SOME BASIC IT SECURITY GOOD PRACTICES THAT SMBs CAN IMPLEMENT QUICKLY AND AT NO COST
Having good technology and best-practice architecture is always a must when it comes to cyber security, but there are also some really cost-effective and smart measures that any small and mid-sized business can take to significantly reduce risk when it comes to IT-related security matters. Perhaps surprisingly, most if not all of these good-practice measures have very little financial cost and can often be implemented with your existing technology solutions.
This article will feature some of the quick wins that can have a huge impact on your company, and hopefully go some way to keeping the bad guys out and keeping your data secure.
PASSWORD POLICY
Having a company password policy that requires your staff to change their passwords every 60 days may seem like an added headache for everyone, but it is far and away one of the most straightforward and common-sense steps you can take. Most systems can be configured to make password changes compulsory, and we highly recommend that you do this. Getting company users to change their passwords regularly has a number of benefits, but the main one is that it virtually ensures that you don’t get duplicate passwords throughout your organization, either among employees or, more importantly, with employees’ personal passwords. Let me explain.
One of the common things that happens in today’s technology universe is that, because of the sheer number of passwords people are expected to remember, they will often use the same password over and over again. Someone’s password for Gmail could be the same as their password for Amazon, which could be the same as their password for Uber, which could be the same as their work login, and so on.
If we take this a step further, could they also be using this password for the online ordering page of the mom-and-pop pizza store across the street, or for their local gym membership portal, or for any of the hundreds of online interactions they may have in any given year? If we assume that Google, Amazon and Uber go to huge lengths and spend millions of dollars protecting this password data, we can also assume that smaller online retailers don’t have anywhere near that level of IT sophistication or expertise to protect the password data they hold. This is a huge problem if your employees use the same passwords at work as they do when ordering sushi from their local restaurant.
By simply making your staff change their work passwords regularly, you can pretty much ensure that any compromise they may encounter elsewhere won’t affect your business’s security.
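As an added example (not part of the original article), this is how the 60-day rotation described above can be enforced on a Windows domain with the ActiveDirectory PowerShell module, together with a password history so that a “changed” password cannot simply be the previous one again, and a report of accounts that are exempt from expiry or already past the limit. The domain name, the 24-entry history, the 12-character minimum and the lockout values are assumptions chosen for illustration; the `net accounts` line at the end is the equivalent for a standalone (workgroup) PC.

```powershell
# Requires the RSAT ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

# Pick up the domain we are joined to (e.g. "corp.example" in this constructed run).
$domain = (Get-ADDomain).DNSRoot

# Enforce the 60-day rotation the article recommends. PasswordHistoryCount stops
# users cycling straight back to an old password; MinPasswordAge stops them
# changing it 24 times in a row to flush the history.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Confirm the policy took effect.
Get-ADDefaultDomainPasswordPolicy -Identity $domain

# A policy only helps if it applies to everyone: list enabled accounts whose
# password is older than 60 days or that are flagged "password never expires".
$cutoff = (Get-Date).AddDays(-60)
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet

# Standalone PC without a domain: the same three settings via the built-in tool.
# net accounts /maxpwage:60 /minpwlen:12 /uniquepw:24
```

Run the report again a week after the policy change: the accounts it still lists are the ones (service accounts, shared logins, the boss’s laptop) that usually turn out to have been exempted, and those are exactly the ones worth a second look.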
WI-FI
If we assume that your Wi-Fi technology is up to the job and is running a good, modern security protocol, there are some simple steps you can take to make it better. Firstly, the Wi-Fi password for your company network should be long and complex, and not something that staff can remember. It should also not be given to staff to enter into their own devices; a designated staff member should enter it for them. This means you will be able to control which devices connect to the company network, and the network key will be tightly controlled.
Secondly, if your company permits ‘Bring your own device’ (BYOD), an additional Wi-Fi network should be set up for users to connect their personal devices to (iPads, smartphones etc.). This network can provide them with internet access but should be fully isolated from the company network. Security around the password can be a little more relaxed for this network; however, the password should still be rotated regularly and be reasonably complex.
Thirdly, if your company expects visitors at your premises and you would like to offer them internet access, an isolated ‘guest’ Wi-Fi network should be created. The password for this network should ideally be changed daily, and most good Wi-Fi systems can automate this process for you.
MOBILE DEVICE MANAGEMENT
There are a lot of very good products on the market designed to manage corporate and BYOD mobile devices, protecting your company’s data and making sure the devices are used in line with your company’s IT policy. If you are mostly using these devices to access corporate email, however, there are some very good steps that can be taken, often at no additional cost to the business. By leveraging your existing email platform’s ability to manage connecting devices, you can greatly reduce your risk at no cost. Here are some tips.
Mandate a 6-digit PIN lock for the connecting device. This means that any smartphone or tablet that connects to your company email system will be required to have a 6-digit PIN before the account is set up.
Require administrative approval for any smartphone or tablet trying to connect to the corporate email system. This means that if someone tries to set up their device to receive email, it will not proceed until a system administrator approves the request. This gives you the opportunity to look at the device, make sure you are comfortable with it connecting to the email system and, just as importantly, make sure it is a genuine user request.
Configure your email system to have the ability to remotely wipe the device.
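The three tips above map directly onto Exchange ActiveSync settings. As an added example (not taken from the article or from any particular vendor guide), here they are applied to Exchange Online with the ExchangeOnlineManagement module; on-premises Exchange uses the same cmdlets from the Exchange Management Shell. The admin address, the user `alice@example.com`, the `<device id>` placeholder and the 5-minute lock timeout are assumptions for illustration.

```powershell
# Assumes the ExchangeOnlineManagement module is installed and you have an
# Exchange administrator account (placeholder UPN below).
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Tip 1: mandate a PIN of at least 6 characters on every device that syncs mail.
# AllowSimplePassword $false rejects trivial PINs such as 1234 or 1111.
Set-MobileDeviceMailboxPolicy -Identity "Default" `
    -PasswordEnabled $true `
    -MinPasswordLength 6 `
    -AllowSimplePassword $false `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock (New-TimeSpan -Minutes 5)

# Tip 2: quarantine every new device until an administrator approves it,
# and tell IT when something lands in quarantine.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "itadmin@example.com" `
    -UserMailInsert "Your device is waiting for approval from IT."

# See what is waiting, check it is a genuine request, then approve the one
# device ID for the one user who asked for it.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncAllowedDeviceIDs @{Add = "<device id>"}

# Tip 3: remote wipe. -AccountOnly removes the company mailbox data from the
# device (the usual choice for a personal BYOD phone); without it the whole
# device is reset to factory state.
$dev = Get-MobileDevice -Mailbox "alice@example.com" |
    Where-Object { $_.DeviceId -eq "<device id>" }
Clear-MobileDevice -Identity $dev.Identity -AccountOnly -Confirm:$false
# Clear-MobileDevice -Identity $dev.Identity          # full device wipe

Disconnect-ExchangeOnline -Confirm:$false
```

Quarantine mode is the piece that most businesses already have and never switch on: once it is set, an employee’s new phone sits harmlessly in the quarantine list until someone in IT has had a look at it, which is precisely the check the second tip asks for.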
HARD DRIVE ENCRYPTION
It is extraordinarily easy to read the data from a Windows computer’s hard drive, even if a password is required to log in to the PC. This means that if an employee loses their laptop, the data on it can easily be accessed by whoever has it. However, most Windows operating systems have the ability to encrypt the data on the drive, making it impossible to access for anyone who does not hold the key, even when they have the hard drive itself. The process of encrypting a hard drive is straightforward, quick and has little impact on the overall performance of the computer. This is a really easy win.
MULTI-FACTOR AUTHENTICATION
A lot of online services such as online banking and accounting services are now implementing multi-factor authentication technologies, designed to further secure sensitive data. These technologies may add a small amount of complexity to your logon process, but they also add a massive amount of security to your sensitive data. Speak to your existing providers and ask if the technology is available, and what it would take to enroll. This really does make a huge difference to your overall security.
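The Windows feature the paragraph above refers to is BitLocker. As an added example (not from the article), this is the whole process for a laptop’s system drive using the built-in BitLocker cmdlets: create a recovery password first so the drive can always be unlocked if the hardware changes, let the TPM unlock it transparently at boot, and then store the recovery password somewhere other than the laptop. Drive letter `C:` and the AES-256 choice are assumptions; the cmdlets require Windows 10/11 Pro, Enterprise or Education (Home editions do not include them) and an elevated PowerShell session.

```powershell
# Run as Administrator. Requires a TPM for the transparent boot-time unlock.
$drive = "C:"

# Where are we now? VolumeStatus of "FullyDecrypted" means nothing is protected yet.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# Step 1: turn on encryption with a recovery password protector. -UsedSpaceOnly
# makes a mostly empty new laptop finish in minutes; -SkipHardwareTest avoids
# the extra reboot-and-verify cycle.
Enable-BitLocker -MountPoint $drive `
    -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly `
    -SkipHardwareTest `
    -RecoveryPasswordProtector

# Step 2: add the TPM as a second protector so the user never types anything
# extra at boot; the recovery password is only needed if the TPM or disk moves.
Add-BitLockerKeyProtector -MountPoint $drive -TpmProtector

# Step 3: read the 48-digit recovery password and keep it OFF the laptop
# (a password manager, a printout in the safe, or escrowed in AD as below).
(Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
    Select-Object KeyProtectorId, RecoveryPassword

# Optional, domain-joined machines only: escrow the recovery password in AD so
# IT can look it up if the employee forgets and the TPM will not unlock.
# $id = ((Get-BitLockerVolume -MountPoint $drive).KeyProtector |
#        Where-Object KeyProtectorType -eq "RecoveryPassword").KeyProtectorId
# Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $id

# Final check: ProtectionStatus should read "On" once encryption completes.
(Get-BitLockerVolume -MountPoint $drive).ProtectionStatus
```

The order matters: having the recovery password in hand before the TPM protector is added means a firmware update or motherboard swap that upsets the TPM cannot lock you out of your own data.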
TRAINING AND EDUCATION
As tech-savvy as your staff may be, it only takes one lapse of judgement to click on the wrong link or open a bad email attachment. Regular staff training and education around cyber security will help to dramatically reduce most of the common threats your organization faces on a daily basis. In our experience, vigilant and well-informed staff are about the best line of defense you can have, and not only will they be much less likely to introduce threats into your corporate network, but this training will also change their behavior when using technology outside your business, which is good for them and for you.
Obviously there are a number of very good technologies that will greatly enhance your overall cyber security, and this article is not intended to detract from their implementation or somehow dissuade you from exploring them in your business. It is simply intended to give you some points to think about that won’t cost much to implement, present great value to the business and hopefully make you a little more secure.