The Fundamental IT Defense Plan
Properly maintained IT security is necessary for the modern business. If your business utilizes email, connects to the Internet, or has employees that use mobile devices like smartphones and tablets, you need to have solid IT security in place. The following covers a lot of common elements required to protect your data and reputation. Keep in mind, depending on your industry, there may be additional compliances and regulations you need to follow.
A Brief History in IT Security (And Why it Matters to SMBs)
Over the past two decades, IT technology has altered the business topography making it easier to produce, collect, and collaborate on data. However, the use of modern-day, internet-connected equipment for any purpose opens your business up to threats. Whether you simply use email for business correspondence, or your point-of-sales solution integrates with your website’s ecommerce system, protecting your data and infrastructure from online threats isn’t something you want to skip.
Without going too deep into the nerdy details of cybersecurity, let’s take a brief look at where the world is at so far:
- In 1988, computer scientist and entrepreneur Robert Tappan Morris developed the first computer worm that self-replicated across the Internet. This worm single-handedly caused an Internet blackout.
- In the 1990s, computer viruses were quickly becoming widespread and were getting a lot of media coverage. You might remember the ILOVEYOU and Melissa viruses that infected tens of millions of PCs. None of these viruses really had any clear objective other than causing disruption.
- These viruses led to the development of Internet security companies and antivirus solutions. It also started to build awareness for online security threats, which only led to trickier types of malware and threats.
- Email was (and still is) one of the prominent ways viruses were spread, so businesses that relied on email were just as susceptible to online threats, however businesses started to have more at stake. If emails were compromised, the integrity of the business, or at the very least, the level of security of the business, would be questioned by clients and prospects.
- During the 2000s, internet threats started to become more organized and strategic. No longer were viruses just an annoying nuisance that spread haphazardly. Instead, many major threats were identified that had serious financial objectives.
- Starting in 2005, Criminal organizations were targeting retail outlets, syphoning credit card information. One of the first and largest was when 45.77 million credit cards were stolen from TJ Maxx, costing the company $256 million to repair damages.
- Finally, businesses were starting to take cybersecurity more seriously, because there were clear and heavy consequences for falling victim to an attack.
- Today, it hasn’t gotten any better. Over the past few years, huge brands like Sony, Target, Apple, Premera Blue Cross, Anthem, Chick-fil-A, Kmart, Dairy Queen, and even the US Postal Service have been targets of very successful, very aggressive, and very expensive hacks.
- With the massive popularity of mobile devices, smartphones and tablets are now being targeted more than ever. It’s estimated that 11% of all smartphone users get hacked each year, and that number is expected to rise.
- Don’t forget data theft. Laptops, tablets, and smartphones are extremely susceptible to this. Beyond the physical device being stolen, hackers can easily intercept data being sent from a mobile device over insecure Wi-Fi hotspots like those found in coffee shops, trade shows, and hotels.
Of course, these are all the big names we’ve heard in the media. Smaller companies don’t get the same publicity (thank goodness), but smaller companies are actually at a higher risk because they tend to have little to no defense. While a criminal organization might like to steal the data of 56 million customers from Home Depot, several hundred records from a small business can be done in a fraction of the time.
The points to take away from this are that cybercriminals are becoming smarter and more organized, and that it doesn’t matter how big or small your business is.
Protecting Your Business
To protect your business today, it takes several different approaches. There’s no single answer or software to purchase that will protect you from each type of risk. However, that doesn’t necessarily mean that throwing money and solutions is going to protect your assets.
Beyond the security measures in place, a sense of awareness needs to come into play. You and your staff need to keep security top-of-mind, and rely on an IT security consultant when questions arise.
Let’s start with the basics – the solutions on your network that should handle the heavy-lifting of your IT defense plan.
Backup and Business Continuity Planning
While data backup isn’t really a preventative security measure, it is a major player when it comes to your security plan, as well as a fundamental piece of your business continuity plan. A managed, properly monitored backup solution is basically the last line of defense. If all else fails, at least you can restore your data. It should be hoped that you never need to come down to this, because if you are compromised, much of the damage is already done, but if you are compromised and your data is gone, there’s little chance of survival.
Your backup solution should store data securely offsite, and backups should be ran regularly, several times per day. Other features to look for in a good backup solution would be fast restore times (image-based backups instead of file backups), versioning, and virtualization capabilities.
A staple of traditional IT security, having antivirus properly installed and managed across your entire network will prevent the millions of different viruses and basic threats that cause computer downtime and other issues. Antivirus isn’t going to prevent more targeted attacks, but all businesses should have it in place.
Although there are plenty of great free antivirus solutions for home users, your business will want a solution that is centrally deployed and managed to ensure virus definitions and other updates are always in place, and that scans are ran regularly.
Equipping a centrally controlled firewall will block incoming attacks. Not to be confused with the software-based firewalls that piggy-back on many antivirus suites, a business-class firewall typically sits on your network between your other devices and the wild Internet.
As mentioned before, email is one of the main ways threats get into your business. Although most email clients have decent spam filtering, junk email is still getting into your organization. Utilizing a separate spam filter solution blocks these threats from getting delivered.
Secure WPA2 Wi-Fi
Unsecure Wi-Fi can give a user full access to your network and your data. Although this only opens you up to localized threats (the user has to be within range of your company Wi-Fi), ensuring that your routers are locked down and secure is a best practice. Many modern routers have this functionality built-in, it just needs to be properly configured.
Secure VPN Access
Data theft is a huge problem when traveling. Wireless hotspots, like those found at airports, coffee shops, and hotels can be very insecure. Hackers can easily intercept your data without your knowledge. A VPN (Virtual Private Network) solution lets you access your company files and applications securely without transmitting sensitive data. This also means that sensitive data doesn’t need to be stored on the device.
Mobile Device/BYOD Policies
With the widespread usage of devices like smartphones and tablets, employees are becoming much more likely to use these devices for work. This can improve communication, collaboration, and productivity, however there are downsides certain precautions aren’t put into play. Your organization needs to develop a BYOD (Bring Your Own Device) policy with specific rules corresponding to the storage and transferring of company data on personal mobile devices. These policies need to be read and understood by all employees, and enforced by the organization.
While you don’t want to be so strict that you prevent engaged users from utilizing their own smartphones or tablets for work, you need to enforce the protection of your data (and your clients’ data). Setting up the ability to remotely wipe a lost or stolen device, or revoke the access to company email if the employee quits is a good start, while establishing document management solutions like cloud hosting or a VPN provides even more incentive to follow best practices.
Depending on your business, there may be other regulations and compliances that you need to meet. It’s best to cover these on a case-by-case basis, as each regulation will have very specific requirements. We highly recommend you reach out to the IT security experts at Agilitec IT for an evaluation.
Ongoing Management, Updates, and Testing
What good is a smoke detector if the batteries are dead? The same goes for IT security that isn’t properly managed, kept updated, and regularly tested.
Don’t wait for a security breach or data loss to start thinking about IT security. To get started, and to find out what it would take to establish the solutions found in our fundamental IT defense plan, give us a call at (978) 993-8038.