There’s no such thing as an impregnable system for protecting your company’s IT systems. However, you can take a number of measures to give yourself a prudent level of protection. PROFIT readers suggested a number of these measures in their response to this question posed last issue by the CEO of a Winnipeg-based marketing company:
“I keep reading about the threats posed to my company’s website and even our internal network by phishing scams, viruses, spyware attacks, etc. We do have some protection such as a network firewall and we run security software. We haven’t had any problems yet, but do I need to put more IT security measures in place? Is there really that great a risk of my business being hit by some cyber attacker, given the fact that ours is a relatively small company? I don’t think our information is of any value to anyone but our company and our clients, and my security budget is small.”
Best reader responses
Moscou “MC” CotÃ©, Voyages Constellation LtÃ©e:
There is a key rule you must take into account in deciding upon your security needs, one that applies not only to IT but to all security aspects: you must have adequate security based on the potential loss represented by a breach.
A 100% foolproof system is not possible, never, period. Even the world’s most “secure” systems (or vaults, for that matter) can be broken into given the right tools, time, skills and, most importantly, will.
If your system has basic protection but thieves will walk out with millions upon a successful breach, then you are at risk and will be attacked eventually. On the other hand, if your protection is above and beyond the value of the loot, they will go elsewhere, trying to find an easier target.
What your required security level is cannot be determined without knowing what the wrongdoers can get away with. And you need to assess that yourself.
Spending lots of money for security that exceeds that level will most probably be wasted, and could be better used elsewhere. I have seen servers with double firewall and security tokens protecting the data, yet stored in an office without window bars. Although a hack would be difficult, someone could simply steal the physical server. So it is important to know what the weakest link in your security chain is. Start there if that link is not secure enough, even if it is not an IT solution.
In order to have an honest and meaningful answer, try to find an IT security specialist that is not in the business of also selling the protection. Also, make sure all your upgrades are up to date and that you don’t store information, such as credit card numbers, that is no longer required.
You would be correct in assuming that attackers will not specifically attack a small-business website—unless someone was specifically targeting your website, which is rare. Although attacks nowadays are common, a few simple steps are enough to secure small to mid-sized businesses:
- Viruses, spyware and malware: The best way to keep these out is by ensuring you have good anti-virus software (I personally recommend Kaspersky, NOD32 or Symantec Endpoint) to cover your basic security needs.
- Random attackers: They look for open ports on computers that they can compromise. As long as your firewall does not respond to these requests, your computer will seem not to exist, and thus random attackers will move on to the next target. A properly configured firewall comes in handy here. Ensure that only a few needed ports are open to the Internet.
- Phishing: There is really not much one can do about this. Phishing is when a site that looks like yours is created for the malicious intent of stealing user data. These sites are meant to confuse users into believing that the fake site is legitimate and that they need to provide their personal information, as they would on the legitimate site. The good news is that currently only big corporations are the target of phishing scams, so there’s not much to worry about there. A good policy is not to include any external links in e-mails to customers, and to remind customers of this policy whenever possible.
- Attacks on e-commerce sites: It your site offers online shopping, you may need to look into setting up a secure connection to the transaction servers. The details of doing this are out of scope of this e-mail, but any professional Web developer would be able to assist you with this.
Elliot Ross, tech blogger at strategitech.ca:
Desktop security software, including anti-virus and anti-malware, is a good place to start.
Let’s look at that firewall now. In most SMEs, that little firewall box doesn’t get the attention it deserves. This little guy is the first point of defence for most SMEs. And like general PCs, it needs maintenance, monitoring and upgrades.
Are its rules checked regularly? Are its logs looked at? Is it a manageable enterprise-class device, or is it a small consumer-grade device that “grew into” enterprise duty as your business grew?
In the SME space, we can’t afford 24/7 monitoring staff. We can’t afford to dedicate someone to ensure that this little box is properly updated, that its security rules are correct and that the log files are being checked for dangerous activity. So in our SME space it makes sense to outsource the management, monitoring and reporting of these devices.
If you are a business of more than a few individuals and you rely primarily on a hardware firewall and routing device, in your next budget cycle you should plan to spend the money to ensure that the device is upgraded from a consumer-grade or entry-level device to one with remote management and monitoring capability.
Second, consider outsourcing the management of this device, possibly to your ISP or a third party. If your ISP has this service, that could be ideal. ISPs have 24/7 dedicated professionals and the tools to monitor all their own devices anyways. If you’re lucky, your ISP will have a monitoring service that includes a professional-grade device and the associated monitoring and maintenance in one package.
And finally, the majority of data losses and other IT breaches are “inside jobs.” They can be malicious, or they can be accidental, the latter such as an employee or contractor who opens an e-mail containing a virus or malware. This means ensuring your network security controls are in place, especially with sensitive data.