As the 2015 UK election heats up, the campaign managers and spinners for each of the parties – particularly the larger parties – have gone into overdrive. Their remit is complex: they need to work on ways to make their party and its policies and candidates look good (for which they need to be nothing short of magicians in most cases), while trying to find ways to rubbish all the others (should be easy, but things can blow up in your face as Defence Secretary Michael Fallon found with a personal attack on Ed Miliband).
At the same time, they have to try to stay one step ahead of the other parties’ strategists, playing a game of chess in which plots may be several moves away from execution. They need to see what’s happening right now, while trying to predict and outwit their opponents. They’re constantly juggling – while playing chess. I said they were magicians.
What are you on about?
Why am I banging on about elections, you say? The title says ‘8 ways you can implement IT security without risking bankruptcy’ – get to the point.
Yes, alright, ok – I’m making an analogy while trying to be topical. The way political campaign managers move in their mysterious ways is similar to the work you and your systems need to do to keep your business IT secure. You need to tread a fine line and juggle the advantages your technology brings to your business while mitigating the threats you face from hackers and other ne’er-do-wells. You need to open up your network and information to make it easy for your legitimate users to work in the way they need – with multiple devices on-site, on the road, working from home, while making sure that same access isn’t available to all and sundry.
It’s hard enough for large businesses to protect themselves – many employ a dedicated team of IT professionals or outsource to a third-party for large sums of money to keep their systems running smoothly and securely. And they don’t always succeed.
Ask anyone who has to look after a web server or other server connected to the internet, and they’ll tell you that unauthorised access attempts are no rarity – in fact, bombardment of the servers that host the sites on the web is almost constant. Some of these attacks are manual, but most are automated and carried out by bots that crawl their way around, identifying machines by their IP and attempting to access them by brute force attacks on web-based forms or command-line interfaces. Some of these bots also log information about each the servers and/ or the sites they visit, identifying the discernible information about each. Why do they do this? When a vulnerability is uncovered, it has specific hardware and software it affects. Insidious individuals can use a list of all IPs or domains logged as vulnerable and quickly exploit.
One such example of this was a vulnerability discovered in websites built using the popular and widespread Drupal CMS. In October of 2014, the team that develops Drupal uncovered an exploit possible in one version of the CMS. They understood the seriousness of the threat, and quickly published information to site owners about the vulnerability and the steps to defend against its expoitation. The advice they gave, such is the nature of the web, was that if the patch to Drupal was not applied within 7 hours of their statement, site owners should assume that they had been hacked and take appropriate action. For many, this assumption turned out to be true. There really were insidious individuals sitting with a huge database of sites they’d identified as being Drupal based, and they released their metaphorical hounds within hours of the vulnerability being discovered.
Great, so danger lurks around every corner. What chance have small businesses got?
Yes, it’s the dark underbelly of the shiny, fun world wide web. Your seemingly impossible mission, should you choose to accept it, is:
- Providing as much access to your infrastructure as possible to your employees while keeping it secured
- Making the company known to the world while mitigating against unwanted attention from hackers
- Pushing your digital information into the cloud while keeping it under control
As a small business, it’s not realistic to have an IT department looking after your technology, but there are ways you can protect your business:
- Keep your users informed, savvy and alert.
Your first port of call should be education: your systems and servers can be firewalled to the gills and impenetrable to dastardly types, but if your users are careless with their passwords or uninformed in the wise use of the web or connected devices, you could be left wide open to attack with aforementioned types using legitimate means to their dastardly ends. Implement a password strength policy with minimum requirements, and ensure that passwords to which more than one person may have access (if absolutely necessary) are regularly changed and known to only those people. Establish protocols and best practice advice for all users like locking screens on laptops even when stepping away for brief periods.
- Do users connect from other offices or locations?
Use a resilient VPN (Virtual Private Network) solution for secure branch office connectivity. Peplink specialise in these solutions and can take the pain away from setting them up. They offer solutions such as the Peplink Balance 210 Dual-WAN Router which connects 2 WANs and enables up to 50 users connected concurrently. It can be installed into an existing network without any need to re-configure firewalls or routers, so installation is quick and easy.
- Secure your WiFi to prevent unauthorised access
Wireless device makers like Aerohive have wireless solutions that provide strong security because enforcement is performed right at the edge of the network – where the wireless users first get access. Aerohive’s Access Points are designed with security in mind and will give excellent performance while helping you to maintain strong network security.
- Keep your viruses and malware away!
No matter how careful your users are (see point 1), viruses and malware do find their way through. Protect your users’ machines using strong and effective antivirus and malware defence. We recommend ThreatTrack’s Vipre which is their most robust enterprise and business solution that combines antivirus, integrated patch management, Mobile Device Management (MDM) and more to centrally manage and defend PCs, Macs, iPhones, iPads and Android devices. It’s a lightweight solution and stays out of the way of your day-to-day work. (It’ll even help you remove your old antivirus software …)
- Keep control of your shared documents
To run a business effectively, you need shared access to information, but often you need that information to go no further. This can be impossible to control when you are storing files in a shared drive or by email, or even by new cloud-based solutions such as Dropbox. An alternative is available in the form of WatchDox – a Dropbox-like service with added security. You can share documents but maintain control and even relinquish access whenever you like, so the owner of a document can be assured it will not end up in the wrong hands.
- Simplify your Network Access Control
Services like Macmon can dramatically reduce the time and effort in managing user access and permissions. It is easy to use, implement and establish.
- Users emailing or messaging about business via mobile devices?
Phones and tablets are not immune to attacks by viruses and malware, which can send sensitive information to malicious third parties without your knowledge. Software like Lacoon will protect your users’ devices and stop such insidious invasions.
- Access Control and Time Management
It can be difficult to keep track of who is where in your buildings, and the timings of movements by your staff and visitors – the physical side of IT security. Leading biometric technology manufacturers Anviz and ZKTeco offer cutting edge security and time management solutions providing multi-biometric and RFID time & attendance and access control solutions.
All these solutions are available and, more importantly, affordable to small businesses (particularly when compared with the cost of dedicated staff or third party outsourcing), and well worth investment when you consider the costs of not using them. You can lose time or efficiency across your whole staff, and lose money paying to rectify the effects or fallout of a security breach. Biggest of all, however, is the loss of confidence or reputation that can result from sensitive information falling into the wrong hands. Prevention is better than cure.
Please contact us if you would like to discuss simple ways to protect your business.
Call to enquire