Cyber Security: Not a Set It and Forget It Practice
Security is not something you should review every now and then. It should be a regular and ongoing part of your IT planning and review, as well as your business’ strategic plan. The IT industry believes it’s not a matter of if you have a security incident, but when and how damaging it will be. It can seem like there’s just never enough you can do to protect or prevent an event such as hacking from happening. How do you know if what you’ve done is enough?
Fortunately, there are several basic steps that can be taken to protect your business which involve best practices most are already aware of, such as:
- Have an up-to-date firewall with an active security subscription. Firewalls are your first line of defense. They serve to protect all the IP that flows in and out of your network and can prevent trespassers from trying to get in. Most good firewall manufacturers have subscription-based services that can extend past the basics so it’s a good practice to take advantage of those services.
- Patch, patch, and patch some more. You probably know this and already automate the Windows updates and anti-virus applications you use. But are you patching applications like Java, Adobe, Chrome, Firefox, and others? This is often overlooked and isn’t considered by many IT departments, so ask and ensure there’s a practice in place to automate this.
- Change your passwords. This is the most overlooked and arguably the most tedious task for employees to perform. But consider the number of breaches that have occurred in the past couple of years and the poor practices in place for changing passwords—it’s easy for unauthorized users to guess them and even easier to run specialized software against systems to gain access.
While these may be the basics, it’s still common to find networks where even this level of practice is missing. When businesses fail to adhere to even the simplest of tactics, they become the low-hanging fruit on the internet and a bigger target for the criminals out there. Similar to making sure your car is in working order—fueling up, oil changes, new tires—simple maintenance can have a big impact on the protection of your network.
What More Can You Do?
Let’s assume you’re doing these things now. Is that it? Are you safe? Perhaps, but the most crucial practice is simply awareness. The bad guys are getting smarter and they’re actively targeting our businesses. They’re trolling our LinkedIn and Facebook profiles to find out whom to contact, and looking at our websites to determine hierarchy in an effort to trick us into doing things we wouldn’t normally do. In the Twin Cities market alone, several businesses have been duped out of millions of dollars and, more often than not, there is little authorities can do to go after those responsible for the theft.
Consider what happened to a local business last February. The cyber attackers, through email spoofing, impersonated the CEO and instructed someone on the finance team to wire multiple transactions to the tune of $50 million. IT can put all kinds of protection in place to prevent breaches from happening, but when ‘spoofing’ or ‘phishing’ occurs, we’re all susceptible to this. This act of theft is similar to making a prank phone call, only in this case it’s via email and can be more sophisticated. Scams such as these can be prevented with increased awareness.
Your Employees Are Your Advocates
Helping employees understand their role in managing security is a critical part of your practice and they need to know how they can affect the protection of your intellectual property. When the topic of security is covered during company meetings it provides an opportunity for staff to become more aware of the threats that affect both their professional lives and their personal lives.
Cyber security is an engaging topic because we’ve all experienced something like this in some capacity, and we want to know how to further protect ourselves. Providing a forum for your employees to discuss security also allows your staff to express their concerns and collaborate on ideas for managing IT in general. These forums can also shed light on one of the biggest risks in managing security: becoming desensitized. The frequency of reported breaches and theft has become part of our daily lives and it’s led to the attitude: “I’ve done what I can and I’m going to hope for the best.” Too many businesses become willing to act only after a security incident has occurred, which can cost exponentially more than if preventative measures had been taken.
We know this isn’t the first article you’ve read on cyber security—and we doubt it’ll be your last. Remember, security is not something you review every now and then. It should be a regular and ongoing part of your IT planning and review, as well as your business’ strategic plan. Why invest all your time and efforts in planning how to grow your business only to see those plans foiled by a potentially preventable breach? Talk about cyber security with your management team, review your strategy with your IT department, and invest in an awareness campaign with your staff.
Brent Morris is Vice President at SUCCESS Computer Consulting. He helps advise organizations on strategic IT initiatives and provides expert technology support for small and medium-sized business networks in the Greater Twin Cities area. Brent has worked in the industry for over fifteen years and can be seen frequently speaking to businesses on topics including security, cloud, and Microsoft® solutions.