Make IT a Priority. But Where to Start?
Last month we talked about why your company needs to make IT and cybersecurity a priority. This month we’re talking about where and how to get started. Let’s begin with some cold, hard truths:
First, I absolutely and unequivocally believe IT is a full-time job that requires a specialist or team of specialists. We’re long past the point where your nephew who is “good with computers” can adequately handle your company’s IT needs.
Today it’s not just about fixing problems, but rather identifying business goals, putting a plan in place to achieve those goals and constantly evaluating both to make sure they’re relevant and aligned. Furthermore, the fast-changing nature of the industry means just keeping up with the latest trends, practices and standards requires a significant amount of time on top of the mountainous task of daily management and monitoring.
Second, it’s important to understand there are no guarantees throughout any of this. There are no singular answers, no one-size-fit-all solutions. This does not mean the situation is untenable, prohibitively expensive or out of reach (a myth I find myself dispelling quite frequently).
The best approach is a layered approach that includes technical safeguards, as well as education and training for end users. When working with our clients, we try to ensure for any method that exists to circumvent one set of protections, another set of protections exists to prevent it. That may seem obvious, but rarely do I see it executed properly.
While there are a ton of ways to achieve your desired result as it pertains to the specific goals of your company, there are several things that every company, no matter the size, needs to be doing:
1. Get spam protection and business email.
Yes, the email included with your website is free, but you get what you pay for. It lacks the tools and features required to manage it properly and keep it secure.
Email is the most attacked vector with 90% of security breaches originating via email. All companies should be concentrating their efforts here, not just in terms of technical protections, but also user training. Every day we see users who cannot properly identify spam and phishing emails (in their defense it is getting more difficult to do so), people who routinely forward infected emails to other users and people who enter usernames and passwords without checking the URL.
2. Use commercial-grade, routinely updated network equipment.
I see too many instances of something meant for a home being used in a business. There are differences in both the build quality and the lifespan of a commercial piece of equipment, as well as a focus on efficient and feature-rich software.
Commercial-equipment is updated more frequently and has more protections and flexibility than consumer-grade products. While it typically costs more, if you factor the increased lifespan and better performance, you’ll come out ahead.
It’s also becoming standard industry practice to charge a subscription-based fee for network gear software updates, and while it is an ongoing expense it’s also incredibly important to make sure critical infrastructure is always up to date.
3. Ensure regular and timely updates of your computers, servers, operating systems and third-party applications.
If software updates stop because an application has gone end-of-life, then upgrade to its latest version. Line-of-business applications sometimes come with a hefty price tag, but your business would not function without it, so it’s a necessary trade.
Companies that decide not to upgrade hardware or software, whether due to budgetary concerns or just fear of change, may see short-term savings but almost always experience long-term problems.
This affects not just your cybersecurity position but also the ability of your business to respond to and recover from a major systems failure or natural disaster, as well as your ability to adapt to changing market conditions or open new lines of business.
4. Ensure users are restricted using the principle of least privilege for specific needs.
This is not about trust, an individual’s skills, capabilities, or title but rather a pragmatic approach to an overall security plan. Only grant each person access to the minimum they need to perform their job functions and pay special attention to permissions within software and across departments.
Financial software and company data are always at the top of everyone’s mind but don’t forget about things like controlled access systems and phone systems. Having a server that allows you to centralize the management of usernames, passwords and user privileges is key for companies of any size.
Additionally, two-factor authentication (2FA, also referred to as multifactor authentication or MFA) goes a long way to preventing breaches caused by compromised security credentials. It is easier and cheaper to implement than ever before.
5. Follow password best practices!
No other topic in IT has been more thoroughly and exhaustively covered and yet it seems no one follows basic principles, which are:
• Complexity is out, length is in. Without getting too heady about it, the longer a password is the more difficult it is to break and each subsequent character that’s added increases difficulty exponentially.
• Avoid common substitutions like @ for A or $ for S. They are expected and factored into password cracking algorithms. We recommend clients try a full sentence that’s long but easy to remember or a set of words such as “whale-ocean-bridge-rainbow.” Either of these will result in a much more secure password than “P@$$w0rd.”
• Change passwords often. Although the latest cybersecurity guidelines from the National Institute for Standards and Technology recommend not changing your password frequently, that’s only because people tend to use the same password each time with only slight variation, or to use overly complicated passwords and then write them down.
I believe frequent password changes are important; use an entirely new password each time!
• Use different passwords for everything. If you have a hard time remembering passwords, ask your IT consultant about implementing a secure password manager. Do not save passwords in sticky notes on your monitor, contacts in your phone named “Password List” or Excel files on your desktop called “My Passwords.xlsx”.
6. Secure your data at rest and in transit.
When all other methods of protecting your company’s computers have failed, you should have confidence that you’re still secure because whatever data was accessed or stolen is unreadable and inaccessible.
Data encryption is probably one part of IT that has undergone the most change over the years in terms of becoming easily accessible to even the smallest companies. That commercial-grade email solution and spam filter I mentioned earlier? All the best-in-market solutions include email encryption at the check of a box.
Full disk encryption (FDE) is readily available in Windows 10 Pro and Enterprise (the only versions you should be using for business) as well as Windows Server 2016 and 2019. It simply needs to be enabled and configured. Additionally, most modern solid-state hard drives include hardware encryption out of the box.
Each of these areas should be addressed as part of a larger, over-arching security plan intended not just to protect against threats but rather to help your organization better respond to everyday challenges.
When an IT and cybersecurity strategy are properly executed, they are a driver of growth and a foundation on which to build.
Leverage your technology to increase your uptime and productivity. You’ve invested time and money into your business. Make sure it’s protected.
Editor’s Note: Robert Merva is the owner and CEO of Avrem Technologies LLC, a business IT and cybersecurity consulting firm started in 2007 and based in Canfield, Ohio. They monitor and manage the networks, servers, computers and software that their clients rely on every day. By combining a unique approach with years of experience and proven solutions, organizations that use Avrem have more uptime, are more efficient and have better security, all with less headaches. Visit Avrem Technologies at Avrem.com
Bits and Bytes is sponsored content produced by Avrem Technologies LLC
Copyright 2020 The Business Journal, Youngstown, Ohio.