What all business owners need to know is that alongside the benefits of being online, there are also security risks. Understanding and mitigating those risks can be a significant challenge. The IT security landscape has changed considerably in my 30 years in the industry. Knowing what you are up against can be daunting, but it’s the first step in managing those risks.
IT Security Then
Shortly after the advent of personal computers came the personal computer virus. From “Elk Cloner” for Mac and “Brain” for PC, a new industry was born. Soon to follow, antivirus software (like F-Prot and Norton) started to appear on the scene. Infections weren’t widespread yet as the internet didn’t exist and most users didn’t have a hard disk in their computers. It was just a matter of cleaning or replacing the infected disk and getting a new copy if you had the forethought to create a backup.
By the dawn of the internet, hard drives had come down in price considerably. They were now a standard option in personal computers. Antivirus software was becoming more of a necessity for business and, by extension, so were regular backups. Still, many users chose to ignore the risks, and if you were careful and practiced ‘safe computing’, disaster could usually be avoided.
I didn’t use antivirus software for many years on my personal computers (I did on the office computers) during this period because of the performance hit. Instead, I developed routines that would mitigate most disaster scenarios. In addition, having an intimate knowledge of Microsoft’s operating system and the ability to manually repair my own infections should they happen allowed me the luxury of employing this methodology.
Our clients had a much more involved protection plan. We managed their antivirus utilizing third-party software and additionally managed their backups in the same manner. We developed routines with a series of checks and balances to notify us of any impending crisis. The system worked well considering the technology available. Reaction times were reasonable, and downtime was manageable as business was less dependent on this new technology. For small business it was often a matter of balancing cost vs. risk.
When the Internet and email became standard tools for all computer users, the door was opened to new types of attack. In the beginning these were fairly benign and presented a minor inconvenience, like petty vandalism. Gradually they became less so, destroying data and causing companies to incur considerable costs to mitigate them. In extreme cases, they exposed sensitive information. Email attacks proliferated as uneducated users were an easy target and were exploited by hackers. We stepped up our protection to meet the needs of our clients and, as such, costs increased as well.
Some business owners resisted employing these new technologies. Some implemented safeguards like having one computer connected to the internet and severed from the main network. For others, email was restricted to a few key users.
As well, backup strategies were paid little more than lip service. If disaster struck, the safety net was often an overused tape backup that rarely saw maintenance, was never tested, and was administered by client personnel with basic operational skills.
Looking back, I would say that the gap between small business security and enterprise security reached its peak at around this point. Internet banking and ecommerce were starting to hit their stride. IT security was becoming critical in an increasingly online world and, while enterprise rose to meet the demands, smaller enterprises (with rare exceptions) did not. Solutions were available but there was resistance. Or perhaps they didn’t understand the risks. Convincing a business owner to spend $5K to $10K for an enterprise-grade firewall and backups, as well as the labour to configure and monitor them, was a tough ask. Instead, placebos like ‘internet security software’ with software firewalls that were reasonably effective were implemented. Peace of mind for $60 per year, per computer. It sounded too good to be true because it was. Many networks were compromised but the damage was mostly a loss of productivity. Hackers weren’t after data yet. In the words of the Melissa Virus author, “I just wanted to see if it would work” as his contribution to hacking history crashed an estimated 100,000 mail servers around the world.
IT Security Now
IT security is a weekly headline now. Breaches are in the news quite often and have caused embarrassment, financial hardship and, in extreme cases, have resulted in a company’s demise. Hacking attempts used to be focused on enterprise networks, but today everyone is a potential target. Password complexity, two-factor authentication, and 90-day password changes are now standard operating procedure for everyone in today’s online business world.
Recently, a client (whose email we don’t manage) had a user who used their first name for their email password when they switched to a new email server. We received a panicked phone call later that morning. It seems a hacker had taken over their account and managed to send around 5000 spam emails before the mail server operator shut them down. This occurred within one hour of the new server being live. It didn’t take us very long to find the source of the breach and the reason. After educating them and helping them to create strong passwords, they were back in business. Unfortunately, the company’s email communications were compromised for the better part of a day.
People are often surprised (some horrified) when I show them the number and frequency of attempts to breach their firewall and gain access to their network. Calculated brute-force attacks are everywhere and constant. Sponsored hacking is rampant, hackers’ identities are difficult to trace, and the frequency of these events is increasing yearly.
Some Good News
Today, unlike in the early years of the internet, enterprise-grade security tools are available to small business owners. The economies of scale that allowed enterprise businesses to justify the costs of heightened security have been scaled for smaller platforms. Hardware prices have dropped dramatically, and software has been developed to allow MSPs and MSSPs to bring all the benefits of enterprise-grade security to the SMB market. Because cost is no longer a prohibiting factor, poor security in an enterprise of any size can be seen as negligence by an increasingly informed public.
Devising a Security Plan
Often, I see articles like “15 security tips to lock down your network” and “10 must-dos to secure your data”. Unfortunately, it isn’t quite that simple. While these articles may be helpful in educational terms, they lack enough specifics for the average user to implement any plan that will be effective. The advice is offered in general terms because the author has no knowledge of your environment or your business’ security goals. In many cases the business owner has no knowledge of them either.
The reality is that for the best chance of success in securing your IT, you are going to require expert help. Often this will be less expensive in the long run. The cost of a breach, having your network or a key user down, and the damage to your reputation with your customers will far outweigh the cost of a comprehensive security plan from a Managed Security Services Provider.
A good plan is one that provides flexibility and scalability. Security threats change constantly. Keeping up with those changes is a full-time job. There are some key considerations when assessing your exposure and creating a plan:
What are you trying to protect?
It sounds obvious, but you’d be surprised how many businesses don’t start here. In most cases, the answer to this question is data, but there are also your resources to consider. A hacker may not want your data. They may want to use your computers and internet connection to mine Bitcoin or to use you as a proxy to hack Cadbury and get the secret of how they get the caramel inside. Regardless, you will need help assessing where and what your risks are.
How do you protect it?
There are as many opinions about how to protect a network and the products to use as there are chili recipes in west Texas (I have a killer recipe if you are interested). We have a suite of products we use to protect our clients. They were chosen because they serve the needs of our clientele, they are cost-effective, and they scale from one-user operations up to thousands.
I believe a multi-layered solution is the key to an effective security strategy. Let’s compare with a physical premises security strategy: Your business has locks on the doors and possibly a safe. It has security alarms and surveillance cameras. Your security plan should work the same way.
What will it cost?
Once you have determined the ‘what and how’, you need to set a budget, and this will determine your product choices. As security experts, our job is to demonstrate risk exposure and provide you with a plan to minimize it at a cost that fits your risk profile. We will give you the information and provide flexible and scalable solutions. You decide what to proceed with and how.
Be aware that canned solutions (hardware appliance solutions, boxed software solutions) could have a higher total cost of ownership than tailored solutions that are charged monthly. Make sure you calculate the cost of licenses, the usable lifespan (the vendor’s “sunset” history on similar products), support contract cost, etc., and ensure there are no hidden costs.
What are the limitations?
Yes, I said minimize your risk exposure. Not eliminate. Beware of someone who tells you they can guarantee you can’t be breached. The internet is whimsical, fickle, and guided by the sensibilities of the collective. Security plans are based on what has happened before and what could possibly happen in the future. Your plan may have to change to cope with new technologies and new risks. Part of a good security plan is flexibility and scalability. Find a professional you trust and work with them. Knowing the risks is good business. Peace of mind may be less expensive than you think.