IT Security Must-Dos For Small Businesses

Guest Blog by Adam Tudor-Lane of ATL Corp


Published: September 18, 2017

Ian Taylor Editor


Many small businesses neglect their IT security in a big way. Often no budget is set aside on a regular basis, employees aren’t shown best practices, and until a virus or hack occurs it never even crosses anyone’s mind.

It all starts with weak passwords. Many employees choose stupidly simple passwords: first name followed by year of birth, a child’s name, even ‘password’. All of these can be broken with a brute force attack, which just churns through a dictionary and tries combinations until it gets in.

Passwords should be changed for everything on a regular basis; monthly or every three months is good. They should also combine capitals, numbers and characters, e.g. @MyP455w0rd!

But to really think of an unbreakable password you should use a phrase you can remember well. For example: !McF1FadL17, built from MycatFluffy1ovesFussesalldayLong followed by the last digits of the year.
According to howsecureismypassword.net (yes, that is a real site), it would take a computer 485 thousand years to crack the above password.

The next danger is the employees themselves. 99% of people wouldn’t give their PIN to somebody ringing them up claiming to be from their bank. But when spoof or phishing emails come through, it seems people can’t resist opening them or clicking on links.

Employees should be educated to spot these scams. It only takes one person to open a dodgy attachment, purporting to be from ‘The Bank Of England’, and then every file on your server becomes encrypted. Permanently. I’ve seen it happen many times.

There’s only so much anti-virus and anti-spam software can protect against; new threats often slip through until the safety net databases are updated.

It’s not just your computers, though; phone systems are also vulnerable. The number of times I’ve heard of hacked systems, bills running into the thousands and the company knowing nothing about it.

You need to make sure your phone system has all its ports closed on your firewall. If your phone provider needs remote access for programming changes, make sure only their external IP has access, or give them a VPN connection.

It’s all simple stuff, but it often gets missed.
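One way to check the phone-system firewall advice above, as an added example (not from the original post): the script audits a constructed list of inbound rules and flags any that let a source other than the provider's single external IP reach the phone system. The addresses, the rule layout and the `audit_phone_rules` name are assumptions made for illustration.

```python
import ipaddress

# Constructed values for illustration (private and documentation address ranges).
PHONE_SYSTEM = ipaddress.ip_address("192.168.1.50")   # assumed internal address of the phone system
PROVIDER = ipaddress.ip_network("203.0.113.10/32")    # assumed external IP of the phone provider

# Constructed sample of inbound rules: (name, source, destination, port, action)
SAMPLE_RULES = [
    ("provider-programming", "203.0.113.10/32", "192.168.1.50", 443, "allow"),
    ("old-remote-admin", "0.0.0.0/0", "192.168.1.50", 443, "allow"),
    ("wide-provider-range", "203.0.113.0/24", "192.168.1.50", 8080, "allow"),
    ("web-server", "0.0.0.0/0", "192.168.1.20", 443, "allow"),
    ("block-rest", "0.0.0.0/0", "192.168.1.50", 80, "deny"),
]


def audit_phone_rules(rules, phone=PHONE_SYSTEM, provider=PROVIDER):
    """Return (name, reason) for every allow rule that exposes the phone
    system to a source other than the provider's single external IP."""
    findings = []
    for name, source, dest, port, action in rules:
        if action != "allow":
            continue  # deny rules do not open anything
        if ipaddress.ip_address(dest) != phone:
            continue  # rule does not reach the phone system
        src = ipaddress.ip_network(source, strict=False)
        if src == provider:
            continue  # exactly the provider's address: the intended exception
        if src.prefixlen == 0:
            reason = f"port {port} open to the whole internet"
        elif provider.subnet_of(src):
            reason = f"port {port} open to {src}, wider than the provider's IP"
        else:
            reason = f"port {port} open to {src}, which is not the provider"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_phone_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

An empty result means the only inbound path to the phone system is from the provider's address; a VPN for the provider, the other option mentioned above, would remove the need for that exception entirely.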

Another big issue is hardware loss; how many times have we heard that the government has lost a laptop with however many thousands of confidential documents on it? The same thing can happen in a small business environment.

If you work on a laptop, turn the hard drive encryption on. All professional versions of Windows now come with BitLocker; Macs have FileVault.

These features encrypt the data on the drive so that if it were to ever be removed, the files cannot be accessed in another machine. You would need to open it with the corresponding software and provide the password to gain access.

This doesn’t stop at laptops, though. What if your premises were broken into and a desktop unit was stolen? The same security should apply.

You can also take this one step further by applying a boot password in the system’s BIOS. This will stop anyone who doesn’t know the password from ever using that unit again, even if they change the hard drive.

A lot of small businesses end up letting employees bring in hardware from home – this goes back to the IT budget issue. With ageing equipment, staff end up sick and tired of using slow, clunky machines, so they offer to bring in their own.

Business owners think ‘great, saves me some money’, that is until malware-ridden laptops are linked to the office network, often harbouring dodgy software such as torrent clients. Do you really want a letter through the post accusing you of downloading Fifty Shades illegally? I doubt it.

So, in summary, every small business should password, teach, encrypt and budget. Don’t leave it until it’s too late.

Guest Blog by Adam Tudor-Lane
Having spent a lifetime in the IT world, installing servers, whole networks and responding to the latest security threats, I now focus on web design, creative content and marketing for all manner of businesses.

Visit Adam’s website.

 
