to your corporate network, to the guest network, or not at all. Here are a few questions to consider when putting your data security policies in place:
Will you allow employees to store information from their workstations on removable media like flash drives or writable media like CDs or DVDs? Allowing users to store proprietary data on external removable media (especially unencrypted drives) leaves you open to the possibility of data theft, as such media can easily be lost or stolen.
Will you allow employees to store and send information on cloud storage or file shares? Cloud storage is great (we’re big fans of OneDrive in particular), but only when it’s tightly controlled and everyone’s on the same system. Users should have the minimum access necessary to still be able to perform their job. The recent rash of cryptoware malware attacks preys on the open access that most users have to company file shares today.
Will you allow employees to access the network from outside the office? Permitting employees to access corporate networks from outside should be very tightly controlled. It does not take an overly skilled attacker to find a vulnerability to exploit in a less-than-secure remote access method. Remote access should always mean connecting through a VPN, rather than leaving a port open that allows direct access to the corporate network.
Will you implement two-factor authentication methods like an RSA key or biometrics? Two-factor authentication is a great way of securing your network even further. Couple two-factor authentication with hardware-level encryption and the frightening specter of a stolen laptop becomes a lot less scary. Since the thief wouldn’t have the key to decrypt the drive even if they removed it from the stolen laptop, it becomes about as useful as a paperweight.
Will you force users to change their passwords on a regular basis and require a complex password? Forcing users to change passwords on a regular basis helps to mitigate long-term dictionary password attacks. These attacks involve the perpetrator running a program that uses an enormous “dictionary” of common words to try to match the password. Best practices are to change the password every 30 days while not allowing repeated passwords.
All of these decisions can have huge impacts on your company’s data security. Strict data security policies might seem annoying now, but they’re critical to your company’s security. Keep in mind, though, that a policy doesn’t do anything if it isn’t enforced. Luckily, with data security, policies affecting computers and computer systems can be set within the programs themselves, at the user level, making them much easier to enforce.
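As an added example (not from the original article), here is how the password rules described above (eight-character minimum, mixed character classes, a change every 30 days, no reused passwords) can be enforced at the domain level so they do not depend on employees remembering them. It assumes an Active Directory domain, the ActiveDirectory PowerShell module (RSAT) and an account with rights to edit the default domain password policy.

```powershell
# Added example, not the article's own code: enforce the article's password
# rules through the Active Directory default domain password policy.
# Assumptions: ActiveDirectory module (RSAT) installed, run as a Domain Admin.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Show the current policy first so the "before" state is on record.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount, LockoutThreshold

# Apply the article's rules:
#   - at least 8 characters, complexity on (upper/lower/digits/symbols)
#   - expire every 30 days
#   - remember 24 previous passwords so none can be repeated
#   - MinPasswordAge of 1 day stops a user from cycling through 24 changes
#     in one sitting just to get back to the old password
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 8 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24

# Account lockout limits online dictionary guessing on top of rotation.
# Observation window must not exceed the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Verify the "after" state.
Get-ADDefaultDomainPasswordPolicy -Identity $domain
```

On a standalone (non-domain) Windows machine the equivalent local settings can be applied with `net accounts /minpwlen:8 /maxpwage:30 /uniquepw:24`.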
I hope that this article has brought to light the very serious potential that your company will be the victim of an attack of some sort. The bad guys of the cyber world are only getting more skilled and crafty in their attacks. It’s up to you to put measures in place to help keep them out.
Have questions about your data security? Contact us to discuss what security measures you can put in place on your budget.
May was a busy month for Microsoft! Here’s a quick rundown of some of the notable changes to Office 365 and other Microsoft programs.
SharePoint 2016
SharePoint 2016 was officially released in May and it came with a lot of improvements. In addition to the obvious changes in the look and feel, Microsoft has made monumental changes to the way SharePoint functions from a collaboration aspect. Here are some of our favorite new features to watch out for in SharePoint 2016.
SharePoint 2016 will roll out to Office 365 users over the next few months. Want to learn more? Check out these links:
https://blogs.office.com/2016/05/04/announcing-simple-and-powerful-file-sharing-and-collaboration-for-office-365/
https://blogs.office.com/2016/05/04/the-future-of-sharepoint/
Some other notable updates in May include:
Microsoft Flow: Microsoft actually introduced Flow at the end of April, but we like it so much, we wanted to include it here. Flow is a personal workflow tool that automates small tasks across programs. If you’ve ever used IFTTT, it’s very similar. Flow takes the small tasks that can add up to a lot of time, and makes them automatic. There are dozens of prebuilt Flows, like “When a task is created in Microsoft Project, create a task in Wunderlist” and “Save my email attachments to a SharePoint document library,” or you can create your own. Check it out at: https://flow.microsoft.com/en-us/
OneNote Updates: Microsoft introduced some new updates to OneNote in May, making it more accessible. Our favorites include the ability to log in using your work account (instead of your Live ID) and the addition of embedded video (just paste a link to a video and the video will embed itself inside your OneNote document!). iPhone and iPad users rejoice! There were also numerous iOS improvements released, so if you haven’t updated your app in a while, now’s the time to do it. More details on these updates can be found at: https://blogs.office.com/2016/04/28/onenote-and-office-lens-april-roundup/
Skype for Mac: The Skype for Business for Mac preview is here! IT Admins can sign up their organization on the Skype for Business preview site. For more, including details about the roll-out phases, read this blog post: https://blogs.office.com/2016/04/26/skype-for-business-mac-preview-is-here/
Office 365 Usage Reports: Microsoft introduced new usage reports for Office 365 (SharePoint, OneDrive, Yammer and Skype for Business). We’re most looking forward to the Reporting Dashboard, which gives a high-level overview of how many Office 365 users are in your organization and what services they’re using. There are also reports for specific programs, giving you more insight into how your users are working. More details: https://blogs.office.com/2016/04/08/new-usage-reports-for-sharepoint-onedrive-yammer-and-skype-now-available/
Reminder! Free Windows 10 upgrades end July 29! If you haven’t already updated your machine to Windows 10, it may be time.
Using a Customer Relationship Management (CRM) system can vastly improve the productivity of your sales team. There are a lot of very different CRM options on the market, and figuring out which system is right for you can be daunting. When looking for a CRM, there are a few factors you must consider before committing to a system.
Using job boards in your hiring process can seem incredibly impersonal (and if you’re the one looking for a job, it can seem like throwing your resume into a black hole), which isn’t something you typically want when looking for a new person to join your team. But we have a very real and very important reason for using one: security. Malicious emails designed to look like resumes are a very common way to send ransomware and other forms of malware.
One of our favorite productivity tips is to simply turn off your email. While vital to most businesses, email (especially email notifications) can be a huge source of distraction for many employees, and logging out for a while can make it easier to get other work done. But turning off your email for an extended period of time may mean missing a notification when a meeting gets changed or cancelled. Thankfully, there is an obscure feature in Outlook in Office 365 that lets you set up SMS/text notifications when meetings are changed.
Allen Brooks is a Systems Engineer at PTG. Allen helps manage PTG’s systems, enabling our teams to assist all of our customers in the most efficient way possible. He grew up in Williamston, SC and earned his Bachelor of Science in Software Development at Southern New Hampshire University, where he graduated summa cum laude.
Experience
Before coming to PTG, Allen worked at the iCare Center at the University of South Carolina where he was a support technician. He has also worked in web development and design.
Favorite Piece of Technology
“My home media server because I built it from the ground up and I can access the media on it from anywhere in the world.”
Interesting Fact
Allen has been from sea to shining sea - literally! He recently took a cross-country road trip with his 92-year-old Grandfather, so his grandfather could check off a bucket list item: putting his feet into the Pacific Ocean.