IT Security

Five Tasks To Improve IT Security For Small Businesses

First, let me address your burning question. I know you’re thinking: “Why should I care about IT security for my business? I’m too small to be a target – I have nothing to steal”.

The quick and straightforward answer to this question is that every business and IT system has something of value – from your intellectual property that can be sold to foreign competitors to using your business webserver to host pay-for-view websites for paedophiles. Or you could be targeted for a domain name scam.

The next question I guess you will ask is, “IT security is far too expensive and provides no ROI, so what’s the benefit to my business?”.

Let me approach this question from a different angle. As a professional IT security consultant, part of my role involves helping businesses recover from IT security breaches. From my experience, recovering from a breach is 100 times more expensive than being proactive and implementing some basic security controls – five of which I will present in this post.

For example, suppose you accept credit cards as payment, and your business suffers a breach resulting in credit card data being stolen. In that case, you will more than likely face costly remediation tasks. Set by your acquiring bank under the PCI DSS standard, the remediation will include the five tips I provide in this post.

So, with the questions answered and your interest in IT security slightly piqued, let me introduce these five cheap and easy-to-implement tips that will dramatically improve your business’s IT security position.

Table of Contents

5 IT Security Tasks

The five tips are based on the Australian Department of Defense’s “Top 4 Strategies to Mitigate Targeted Cyber Intrusions”, which are said to mitigate at least 85% of intrusion techniques when fully implemented.

IT security is daunting for most small businesses because it appears complicated and expensive.

Small businesses focus on the old proverb “spend a dollar to earn three,” and IT security does not seem to add anything to revenue directly. Of course, this way of thinking is dangerous because when you suffer a breach, it’s far more expensive in terms of cost, time, and brand reputation to fix and recover.

However, I am not another IT security professional warning you about impending doom. Let’s focus on getting some protection to dramatically help your IT status while not draining funds and time from your immediate focus, which is to earn revenue.

Below are five recommendations that will dramatically reduce your chances of an IT breach when implemented correctly. Recovering from a breach is far more costlier than being proactive and applying some fundamental IT security changes to your system.

1. Remove All Local Admin Rights From Your Staff’s Computer Accounts

I am guessing your staff have local admin rights to their work computers – meaning they can install, update, and remove whatever software they want from their computer. You may be unaware of this and think it’s just the norm. However, having “local admin rights” also allows users to turn off services, such as the local firewall and anti-virus software, making their computers vulnerable to attack.

One widespread issue is staff downloading software from the Internet to help with tasks. Often, the software is free and easy to download, but, in many cases, it can contain additional malicious software such as ransomware and “backdoors” that allow hackers to steal data and take control of your computers.

Free software containing viruses and other nasties is not rare: the Internet is filled with the stuff.

You will stop this from occurring by removing the “local admin” rights from your staff’s computer accounts.

I know this is a pain because every time someone wants something installed, they will need the person with local admin rights to install the software; however, this is a significant step for protecting your computer systems from a breach.

For information on removing local admin rights from a version of the operating system, search Google – for example, “How do I remove local admin rights from Windows 7?”

2. Patch Your IT Systems

Patching operating systems and software applications is not complex – it’s a matter of setting up a patching schedule and sticking to it. This is very important because patches often address a newly discovered security vulnerability.

There is a constant race between the software vendors and the baddies to find a vulnerability.

If the vendor wins the race, a patch can be released to fix systems before the villains can take advantage of the vulnerability. But if the business does not apply the patch promptly (usually a maximum of a month after the patch release), the baddie can still take advantage.

Baddies are constantly scanning computer systems worldwide for vulnerabilities – this is an automated process, so you may think no one cares about your business, or you’re too small to be discovered, but that’s not the focus for the baddie. Any system can be of value – from stealing IP to using your system to host a web server for questionable or illegal purposes.

A monthly patching schedule is what most businesses adopt where it’s not so regular that it causes constant disruption to your BAU processes but not so long that it increases the risk of a breach. Ideally, install a critical security patch quickly.

One approach is to patch a subset of computers in your workplace, such as the less critical systems (not the system containing the payroll application!), at the end of each month and let the systems run for a week.

If no issues occur, like the new patches causing crashes, patch the remaining systems. Of course, ensure each design is backed up before applying any major patch.

3. Use Unique And Strong Passwords

You have heard this advice from everyone. Never use a password more than once, and make sure it’s “strong” – meaning the password is at least 7/8 characters in length and uses numbers and letters (lowercase and uppercase) with some symbols for good measure.

I don’t want to bore you and say the same thing as everyone else. Oh wait, I just did!

Instead, I will provide a prevalent example of why you should use unique passwords, at least for your most important accounts.

It’s well known that people reuse passwords, and their reasons are obvious. A rough count on the number of accounts I have accessed with a password weekly, such as websites, email accounts, and bank accounts, is 40!

Hackers also know that people will reuse their passwords, including passwords used for online bank accounts and other sensitive accounts. All the hacker needs is one breach from an online service with poor security to steal the user account database containing your password.

The hacker can use social media to locate more personal details about you, such as where you live and what services you use, find a complaint you made about your bank via Twitter, and then attempt to access your online bank account and other sensitive accounts.

It is also straightforward to work out from social media where you work (thanks, LinkedIn), so the hacker can try to access your work systems using your stolen password. A business will often allow remote access to their staff’s computer systems (such as email and CMS) so the hacker can attempt to use the stolen password without even being physically present at your office.

You may ask why email would be a target. Well, say the hacker who accessed the email account is Bob, who is in charge of payroll. The hacker can read through Bob’s inbox and find out if the business uses a third-party payroll system and, if so, send the third party an email changing bank accounts for a subset of employees for their salary. The hacker, of course, manages the new bank account details.

Use a password vault

Implementing a password vault that your staff can use, such as LastPass, can help enforce unique and strong passwords for business systems, including third-party systems such as payroll, invoicing, CMS, etc. Password vaults often allow a user to log into a system without showing the password, making it painless to use strong and unique passwords since the user does not have to manually type one in or write it down so they don’t have to reaccess the password vault.

As a final note, I would like to address the task of forcing passwords to be changed every 30 days or less. I don’t like it as it constantly pushes the user to create a new password. Ultimately, people use slight variants of the same password to make the change quick and memorable.

Unfortunately, hackers know this and will use software that automatically tries variants of passwords using pattern algorithms based on the password’s structure. So even if the hacker doesn’t have the exact password you used for your bank account and work systems, your human mind will cause a pattern to emerge when selecting a variant, which the hacker’s software will use to guess the password.

Instead of forcing a staff member to change their account password every 30 days or so, I would encourage the creation of a strong password they can remember (tips on how are here) and only force a change every six months or after a security breach. Please don’t take my word on this topic, as the mighty NIST goes even further and recommends a password is not changed unless it’s compromised or forgotten.

4. Think Before You Click

This is probably the hardest of the five tips to implement as it relies 100% on human behavior.

The “Think before you click” statement addresses people’s need to think before clicking on a URL to visit a webpage or email attachment. Viruses and other nasties often enter the business environment due to people not thinking before clicking, such as payroll staff clicking on an email attachment named “invoice” or HR clicking on a branch called “CV.”

It is tough to work out if an email attachment is malicious or a URL takes you to a web page with a malware payload, but it’s essential to try, as anti-virus software is not as effective as it used to be. These days, relying solely on anti-virus software to stop all nasties such as ransomware from infecting a computer is very risky.

So, what do you do?

Well, the first thing is to use anti-virus software still as many nasties will be detected, but not be 100% reliant on it to block everything.

Next, discuss with your staff how a malicious email could be detected by using key indicators such as who the sender is, the tone and style of the email content, the quality of the English language, if the email doesn’t look right, etc…

Example

Here is an example of how this works.

Suppose your business sells car parts to the local community and you receive an email with instructions in poor English to open the attachment for an overseas order. In that case, the sender’s email address looks strange. It is probably a good bet that the email attachment is malicious.

No guides or rules guarantee you can detect all emails containing virus-infected attachments or dodgy URLs. It’s up to each business to determine how their customers, prospects, service providers, etc., communicate with them.

Suppose the email is in poor English and encourages you to open the attachment for an overseas order, and your business only deals with the local community. In that case, you should treat that email with suspicion.

Likewise, if an email suggests you click on the URL provided in the email and the URL looks strange to you, then that’s another email to be suspicious of.

Another email states your PayPal account has been frozen, and you should click the link to reset your password, but the URL in the email doesn’t look like a regular PayPal-secured URL. Then that’s another one that should arouse suspicion.

5. Change Default Passwords On Devices And Software

Do you remember the scare about a year ago about people accessing baby monitors over the Internet and yelling at babies through the baby monitors?

How can this happen?

It’s straightforward and widespread if you do not change the default password to access the settings on a device. Most Internet-enabled baby monitors, webcams, and security cameras allow access via the Internet.

The device usually comes with a default password with the account – a great one is admin for the username and admin for the password. Many people don’t change the password from the default, which means anyone who bothers to search Google for the default password for a device knows the password!

But how can they find your baby monitor, webcam, or security camera online?

Easy!

The way to think of this is that it provides a handy front door to your computer systems for anyone with Internet access!

The lesson to remember is when you install a new device or software application, you should identify the default accounts provided and change the default password!