Pragmatic Business Technology - When Your Technology Isn't Working, Your Business Isn't Either


Free Security Assessment

Sign up to see if you qualify for a FREE security assessment- First 10 companies that have 5 to 50 employees

Facts:

Small Businesses according to American Express Open

  • 25% aren’t using antivirus software, or if they are, many installations are out of date and ineffective
  • 60% don’t protect their wireless networks at the office
  • 2/3rds don’t have a security plan in place
  • Less than 6% of data breaches are discovered by the company itself. (Verizon Data Breach Report)

50% of businesses that are hacked go out of business within 3 years


  1. Use Protection!… I mean software protection. For home users or very small businesses, we recommend downloading the free Microsoft Security Essentials http://www.microsoft.com/security_essentials. For businesses, we recommend using a centrally monitored end-point protection product, whether you do the monitoring yourself or your IT company does it.

  2. Keep Your Software Up to Date. Every first Tuesday of the Month Microsoft releases fixes to bugs they and others find. These bugs are exploited by malicious software and can compromise your computer. Patching eliminates the known flaws in programs. Include Windows, Office, Adobe Acrobat, Adobe Flash, Java (if you really need it), QuickTime, or any other “plug-in” software.
  3. Give yourself and your employees minimal rights. It’s tempting to remove all controls and grant yourself and your staff full access to your computers because otherwise it’s a hassle. However, it’s best to have a separate account to do any “administrative” work.
  4. Use Something Better than 12345. Choose strong passwords with letters, numbers, and special characters to create a mental image or an acronym that is easy for you to remember. Create a different password for each important account, and change passwords regularly. Read http://triadanet.com/is-your-password-12345/ for more information. Consider using a password manager like 1Password or LastPass.
  5. Be careful of where you compute. It’s great to go to a coffee shop to get some work done. It’s also a great way to get your information stolen. Although your bank provides a secure way to do business with them online, it is best to do that from your home network rather than the open network at a café or airport lounge.
  6. Use Good Hygiene. Don’t open unsolicited emails, especially if they have attachments or links to reset a password that you didn’t request. Consider the websites you visit. Don’t put in random USB drives or CDs you have found or been given.
  7. Backup All The Time! Implement a system that securely backs up online whenever you have a connection and whenever you change a file. Not having an automatic offsite backup is a sure-fire way to forget to do it.
  8. Protect your sensitive data. There are tools that can encrypt your hard drive so that if someone finds your computer they won’t be able to pull data off of it unless they have your password. Don’t carry lists of your clients’ credit card accounts. Besides being a PCI violation, it’s not responsible.
  9. Educate yourself, your colleagues, and your staff. Most people want to do the right thing. But many times barriers are put in front of them as they try to do their jobs. Without properly explaining the reasons why and the risks involved, participants won’t buy in to your policies.

As you can see, some of the items on this list are things that you can install onto your computers to help protect you from the bad stuff; the others are behaviors that, if followed, would greatly reduce your risk.

Because mobile devices were traditionally complex and expensive, they were found only at companies that provided those devices. However, as devices got easier to use and more affordable, people began to purchase personal devices. As this number grew, people wanted to use one device for both personal and business. So many small business owners now need to make a choice: BYOD or COPE? That is, “Bring Your Own Device” vs. “Corporate Owned, Personally Enabled.”

The Typical Solution – BYOD. According to the CDW Small Business Mobility Report for 2012, nearly 9 out of 10 small-business employees use their personal mobile devices for work. But how do you support and, more importantly, secure all of these devices? The scary thing is that most small businesses don’t even try! The survey found that only 1 out of 5 small businesses have deployed (or plan to deploy) any systems for managing and securing employees’ personal devices.

The Alternative – Is COPE Any Better? A minority of small businesses have implemented a Corporate Owned, Personally Enabled (“COPE”) policy instead. They buy their employees’ mobile devices, secure them, and then let employees load additional personal applications that they want or need. The employers control what types of apps can be added too. The “personally enabled” aspect of COPE allows employees to choose the company-approved device they prefer while permitting them to use it both personally and professionally. COPE is certainly more controlled and secure, but for a business with a limited budget, buying devices for every employee can add up pretty quickly. If you go the COPE route and are large enough to buy in volume, you can likely negotiate substantial discounts.

Security Concerns With BYOD. If you have client information that must be kept secure or other industry specific regulations regarding the security of client data, then COPE is likely your best approach. It takes out any gray area of whose data is whose. Plus there is a certain comfort level in being able to recover or confiscate any device for any reason at any time to protect your company without any worries of device ownership.

Advice For BYOD Companies. Despite the numerous advantages of COPE, most small businesses will still choose BYOD because it can save them money. Here are 2 of Lawrence Reusing’s (GM of mobile security at Imation) important rules for BYOD. Consider these when creating your mobile device policy.

  1. Assume employees will use personal devices on the corporate network even if they are told not to. Half of employees use personal devices to take confidential data out of companies every day.
  2. Assume employees value convenience more than security. If your policies are inconvenient, employees will work around them.

Have you ever had one of those days when you head into the office looking forward to a “calm, everything is as it should be” day… and then your network crashes and your stress level goes through the roof? If so, then you know how this unsuspecting used car salesman feels on a surprise test drive with NASCAR star Jeff Gordon. Give us a call and we will make sure your network is as reliable as your granddad’s old Buick.

  1. Add More Memory. An effective and inexpensive way to improve your computer’s performance is to install more memory (RAM). Unlike your hard drive, on which you store all of your data, adding more memory will speed up your programs, allow you to run more applications at the same time, and improve responsiveness.
  2. Perform Regular Maintenance on your Computers. It sounds cliché, but like your cars, your desktops, laptops and servers need regular maintenance to perform at top speed and reliability. If you have a standard hard drive (not a newer solid state drive), defragmenting your hard drive will greatly improve performance when loading applications and files. Also you should periodically scan your hard drive for errors.
  3. Keep your Operating System and Software Up to Date. Running Windows Update or Mac OS X Software Update will make sure you are running the latest version. This will make sure that any known vulnerabilities are plugged and that any known performance-related bugs are fixed.
  4. Run a Spyware Scan once a week. Although you may already have antivirus software running, you should also install an additional spyware/malware scanner to clean up anything not picked up or left behind by your web surfing. Spyware sucks up system resources to do its dirty work, ultimately slowing your computer down and causing it to crash. And on top of that, it frequently steals data!
  5. Remove unnecessary programs from running in the background. Many computer manufacturers will load all sorts of tools and utilities and over the course of time of trying out programs, they will leave things running in the background even after reboots. Each of these processes saps a little bit of performance from your computer.  Add them up together and you are taking up a large chunk of your resources.  Uninstall programs you no longer need and disable those that don’t need to run in the background.

Although these recommendations will certainly help speed up your systems, it’s not a silver bullet.  If your computer network is seriously out of date or constantly crashes or is painfully slow, find an IT support provider. Then it’s time to “Keep Calm and Call Triada Networks.”

Most small businesses and startups try to go it themselves when it comes to computer support.  Many companies will pick the partner that is the most tech savvy or has a younger family member to help bridge the technology generation gap; heck they set up your home wireless network, right? Depending on your sophistication, you may be able to get away with it.  However, here are some signs that may show that you are ready to look for outsourced IT support.

  1. The computer support designee at your company is doing more technology work than his or her “day job.” This is probably the most common thing we come across when we meet with new companies. Their office manager is doing more tech work than managing the office, or their nephew has gotten a full-time job after college and can no longer help you out.
  2. Computers are running slower than they did when you first got them. Like your car, your computer is a fine-tuned machine. It needs regular maintenance to keep it running properly and at optimal performance. Your outsourced IT support company can implement a proactive maintenance schedule that will get your computers back up to peak performance. This allows you to keep your computers for longer and get more productivity out of them.
  3. Pop-ups, spyware, and Internet searches going to places you shouldn’t be going to! With monitoring, scanning and education, these can be prevented. Keep the barbarians at the gate and don’t let them in. Computer viruses, spyware, and other malware have multiple ways to infiltrate your computer network: e-mail, bad websites, USB sticks, and CDs. A proper security plan will ultimately reduce risk, keep your data safe, and even save you money.
  4. Employees are spending more time surfing Facebook, YouTube and ESPN than working. We know you don’t want to be the Internet police and you would like to give your team the tools to do their jobs. However, your outsourced IT support company can help put together the proper filters, including more freedom at certain times of day (lunch time, after work) to get their shopping or social networking done. But don’t get too heavy-handed. Unless you are in a regulated industry that prevents it, you may want to still allow employees access to their social networks; ultimately it can help you grow your business if it’s done right.
  5. Where is that spreadsheet I worked on last week? You’ve lost a critical file, presentation, or proposal. Your computer crashed and corrupted some important documents. Data loss has hit everyone at some time or another. It is a fact of life. But are you confident you can get back what you lost? What if your office is hit by a hurricane and your computers are flooded? Your backup tapes sitting on top of your server aren’t going to be much use, and the copies you brought home last week are grossly outdated. Tape drives have an average failure rate of 100%. That’s right: all tape drives will fail at some point, usually without warning and when you need them the most. You could use an online backup provider that advertises on the radio (and for home users or for less time-sensitive data, it may be fine), but you’ll have to wait up to a week or more to get your files back. How would your business work during that time?

When your technology isn’t working, your business isn’t either. This isn’t just a motto or a throwaway marketing line. We know this is true about our customers, which is why we take very seriously making sure your computer networks are running optimally and are available.

If you are interested in a FREE Network Report Card, give us a call at 201-297-7778 or visit http://triadanet.com/free and fill out the form. We will come to you and provide a no-obligations assessment of where your computer network stands and hand you a report card.

Businesses have different challenges when it comes to authentication. We’ll break this down into several areas.

Password Policies

Password policies are a set of rules defined by a business to enhance the security of their computer assets. The policy can take many forms and there are various schools of thought that say whether complex passwords or longer passwords are better. Regardless of what a business’ policy is, weak passwords may result in unauthorized access and compromise. All users of your systems: employees, senior executives, contractors, and vendors should be included in your policy.

Administrator Accounts

Administrator accounts are the most sensitive in your company. However, most businesses never change their passwords. We recommend that the main “root” or “administrator” account not be used; instead, individuals should be given their own administrator account, separate from their everyday account. The passwords on these accounts should be changed at least once a quarter. Each account should be documented, along with the access levels it has, in a secure database. These accounts should be periodically audited for access.

Service Accounts

Service accounts are special accounts used by processes or programs that need a special level of access. These too are rarely changed in most organizations. Like the administrator accounts, these should be documented with what access levels they require and no more.  These passwords should be changed at least once a quarter or whenever anyone who has access to these accounts leaves the firm.

User Accounts

User accounts, or standard accounts, are used by everyday employees, contractors, etc. The passwords on these accounts should be changed at least twice a year.

Password Composition

Passwords can be a combination of lower case, upper case, numbers, and symbols. At least three of these four should be used and passwords should be at least 15 characters. This length and complexity, combined with a longer time between password changes, strikes a good balance. One recommended way to deal with this is to use pass phrases. Phrases are typically easier to remember and type than a cryptic set of symbols, letters and numbers, which will more likely end up on a post-it note. Examples of a pass phrase could be a famous quote, a passage from a book, a line from a movie, or a joke.

Password Rotation

A history of passwords should be kept so they cannot be re-used too frequently. For example, if you set your password history to be 6 and you change your password once every 6 months, it will be over 3 years before you can use the same password. However, if someone changes their password in succession to bypass that, it would defeat the purpose. So make your password histories long AND define a minimum password age of at least 1 day.
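The Password Composition and Password Rotation rules above can be checked mechanically. The following is an added example (not Triada’s or any vendor’s code) that models them: at least three of the four character classes and 15+ characters, a history of the last 6 passwords kept as salted hashes, and a minimum password age of 1 day so the history cannot be cycled through in one sitting. It assumes a space counts as a symbol (so pass phrases qualify) and uses a constructed PBKDF2 round count; in a real deployment these rules live in the directory’s password policy rather than in application code.

```python
"""Model of the password rules above: composition (3 of 4 character classes,
15+ characters), a password history of 6, and a minimum password age of 1 day.
Added illustration, not the vendor's code."""
from __future__ import annotations

import hashlib
import secrets
import string
from datetime import datetime, timedelta

MIN_LENGTH = 15
MIN_CLASSES = 3
HISTORY_SIZE = 6              # most recent passwords that cannot be reused
MIN_AGE = timedelta(days=1)   # blocks cycling through the history in one sitting
PBKDF2_ROUNDS = 20_000        # constructed value for the example; tune for production

# Space is counted as a symbol so that pass phrases qualify (an assumption here).
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),
)


def composition_ok(password: str) -> bool:
    """15+ characters and at least three of the four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    used = sum(1 for chars in CLASSES if any(c in chars for c in password))
    return used >= MIN_CLASSES


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """Keeps salted hashes of the last HISTORY_SIZE passwords, never the passwords."""

    def __init__(self) -> None:
        self.history: list[tuple[bytes, bytes]] = []   # (salt, hash), oldest first
        self.changed_at: datetime | None = None

    def _reused(self, password: str) -> bool:
        return any(_hash(password, salt) == digest for salt, digest in self.history)

    def set_password(self, password: str, now: datetime) -> tuple[bool, str]:
        """Apply the rules in order and return (accepted, reason)."""
        if not composition_ok(password):
            return False, "needs 15+ characters and 3 of 4 character classes"
        if self.changed_at is not None and now - self.changed_at < MIN_AGE:
            return False, "minimum password age of 1 day not reached"
        if self._reused(password):
            return False, f"matches one of the last {HISTORY_SIZE} passwords"
        salt = secrets.token_bytes(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]    # drop the oldest entry
        self.changed_at = now
        return True, "accepted"


def generate_password(length: int = 20) -> str:
    """Random password meeting composition_ok, as a password manager would produce."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if composition_ok(candidate):
            return candidate


def demo() -> list[str]:
    """Constructed timeline: one change every six months, then attempts to bring
    back the original password. Returns the reason given for each attempt."""
    t0 = datetime(2013, 1, 1, 9, 0)
    acct = Account()
    reasons = []
    reasons.append(acct.set_password("Correct horse battery 9", t0)[1])
    reasons.append(acct.set_password("Correct horse battery 9!", t0 + timedelta(hours=1))[1])
    reasons.append(acct.set_password("short1A!", t0 + timedelta(days=2))[1])
    when = t0 + timedelta(days=2)
    for i in range(5):                                   # five six-monthly rotations
        acct.set_password(f"Six-month rotation #{i}", when + timedelta(days=183 * i))
    when += timedelta(days=183 * 5)
    reasons.append(acct.set_password("Correct horse battery 9", when)[1])   # still in history
    acct.set_password("Six-month rotation #5", when)     # sixth rotation pushes it out
    reasons.append(acct.set_password("Correct horse battery 9", when + timedelta(days=1))[1])
    return reasons


if __name__ == "__main__":
    for line in demo():
        print(line)
    print("generated:", generate_password())
```

The timeline in demo() reproduces the arithmetic of the paragraph above: with a history of 6 and a change every six months, the original password is rejected until six further changes have happened, which is three years later. Without the minimum age, the same six changes could be made in a minute.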

Storing Passwords

If you are an administrator or a business owner, you probably have tons of passwords that you have to remember. We reviewed some personal password managers in http://triadanet.com/is-your-password-12345/. Some of these have enterprise versions as well, such as LastPass. Many people will use an Excel spreadsheet that is password protected or encrypted using a program such as TrueCrypt. There are also some stand-alone password managers like KeePass. KeePass will encrypt all your passwords and will help you generate very random ones as well. You can protect your KeePass vault with a password, a keyfile, or some other method.

We actually use a different method. We have a central password manager that we can access securely over the web. The connection to this password manager is protected, as is the data that is stored there. We can then “check out” a password when it is needed and then enforce changes to passwords for administration accounts and service accounts. Accounts on the password system will be given access to certain vaults. So if an employee leaves the firm, you know right away what passwords they have access to and can take appropriate steps to change them. You may wonder, well that’s all well and good, but what if your password on the vault is compromised, doesn’t that leave you vulnerable because now all of your passwords are exposed? The answer is yes, potentially. However, by protecting the password management system with a two-factor authentication method such as a software or hardware one-time-password token, or a USB dongle, you mitigate against that possibility.


Conclusion

Passwords are the most popular way to configure systems for access control. Although Two Factor systems, biometrics, etc. are gaining ground, we still need our passwords for now. So safeguard your keys to the kingdom with passwords that are long enough, complex enough, and change often enough.

  1. If you don’t have a Google account, get one: Visit the Google Signup Page and fill out the form. If you already have a Gmail account, you can use that.
  2. Find the Google Local Page that you are interested in. Visit https://plus.google.com/local and type in the business name. You can visit ours by going to http://triadanet.com/gplus which forwards to the proper web page (shameless plug)
  3. Click on the Write a Review button
  4. Different types of businesses will have a slightly different form, but fill it out and click on Publish

That’s it! Now you know how to leave us, I mean, anyone a review.  In the future we will discuss how to create your own Google Local page.

#1 Overconfidence

Your and your employees’ confidence in your security systems and products is the #1 threat to your network. It doesn’t matter what anti-virus software or other safeguards you are running if your employees do not surf safely. Unsafe surfing results in porn pop-ups or more nefarious spyware that quietly steals information. Websites promising free stuff harvest information like your mother’s maiden name, high school, etc., which is used to answer common security questions, leading to theft of otherwise secure data. Think before you click!

#2 Social Networking Sites

No one can deny the popularity of social networking sites like Facebook. Threats range from malware (e.g. viruses, worms, spyware) to scammers trying to steal your identity, information and money. Businesses are using these sites to communicate with their colleagues and clients, so blocking them outright is no longer an option. The answer is educating your employees and enforcing a strong acceptable use policy. We can help you develop a policy, then monitor compliance using a Unified Threat Management device that controls and reports on network access.

#3 Attacks On Mobile Devices

Mobile is the largest growth area in computing. Mobile devices such as smartphones and tablets are growing at an incredible rate. These small mobile devices often contain sensitive business data and they are easily lost or stolen. Be sure to password protect and encrypt data on all mobile devices whenever possible. Ensure you include mobility and BYOD (Bring Your Own Device) in your acceptable use policy and your enforcement system.

#4 Cloud Computing

Although the cloud is many things, in its basic form it involves using the Internet to access and store your data. When you use programs that store their data online such as email, Facebook, DropBox and others, you are working in “the cloud.” Using the cloud for automated off site backup has rapidly gained popularity and is just the beginning. Companies like Microsoft and Google envision the day when we will use inexpensive terminals or devices such as tablets instead of computers to run programs and access data located somewhere on the Internet. Data should be secured not only where it is stored but as it is transmitted over the Internet.

Passwords are the least expensive way to keep people out of systems they should not have access to. Unfortunately most companies do not properly set password policies to prevent the use of weak passwords, such as dictionary words or information about the person that can be found simply by doing a couple of Internet searches or looking at social networking sites.

The flip side of the password issue is that if you force employees to select very complex passwords that are difficult to remember, they will write them down on those yellow sticky notes and stick them to their monitor or under their keyboards. Security professionals who do security assessments and penetration testing call these “yellow gold.” By checking dumpsters or waste baskets for these sticky notes, an attacker gains knowledge of your password patterns.

Ok, so if you can’t select weak passwords and you shouldn’t select complex passwords because employees will write them down, what should you do? What is a good password? Armstrong and Simonson state the obvious: “a good password is easy to remember, but hard to guess.” (Armstrong, 1996) One effective method would be to use a pass phrase. Perhaps a line from your favorite movie: “I made him an offer he can’t refuse.” If your systems or application cannot support long passwords, use the first letter of each word: “Imhaohcr” You can make this further complex by replacing certain letters with similarly looking symbols or numerals: “!mh@0hcr”  This makes it something easy to remember, but hard to guess. A website that I like to use for generating easy to remember passwords is actually one meant for kids, called dinopass.

Alternatives to Passwords

But because passwords are cheap, they are also inexpensive to break. Attackers have many tools at their disposal to crack passwords. A password is a one-factor authentication system in that it uses something you know: your password. A two-factor authentication system adds a second factor to reduce your exposure. A second factor can be something you have, like a token that generates one-time passwords, or something you are, like a fingerprint, an iris or retina scan, face recognition, etc. You must decide as a business owner whether the additional expense of adding such a system to protect your assets is justified. But if it can prevent a loss of customer data, it may well be worth the expense.
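The one-time-password token mentioned here, and earlier as the second factor protecting the central password manager in the Storing Passwords section, is normally an HOTP (RFC 4226) or TOTP (RFC 6238) generator. The block below is an added example, not Triada’s product or any vendor’s code: it implements both algorithms with only the Python standard library, a server-side check that tolerates one step of clock drift, and a constructed Vault class standing in for the web-accessible password manager, which refuses to open unless both the master password and a current code are presented. The secret used in the stand-alone run is the ASCII test key from the RFCs, not a real token seed, and the salt and PBKDF2 round count are constructed values.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): the algorithm inside software and
hardware one-time-password tokens. Added example using only the standard
library; the Vault class is a constructed stand-in, not the vendor's code."""
from __future__ import annotations

import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time password for a counter value (RFC 4226, HMAC-SHA1)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps
    since the Unix epoch, so token and server derive the same code independently."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check. Accepts the current step plus or minus `window` steps to
    tolerate clock drift, and compares in constant time so nothing leaks via timing."""
    for drift in range(-window, window + 1):
        counter = at // step + drift
        if counter >= 0 and hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return True
    return False


class Vault:
    """Constructed stand-in for the central password manager: opening it requires
    the master password (something you know) AND a current OTP (something you have)."""

    PBKDF2_ROUNDS = 20_000    # constructed value for the example; tune for production

    def __init__(self, master_password: str, otp_secret: bytes) -> None:
        self._salt = b"constructed-salt-for-the-example"   # use a random salt in practice
        self._master_hash = self._kdf(master_password)
        self._otp_secret = otp_secret

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, self.PBKDF2_ROUNDS)

    def open(self, master_password: str, otp_code: str, at: int) -> bool:
        """Both factors are always evaluated, so a wrong password and a wrong code
        take the same time and give the same answer."""
        knows = hmac.compare_digest(self._kdf(master_password), self._master_hash)
        has = verify_totp(self._otp_secret, otp_code, at)
        return knows and has


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real seed.
    secret = b"12345678901234567890"
    now = int(time.time())
    vault = Vault("correct horse battery staple", secret)
    print("token shows:", totp(secret, now))
    print("open with password + token:", vault.open("correct horse battery staple", totp(secret, now), now))
    print("open with stolen password only:", vault.open("correct horse battery staple", "000000", now))
```

The point of the Vault class is the one made in the Storing Passwords section: a compromised master password on its own no longer opens the vault, because the attacker also needs the token that produces the current code. Keep the drift window small (one step either way is the usual choice); every extra step you accept is another code that will be taken as valid.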

Managing Multiple Accounts

One difficulty we all face is the multiple accounts we need to maintain. People have used several methods to cope. Using the same password on multiple accounts is common but is not a great idea. A less than secure website that gets compromised, for example, could reveal your account information for a more secure system, like your bank. An alternative is to use separate passwords for your important and sensitive systems vs. ones that are less so. This minimizes the impact of a breach, but it still will leave multiple systems vulnerable. Another approach is adding a known password to a pattern related to the system that you are accessing, such as an abbreviation of the website name.

A better solution would be to use a password manager. A password manager can generate random passwords for each system or website that you need and is protected with a single password. The key to this is of course the strength of that “master password.” Replacing the master password with a two-factor solution as described would provide an additional layer. One such password management system is LastPass, another is 1Password, which up until recently, was only available on the Mac platform.

That’s Great for Individuals but What about Businesses?

Businesses have a similar and yet more complex concern. But more on that later…