In part three of our series on technology in business we look at how you can add virtual padlocks to your data and adopt practices that will help avoid a worst-case scenario such as a hack.
You can’t have missed some of the high-profile business hackings that have taken place in recent years: JP Morgan, eBay, Home Depot, two disastrous ones affecting Sony, to name but a few. In today’s connected age almost everything is at risk, from credit card details to password lists and private emails.
While you may not be running a business on anything like the scale of these corporations, you still need to stay safe online, by observing some of the best practices that these companies will have adopted in the fallout from these breaches.
You’d think, given how prevalent hacking is (botnets are hurling themselves against the defences of servers online around the clock), that the issue might be treated with some seriousness in 2015, but you’d be surprised. Worryingly, Internet security company Kaspersky Lab recently found that 82 per cent of small to medium enterprises actually believe their business is too small to be targeted by cyber criminals, and a third are unaware of how to deal with a security breach should the worst happen.
How wrong they are. Any company’s website and data is a target today: in fact, one recent report by the UK’s Federation of Small Businesses found that more than four out of every ten small companies were hit by cyber-crime in some way in 2014. Luckily, you don’t have to be one of these unfortunate enterprises if you follow our advice.
Take the commonsense approach
The first thing you need to know is that upping your security doesn’t need to be expensive. In fact, implementing a best-practice policy for your company doesn’t have to cost you a thing. There are plenty of common-sense tactics you can deploy.
There are two things you need to understand to begin with. The first is that every face your business has exposed to the Internet is a weak point. Every service that requires a login, from your company’s Twitter channel to your email to your web servers, is a potential point of entry for a hacker. The second is that one hack can rapidly escalate to another. If someone gets into your email, you can bet the first word they’re going to search for is ‘password’ – and if you’ve got any logins listed in there, it’s all over. In other words, your online defences are only ever as strong as your weakest point.
To make sure there are no holes in the fence, make a list of all the services you use, keep that list somewhere secure, then go through them all, creating a strong password for each (the longer the better, mixing things up with upper-case letters, symbols, numbers and punctuation). Regularly change these passwords – stick a reminder in your calendar for the first of every month, or if you have the option of automatically forcing a password reset at a certain interval, use it.
Make sure no passwords are stored in your email, and add extra ‘locks’ wherever you can. Set a password lock on your laptop or desktop that kicks in after a short period of inactivity, and don’t store passwords in your browser, so that you have to enter them every time. If you handle highly sensitive data, lock access down to your business’s IP address, so that anyone outside your office building will have to use a VPN (Virtual Private Network) tool to gain access – trivial for employees, but an obstacle for others.
Most of all, be aware that hacking is not always done by computer. Sometimes all it takes is a bit of social engineering, tricking a person into giving vital details for breaking in.
One common tactic is for hackers to use people’s ‘back-up’ emails that have been nominated for another account in case something goes wrong. If you’ve not logged into these for years the username may be recycled by the provider, enabling an enterprising hacker to sign up and claim your old account.
Doing business over the internet? Double up your efforts
If you’re running a local shop or restaurant, the above may be all you need to do to secure your website – though there’s plenty more you could do to secure your records and data. However, if you sell to customers online or have any sort of username/password set up for their accounts, you will have to be extra vigilant, as other factors come into play.
You’re storing not just your own data, but your customers’ data. You can’t break their trust by losing it, and, just as importantly, there are laws in many countries regarding how this data is handled – or destroyed. Data protection laws in many countries, for instance, require you to delete data once it is no longer necessary. Treat your customers’ details in the exact same way you’d handle their money: with the utmost care and attention. That means encrypting their passwords, or ideally, never knowing them at all: log-in tools like the highly secure OpenID Connect are an excellent way to add the exact same layer of security to your site or services that companies like Microsoft and Google employ.
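One way to achieve the “never knowing them at all” part for a site’s own login form, as an added example that is not code from this article or from any product it names: store only a salted, deliberately slow hash of each customer’s password, so the site can check a login but can never recover the password, and a stolen customer table contains nothing directly usable. The iteration count and the record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets

# Work factor: PBKDF2 is deliberately slow so that a stolen record cannot be
# brute-forced cheaply. Assumed value; raise it as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record from which the password cannot be recovered.

    A fresh random salt per customer means two customers with the same
    password get different records, and precomputed tables are useless.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Assumed record layout: scheme$iterations$salt_hex$digest_hex
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against the stored record; the password itself is never stored."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or truncated record: treat as a failed login
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so response timing leaks nothing about the digest.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample account, not real customer data.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))  # False
```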
Anti-virus is another important factor. While your first line of defence should always be caution and common sense – don’t plug any USB memory sticks into your computer that you don’t absolutely trust, don’t open attachments from anyone you don’t know and don’t ever let a compromised computer back on your network – it’s crucial that your systems stay on top of the latest malware threats.
In truth, there’s little to distinguish between the leading service providers such as Norton and Kaspersky. Microsoft’s own Security Essentials for Windows is also good. The important thing is to stay up to date with whatever you opt for, keeping all of your software up to the latest version release. That includes the operating system too: as tedious as waiting for a Windows or OS X update to install is, they’re updated to fix any vulnerabilities researchers (and hackers) discover.
Secure all your company’s data – not once but twice over
Bots and hackers are not the only concern any business faces online, of whatever size. There are the simple everyday factors there’s no getting away from: human error and clumsiness, physical theft and hardware failure.
With that in mind, it’s important that you not only secure all your company data, but that you back it up too. Then back it up again – what’s known as redundancy. Hard drives have many moving parts and can eventually fail, while solid state drives are faster but more expensive and can be written to only a certain number of times. Store your back-ups in multiple places. Create copies of all your files and store them offline at regular intervals too.
Make sure that whatever policy you put in place is adhered to by everyone: don’t be afraid to introduce employees to corporate cloud back-up services like Dropbox and Box, which make uploading everything on a computer seamless and automatic.
Smartphones need security too
Remote workforces are on the rise thanks to the increasing power and popularity of smartphones and tablets, letting employees work anywhere. But this comes with risk.
The good news at least is that modern mobile operating systems like Android, iOS and Windows Phone are very secure, and can be sandboxed (apps are never allowed to do anything outside their own little virtual environment), making it very difficult for anyone to install rogue software, as can sometimes happen on Windows and Mac desktops.
The bad news is that smartphones and tablets can be an easy back door for entry if they’re not protected with a PIN code or password. It’s much easier to hack a person’s email by stealing their phone than breaking into an office and trying to guess their PC’s password or trying to make them open an email attachment.
If your company provides employees with phones, be sure to enforce a password lock every time a screen times out. If your business employs a BYOD (Bring Your Own Device) policy, limit which operating systems are allowed, make sure all employees use a screen lock, and have ‘Find My iPhone’-style GPS tracking activated so that they can easily locate the phone if it is stolen.
Protecting the physical aspect of your virtual data
When we talk about the cloud it’s very easy to forget that the Internet is very much a physical entity, with laptops and servers and cables that can be stolen, just like data and logins. With that in mind, there are precautions companies of any size should take to secure their machines, especially portable laptops.
A strong password on waking from sleep is a must, and some laptops have fingerprint scanners, for instance, for added security. But you should also prepare for what to do if a laptop is stolen: install software that encrypts your entire hard drive (FileVault 2 for Mac, DiskCryptor for Windows) to make the data inaccessible, and activate tracking software such as Find My Mac or Prey to help you track down the location of your machine if it gets swiped.
Be prepared for the worst
Remember: you only ever have a 100% security track record until you don’t. With that in mind, it pays to be fully prepared should the worst happen and your company suffer some sort of data breach. Be sure to have mapped out which data would be most disastrous if it were lost or stolen, and plan a response: how you’d react, how you’d inform customers and what you’d expect employees to do. Then test them, to see how they cope in an emergency situation. You’ll be thankful you did.
Two-step authentication and password managers – doubling the security of your devices need not be difficult
If you use any services (such as Google or Dropbox) that offer two-step authentication, always activate this. This greatly enhances your security by requiring you to enter a code sent to your phone (or printed off and stored somewhere safe) every time the service is accessed from a new device. In other words, the hacker now has to hack your phone too in order to get anywhere.
There’s a catch to this. Often, services like this will give you one-time passwords and codes you need to use, and it can quickly become difficult to keep track of every one you need to remember. That’s where password managers come in. These are clever – and trusted – apps that let you use just one ultra-strong password to log into all your accounts, even though each account still technically has its own separate and strong password. So long as you use them for everything, on your desktop and phone, they can make your online life a lot more secure and easy. Check out services like 1Password or LastPass, but remember you’ll need to be all in to get the most from them.
Remember that any network’s defence is only as strong as its weakest link: that means you have to keep your guard up at all times, and so does everyone else. Make your IT security policy clear and comprehensive, and make sure everyone knows it inside out, especially if you have a large number of staff or a high turnover rate. Make IT security part of the training for everyone in your business, whether they’re working at the reception desk, running accounts or simply stocking the warehouse.