Smaller firms often struggle just to keep up with maintaining a website. Worrying about a scaled-down version for mobile users can seem like too much trouble. Today’s blog is about why this matters to you and why you should bother with a mobile version.
A bit of background: mobile sites are versions of your website that can be easily read and used on a small mobile screen. What is readable on a laptop or desktop monitor can be too tiny to use on a phone, and the buttons and fields on your forms become impossible to use.
Why does this matter? Three reasons:
Showing up in search rankings. If you want to be found in a search and appear high in the ranking, you need to have a “mobile optimized” site. Google has now included the failure to have a mobile optimized site as a specific reason to lower a website in its search rankings. If you don’t have a mobile optimized site, you slip lower in the ranking. Slip lower in the rankings and fewer people ever find you in a search.
More search and web activity now occurs on mobile devices than on desktop PCs and laptops. If you want attention, you need to be “mobile ready.” You can’t just write off those mobile users; there are too many of them.
If your site is too difficult to use on a phone screen, the user is just going to jump to another vendor. There’s nothing else to say.
So the summary is, if you haven’t already done so, you need to bite the bullet and get a mobile optimized site. The internet offers too much business to just ignore the issue.
You can have all the locks on your data center and have all the network security available, but nothing will keep your data safe if your employees are sloppy with passwords.
There are many ways data can be breached, and opening some link they shouldn’t is one of the most serious security sins employees can commit, but today we’ll just talk about passwords.
Here are some basic practices that you should require your employees to follow. These are basic tips. System administrators should implement other policies, such as forbidding the reuse of previous passwords and locking accounts after a few failed attempts to log in. But just for you as a manager, here are a few tips.
Change Passwords – Many firms still change out all passwords every 30 to 90 days. Be aware that current NIST guidance (SP 800-63B) no longer recommends scheduled changes: change a password promptly when there is any reason to believe it has been exposed, and rely on length and on screening against known-breached passwords the rest of the time.
Password Requirements – Should include a mix of upper- and lowercase letters, numbers, and symbols, and above all enough length; a long passphrase resists guessing far better than a short password with a symbol tacked on.
Teach employees NOT to use standard dictionary words (in any language) or personal data that can be looked up or stolen: addresses, telephone numbers, Social Security numbers, birthdays, and so on.
Emphasize that employees should not access anything using another employee’s login. For convenience, employees may leave systems open and let others use them so that one person doesn’t have to log out and the next log back in. Make a policy regarding this and enforce it; shared sessions also destroy your audit trail, because you can no longer tell who did what.
These are just a few basic password tips, but they can make a big difference in keeping your business’s sensitive data safe.
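The following is an added example, not code from the original post, showing what the tips above and the administrator-side policies look like when enforced in software: composition and length checks, rejection of dictionary words (including the usual “@” for “a” and “0” for “o” substitutions) and of personal data, refusal to reuse recent passwords, and lockout after repeated failed logins. The word list and the personal-data dictionary are constructed stand-ins for real data.

```python
"""Password policy checks: composition, dictionary words, personal data,
password-history reuse and failed-login lockout. Added example, not from the
original post. DICTIONARY and the `personal` dict are constructed stand-ins."""
import hashlib
import hmac
import os
import re
import time

# Constructed stand-in for a real word list (ideally several languages).
DICTIONARY = {"password", "welcome", "summer", "company", "qwerty", "letmein"}

# Substitutions attackers try first, so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@0$13!|", "aosieil")


def normalize(pw):
    return pw.lower().translate(LEET)


def check_password(pw, personal, min_len=12):
    """Return a list of policy violations; an empty list means the password passes.
    `personal` maps a label to a value an attacker could know about the user,
    e.g. {"name": "Alice Smith", "phone": "555-0100"}."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw))
    if not all(classes):
        problems.append("needs upper, lower, digit and symbol")
    norm = normalize(pw)
    for word in sorted(DICTIONARY):
        if len(word) >= 4 and word in norm:
            problems.append("contains dictionary word '%s'" % word)
    for label, value in personal.items():
        words = [w for w in re.split(r"\W+", value.lower()) if len(w) >= 4]
        digits = re.sub(r"\D", "", value)      # phone numbers, SSNs, dates
        if any(w in norm for w in words) or (len(digits) >= 4 and digits in pw):
            problems.append("contains personal data (%s)" % label)
    return problems


class Account:
    """Server-side state for one user: password history and failed-login lockout."""
    HISTORY = 5            # previous passwords that may not be reused
    MAX_FAILURES = 5       # consecutive failures before the account locks
    LOCK_SECONDS = 15 * 60

    def __init__(self, username):
        self.username = username
        self.salt = os.urandom(16)
        self.history = []  # PBKDF2 hashes, most recent last
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, pw):
        # Stored as a salted, stretched hash, never in the clear.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def set_password(self, pw, personal):
        problems = check_password(pw, personal)
        h = self._hash(pw)
        if any(hmac.compare_digest(h, old) for old in self.history):
            problems.append("reuses one of the last %d passwords" % self.HISTORY)
        if not problems:
            self.history = (self.history + [h])[-self.HISTORY:]
        return problems

    def login(self, pw, now=None):
        """Returns 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if self.history and hmac.compare_digest(self._hash(pw), self.history[-1]):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + self.LOCK_SECONDS
            return "locked"
        return "denied"
```

The lockout is time-limited rather than permanent so that an attacker cannot lock every employee out simply by sending wrong passwords; pair it with logging so that repeated lockouts on one account are noticed.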
Losing an employee is not usually a good experience. If they leave voluntarily, you lose a valuable asset. If they have to be fired, you have the arduous task of the progressive discipline process and the final termination meeting. But there are other concerns that arise when an employee leaves. Those concerns are security and their access to company data.
Here are some considerations regarding passwords and voluntary termination (a.k.a. resigned) or involuntary termination (a.k.a. fired). It is important you have a process in place so that whenever a termination occurs, nothing slips through the cracks regarding corporate data security.
When you dismiss an employee, you should immediately disable their accounts and change any shared passwords the employee knew (the WiFi key, vendor portals, shared mailboxes and the like). Because almost all terminations should be planned, you should also define the process for canceling access. It is unwise to cancel access prior to the termination meeting: if you do, you create the potential for a confrontation when they arrive at work and find their accounts disabled. Instead, plan ahead and assign someone to disable their accounts while you are having the termination meeting. Before the meeting, be sure you have a list of all access cards, keys, etc. prepared so they can be cancelled before the employee leaves the building.
Voluntary terminations – Different firms have different policies for handling resignations. Depending on the position, an employee may be permitted to continue working during their two-week notice period. In that case, you need to consider whether there is any possibility the employee might get up to no good during the final days. That is something only you can judge.
In some cases, firms will ask an employee to leave the facility immediately. For that you need to have a plan in place: a list of all of the restricted systems to which they have access, ready for when this situation arises. The employee should not leave the building until all of their access has been canceled.
This may all seem a bit harsh, but things have changed. Thirty years ago, a disgruntled employee who wanted to steal files would have to carry out large boxes of file folders. Now, not only can they empty the building onto a thumb drive, they can take nefarious action that wasn’t possible when data was stored on paper.
In our last blog we started talking about the different layers of security necessary to fully defend your data and business integrity. Today we will look at the human aspect of it, and network defenses. The human layer refers to the activities that your employees perform. 95% of security incidents involve human error. Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are “assuming their employees know internal security policies” and “assuming their employees care enough to follow policy”.
Here are some ways hackers exploit human foibles:
guessing or brute-forcing passwords
tricking employees into opening malicious emails or visiting compromised websites
tricking employees into divulging sensitive information
For the human layer, you need to:
change passwords whenever you lose an employee, and on a fixed schedule if your policy requires it
train your employees on best practices every 6 months
provide incentives for security conscious behavior.
distribute sensitive information on a need to know basis
require two or more individuals to sign off on any transfer of funds
watch for suspicious behavior
The network layer refers to software attacks delivered online. This is by far the most common vector for attacks, affecting 61% of businesses last year. There are many types of malware: some will spy on you, some will siphon off funds, some will lock away your files.
However, they are mostly delivered in the same few ways:
spam emails or compromised sites
“drive-by” downloads, etc.
To protect against malware:
Don’t use business devices on an unsecured network.
Don’t allow unknown or unmanaged devices onto your WiFi network.
Use firewalls to protect your network.
Make sure your WiFi network is encrypted (WPA2 or later; WEP is broken and offers no real protection).
Use antivirus software and keep it updated. Although it is not the be-all and end-all of security, it will protect you from the most common malware and help you notice irregularities.
Use programs that detect suspicious software behavior.
The mobile layer refers to the mobile devices used by you and your employees. Security consciousness for mobile devices often lags behind consciousness about security on other platforms, which is why there are 11.6 million infected devices at any given moment.
There are several common vectors for compromising mobile devices.
To protect your mobile devices you can:
use strong passcodes and a screen lock
use reputable security apps
enable remote wipe options
Just as each line of defense would have been useless without an HQ to move forces to where they were needed most, an IT defense-in-depth policy needs a single person, able to monitor each layer for suspicious activity and respond accordingly.
In the 1930s, France built a line of fortifications called the Maginot Line to rebuff any invasion. The philosophy was simple: if you map out all the places an enemy can attack, and lay down a lot of men and fortifications at those places, you can rebuff any attack. The problem is, you can’t map every possible avenue for attack; in 1940 the German army simply went around it.
What does this have to do with IT security? Today many business owners install an antivirus program as their Maginot Line and call it a day. However, there are many ways to get into a network that circumvent antivirus software.
Hackers are creating malware faster than antivirus programs can recognise it (about 100,000 new malware variants are released daily), and professional cybercriminals will often test their creations against all commercially available antivirus products before releasing them onto the net.
Even if you had a perfect antivirus program that could detect and stop every single piece of malware, there are many attacks that bypass antivirus entirely. For example, if a hacker can get an employee to click on a malicious email link or website, or can brute-force a weak password, all the antivirus software in the world won’t help you.
There are several layers a hacker can target: the physical layer, the human layer, the network layer, and the mobile layer. You need a defense plan that will allow you to quickly notice and respond to breaches at each level.
The physical layer refers to the computers and devices that you have in your office. This is the easiest layer to defend, but it is exploited surprisingly often.
Here are a few examples:
Last year 60% of California businesses reported a stolen smartphone and 43% reported losing a tablet with sensitive information.
The breaches perpetrated by Chelsea Manning and Edward Snowden occurred because they had physical access to systems holding sensitive information and could copy it onto removable media.
For example, CompTIA left 200 USB devices in public spaces across the country to see if people would pick up a strange device and plug it into their work or personal computers. 17% did.
For the physical layer, you need to:
keep all computers and devices under the supervision of an employee or locked away at all times
only let authorized employees use your devices
never plug in any unknown USB devices
securely wipe or physically destroy obsolete hard drives before disposing of them
Next time in Part II, we will talk about the human and network layers of security.
There are some things that only people can fix. There are many security risks to which your data is susceptible, but one method remains a wonderfully effective hacking tool: the phishing scam. This is a legitimate-looking email that asks the reader to click on a link. If clicked, the link can infect the user’s computer with malicious software that can steal passwords, logins, and other critical data. Alternatively, the email appears to be from a legitimate source, perhaps even duplicating a legitimate webpage, and asks the user to enter personal information, including passwords. In either case, that is how hackers easily get into your systems.
What’s the best defense against this one? The single biggest defense is education: training your people to be constantly wary of all the emails they receive. One way some firms are educating their people is by sending out their own “fake” phishing emails. Employees who click on the link inside are greeted with a notice that they’ve fallen for a phishing test and are then offered tips on how not to be fooled in the future. Think of it as the hi-tech version of Punk’d.
You may not be ready to go that far, but it is important to provide ongoing training to all of your staff about phishing scams. Your staff are all critical factors in your data security plans.
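Here is an added example, not code from the original post, of the kind of in-house phishing test described above. Each employee’s link carries an HMAC-signed token, so a click can be attributed to that person and a forwarded link cannot be used to frame a colleague; the email body uses the exact trick the post warns about (link text that names a legitimate site while the real address goes elsewhere); and the click handler records the click and serves the training notice. SECRET, TRAINING_HOST, CAMPAIGN and EMPLOYEES are constructed, and TRAINING_HOST is assumed to be a server you control.

```python
"""Internal phishing simulation: signed per-employee tracking links, the
link-text/href mismatch check, a click handler and a campaign report.
Added example, not from the original post; campaign data is constructed."""
import hashlib
import hmac
import html
import re
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = secrets.token_bytes(32)                      # per-campaign signing key
TRAINING_HOST = "https://training.example.internal"   # assumed: your click-tracking server
CAMPAIGN = "q3-invoice"
EMPLOYEES = ["alice@example.internal", "bob@example.internal"]
CLICKS = {}   # emp_id -> first click time; a real deployment stores this in a database


def emp_id(employee):
    """Pseudonymous id used in the link, so the link itself names nobody."""
    return hashlib.sha256(employee.encode()).hexdigest()[:16]


def make_token(employee):
    """Token = campaign.emp_id.mac; the MAC stops anyone forging a click for a colleague."""
    eid = emp_id(employee)
    mac = hmac.new(SECRET, ("%s.%s" % (CAMPAIGN, eid)).encode(), "sha256").hexdigest()[:32]
    return "%s.%s.%s" % (CAMPAIGN, eid, mac)


def verify_token(token):
    """Return (campaign, emp_id) if the MAC checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    campaign, eid, mac = parts
    expected = hmac.new(SECRET, ("%s.%s" % (campaign, eid)).encode(), "sha256").hexdigest()[:32]
    return (campaign, eid) if hmac.compare_digest(mac, expected) else None


def tracking_link(employee):
    return "%s/t?%s" % (TRAINING_HOST, urlencode({"tok": make_token(employee)}))


def build_email(employee):
    """HTML body using the trick the post describes: the visible link text looks
    legitimate while the real href goes to the training server."""
    link = html.escape(tracking_link(employee), quote=True)
    return ('<p>Your invoice is overdue. Review it at '
            '<a href="%s">https://billing.example.com/invoice</a></p>' % link)


def link_mismatches(body):
    """The check employees are taught to make by hovering: does the link text name
    a different host than the address the link really points to?"""
    out = []
    for href, text in re.findall(r'<a href="([^"]+)">([^<]+)</a>', body):
        real = urlparse(html.unescape(href)).hostname
        shown = urlparse(text.strip()).hostname
        if shown and real != shown:
            out.append((shown, real))
    return out


def handle_click(url, now=None):
    """Click handler on the training server: validate, record, return the notice."""
    tok = parse_qs(urlparse(url).query).get("tok", [""])[0]
    parsed = verify_token(tok)
    if parsed is None:
        return 404, "not found"
    _campaign, eid = parsed
    CLICKS.setdefault(eid, time.time() if now is None else now)
    return 200, ("This was an internal phishing test. The link text and the real address "
                 "did not match. Hover over links and check the address before clicking.")


def report():
    """Who clicked, by employee, and the campaign click rate."""
    clicked = sorted(e for e in EMPLOYEES if emp_id(e) in CLICKS)
    return {"clicked": clicked, "rate": len(clicked) / len(EMPLOYEES)}
```

Keep the report for training follow-up rather than discipline; campaigns that punish clickers drive people to stop reporting the real phishing emails they receive.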
This cyberattack scheme hasn’t garnered nearly as much attention as the usual “break in and steal data to sell on the Internet” version, but it can be even more debilitating. Ransomware attacks have become common in the last few years, and their practitioners are so polished that in some cases they even run mini call centers to handle your payments and questions.
So what is ransomware? Ransomware stops you from using your PC, files or programs. The business model is as old as the earliest kidnapping: they hold your data, software, or entire PC hostage until you pay a ransom to get it back. What happens is that you suddenly have no access to a program or file, and a screen appears announcing that your files are encrypted and that you need to pay (usually in bitcoin) to regain access. There may even be a Doomsday-style clock counting down the time you have left to pay before you lose everything.
Interestingly, one of the more common “market segments” targeted in the US has been public safety. Police department data is held hostage, and in many cases they have given up and paid the ransom. They had little choice. They aren’t the only ones. A hospital in Southern California also fell prey, as did one in Texas.
Ransomware can be especially insidious because backups may not offer complete protection against these criminals: any backup the infected machine can reach, such as a mapped network drive or a permanently attached USB disk, can be encrypted right along with the originals. Keep at least one backup copy offline or versioned so that the malware cannot overwrite it, and test that you can actually restore from it. Such new schemes illustrate why you need a professional security service that can keep you up to date on the latest criminal activity in the cyber world. Talk to an MSP about possible protections against ransomware.
You hear on the news all the time about big cyber attacks on large corporations, and even government agencies. The trouble with this news coverage is that it suggests a distorted view of where cyber attacks are taking place. These attacks are not solely hitting large organizations. Small firms represent a significant portion of those who face cyber attacks. Being small by no means keeps you immune. In fact, small firms can be used as conduits to larger organizations. That is what happened to Target Corporation in 2013, when the attackers got in using network credentials stolen from a small HVAC contractor that worked for Target.
If you’re a small business, then you’re a target for cyber criminals. Last year, 71% of small to medium size businesses were the victims of cyber attacks.
Today’s concern is how you would respond to an attack. 31% of small to medium businesses do not have a plan of action for responding to IT security breaches, and 22% admit that they lack the expertise to make such a plan. A data breach is disastrous.
Your response determines whether it’s a survivable disaster. You need to have a statement for customers ready (47 states require businesses to disclose data breaches), you need to be able to quickly access backups, and you need access to professionals with experience in disaster recovery and business continuity.
Hearing “all of your confidential information is extremely vulnerable, we know this because…” is bad news, but whatever follows the ellipsis determines just how bad. Consider two scenarios.
“All of your confidential information is extremely vulnerable… we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”
“All of your confidential information is extremely vulnerable… we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve.” 61% of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure that you end up being the person hearing the latter sentence.
Scenario 2 describes the statement after you have had a vulnerability test conducted. A vulnerability test is a comprehensive audit of the security flaws that a hacker could exploit, and of their possible consequences. It is the equivalent of a doctor giving a physical examination. This information will let you know what your risks are and plan your security policies accordingly.
Vulnerability tests can be conducted by in-house IT or outside consultants. They should be done quarterly, or whenever you incorporate new equipment into your IT network.
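To make “a vulnerability scan of your network” concrete, here is an added example, not code from the original post, of the most basic form such a scan takes: connect to each TCP port, read the service banner, and flag any version that appears on a list of known problems. KNOWN_ISSUES is a constructed stand-in for the vulnerability database a real scanner consults, and the demo target is a fake service the script starts on 127.0.0.1, because scanning hosts you are not authorized to test is itself an attack.

```python
"""Minimal TCP connect scan with banner grabbing and a known-issues lookup.
Added example, not from the original post. KNOWN_ISSUES is constructed and the
target below is a fake local listener, so nothing is scanned without consent."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed: banner substrings a real scanner would look up in a vulnerability database.
KNOWN_ISSUES = {
    "OpenSSH_5.3": "end-of-life SSH server; upgrade",
    "vsFTPd 2.3.4": "known backdoored release; replace immediately",
}


def grab_banner(host, port, timeout=1.0):
    """Return (port, banner) if the port accepts a connection, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""   # open, but the service expects the client to speak first
        return port, data.decode("ascii", "replace").strip()
    except OSError:
        return None          # refused, filtered or unreachable


def scan(host, ports, workers=32):
    """Connect-scan the ports in parallel; returns {port: banner} for open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: grab_banner(host, p), ports))
    return {port: banner for port, banner in (r for r in results if r is not None)}


def assess(open_ports):
    """Turn open ports and banners into findings ('what are my weaknesses?')."""
    findings = []
    for port, banner in sorted(open_ports.items()):
        hits = [why for sig, why in KNOWN_ISSUES.items() if sig in banner]
        findings.append({
            "port": port,
            "banner": banner,
            "severity": "high" if hits else "info",
            "note": hits[0] if hits else "open service; confirm it is needed and patched",
        })
    return findings


def start_fake_service(banner, host="127.0.0.1"):
    """Demo fixture: a listener on an ephemeral port that sends a banner and hangs up."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    demo_port = start_fake_service(b"SSH-2.0-OpenSSH_5.3\r\n")
    for finding in assess(scan("127.0.0.1", [demo_port])):
        print(finding)
```

A banner is a claim, not proof: services can be patched without changing their version string, or lie about it, which is exactly where the pen-test described next picks up, by trying to exploit the weakness rather than inferring it.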
What is a pen-test: A pen-test is a simulated attack on a network to test the strength of its security. Usually, the pen-tester will have a specific objective (e.g. “compromise this piece of data…”). A vulnerability scan tells you “what are my weaknesses?”; a pen-test tells you “how bad is a specific weakness?”
How often should you pen-test: Different industries will have different regulatory or contractual requirements for pen-testing. One of the broader-reaching standards, the PCI DSS, for example, requires pen-testing at least annually and after any significant change to the environment. However, it is prudent to go beyond the minimum. You should also conduct a pen-test every time you have
Stay Secure My Friend… More Hackers Targeting SMBs
Many SMBs don’t realize it, but the path to some grand cybercrime score may go right through their back door. SMBs are commonly vendors, suppliers, or service providers who work with much larger enterprises. Unfortunately, they may be unaware that this makes them a prime target for hackers. Worse yet, it may be costing them new business.
Larger companies likely have their security game in check, making it difficult for hackers to crack their data. They have both the financial resources and staffing power to stay on top of security practices. But smaller firms continue to lag when it comes to security. In many cases, the gateway to accessing a large company’s info and data is through the smaller company working with them. Exposed vulnerabilities in security can lead cybercriminals right to the larger corporation they’ve been after.
Cybercriminals Target Companies with 250 or Fewer Employees
In 2012, Symantec research confirmed that cybercriminals are increasingly targeting smaller businesses with 250 or fewer employees. Attacks aimed at this demographic practically doubled from the previous year. This news has made larger enterprises particularly careful about whom they do business with. This means that any SMB targeting high-end B2B clientele, or those seeking partnerships with large public or government entities, must be prepared to accurately answer questions pertaining to security. This requires an honest assessment of the processes taken to limit security risks.
View Security Measures as Investments
CIOs must start viewing any extra investment to enhance security as a competitive differentiator in attracting new business. Adopting the kind of security measures that large enterprises seek from third-party partners they agree to work with will inevitably pay off. The payoff will come by way of new revenue-generating business contracts that will likely surpass whatever was spent to improve security.
Would-be business partners have likely already asked for specifics about protecting the integrity of their data. Some larger entities require that SMBs complete a questionnaire addressing their security concerns. This kind of documentation can be legally binding so it’s important that answers aren’t fudged just to land new business. If you can’t answer “yes” to any question about security, find out what it takes to address that particular security concern.
Where a Managed Service Provider Comes In
Anyone who isn’t yet working with a Managed Service Provider (MSP) should consider it. First, a manual network and security assessment offers a third-party perspective that will uncover any potential business-killing security risks. A good MSP will produce a branded risk report to help you gain the confidence of prospects to win new business.
An MSP can properly manage key elements of a small company’s security plan. This includes administrative controls like documentation, security awareness training, and audits, as well as technical controls like antivirus software, firewalls, patching, and intrusion prevention. Good management alone closes a large share of the security gaps a small firm typically has.