A "12 step" Program for small business security

If you’re a small to midsized business and you wing it when it comes to network management and security, then it’s not a question of if you will have a disaster, it’s merely a question of when. Why? Because malware, accidents and disasters are all waiting in the wings to pop out and make your life hell and cost you lots of money. Now I won’t lie to you, getting insulated from the bad stuff isn’t cheap, but if you think security and reliability are expensive, try fixing a disaster. Here are 12 steps that will, in the long run, make your business safer. Think you’ve got this covered? How many have you got in place?

The importance of people

It’s crucial to have someone looking after your network who knows what they’re doing; we’ll call him “Kevin.” For many small businesses this is an ad hoc position taken on by whoever knows the most about computers. While that may seem to work, if this person has a full-time job, such as being an accountant or running production, they won’t necessarily be keeping everything locked down and updated. If you can’t afford a dedicated IT person then contract with a local computer service company. Get recommendations from other local businesses, and make sure you have a service plan and that the service provider can deliver emergency support because when you get hit by malware, a hacker, or simply a disaster such as fire or flood, you’re going to need Kevin.

Lock down your network

Your first line of defense is a firewall. While you can run firewall software on your computers, a separate firewall device has one great advantage: your users might accidentally, or sometimes on purpose, disable or weaken firewall software on their machines. Another advantage is that a separate firewall front-ending your network ensures that all devices, including printers, scanners, media players, BYOD devices, internet-enabled refrigerators and so on, are shielded. Which firewall should you choose? Network World has many reviews that will help you identify a product that fits your needs.

Keep the bad code out

Install anti-malware protection. I know, I know, this is obvious … or at least it should be obvious, but various surveys have discovered statistics such as 1 in 10 PC users are unprotected while around 75% of Mac users also don’t bother. Now if you’re really careful about what you click on and what software you install you can be perfectly safe, but we’re talking users who aren’t computer nerds and are just trying to get their jobs done. There are plenty of choices and many have a free version; let’s be clear, you should pay for a supported version with workgroup manageability and ideally run multiple anti-malware products on each machine.

Password management

A recent Ofcom study revealed that “Four in 10 Internet users say they tend to use the same passwords for most websites,” and according to Dashlane, in July 2015 “the average user has at least 90 online accounts.” I don’t know about you, but I can hardly remember what I had for breakfast, so remembering a slew of passwords is just not going to happen. The answer is to either become your own password manager or use software for the same purpose. To become a human password manager you need to create a formula for passwords or use a system like Qwerty Card. When it comes to software, my favorite is LastPass which offers free accounts as well as group and enterprise password management solutions.

Two-factor authentication

If you use cloud email services (for example, Gmail) at work or at home, make sure to enable two-factor authentication (TFA). This adds a second layer of security that is a huge barrier to hacking attempts. Even if your office email service is locked down and separate from your staff’s private email services, encourage (or even demand) that they enable TFA, because a breach of their own email could bleed through and cause a breach in your business; all that’s needed is a little private information from the employee’s account and hackers can start spear-phishing or even get enough information to compromise company security directly. Ideally, staff should not be handling private email on company computers.

Drive encryption

Encrypt your computer hard drives. Windows, macOS (formerly OS X) and Linux all provide disk volume encryption support, and should your laptop or desktop get stolen, disk encryption is going to make getting into your files really, really hard. Using Windows? If you’re on Microsoft Windows Vista or later you’ve got Microsoft BitLocker built in (for free). Mac? Mac OS X 10.3 or later includes FileVault (for free). Don’t like those choices, or do you use Linux, Android, Windows Mobile, etc.? Wikipedia has a great roundup of the choices, both free and paid for.

Everything encrypted

When you send email, encrypt attachments as well as the message body as a matter of routine. You don’t need NSA-level security; even just password-protecting documents is a good start. The idea is that if your documents should fall into the wrong hands, you’re making it as hard as possible for the bad guys to get access. You can use secure cloud services, Microsoft Office add-ons, or get serious and use a cloud access security broker.

Lock your devices

Make sure everyone in your organization uses the password or PIN feature, not just the fingerprint scanner, to lock their smartphones, tablets and laptops. And make sure everyone’s devices lock after a reasonably short delay, such as five minutes. While this won’t keep the seriously bad dudes out, it’s a first line of defense. Also, most smartphones have some kind of “find me” feature with the ability to do a remote wipe; while it can be difficult to actually retrieve a lost or stolen device, being able to remove the data could be crucial.

Physical lockdown

Look around. If someone comes into your office, can they pick up a computer, cell phone, tablet or other digital device and walk out with it? If thieves break into your premises, can they just pick up the desktops and cart them off? If you want to keep your digital content secure, devices have to be not only secured by passwords but also physically locked down and/or put away. Additionally, if you don’t control access to your premises (key-access doors, guest badges, etc.), then even in a small business you’re making a mistake.

Don’t skip the backups!

Really, in the 21st Century I shouldn’t have to say this, but use backups! Recovering from disk drive failures is the obvious reason, but there’s a new reason that is just as compelling: Ransomware. This particularly obnoxious form of malware encrypts your files and asks for a ransom of anything from a few hundred to several thousand dollars with no guarantee that you’ll ever get your files back. While you’ll still have to go through the pain and cost of restoring your systems, at least backups (if you’ve tested the whole restore process) will reliably recover your files.
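The parenthetical "if you’ve tested the whole restore process" is the part most businesses skip, so here is an added example (my code, not the article's, and not any backup product's) of the minimal discipline: record a SHA-256 manifest of the source at backup time, restore the archive into a scratch directory, and compare every file. The archive format (gzip tar), the manifest layout and the `demo_round_trip` helper with its constructed sample files are assumptions for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def back_up(source: Path, archive: Path) -> dict:
    """Write a gzip tar of `source` and return the manifest taken at backup time.
    Keep the manifest somewhere other than the archive so a damaged archive
    cannot also damage the record you check it against."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract the archive. On Python builds that have tarfile.data_filter,
    use it so a crafted member cannot write outside `target`."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(archive: Path, expected: dict) -> list:
    """Do a real restore into a scratch directory and return a list of
    problems. An empty list means the backup restores exactly what was recorded."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restore(archive, Path(scratch))
        actual = build_manifest(Path(scratch))
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"missing after restore: {rel}")
            elif actual[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        for rel in actual:
            if rel not in expected:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo_round_trip():
    """Constructed sample data: back it up, verify, then verify again against a
    manifest that claims a file the archive never contained."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "src"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "invoice.txt").write_text("constructed sample invoice\n")
        (source / "ledger.bin").write_bytes(bytes(range(32)))
        archive = Path(work) / "backup.tgz"
        manifest = back_up(source, archive)
        good = verify_restore(archive, manifest)
        tampered = dict(manifest, **{"docs/contract.txt": "0" * 64})
        bad = verify_restore(archive, tampered)
        return sorted(manifest), good, bad


if __name__ == "__main__":
    files, good, bad = demo_round_trip()
    print("backed up:", files)
    print("verify (honest manifest):", good or "OK")
    print("verify (manifest with a file the backup lacks):", bad)
```

Run this on a schedule against the real archive and treat any non-empty result as an incident: a backup that has never been restored is a hope, not a plan.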

Train your staff

Many organizations follow some or all of the foregoing recommendations, but when it comes to training their staff, they seem to think people just know what they’re supposed to do. I’m not talking about delivering simple orientation (“here’s your desktop, here are your passwords, now get to it”), I’m talking about teaching them the why and how of security. How to avoid being phished. What data needs to be protected. Why good passwords and password management matter. And, most importantly, serious training will give them a sense of ownership and responsibility for keeping themselves and the company safe.

Plan, document and monitor

You have to know what’s on your network and have plans for maintenance and disaster mitigation. If you do everything ad hoc, as many businesses do, things get overlooked. Backups don’t get tested, old user accounts are not deleted, staff access to digital resources is left wide open, and the configuration of firewalls, servers, printers, etc., has to be reinvented every time something goes wrong. Along with this goes monitoring. You need to know when resources are used and by whom, and know when exceptions occur. Yes, it’s a total pain and I know what you’re thinking: “But that’ll cost us time and money!” But if the worst happens, not having monitoring in place will cost you even more time and money. Forewarned is forearmed, people!
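"Know when resources are used and by whom, and know when exceptions occur" can start much smaller than a SIEM. The following added example (my code, not the article's or any vendor's) runs three checks a small business's Kevin could run nightly: repeated failed logins from one source, successful logins outside business hours, and accounts in the inventory that nobody has used for 90 days. The log lines are constructed samples in the style of an OpenSSH auth log with documentation-range IP addresses, the account inventory is constructed, and the thresholds and business hours are assumptions to tune for your own office.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample log (not real data), in the style of an OpenSSH auth log.
SAMPLE_LOG = """\
Mar 10 08:01:12 fileserver sshd[2113]: Accepted password for alice from 192.0.2.15 port 50122 ssh2
Mar 10 08:02:40 fileserver sshd[2140]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar 10 08:02:43 fileserver sshd[2142]: Failed password for root from 198.51.100.7 port 41030 ssh2
Mar 10 08:02:47 fileserver sshd[2145]: Failed password for invalid user test from 198.51.100.7 port 41041 ssh2
Mar 10 08:02:51 fileserver sshd[2149]: Failed password for bob from 198.51.100.7 port 41055 ssh2
Mar 10 08:15:03 fileserver sshd[2201]: Failed password for bob from 192.0.2.22 port 50310 ssh2
Mar 10 08:15:09 fileserver sshd[2203]: Accepted password for bob from 192.0.2.22 port 50311 ssh2
Mar 10 23:41:57 fileserver sshd[3310]: Accepted password for contractor_jim from 203.0.113.9 port 60001 ssh2
"""

# Constructed account inventory: the "documentation" the article asks for,
# here just username -> last known login date (ISO format).
INVENTORY = {
    "alice": "2016-03-10",
    "bob": "2016-03-08",
    "contractor_jim": "2015-09-01",
    "svc_backup": "2016-03-10",
}

LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(log_text: str) -> list:
    """Turn matching log lines into dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def brute_force_sources(events: list, threshold: int = 3) -> dict:
    """Sources with at least `threshold` failed logins: a password-guessing indicator."""
    counts = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def off_hours_logins(events: list, start_hour: int = 8, end_hour: int = 18) -> list:
    """Successful logins outside business hours, as (user, ip, time) tuples."""
    hits = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        hour = int(e["time"][:2])
        if not start_hour <= hour < end_hour:
            hits.append((e["user"], e["ip"], e["time"]))
    return hits


def stale_accounts(inventory: dict, today: date, max_idle_days: int = 90) -> list:
    """Accounts idle longer than `max_idle_days`: candidates for disabling or deletion."""
    return sorted(user for user, last in inventory.items()
                  if (today - date.fromisoformat(last)).days > max_idle_days)


def report(log_text: str = SAMPLE_LOG, inventory: dict = INVENTORY,
           today: date = date(2016, 3, 10)) -> dict:
    """Run all three checks and return the findings as one dict."""
    events = parse(log_text)
    return {
        "brute_force": brute_force_sources(events),
        "off_hours": off_hours_logins(events),
        "stale_accounts": stale_accounts(inventory, today),
    }


if __name__ == "__main__":
    for check, findings in report().items():
        print(f"{check}: {findings or 'nothing to report'}")
```

With the sample data, the same check that flags `contractor_jim` as stale also shows that account being used at 23:41, which is exactly the kind of exception the inventory exists to make visible: either the documentation is wrong or the account should not have been active.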

By Mark Gibbs for Networkworld.com | Photos: Pixabay CC0