As an IT support and management company, Ascendant meets with a lot of small and medium business owners regarding their business networks. Our IT consultants routinely identify weaknesses on their business networks and make recommendations for improvement. Part of that network assessment is related to cyber security. However, when we discuss security with the business owners, we inevitably hear “we’re too small for all that cyber security.”
If you’re in this camp, you may not fully understand the complexities of network security and the related risks. Viruses, ransomware, and other malware do not differentiate between large and small businesses. In fact, small businesses tend to be at greater risk for these attacks. If your business relies on your network to deliver services or products, you have a responsibility to properly manage it.
Hackers have monetized their attacks and access to your data. How? Through a variety of means including identity theft, encryption of your data (and asking for a fee to decrypt the data), using your systems for attacks on other systems (Denial of Service), etc. Very few days go by without a high-profile company announcing their data, customers, trade secrets, etc. have been compromised; i.e. Equifax, Facebook, etc. What often doesn’t make the news are the smaller breaches targeted towards small and medium businesses.[/vc_colufmn_text]
Wanna Cry?
Today, the workstation and your users are your business’ weakest link in the cyber security chain. 2017 was the peak for ransomware which specifically targeted end-users and workstations. A very destructive ransomware virus called Wannacry, infected hundreds of thousands of PCs and held the owner’s data for a ransom fee. This ransomware destroyed large amounts of business data and did not discriminate between big and small companies. What really happened in the wake of this malware outbreak?
Most businesses did not pay the ransom fee, they simply lost their business data.
Sometimes all of it. Many small businesses found themselves MORE vulnerable to data loss because they did not have the proper backups/procedures in place to recover.
Still not convinced your small network may be a target? We are now in the age of crypto-mining malware. This malware attacks your systems and turns the compromised systems into mining “rigs” for untraceable crypto currency like bitcoin and monero. This malware steals the use of your CPU, memory and network resources to “mine” crypto-currency. The impact is slow systems, unreliable systems and a general lack of productivity.
We often hear, “I’ve never had any trouble with this in the past.” This is equivalent to a cardiac patient, surviving his first heart attack and saying “I’ve never had a heart attack before today.” Recognize your good fortune and do something about the current risks. Running a small business network is a responsibility. The first time you lose data, get hacked or employees experience identity theft, you will realize the costs of not managing this important aspect of your business.
The Security Minimums for Small Business
This is what every small business needs to protect their business network & data. Don’t tackle these measures alone. Engage an IT company who specializes in network security services. None of these measures will guarantee you won’t get hacked, but it minimizes your risks. Be realistic. Big companies spend millions of dollars on their network security and sometimes still get hacked. Treat the following minimums as equivalent to closing your door at night, locking it and setting your security panel.
Data Backups A backup is your best defense against data loss by encryption ware. Make sure your backup is running reliably (daily), the data is stored offsite in the cloud and test restoring your critical business data.
Change Your Passwords This is such a simple thing to do, it is often overlooked by companies. Simply changing your passwords every 30 days can significantly reduce your security risks. We routinely see businesses that never change their passwords. This increases your risk of exploit.
Stop Sharing Passwords Many attacks on network data come from within the network. If your users are sharing passwords, you’ll have no true accountability for who did what and when.
Install an Antivirus Despite what you may hear, anativirus is still valuable on the workstations and servers. Install one, monitor it and keep it up to date.
Outdated Operating Systems (Windows 2003 Server, Windows XP, Etc) Windows XP & Windows 2003 Server have no business on your network at this point. These aging operating systems are vulnerable and no longer receive security patches. Remove these outdated operating systems and replace them with modern operating systems.
Install a Hardware Based Firewall What’s a firewall? A device that permits only the network traffic you need to support your business and keeps all other network traffic out. A corporate firewall helps keeps the bad guys from accessing data and services on your small business network. By the way, your Internet modem/router is not a firewall. That’s why they call it a modem/router.
We often hear, “Windows has its own firewall, that’s good enough for us”. No it isn’t. The current Windows firewall is good as secondary protection for workstations and servers. However, the Windows firewall lacks the network packet inspection, web filtering, data loss protection (DLP), advanced threat protection (ATP) and other services of a modern, hardware based firewall.
Penetration Testing Now that you have a new hardware based firewall, you’ll need to test the firewall’s security. A penetration test will tell you what network traffic is allowed and make recommendations to improve the overall security. Do this testing on a regular basis (monthly/quarterly) and every time you make changes to your firewall’s configuration.
Workstation and Server Patching Microsoft releases security patches weekly for a reason. New security threats are emerging daily and targeting the largest installed base of computers available, Windows. Do not underestimate the value of patching and monitoring your systems for missing patches. Wannacry exploited a common unpatched Windows vulnerability.
3rd Party Patching Running Java, Adobe, etc.? These systems are common targets for exploit. These applications should be monitored and patched monthly.
Protect your Mail Domain Don’t go this one alone. A mistake here can stop mail flow on your business domain. You’ll need someone to help you install an SPF record. This is a record you place in your company’s DNS zone to make sure only authorized mail systems send email on behalf of your business.
Use A Multifactor Solution Using a multifactor solution will add an additional layer of protection from hackers that may have access to your password.
WIFI As convenient as wireless networking is, realize WIFI is not your friend. WIFI hacking is common and WPA2 encryption has been cracked since 2017. Update your wireless equipment regularly and make sure you have a firewall in between your wireless network and local network.
Need help with any or all of the above? Contact Ascendant Technologies, Inc. to schedule an appointment with one of our skilled technical staff.