Connect with us

IT Security

Five Basic (And Cheap!) Tasks That Will Dramatically Improve IT Security For Small Businesses

First off, let me address your burning question that I know you’re thinking right now: “Why should I should care about IT security for my business? I’m too small to be a target – I have nothing to steal”.

The quick and simple answer to this question is that every IT system has something of value – from your businesses intellectual property that can be sold to foreign competitors through to using your business web server to host pay-for-view websites for pedophiles.

The next question I guess you will ask is; “IT security is far too expensive and provides no ROI, so what’s the benefit to my business?”.

Let me approach this question from a different angle. Part of my role as a professional IT security consultant involves helping businesses recover from IT security breaches. From my experience, the cost of recovering from a breach is 100 times more expensive than being proactive and implementing some basic security controls – five of which I will present in this post.

As an example, if you accept credit cards as payment and your business suffers a breach that results in credit card data being stolen, you will more than likely face some very expensive remediation tasks set by your acquiring bank under the PCI DSS standard, which includes the five tips I provide in this post.

So with the questions answered and your interest in IT security slightly piqued, let me introduce these five cheap and easy to implement tips that will dramatically improve your businesses IT security position.

The five tips are based on the Australian Department of Defense’s “Top 4 Strategies to Mitigate Targeted Cyber Intrusions”, which are said to mitigate at least 85% of intrusion techniques when fully implemented.

IT security is a daunting prospect for most small businesses, mostly because it appears complicated and expensive. Small businesses focus on the old proverb of “spend a dollar to earn three” and IT security does not directly appear to add anything to revenue. Of course, this way of thinking is dangerous because when you do suffer a breach, it’s far more expensive in terms of cost, time and brand reputation to fix and recover.

However, I am not here to be another IT security professional warning you about impending doom – let’s just focus on getting some security in-place that will dramatically help your IT status while not draining funds and time from your immediate focus, which is to earn revenue.

Below are five recommendations that will dramatically reduce your chances of an IT breach when implemented correctly. Just to recap; it’s far costlier to recover from a breach than being proactive and applying some basic IT security changes to your system.

1. Remove All Local Admin Rights From Your Staff’s Computer Accounts

I am guessing that your staff have local admin rights to their work computers – meaning they can install, update and remove whatever software they want from their work computer. You may not even be aware of this and think it’s just the norm. However, having “local admin rights” also allows the user to turn off services, such as the local firewall and anti-virus software, making their computer very vulnerable to attack.

One issue that is very common is staff downloading software from the Internet to help with tasks. Often, the software is free and easy to download but, in many cases, it can contain additional malicious software such as ransomware and “backdoors” that allow hackers to steal data and take control of your computers. Free software containing viruses and other nasties is not rare: the Internet is filled with the stuff.

By removing the “local admin” rights from your staff’s computer accounts you will stop this from occurring.

I know this is a pain because every time someone wants something installed they will need the person with local admin rights to install the software; however, this is a major step for protecting your computer systems from a breach.

For information on how to remove local admin rights from a version of operating system, just search Google – for example, “how do I remove local admin rights from Windows 7?

2. Patch Your IT Systems

Patching operating systems and software applications is not hard – it’s a matter of setting up a patching schedule and sticking to it.

This is very important because patches often address a newly discovered security vulnerability. There is a constant race between the software vendors and the baddies as to who finds a vulnerability first. If the vendor wins the race then a patch can be released to fix systems before the baddies can take advantage of the vulnerability. But if the business does not apply the patch in a timely manner (normally a maximum of a month after patch release) then the baddie can still take advantage.

Baddies are constantly scanning computer systems around the world for vulnerabilities – this is an automated process so you may think no one cares about your business or you’re too small to be discovered but that’s not the focus for the baddie. Any system can be of value – from stealing IP to using your system to host a web server for questionable or even illegal purposes.

A monthly patching schedule is what most businesses adopt – it’s not so regular that it causes constant disruption to your BAU processes but not so lengthy that it increases the risk of a breach because a critical security patch was not installed quickly enough.

One approach is to patch a subset of computers in your work place such as the less critical systems (not the system containing the payroll application!) at the end of each month and let the systems run for a week. If no issues occur, like the new patches causing crashes, then patch the remaining systems. Of course, make sure each system is backed-up first before applying any major patch.

3. Use Unique And Strong Passwords

You have heard this advice from everyone, right? Never use a password more than once and ensure its “strong” – meaning the password is at-least 7/8 characters in length and uses numbers, letters (lowercase and uppercase) with some symbols for good measure.

I don’t want to bore you and say the same thing as everyone else. Oh wait, I just did!

Instead I will provide a very common example of why you should use unique passwords, at least for your most important accounts.

It’s well known that people re-use passwords and the reasons why are obvious. A rough count on the number of accounts I have that are accessed with a password weekly such as websites, email accounts, bank accounts is 40!

Hackers also know that people will reuse their passwords, including passwords used for online bank accounts and other sensitive accounts. All the hacker needs is one breach from an online service that has poor security to steal the user accounts database containing your password. The hacker can use social media to locate more personal details about you, such as where you live, what services you use, locate a complaint you made about your bank via Twitter and then attempt to access your online bank account and other sensitive accounts.

It is also very easy to work out from social media where you work (thanks, LinkedIn) so the hacker can try to access your work systems using your stolen password. A business will often allow remote access to their computer systems (such as email and CMS) for their staff so the hacker can attempt to use the stolen password without even being physically present at your office.

You may ask why would email be a target? Well, say the email account that has been accessed by the hacker is Bob’s who is in-charge of payroll. The hacker can read through Bob’s inbox and find out if the business uses a third party payroll system and if so send the third party an email changing bank accounts for a subset of employees for their salary. The new bank account details are of course managed by the hacker.

Implementing a password vault that your staff can use such as LastPass can help enforce the use of unique and strong passwords for business systems, including third party systems such payroll, invoicing, CMS, etc. Password vaults often allow a user to log into a system without showing the password, making it painless to use strong and unique passwords since the user does not have to manually type one in or write it down so they don’t have to access the password vault again.

As a final note, I would like to address the task of forcing passwords to be changed every 30 days or less. Personally, I don’t like it as it forces the user to think up a new password every time. Ultimately people end up using slight variants of the same password to make the change quick and memorable.

Unfortunately, hackers know this and will use software that automatically tries variants of passwords using pattern algorithms based around the password’s structure. So even if the hacker doesn’t have the exact password you used for your bank account and work systems, your human mind will cause a pattern to emerge when selecting a variant, which the hacker’s software will use to guess the password.

Instead of forcing a staff member to change their account password every 30 days or so, I would encourage the creation of a strong password they can remember (tips on how are here) and only force a change every 6 months or after a security breach. Don’t take my word on this topic as the mighty NIST goes even further and recommends a password is not changed unless it’s compromised or forgotten.

4. Think Before You Click

This is probably the hardest of the five tips to implement as it relies 100% on human behavior.

The “Think before you click” statement addresses the need for people to think first before clicking on a URL to visit a webpage or email attachment. Often viruses and other nasties enter the business environment due to people not thinking before clicking, such as payroll staff clicking on an email attachment named “invoice” or HR clicking on an attachment named “CV”.

It is very hard to work out if an email attachment is malicious or a URL takes you to a web page with a malware payload but it’s important to try as anti-virus software is not as effective as it used to be. These days, relying solely on anti-virus software to stop all nasties such as ransomware from infecting a computer is very risky.

So, what do you do?

Well, the first thing is to still use anti-virus software as there are many nasties that will be detected, but not be 100% reliant on it to block everything.

Next, discuss with your staff how a malicious email could be detected by using key indicators such as who the sender is, the tone and style of the email content, the quality of the English language, if the email just doesn’t look right, etc…

Here is an example of how this works.

If your business sells car parts to the local community and you receive an email with instructions in poor English to open the attachment for an overseas order and the sender’s email address looks strange then it is probably a good bet that the email attachment is malicious.

There are no guides or rules that will guarantee you will be able detect all the emails containing virus-infected attachments or dodgy URLs. It’s up to each business to determine how their customers, prospects, services providers, etc. communicate with them.

If the email is written with poor English and encourages you to open the attachment for an overseas order and your business only deals with the local community then you should treat that email with suspicion.

Likewise, if an email comes in suggesting you click on the URL provided in the email and the URL looks strange to you then that’s another email to be suspicious of.

Or another email states your PayPal account has been frozen and to click the link to reset your password but the URL in the email doesn’t look like a normal PayPal secured URL then that’s another one that should arouse suspicion.

5. Change Default Passwords On Devices And Software

Do you remember the scare about a year ago about people accessing baby monitors over the Internet and yelling at babies through the baby monitors?

How can this happen?

Its actually very easy and very common if you do not change the default password to access the settings on a device. Most Internet-enabled baby monitors, or any webcams and security cameras for that matter allow access via the Internet.

The device normally comes with a default password with the account – a great one is admin for the username and admin for the password. Many people don’t change the password from the default, which means anyone who bothers to search Google for the default password for a device knows the password!

But how can they find your baby monitor, webcam, security camera on the Internet?

Easy!

By using a free service, which is often referred to as “Google for devices”.

There are a few examples but the main device search website is https://www.shodan.io/ and its job is to search the ENTIRE internet looking for devices connected to the Internet and then provide helpful information about each device.

So if you want to search for baby cams that are accessible on the Internet in the USA then you can use Shodan to search. Then it’s a simple matter to access each baby cam’s login page (which Shodan helpfully provides) and try admin/admin or whatever the default credentials are.

For a business, it doesn’t just stop at security systems and webcams; it also includes firewalls, routers and other network devices which are far more serious as these devices allow access to your network! http://routerpasswords.com/ is a very helpful website that records all default accounts and passwords for most network devices and its free and public to use.

The way to think of this is that it provides a handy front door to your computer systems for anyone with Internet access!

The lesson to remember is when you install a new device or software application, you should identify the default accounts provided and change the default password!

Summary

Congratulations on getting this far. I can see you are serious about increasing the IT security of your business and that is a very good thing!

In summary, the five tips are:

  1. Remove local admin rights from general user’s accounts – for general user accounts do not grant local admin rights as this will allow your staff to install any software they want, which often results in malicious software being installed as well.
  2. Patch regularly – patch at least monthly and any critical security patches should be installed as quickly as possible.
  3. Use strong and unique passwords – avoid reusing the same password, especially for your business systems, and use strong passwords. I use this site to generate strong and unique passwords: https://strongpasswordgenerator.com/
  4. Think before you click – train your staff to think before clicking on an email attachment or URL within an email (or via chat applications, etc.). Teach your staff what a legitimate email should look like based on your business and relationships with external entities. Also, if a URL looks strange to you then don’t click it without researching first or ask a workmate what they think about the URL.
  5. Change default passwords – any device added to your environment probably comes with a default admin account and default password. Treat all default passwords as publicly known. Change the default password ASAP, especially before it’s connected to your network. This also applies to any software installed.

Next Must Read Post for Small Business

Do you accept credit cards for payment? If you do then you need to read this post-> Do I Need To Be PCI Compliant?

BusinessArticles is the popular online Hub for quality business articles. We publish unique articles and share them with our social followers.

Continue Reading
Click to comment

Comments?

IT Security

How Compliant is your Small Business?

person on computer

Operating a small business doesn’t mean you can be complacent with how you’re protecting customer data and the prevention of the real threat of credit card theft.

Hacking gangs are alive and well hence the tightening of data protection rules  in the western world including the European Union’s GDPR.

Data Protection

So there’s two major compliances to work on immediately if you’ve not done so already.  Doing the basics  to ensure your business is in compliance with data protection laws including the GDPR even if you’re not in Europe is a must-do and here’s how you can get started if you’ve not done it already.

Every website collecting email addresses and more, need to comply with the requirements for protecting customer data.  There’s more that’s needed too see (Website policies) further on in this article.

PCI Compliance

There is also a pressing concern for all businesses, eCommerce and particularly those in the retail sector to commit to  PCI compliance.  You might be wondering what it is and is your operation too small to be bothered with it right now.

A really good explanation of what PCI DSS is and why any business transactions using credit cards needs to comply can be found in this article on BusinessBlogs.

Self Assessment

Smaller businesses can do a self assessment and why you might sigh with relief, don’t get too comfortable, you’ll still need to know exactly how to do a PCI self assessment and how to get set up so when your business grows it’s got everything in place for external assessments.

PCI and Networks

The real difficulty lies in understanding how sensitive data moves along your network which is a must for assessment.  The wireless LANs and other connectivity points like USBs and bluetooth can be penetrated hence they need to be monitored and secure.  This is where a PCI compliant specialist comes into their own not only for your self assessment but also when using external PCI auditors for your compliance.

Website Policies

Earlier on we mentioned protection of customer data and laws like GDPR.

Any business with a website that collects customer data can not avoid the basics website features that allow for transparency of how customer data is collected, utilised and shared with privacy and cookies policies.

This really is the norm now and it’s the entry level for all websites so all website developers will implement it, so it’s just the older sites and the Do-it-yourself crowd who need to be aware of the requirements.

Website visitor expectation is they’ll see the pop up that asks for acceptance of re. your website cookies policy and they’ll take the necessary action.  Without it, your business is not perceived as being secure and visitors may take no further action i.e. they’ll exit your site.

All websites should also be using the SSL (HTTPS), and be mobile ready.  Plus have all the bells and whistles in place to manage customer data collection and management for protection of customer data.

Summary

Ignorance is not bliss and it will be hurting your business if your website is not on top of it’s compliance requirements.   Get curious, find out what you need to know and when you need to take action to keep the hackers out and the visitors in.

Continue Reading

IT Security

Why Shopping Cart Abandonment?

online shopping

Shopping cart abandonment is not decreasing. Buyers add stuff to their shopping cart, however exit without finishing the purchase. The term ‘buyer’s remorse‘ needs to coined another way to describe why online shoppers abandon their shopping carts.

Relinquishment is an electronic business term used to portray a condition wherein a visitor on a page leaves that page before completing the pined for movement. Occurrences of betraying, are the place shopping cart abandonment happens the most! The reasons change from site to site and they’re explained well in the infographic created by Fullestop. We’ve added it to this post for you.

Web business destinations attempt to decrease their cart abandonment rate; however it’s a losing battle with a high level of customers still slipping past. Honestly, shopping case surrender rates if all else fails are actually rising. Business Insider reports that $4.6 trillion worth of stock was left in spurned trucks in 2016, up from $4.2 trillion out of 2013.

Reasons behind Shopping Cart Abandonment

For the retail part, these were the most widely recognized explanations behind the surrender:
• 34% were ‘quite recently looking’ i.e. not prepared to purchase.
• 23% had an issue with transportation.
• 18% needed to look at costs.
• 15% chose to purchase in-store.
• 6% relinquished because of an absence of instalment alternatives.
• 4% encountered a specialized issue.

Distinctive edifications have been offered trying to state why buyers leave shopping bushels. Most, by far, of the reasons, take after the ones in this present reality shopping process. The basic enlightenments behind shopping wicker container betraying have been seen as:

Perplexity with astound costs: in the far-fetched event that it’s not clear how to influence a purchase and you to leave your prospects with no other individual, expecting that “they’ll appreciate it”, you’re in for an epic dissatisfaction. Correspondingly, if they are out of the blue given some extra costs that they didn’t expect, you were showing the portal yourself.

Alert or secure site: An alert about the website can without much effort change over into fear. The starting point for a business is website security and assuring customers the website is safe and secure and this includes their shopping cart and when it comes to credit card data, what information is requested from purchasers.

Most electronic business purchasers are careful about revealing their own particular information, especially with respect to MasterCard inspirations driving interest. Purchasers are already nervous and it’s not long before they end up plainly suspicious especially if an overabundance of information is requested from them.

shopping cart abandonment infographic

Continue Reading

IT Security

How To Protect Your Business From Cyber Attacks

dealing with toxic co-workers

There is no getting away from the fact that cybercriminals and hackers are everywhere these days. Business owners need to remain vigilant and take precautions if they don’t want to become the victims of crime. The information in this article will educate all readers about the basics of protecting their operations and ensuring information theft doesn’t occur. The last thing any entrepreneur wants is for a hacker to steal their customer payment details because that often results in bad press and a lot of headaches. With that in mind, use the advice below to ensure you leave no stone unturned when it comes to securing your company.

So how do hackers break into my website or computer network?

There are many ways in which hackers might attempt to breach your security tools and gain access to your website or office computer network. However, some methods are more common than others. In recent times, business owners report the following strategies when hacking attacks occur:

  • The hacker will upload specialist tools to your website that allow them to create multiple backdoors. That means that if you identify the first vulnerability and fix it, the criminal can still gain access using a variety of different methods.
  • The criminal will use malicious Javascript code to your website template and use it to infect the computers of anyone who visits your domain. However, they won’t do that every single time someone clicks your link because that might expose their efforts. Instead, the hacker will randomly attack computers so their strategy is harder to detect than it otherwise would have been.
  • Some online hackers will attempt to download all user accounts and then use specialist tools to break through password encryption. Alternatively, those criminals can just steal the contact information like email addresses before selling the data to spamming organisations.

Well, how do I stop that from happening?

Protecting your computer network:

You have lots of options on the table when it comes to protecting a computer network against hacking attacks. In most instances, it makes sense to build a relationship with an IT Support company that can offer assistance if the worst occurs. However, there are lots of preventative measures you can take in advance. Considering that, be sure to read the following information carefully and put the tips into action as soon as possible!

  • Invest in digital and physical firewalls – You can get those items online for little money these days. Just be sure to conduct a lot of research and read reviews from other business owners before committing.
  • Keep all software updated – Software developers release updated versions of their products all the time to help combat security vulnerabilities. If you don’t have the latest version of the program, you might expose your company to hackers.
  • Provide employee security training – It’s vital to offer all employees training on the best practices for maintaining maximum security. For instance, business owners should ensure their workers never connect personal smartphones to the business network. Likewise, the team members should never access their social media accounts in the workplace. However they should follow an IT Security expert and learn from their views and news. That could create security concerns.
  • Use strong and random passwords that contain numbers and letters – There are lots of random password tools that anyone can use if they want to ensure hackers can’t guess their way into the network. It’s worth investing in one of those programs as soon as possible.
  • Don’t connect unknown devices to your computers – As mentioned a moment ago, connecting smartphones and other media to your computer network could create problems. If hackers already have access to that device, they will have no issue when it comes to penetrating your system.
  • Encrypt all sensitive data or store it in the cloud – Cloud storage providers use some of the most advanced encryption tools and strategies possible. So, business owners shouldn’t have to worry too much if they keep their sensitive data secure using one of those services. However, it’s also vital that you encrypt information on your office network too!
  • Never use unsecured WiFi networks – If you connect your computers to unsecured public networks, hackers can break into your system in a matter of sections. Indeed, there are low-cost computer programs that even teenagers could use to steal your information if you make that simple error.

Protecting your website:

Business owners also need to follow the correct strategies when it comes to ensuring their websites don’t become vulnerable to hacking attacks. The list of tips below will assist you in making sure your site has the most robust protections possible. Failure to implement the advice from this section will mean you stand a much higher chance of becoming a victim than those who pay attention.

  • Keep all software, and website plugins up-to-date – Hackers will look to exploit the vulnerabilities that developers work hard to solve with their software and plug-in updates.
  • Use complex passwords – Again, you can find programs that create random passwords without breaking the bank.
  • Don’t allow users to upload files – Unless there is no alternative, allowing users to upload files is a recipe for disaster.
  • Only use HTTPS to deliver private information (payment details, etc.)
  • Use the best website security tools – There are new programs and plug-ins hitting the market every single day. So, business owners just need to keep abreast of the latest advancements and invest at the right time.
  • Always use a secure online payment gateway – Consumers expect to see that little padlock in the left-hand cover of the address bar when they enter payment information. Ensuring the page is secure should help to protect against hacking attacks. However, it should also mean you miss out on fewer sales.

Now you know all the basics of protecting your business from cyber attacks; you just need to put that advice into action. There is no time to delay because criminals work around the clock to steal information and profit from their crimes. So, sit down with your most dedicated team members as soon as possible before discussing the matter and designing your strategy. As stated only a moment ago, sometimes company bosses will benefit from the expertise of professionals. With that in might, weigh all the pros and cons and then work out if you have enough money in your budget to pay for assistance. If you don’t, just follow the advice from tips post!

Continue Reading

Trending