7 IT Security mistakes small businesses make (and how to fix them)

INTRODUCTION

Many small businesses run lean and mean. I understand that, most small businesses started out as an idea, then grew over time without planning for IT infrastructure needs. We also know that technology is usually the last thing that gets attention when it comes to a small business. I’ve seen multi million dollar enterprises running a server room full of equipment off the shelves at Best Buy.

Sometimes a business can grow so fast that the server closet was just neglected and the next thing you know, the network goes down, or worse a security breach.

Look out for your customers

You have an obligation to your customers to make your best effort to keep their data safe (assuming you store customer data). In addition, your own information is just as valuable and important and although you’re likely to be the victim of a data breach at some point, there’s still many steps you can take to minimize the chances of it happening while also protecting your customer’s private information.

I’ve been in and out of businesses large and small. I’ve worked in businesses in big cities and small towns in very rural areas and I’ve seen the full array of crazy technology setups. When it comes to large companies there is often plentiful staff, a CIO, and maybe even an IT security department onsite. So many large entities have suffered breaches in the last decade that they’ve diverted considerable resources to try and protect themselves and their customers from any damage. Even if you’re a mom and pop shop working out of a home office, the same data security laws that apply to a Fortune 100 company apply to you. In Massachusetts, we have 201CMR17, which is very strict data security guideline that has been in place since 2010. Many business owners I’ve spoken with have never even heard of it. I’m here to tell you, ignore it at your own peril. If someone’s data is breached because you were careless and didn’t implement even basic security best practices, you’ll be in for a world of hurt when you walk into that lawsuit. You can read the law here: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

This isn’t a compliance guideline for the Massachusetts law although some of it will be covered in this post. The focus of this post is to bring attention to some of the most common security mistakes I see happening day to day in small businesses, explain why they are bad, and then provide solutions on how to fix them. You owe it to yourself and your customers to be diligent about cyber security in our modern era of incredibly complex and frequent online attacks.

IT SECURITY GUIDE MISTAKE #1

Sending confidential information through email – Don’t do this!!

The process an email takes from when you type it and send it, to when the recipient opens it to read it is very complex and far beyond what I can cover in this post. However, to try and break it down simply, think of an email like a post card you might send in the mail. Anyone who handles that post card could read it. Your kids might read it before you put it in the mailbox, a bored postal employee might have a glance at it as it travels through various post-offices and trucks. Once delivered, the person’s spouse might read it before they do. Email is the same way. Email is totally unencrypted and in plain text. When you send an email, it may travel through many internet routers before arriving at the destination email server. Parts or all of the email may sit cached on those routers or servers for a time. In addition, any third party (read; bad guy) who might be copying all the data traveling through a network can read anything in that email. In fact, they’re looking for it. They’re looking for emails with attachments. Putting data in a Word document or a pdf doesn’t protect that information in any way.

Email Encryption is the way to go

If you are in a line of work where you are constantly sending confidential personal information back and forth, you need to implement an encrypted email solution or you need to find another way to transfer that data. This isn’t just a suggestion, it’s federal law (HIPAA). If you are an attorney, real estate or mortgage broker, or work in the medical field and you are sending emails that contain tax, bank account, credit card, or sensitive medical data, it needs to be encrypted. This is how identities are stolen.

In addition, you never want to send passwords through email or even worse a username and password through email. If you ever receive an email from an entity or business that contains your password, immediately change it. If your password has been sent out through plain text email, it’s compromised.

SOLUTIONS:

A traditional fax (phone line) is considered secure, it is a point to point communication and the only way to intercept it is with a phone tap which is virtually impossible for any non-state entity to implement. E-Fax does not count, that is essentially and email and still sent out the same way an email is. A phone to phone fax is one secure solution.

Zix Corp – Offers a HIPAA complaint email encryption solution

Appriver – Also offers a secure encrypted email solution

There are also firewalls that can be implemented onsite which are capable of providing encryption services although they tend to be very expensive enterprise level models so that would likely be out of reach for a small business.

You can also collaborate using file services such as Google Drive, Sharesync, or Dropbox. You can set up a shared folder and collaborate with your clients by uploading/downloading from the shared folder. These services may or may not be HIPAA complaint, but it is a far more secure solution than sending the data through a plain text email.

IT SECURITY GUIDE MISTAKE #2

Businesses not running a firewall

This is another common mistake I see all the time. Smaller businesses just “don’t see it as necessary” or think they’re too small to ever be targeted by a cyber-attack. A lot of less experienced IT consultants tend to avoid them altogether because their configurations can be tricky and they can be difficult to troubleshoot of you haven’t had a lot of exposure to them.

What is a firewall?

Let’s start from the beginning here, a firewall is a devoted piece of hardware (sometimes referred to as a security appliance) that acts as a gatekeeper for your network. Its goal is to protect all the devices within your network by keeping suspicious or malicious traffic out while allowing all routine traffic to pass through.

Firewalls are able to identify common attack patterns like probing and port scans and reject those traffic sources. Many also have anti-spyware and anti-virus integration which allows them to scan all traffic as it passes through the network as an added layer of protection. The idea being that it may stop a malware infection from ever reaching a device on your network.

Picture your network like a house

You may not realize it, but your network is constantly probed and attacked. An easy way to picture what a firewall does is by imagining a house full of thousands of windows and doors. Without a firewall, all these windows are doors are open and there’s basically a sign out front that says, “we’re not home.” With a firewall, all these doors are shut and locked and a security guard is monitoring anyone who approaches and tries to knock or enter. Don’t get me wrong a firewall IS NOT the be all end all of network security, but it’s negligent not to have one in any business that deals with personal information or financial transactions. In Massachusetts, it’s actually the law that any business which deals in personal or financial data must have a firewall in place.

Licensing

This is the part that confuses many people not familiar with how these devices work. Most major technology vendors sell firewalls (Cisco, Dell, Juniper are some of the common ones) but without licensing the devices don’t do much. What the licensing does is connect the device to the global networks of whatever vendor you chose.  Once a device is licensed and connected they get constant threat definition updates which make the device much more effective at combating global cyber threats in real time.

Firewall Throughput

Another concern is throughput. This can be a speed bump on a busy network. One of the metrics used to evaluate firewalls is their throughput or how much data they can process per second. If you have a fairly large network or a very fast internet connection and you purchase a firewall with low throughput, it can put a major speed limit on any traffic going in and out of the network. Think of it like having a bunch of Ferraris that are forced to drive in the 30mph lane. That’s why it’s important to consult a professional to help you choose a firewall that’s not only appropriate for your current needs, but also a few years into the future, these aren’t the type of devices that get replaced very often, they’re also one of the most expensive single devices in your server closet, so make sure you get the right one.

SOLUTION:

Unless you really know what you’re doing, contact an IT Consulting firm and have them review your network needs to help you choose and install a security appliance that’s right for you. This isn’t a purchase to pinch pennies on, it’s going to cost a few bucks.

IT SECURITY GUIDE MISTAKE #3

Default credentials on networking equipment

This is a very common problem in small and even some larger businesses. This rule goes for everything from your Wifi router, to your smart printer, to your ISP modem, or your online security cameras. Perhaps you remember hearing about the Mirai Botnet last year (2016)?

Even if you didn’t know it by name, this was the attack that was responsible for disrupting large portions of the Internet including Spotify, Twitter, Paypal, and Amazon. The interesting revelation was that this attack was mainly carried out by IoT (Internet of Things) devices such as IP security cameras and DVR systems. In one instance, an Amazon IP camera was compromised within 98 seconds of being plugged in!

How it works

Here’s how it works; all these devices have default credentials to log in as an administrator. For example a new Netgear router might have a default username/password of:

Admin

Password

There are a lot of automated programs (or bots) out there scouring the internet looking for these devices. Once a device is located, it’s immediately compromised through its default username and password and can be used to attack a website or other online entity. In some cases they can be also be used to spy on you as we’ve seen with some baby monitors.

SOLUTION:

Change the default logins for any internet connected device in your home or office. If you’re a power user, you might be able to handle this yourself, just be sure and document your changes so if you ever do need to get into that device for some reason, you don’t have to factory reset it. If you’ve contracted with an IT vendor, ensure they’ve done this on your network, if they haven’t, ask them why not. It’s a very common attack vector and largest attacks in the history of the Internet have been a direct result of neglecting this step.

IT SECURITY GUIDE MISTAKE #4

Turning off Windows Updates; Running end of life Operating Systems

If you’re running Windows XP, Vista, or Server 2003 in your office, don’t! These are end of life products no longer supported by Microsoft. That means that security patches are no longer released for them and if they break, no one is going to be there to fix them. Let me put it another way, if you take an ethical hacking course, you practice on XP machines because they’re so easy to compromise. Running one in the wild is just asking for trouble on your network.

Windows Updates

Turning off Windows Updates is also playing with fire. Unfortunately, this can be a double-edged sword because sometimes the updates can break software running on your network or can brick a workstation, however my experience has been that once automatic updates are turned off, they never get turned back on. I often encounter machines that are plagued with problems which have been fixed with Windows Updates but the machines never received those updates. In addition, most Windows Updates are security updates which is the main reason you want to run them. The overwhelming majority of hacks and attacks out there today target Microsoft products, don’t be the one who infects the entire network because you didn’t feel like running updates one day. The Wannacry ransomware that caused a huge problem for Fed Ex and some hospitals among others this year had been patched through Windows update months before. If you were up to date on Windows updates, you had nothing to worry about no matter which version of Windows you were running (as long as it wasn’t an end of life product).

SOLUTION:

Remove or decommission any computers or servers on your network running end of life Operating Systems such as Windows XP, Windows Vista, and Server 2003. Implement a workable patch management strategy to ensure all the machines on your network are getting regular software updates (this includes Windows, Java, Adobe products, iTunes and any other third party software).

IT SECURITY GUIDE MISTAKE #5

Not encrypting mobile devices

What is encryption?

First let’s explain encryption for anyone who may not know what it means. Encryption is the process of encoding information in a way so that only authorized users can access that information. To put it another way, if your computer’s hard drive is encrypted and someone steals that computer, the thief won’t be able to access any of the data on that machine. Once again, we get into Massachusetts 201CMR17 on this topic. What the law says is that if you have any confidential personal information on your mobile device (this includes email) than the mobile device must be encrypted. I recommend doing it anyway even if you’re not mandated to by the state because it’s almost impossible to keep track of all the data you have stored on your computer and your phone. Why take the chance that if someone steals it, they might have access to personal pictures of your family or saved passwords in your browser? Maybe you might have something like your will saved on your computer. You wouldn’t want anyone seeing that.

SOLUTION:

Encrypting phones is easy, just set a password on your phone. I recommend setting a long password (but still one you can remember) and enabling the fingerprint unlock feature. iPhones even allow you to set a 10 try limit and then the device factory resets. This way, if you have a finger print set to unlock the phone and a fairly long password behind that, if someone steals your phone, they’d only have 10 tries to unlock it before the device would automatically wipe. One consideration though, is that you must make regular backups of your phone. If for some reason, you forget the code to unlock your phone, you will be out of luck and need to wipe the phone and restore it from a backup. With how many important things we store on our phones these days, you don’t want the take the chance of this happening to you.

Laptop encryption

Laptops are a little bit more complicated when it comes to encryption. Just setting a password on your computer does not encrypt the data. I hate to be the one to tell you this, but it’s insanely easy to reset a password on a Windows machine, that’s why hard drive encryption is so important. If the hard drive is encrypted and someone steals the machine and then resets the password using a known vulnerability, all the data on that computer will essentially be turned into hieroglyphics; Totally useless to anyone. If your company runs an internal server and Active Directory infrastructure, putting an encryption policy into place using Windows Bitlocker is very easy to do. The nice thing is that the decryption keys can be stored internally on the server so if the user ever gets locked out, you have an failsafe method of retrieving the decryption key. This has saved me many times. Where it gets a little trickier is when users are running home version operating systems in a business environment. The home based version of Windows does not support Windows Bit locker, so if you want to encrypt a home version of Windows, you are forced to use a third party tool. Many of these are paid tools and not really sold as individual licenses, which means, if you’re just talking about one or two machines you’re likely either going to have to upgrade to a Professional version of Windows to make use of Bit locker or consider a 3^rd party open source tool such as VeraCrypt.

Which encryption solution is best?

Veracrypt is fairly easy to use and works well, but remember it is open source so you basically have no support other than what you can find on your own. When you are working with full disk encryption, you are risking making all the data on the hard drive inaccessible if you don’t know what you’re doing. Make sure you do your homework before making a final choice. Personally, I prefer to use Bitlocker whenever possible, Veracrypt is my fallback in a pinch. It’s a little slower when you boot up the machine (this is to discourage brute force attacks), however, once a machine is on and logged in, you won’t notice any performance hit. I also like the ability to store the decryption keys within Windows Active Directory, it’s a nice safety net. This is definitely one of the more technical security steps on the list and not something I expect anyone to be able to delve into on their own, this might be a case where you seek professional help to make sure you don’t end up with an expensive paper weight instead of a functional laptop. A real-life example of when hard drive encryption paid off was when I worked for a large corporation in Boston. One of users who lived in the city was packing up his car in the morning when he realized he’d forgotten something in his apartment. He left his laptop in his car and went inside just for a minute and when he came back, his laptop was gone. It was loaded with proprietary company data including source code for our software. Luckily the device was encrypted so there was no fear of important company secrets being compromised.

IT SECURITY GUIDE MISTAKE #6

Not running anti-spyware software

Online security has become so complicated over time. Many people just rely on the old model of “just making sure they run anti-virus.” The reality is, you are very unlikely to encounter a computer virus in this day and age. I want to define in laymen’s terms the difference between a virus infection and a spyware infection and how protecting against each is much different.

The Difference between Virus and Spyware

Throughout the 80’s, the 90’s and into the early 2000’s everyone was afraid of the dreaded computer virus and in fact, it was a legitimate threat. Throughout most of that time, people’s online activities were very limited if they were online at all. A computer virus was something that you had to execute yourself, meaning in order to launch it, you had to execute a file somehow, you had to actively do something to become infected. A computer virus was only ever meant to break things, not to steal data or use your machine against targets on the Internet. So a computer virus might break Mircosoft Office or it might wipe your hard drive, but it didn’t steal your bank account information or use your computer’s bandwidth and processing power to take down a website.

That’s the difference between spyware/malware and a virus. Viruses are very rare today because users have become savvy to them. They know when they get a suspicious email and a strange file attachment, not to click on it. Many file attachments (such as .exe files) can’t even be sent through email because virtually every email provider on earth blocks them.

Spyware on the other hand is a different animal altogether. Spyware (sometimes referred to as Malware; the terms are interchangeable) is there to steal information from you or use your computer to attack other websites or servers. It’s a threat that started evolving in the early 2000’s but has really come in to its stride in the last few years. You don’t necessarily have to do anything to get a spyware infection.

Enter Malvertising

Most spyware infections come from what’s called Malvertising, which is when you go to your favorite website and it loads a banner ad (you know those flashy looking ads on the side or at the top of page)? Well sometimes those ads serve out infected code to your machine. Just the sheer fact that your web browser loaded that banner ad is enough to get your machine infected. They can also still come through email, browser plug ins, file share protocols, streaming audio or video or hijacked websites. In most cases, the user will be totally unaware that they’ve infected their machine. These infections can install browser hijackers (which change your home page or add toolbars to your web browser), to keyloggers (when send all your computers keystrokes to someone on the other side of the world), to the most severe threat right now which is ransomware (where your computer files are encrypted and a message is displayed asking you to send payment within a certain time frame or lose your files forever). This is what you want to protect yourself against.

The dinosaur anti-virus model

The legacy anti-virus companies (not going to name names here, but all the ones you’ve already heard of) haven’t done a very good job (in my opinion) of keeping up with these threats. I say that because many-a-computer has showed up at my doorstep running (insert legacy anti-virus company software here) and, although they made not have had any viruses, they (in many cases) have still had literally thousands of spyware infections. Even though the legacy anti-virus companies now advertise that their tools protect against spyware, my experience has been that if they do at all, they don’t do it very well. I still find their programs to be bloated and intrusive, they’re the most expensive solutions on the market and at the end of the day, they just don’t do a very good job of keeping spyware off your machines.

SOLUTION:

I’m going to make a personal recommendation here because I’ve been using it for a decade and it’s never failed me. I believe the best anti-spyware tool on the market is Malwarebytes.

It was a widely used tool when I was in corporate and I still use it to this day with great results. There are even some spyware programs that scan your computer and if they find Malwarebytes running, they won’t execute because Malwarebytes has been very diligent about tracking the source of these spyware infections (in most cases infected banner ads) and getting them removed. This of course creates more work for the cyber criminals who prefer to stay under the radar. It’s also about half the cost of what the legacy anti-virus providers charge for their products. Having said that you can certainly  research other solutions on the market, there are plenty out there, but just make sure you’re running one on all your machines. (Not a free version, but a paid version with real time protection).

IT SECURITY GUIDE MISTAKE #7

Not having current off-site backups

At first, this may not seem like a security issue and while it falls under multiple categories (such as business continuity, disaster recovery) it’s a security issue as well. I say this for a few reasons. One is the unthinkable, but what about a theft? The old saying goes, if all your backups are under one roof, then you have no backups. If you were to have a theft of all the computers or server at your office, think about what would happen to your business. Some people would go out of business, they’d lose everything. If you have current backups being stored off-site (cloud) then you know you have that security in an event such as that. What about another, what a fire? Even if the fire itself didn’t destroy your machines, the sprinkler system/fire department are likely to finish the job. Once again, if you don’t have off-site backups, not only are you reeling from an unexpected catastrophe but even after you recover, you’d still have to figure out how to pick up the pieces if all your company’s data had been lost. This isn’t a situation you ever want to be in. So that’s why it’s so important to make sure you have off-site backups.

The different kinds of data backups

All backups are not the same. You have file level backups (which just back up your files such as your documents and pictures) then you have image backups for bare metal restores.  Don’t confuse the term “image” here with a picture. What we are referring to here is the entire machine “image” meaning everything on the computer including its operating system, so that it could be restored exactly as is on another piece of hardware should the need arise. Generally, you don’t need image restores on workstations, unless there’s an absolute mission critical workstation in the office, but where you do need them is on your servers. Just restoring the files on a server is less than half the battle. If you’re running and Active Directory infrastructure, virtual machines, or a mail server, you absolutely, positively 100% need to be able to restore those machines exactly as they were before whatever failure you experienced. This is a different level of system backup which is more expensive and requires some technical expertise to recover in the event of a catastrophic failure.

SOLUTION:

There’s more than one solution here. It isn’t a one size fits all situation. If you have a larger company running multiple servers, you might have a tape backup rotation going. Depending on the size of your company you can also consider cloud backup solutions such as carbonite for business that offer both file level backups for workstations and full image backups for servers. If you’re a smaller company with no servers and just important documents, there are other cloud based file solutions you can consider such as Sharesync. This is the one of those times where I can’t say for certain what is right for your situation, you are welcome to contact us if you have any questions about what is the right solution for your company. Just make sure that you have some kind of off-site full back-up solution in place for your company. Onsite backups are good but it’s just not enough.

CONCLUSION

We hope you found this IT security guide helpful and it gave you some ideas for improvements you can make in your company’s cyber security strategy. It’s important to remember that Cyber Security is a moving target, it’s literally changing every day. A lot of people make the mistake of burying their head in the sand and just hoping that nothing ever happens to them. The reality is that we are in uncharted territory now in terms of Internet connectivity and the capability of hackers around the world to exploit the vulnerabilities that are always popping up. Larger companies are increasingly throwing more money at this which is driving the criminal element to make more an effort to target smaller businesses. In the end there aren’t too many places that do “everything right” in terms of security, but there are certain essentials that really need to be addressed to ensure that you are in compliance with state laws and that you are doing your best to protect your customers and yourself. We are available to help you implement solutions to keep your network safe.