There are a lot of risky assumptions that managers make when it comes to security. When you consider that 60% of small companies go out of business within 6 months of a cyber attack, the best bet is to put all your assumptions on the table and challenge each one of them.
What is your best advice for business leaders on how to best protect their company from data breaches, hackers, malware, cyber attacks, viruses and more?
Number one, you’re never too small to be a target. If your business would not be able to function without your data or software systems, then you’re vulnerable. If your business touches the internet and email in any way, you need security. You need a fresh set of eyes looking at your entire environment to find exposures and give you a solid plan to remedy them, then maintain that shield.
Number two, a high-quality security solution is not too costly. When one data breach can take down your business for a day, a week, or longer, imagine the impact it would have on your customers. In the case of personally identifiable information, imagine the odds of being sued or fined. This is where a layered security model acts like a spacesuit: it’s vacuum-sealed and insulated. It’s touching your email, endpoint devices, firewall, network, even printers.
Number three, the absence of past breaches does not indicate that you’re protected. The number and type of threats is exponentially higher today than it was even just five years ago. Unless you have expert resources dedicated to your IT security and continuity, you’re working without a net. If your IT security framework is well-managed, your IT is the lever that can allow you to scale your effectiveness.
I think we hear plenty of buzz in the media about giant data breaches with large financial institutions and other Fortune 500 companies, but we don’t hear much about local businesses. That’s not because it doesn’t happen. Both at our STS headquarters in Omaha and all over the country, we’ve been brought in after the fact.
- A local healthcare practice accidentally exposed its patient records and was subject to very costly fines for HIPAA violations. It cost them almost a million dollars.
- A local retail chain discovers a team of thieves has been skimming credit cards for weeks. They lose many disgruntled customers.
- A company who sells online has their web server taken over by a foreign hacker.
- An unwitting employee opens a piece of ransomware in their email and suddenly, a mission-critical server without a backup is encrypted. It is going to cost them thousands of dollars to get back and they have no choice but to pay.
This happens every day, in every city in the country, and then they call us.
What are the best routes to take when it comes to security for the business from mobile devices used by employees and themselves?
We have a pretty tight security model at Scantron for our own mobile phone security. If a person loses their mobile device, we have the ability to wipe the contents entirely. We lock down certain applications on the device and install security detection and threat quarantine on them. We use Outlook which has several good security features, including centralized administration for mobile clients.
In addition, your internal WiFi needs to be set up with Public and Private Zones so that only devices that need direct access to internal data are on the Private Zone. If all that is needed is internet access, then the device should be connected to the Public Zone.
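The Public/Private Zone split described above comes down to one forwarding policy on the router or firewall that sits between the two WiFi networks and the internet: Private Zone clients may reach internal hosts and the internet, Public Zone clients may reach the internet only. The nftables ruleset below is an added example written for this article, not Scantron's or STS's own configuration; the interface names (wan0, priv0, pub0) and subnets are assumed placeholders to be replaced with your own.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original interview): a forward policy that
# enforces a Public Zone / Private Zone split on a router with three
# interfaces. Interface names and subnets below are assumed placeholders.
#   wan0  - uplink to the internet
#   priv0 - Private Zone WiFi/LAN (assumed 10.10.0.0/24): file server, printers, etc.
#   pub0  - Public Zone WiFi (assumed 10.20.0.0/24): guests and internet-only devices

flush ruleset

table inet zones {
    chain forward {
        # Default-deny: any traffic not explicitly allowed below is dropped,
        # which is what keeps Public Zone devices away from internal data.
        type filter hook forward priority 0; policy drop;

        # Let replies through for connections that were already permitted.
        ct state established,related accept

        # Private Zone: may reach the internet and internal hosts.
        iifname "priv0" oifname "wan0" accept
        iifname "priv0" oifname "priv0" accept

        # Public Zone: internet only. There is deliberately no rule for
        # pub0 -> priv0, so that traffic hits the drop policy.
        iifname "pub0" oifname "wan0" accept

        # Count and log what gets dropped (e.g. a guest device probing the
        # Private Zone) so the segmentation is visible in your logs.
        log prefix "zones-drop " counter drop
    }
}
```

Load it with `nft -f` on the router, then verify the split the way an auditor would: from a device on the Public Zone, confirm that the internet works and that a Private Zone address (the file server, a printer) does not answer, and check that the attempt shows up in the firewall log with the `zones-drop` prefix. If the two zones are only separate SSIDs on one access point, they still need to land on separate VLANs or interfaces for a rule like this to have anything to enforce.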
How can businesses help themselves to avoid security issues when it comes to cloud computing?
The cloud is not necessarily less secure than on-premises applications. It is how well you or they secure data and systems from threats.
- Choose only reputable cloud service providers.
- Hire a third party IT service provider for an environmental assessment who can audit everything.
- Don’t fall into the trap of going with the cheapest cloud provider or the one who makes the biggest promises without showing evidence or providing reliable references.
- Impose a hierarchy of overlapping roles in order to manage your data and applications, with company principals at the top.
What are your best tips for helping businesses keep their networks efficient?
One of the biggest areas where we uncover opportunities to improve, all things being equal, is in patching. Not only Microsoft, but many other application providers publish updates on a frequent basis. Another relatively simple fix is in server utilization. We often upgrade servers when we see firms using 90% of capacity and experiencing resulting slow response times. The improvement in performance is dramatic. Lifecycle management is important across all systems; old equipment creates too many downtime scenarios.
Is there particular software or hardware they should look into to help with avoiding all these security problems?
As with a custom-fit spacesuit, there’s no real one-size-fits-all solution. It’s easier to categorize needs by what the security product does: prevention, detection, testing, encryption, secure login, and reaction or quarantine. Essentially, every device you have that touches data needs to have prevention and detection software installed.
Having a set of security software and hardware is just the starting point. You need to also have a sound IT security model which consists of the people, policies, processes and escalation path. Lastly, don’t add IT security to the desk of someone who can’t be dedicated to it.
For more information about these issues, read our article: Five Faulty Assumptions Small Business Owners Make About IT. It’s not just for small business; it’s for anyone.