IT Security Easy Wins

Published: May 29, 2015

In the recent world of business IT, no subject has been in the spotlight more than IT security. Hardly a week goes by without an exploit, bug, hack, or breach being reported. Such reports range from factual accounts of the event, through technical descriptions unfathomable to most business owners, to outright scaremongering articles describing worst-case scenarios and how the world as we know it is about to end (or at best, be stolen and sold off to the highest bidder).

This article is none of those things.

This article could be described as a short dip into the rabbit hole of IT security, or as I like to call it, a selection of easy wins that can be applied to give you a fighting chance at remaining secure and compliant. This is by no means exhaustive and by no means will it suit every business 100%. If you wish to look further into the rabbit hole, please do give us a call and I will be happy to escort you.*
  • Inventory Everything
    If you don’t know how many computers you have, who has them, and what data is present on them, how can you ever expect to keep your data secure? Keep a detailed inventory of the devices allowed on your network, and who has login rights to those devices. Keep a detailed inventory of the software allowed to run on your network and consider blacklisting everything else. Finally, understand where your business data is stored and processed, and who is allowed to access it. By knowing where your data can flow, physically and logically, you have taken the first step to securing your business.
    Quick Win: Employ a good Managed Service Provider who uses a remote monitoring, maintenance and inventory tool.
  • Manage your Updates
    Software is born with bugs, lives with bugs, and dies with bugs. This is the unfortunate truth. Software authors like Microsoft and Adobe are constantly releasing updates to fix bugs and patch security holes. As soon as a vulnerability is patched by the software author, it becomes public knowledge. If you don’t patch your holes, you risk having them targeted. By proactively managing the patching on your network you go a long way to securing your business.
    Quick Win: Employ a good MSP who proactively updates your systems.
  • Secure your Gateway
    If you do not have a business-grade firewall, consider getting one. They are designed with security in mind and far outpace domestic routers as far as security is concerned.
    If you already have a business-grade firewall, ensure that the configuration is secure and documented, and that only those who absolutely need administrator access have it. Your firewall is only as good as the configuration running on it, and if you don’t know who has the ability to change that configuration, you don’t know if it is secure from one day to the next.
    Quick Win: Invest in a good firewall and make sure that its configuration is secure, documented and well managed by your administrator or MSP.
  • Outbound Controls
    Most people think of a firewall as blocking unwanted inbound traffic, i.e. stopping the hackers getting into your network. But what if they do get in? No inbound defence is 100%, and if your inbound defences fail, how are you going to stop the thieves from stealing the data from your business?
    Quick Win: The latest generation of firewalls include intelligent outbound controls; consider upgrading your firewall to include this feature. These are often called Next Generation (Next Gen) Firewalls, or Unified Threat Management (UTM) systems. Alternatively, outbound controls can be configured on most older “traditional” firewalls, but this tends to be more labour intensive and complex.
  • Need to Know Access
    Separate different levels of information access. I am not talking about a complicated security or permissions structure (that is further down the rabbit hole*). I am talking about simple things like providing a guest Wi-Fi network so that your customers can get internet access, but do not get access to your corporate network. Things like restricting permission to the “Accounts” folder to those in your Accounts team, likewise for HR, Directors, and even Sales or Engineering. By restricting data access to those who really need it, you reduce the flow of data around your network and make it inherently easier to control and more secure.
    Quick Win: Use groups in Microsoft Active Directory to control data access to those who really need it. Your MSP or administrator should know how to do this effectively.
  • Encrypt (everything)…
    OK, the reality is you probably don’t need to encrypt everything, but if data is leaving the safety of your network (or risks leaving it) it really should be encrypted. Laptops must be encrypted because they are so easy to steal or lose. USB sticks must be encrypted for the same reasons. Emails should be encrypted, especially if they contain confidential information.
    Inside your network, the necessity to encrypt is often driven by the physical security measures in place and the sensitivity of the data you store. Servers or desktops which are stored in unsecure areas, or store highly sensitive data should be encrypted; the exact situations when you use encryption will come down to your own risk assessments (this is covered further down the rabbit hole*).
    Quick Win: Enterprise encryption solutions such as Sophos SafeGuard allow you to encrypt files, folders, and whole computers. They allow your MSP or administrator to manage the encryption from a central server, and they utilise built-in encryption technologies such as Microsoft BitLocker and Apple FileVault to help encrypted machines run as fast as possible. Often these solutions will integrate with cloud services to extend your encryption into any cloud providers that you use.
  • Make Security Relevant
    Security is about Technology, Processes and People. Without the involvement of your employees and colleagues, any attempts to improve the security of your data will be flawed. In order to make the best of any technology or process improvements that you make, your people must see the security measures as relevant and important to them in their day-to-day roles. Consulting your employees early, explaining why you are making the changes you are, and seeking their input to help lessen the impact that your new processes have on them will all help get your people on your side.
    Quick Win: Lead from the front and set the example. As the boss, if you are seen to be embracing security on a daily basis by restricting the applications on your PC, using secure USB sticks, and limiting your usage of the internet to business use, your employees are more likely to tolerate these things being imposed on them. If you are seen to be flouting your own rules, not only will you be compromising your own security, you will have a hard time getting anyone else to buy into your vision of a secure business environment.
  • Write Policies
    So many small businesses do not have a data security policy / IT security policy which focusses on the use of technology to gather, access, process, distribute, and protect data. Writing a policy forces you to analyse the flow of data in your business and often highlights risks that had previously not been considered: for example, allowing employees to email confidential data to their own personal Gmail accounts (quite common in small businesses!), or taking backups home on unencrypted USB drives. Consulting your employees when analysing the flow of data and writing your security policies will further cement their buy-in, and vastly improve the success of any security exercise. There isn’t really a quick win here; this is the part of the blog where I shamelessly promote the benefits of having a data security review and developing in-depth policies to improve the data security within your business.
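For the Need to Know Access quick win above, here is an added PowerShell example (not from the original article, and not a Sophos or Microsoft script) that creates an Accounts security group in Active Directory and makes that group, and only that group, the business user of the Accounts folder. The domain, OU, group name, usernames and folder path are placeholders I have assumed.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory module
# (RSAT) is installed and that every name below is a placeholder for your own environment.
Import-Module ActiveDirectory

$Domain     = 'EXAMPLE'                            # placeholder NetBIOS domain name
$GroupName  = 'Accounts-Data'                      # placeholder group name
$GroupOU    = 'OU=Groups,DC=example,DC=local'      # placeholder OU for the group
$Members    = @('jsmith', 'akhan')                 # constructed sample usernames
$FolderPath = 'D:\Shares\Accounts'                 # placeholder folder on the file server

# 1. Create a domain-local security group for the Accounts team and add its members.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Break permission inheritance so that "Everyone" or "Users" rights granted higher up
#    the tree no longer apply, then drop any explicit rules that were already on the folder.
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)        # protect the ACL, discard inherited rules
foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
    $acl.RemoveAccessRuleAll($rule)
}

# 3. Grant access explicitly: administrators and SYSTEM for management, the Accounts
#    group for day-to-day work. Nobody else gets a rule, so nobody else gets in.
function New-FolderRule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}
$acl.AddAccessRule((New-FolderRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-FolderRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-FolderRule "$Domain\$GroupName"     'Modify'))
Set-Acl -Path $FolderPath -AclObject $acl

# 4. Verify: re-read the ACL from disk and confirm every entry is explicit (IsInherited = False)
#    and that only the three identities above appear.
(Get-Acl -Path $FolderPath).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Run step 4 again after any "quick fix" an administrator makes to the folder; a new inherited entry or an unexpected identity is the sign that the need-to-know boundary has drifted.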
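For the Encrypt (everything) section, an added PowerShell check (again not from the article, and not part of Sophos SafeGuard) that an administrator or MSP can run on a Windows laptop to list fixed volumes whose BitLocker protection is off, still in progress, or has no recovery password to fall back on. It assumes the BitLocker module that ships with Windows 8 / Server 2012 and later, and an elevated session.

```powershell
# Added example, not part of the original article. Requires the BitLocker PowerShell module
# and an elevated session; the thresholds used for "Compliant" are my assumptions.
Import-Module BitLocker

function Get-BitLockerGap {
    # One record per fixed volume, flagging what an auditor would want fixed:
    # protection off, encryption not yet complete, or no recovery password available.
    foreach ($vol in Get-BitLockerVolume) {
        # Removable media (BitLocker To Go) is a separate policy, so skip it here.
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $tpm      = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        [pscustomobject]@{
            Drive            = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            Protection       = $vol.ProtectionStatus        # On or Off
            Method           = $vol.EncryptionMethod        # e.g. XtsAes256
            PercentEncrypted = $vol.EncryptionPercentage
            TpmProtector     = ($tpm.Count -gt 0)           # unlocks without a user-typed key
            RecoveryKeys     = $recovery.Count
            Compliant        = ($vol.ProtectionStatus -eq 'On') -and
                               ($vol.EncryptionPercentage -eq 100) -and
                               ($recovery.Count -gt 0)
        }
    }
}

$gaps = @(Get-BitLockerGap | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning "Volumes needing attention on ${env:COMPUTERNAME}:"
    $gaps | Format-Table -AutoSize
} else {
    Write-Host "All fixed volumes on ${env:COMPUTERNAME} are encrypted and have a recovery password."
}
```

Where the report shows a recovery password that is not yet held centrally, Backup-BitLockerKeyProtector -MountPoint <drive> -KeyProtectorId <id> escrows it to Active Directory, which is the piece that lets the MSP or administrator recover a locked laptop instead of the user.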

*First consultation is always free. If you are interested in looking more closely at the IT security in your organisation, please get in touch and I would be happy to discuss it with you in more depth.