It’s hard to think about vulnerability – and no, we don’t mean your personal ones. IT vulnerability can put your business at risk, and not surprisingly, there are business owners out there that want to sweep their IT problems under a rug.
Yes, IT problems can seem insurmountable at times, and when you aren’t tech-savvy, it’s sometimes easier to ignore the issue than to confront it. We’re here to tell you that almost any IT problem can be overcome if you have the right attitude (and a little tech know-how)!
Why Security Matters Now More Than Ever
Let’s say you’re a business owner 50 years ago, and you have important documents you need to keep safe. How would you file them? Most likely, you would keep them in a file inside a locked cabinet, or if you wanted to be extra safe, in a deposit box at the bank. You’d go to sleep assured that your files were safe, unless your key was taken or the deposit box was broken into.
These days, keeping your data safe isn’t as straightforward. Where do you keep your important information? Most likely on a network. And who has access to that network? Probably people other than yourself. Thinking that your data is safe on an unsecured business network is like handing out keys to your lock box and expecting your files to stay safe.
So why all this concern? Computers have been around long enough that they’ve probably figured out how to keep them safe, right? In reality, the speed at which hackers can exchange information is faster than ever, meaning that computer system vulnerabilities can be exploited almost as soon as they are discovered. Whereas a few years ago, security issues might have been a local problem that were able to be resolved before they snowballed, todays’ malware and hacker networks can work in unison to create worldwide chaos.
Another thing you have to consider when talking about network security is just how many devices we interact with in our daily lives. A few short years ago, the only devices we had connected to a network were our desktop computers. Today, we all carry around networked devices on our wrists, in our pockets, and in our ears. Networked devices can even make you coffee! However, these innocuous machines that we’ve made a part of our lives can also compromise our personal information. When we think IT security, we usually think of big hulking machines with dedicated IT technicians fending off attacks from mysterious hacking groups. The reality is that if any one of your connected devices is compromised, your entire network falls with it. Making connections is great, but it comes at a price.
What Can I Do About It?
Well, the first step to security nirvana is acceptance. You have to accept that security flaws are inherent in all our technology, and that we have to actively secure information that is important to us. Once you’ve done that, you’re ready to make the necessary changes to how you secure your network. We’ve thought of a few of most common IT vulnerabilities that business owners face, and what you can do to stop hackers in their tracks.
Older Computer Software
Here’s the scenario – you’ve just unboxed a brand-new computer and are in the process of setting it up. You’re clicking through the on-screen prompts absentmindedly, when one of them catches your eye. “Allow automatic updates?” you mutter to yourself. “Best not, what if they send out an update I don’t like or want?”
This type of thinking is risky because most people will hesitate when their computer prompts them to update it. They might rationalize it by saying that they’ll do it later, that they can’t restart their computer just yet, or they want to see how the update will affect other computers before they update their own. Before you know it, it’s been two years since your computer has been updated, and it’s lagging, buggy, and worst of all, vulnerable to attack.
See, the reason software companies send out an update is because they’ve discovered an issue that needs to be fixed. Ignoring a software update is like having a mechanic offer to fix your car for free and turning them down. “No thanks,” you say. “I’ll take my chances with this one on the highway.” Sounds ridiculous, right?
Hackers know that for whatever reason, people don’t update their computers as often as they should. They’ll target security flaws in previous software versions in the hopes that people are still running unpatched software. More often than not, they’re right!
If you needed more proof before you allow automatic updates, just take a look at the Hewlett-Packard 2016 Security Research Cyber Risk Report where they say -
Don’t be another statistic – allow automatic updates.
Personal Computing Devices
While we don’t often think of our cell phones as “computers”, they’re actually more sophisticated than full sized computers were 20, or even just 10 years ago. When you have your employees bringing their own devices like phones or computers into the office, you’re introducing a variable you as a business owner can’t control. This isn’t to say that your employees are doing anything malicious, but they might have a virus on their personal devices that’s just waiting to spread. You can install the latest protection on your servers, require unique passwords for your desktops, and have extensive network activity logs, but all of that is meaningless if you have an employee connect to your network where you can’t see who is doing what.
Now before you start cracking down and installing metal detectors in your lobby, you can keep your network and information safe if you just take a few simple precautions.
First, your employees might want to use Wi-Fi when they’re in the office, and that’s understandable. You can create an entirely new network - separate from your internal one – that your employees and clients can use. If they are connected to an independent network, there is less concern that their own devices can access your internal network.
It’s also critical to advise your employees on what they can and can’t connect to their workstations. While they might want to download a few files to a USB thumb drive so they can work on something over the weekend, from a security standpoint, it’s entirely inadvisable. USB thumb drives can contain malicious code that will automatically run once it’s been connected to a device. The well-known Stuxnet virus that crippled Iranian nuclear reactors in 2009-10, got on to their system simply because a technician plugged in a USB drive containing the virus.
How can you prevent employees from plugging in USB devices? Short of locking down your USB ports, you can’t really prevent them from doing so. However, you can change your computer’s auto-run policies so that when a USB device is plugged in, it won’t run whatever is on the device. This could give you some time to scan the device for a virus, and if it’s infected, to immediately remove it.
The Human Problem
I, for one, will welcome our robot overlords after the inevitable revolution. Until that day though, we’re stuck hiring humans to do human work. The problem with humans though, is that we can make mistakes. As a business owner, you want to minimize those mistakes! When a person has access to your internal business network, you have to put a certain amount of trust in them. If something goes wrong, then you want to be able to trace the problem. If only there was a way to see who is on your network at any given moment…
Predictable and boring - just the way we like it.
Fortunately, there is! If you create a unique user profile for each of your employees, you’ll be able to see who has logged on to a workstation at a certain time. That way, if you run into any issues, you can trace the problem back to the user who created it. Of course, this system isn’t foolproof. One person can “borrow” another’s workstation if they’ve stepped away for a minute, so educating your employees about computer safety is extremely important for them and your network.
Sometimes, employers just give access to their employees without thinking what their employees really need access to. Does marketing really need to know about the resumes HR has? Does the sales team need to see the IT department’s passwords? It’s best practice to only give access to the people who need it, and not have the company “default” be an all-access party. A good IT team will be able to set up and authorize individuals for what they need to know, and keep them away from what they don’t.
RATs and Other Rodents
RAT stands for “Remote Administration Tool”, which is a fancy way of saying “getting on to your computer from far away”. If you’ve ever called technical support for your computer, you may have been asked to install some software that allows the technicians to take control of your computer. This software is an example of a RAT, and it’s helpful when you authorize it. If it’s installed on your computer without your knowledge – not so helpful. If you get a remote admin tool on your computer, then there’s no telling what might happen. The person who installed it could be using it as a keylogger (to see what you’re doing on the computer) or might be using it as ransomware (that shuts down your computer and files until you pay a ransom).
How can you prevent this from happening? First, it’s important to only download software from trusted sites. Often, less trustworthy download sites will add on code to the software you want. When you go to download it, the malicious code piggybacks its way on to your computer, where it can wreak havoc.
Hackers have gotten more sophisticated than this though. We’ve heard of instances where you get an email that looks like its from a work colleague, and says something like “Hey, check out the project I’ve been working on.” When you click on the link, it’s not a spreadsheet, and you’ve just infected your workstation (and possibly others on the network) with a virus. This is why it’s important to “trust, but verify”, and if anyone in your contacts sends you something that has even a whiff of suspicion, then you should contact them privately to make sure it was really they who sent it.
“Wait a second,” you might be saying. “I installed an anti-virus program to my computer when I first got it, so why shouldn’t it be able to detect these viruses before they become an issue?” First, congratulations on installing an anti-virus! It’s a step in the right direction, but it doesn’t protect you from every virus that’s out there. Anti-viruses use algorithms to check code that fits in with what they consider to “be a virus”. If the code doesn’t check out, then it’ll pass through undetected. Recently, we’ve seen reports of hackers using something called a “cloaking service” that disguises viruses to not look like viruses. Just like a real virus evolving to escape detection by the body, computers viruses can do the same. In this case, an ounce of prevention is worth a pound of cure!
Overwhelmed Servers
If you host your website on a server, or run your network on one, you rely on having that server run 24/7. Any time that your server isn’t running, you can’t get work done, and clients can’t interact with your website. Hackers know this, and exploit a flaw that’s inherent in all servers to bring them down. They can use what’s called a DDOS attack, which stands for “Distributed Denial of Service”. The way it works is like this:
Imagine you’re driving to a small town from the big city. The road eventually turns into a one lane highway as you approach the small town, which isn’t an issue because there aren’t many cars traveling on the road. Now imagine you have thousands and thousands of cars that all want to travel to the small town from the big city at once. If this happens, no one is going to get to the town in time, and the traffic will come to a standstill.
A similar thing is happening on your servers. When someone makes a request to access it (say from your product website), the “road” can handle it. If a bunch of people try to access the server at once (a lot of people on a small road), the server can’t handle the request and no one gets on.
What’s the problem with having your servers down for a bit? Well, since the average cost of a DDOS attack to a company is about 2.5 million, you might want to look into protecting your servers however you can.
The easiest way you can protect your business is by speaking to your internet service provider (ISP) and seeing if they offer a DDOS protection plan. Sometimes they can reroute internet traffic if they suspect an attack is happening. Another way to protect yourself is by investing in a virtual private network, or VPN. The VPN reroutes all traffic so that it seems that your IP address is coming from somewhere else. If anyone tries to spam that public IP, they won’t be attacking your true. hidden IP address.
Why Managed IT Is Handled Best By The Experts
Keep in mind that this is a partial list at best, there are a thousand and one other ways that businesses leave themselves open to attacks by hackers. Ultimately, the best defense for your business is using a managed IT team that can prevent attacks and stop them in their tracks. There’s no reason you need to worry about your IT infrastructure, so leave the worrying to the pros!