If you read the news or follow tech related blogs, it seems that there is a new security threat nearly every day. Some days it’s a new website that hijacks your mobile browser, other days it’s a sensationalized news story about an elite hacker group releasing the names of a website’s users. With all these issues, it can be hard to zero in on which threats you should be worrying about.
Here’s an overview of the three most common security threats small to medium businesses face.
Targeted external attacks
Large, organized cyber-crime groups do exist, with Anon proving that. When these groups set their sights on something, nothing is safe. Luckily, the possibility of a smaller business like yours coming under attack from targeted external attacks is pretty slim. While rare, it could still happen and you should take steps to ensure your server(s) and systems that connect to the Internet are up-to-date. You should also ensure your firewalls and/or virus scanners are properly configured, and internal systems (Intranet) are separated from the Internet.
Taking these steps will ensure your system is nearly 100% safe. Granted, skilled and determined hackers can always find ways into systems though. Systems that are harder to hack, or take longer to hack due to stronger security measures, will generally deter nearly all external attacks.
Targeted internal attacks
Just because your systems are safe from external threats doesn’t mean you’re safe. In fact, most security threats to smaller businesses come from the inside. That last security breach likely wasn’t due to an uber hacking collective from Russia, but disgruntled Joe in accounting. If your internal systems are unsecured, or you store a list of machine passwords on a network drive – sounds silly, but you’d be surprised how many companies do this – you are basically inviting employees to steal information. Other security threats come from employees who just don’t know what they’re doing with some technology.
If this sounds like your company, it’s a good idea to take stock of who has access to what, and see if maybe you’ve been a little too liberal with it. You don’t want to completely lock systems and acces down though, as this could hinder your employees from doing their jobs. If you have servers or routers it probably isn’t a good idea to give all employees access to the settings of the system. Instead, either let someone with experience manage these systems, or work with a Managed Service Provider who can look after all this for you.
As technological devices proliferate, employees are increasingly tempted to want to bring their own devices to the office. This concept, commonly referred to as Bring Your Own Device (BYOD) has the potential to be disruptive – both for the better and worse. If done right, you could shave thousands off your budget. If done in the wrong way, your organization could be exposed to nearly every security threat imaginable.
Many BYOD related security cases we’ve seen come from when an employee brings in a device that isn’t up-to-date and connects it to the network. Reading update notes for most programs will show that the patch fixes many known security issues; an unpatched machine makes it easier for hackers or other criminals to gain access to a network. Aside from that, many companies don’t have a method in place to identify what devices employees bring to the office. This makes it hard to pinpoint where security breaches happen, and how to fix them.
We’re not saying BYOD is bad, it just needs to be handled properly. You should create a list of approved devices along with a list of who brings in what devices, and establish a policy that employees must ensure their systems are up-to-date and follow company security measures. One of the easiest ways to do this is to have your security expert look at the devices connected to the network. Each device has a MAC address – a unique ID – that can be recorded and added to a security white list. If the device doesn’t meet established standards, or isn’t on the MAC address list, then it’s not allowed to connect without authorization.
Contact us to find out how we can help reduce security threats in your business.