Where is the Security Button?

Effective steps for businesses of all sizes

2018 began with the announcement of another computer system vulnerability.  The Meltdown and Spectre susceptibilities are particularly interesting to those of use who work in technology every day because the flaw is in the design of the computing hardware.   

While there are no known successful exploits of this vulnerability, a staggering number of “bad-actors”, both criminal and state-sponsored, are working hard to exploit any vulnerability. For examples, a much more easily managed vulnerability resulted in the 2017 exodus of personal information for more than 142 million people at Equifax.

What can I do?

How do you, as the owner of a small business, manage the risk when huge corporations like Equifax cannot? While there is no perfect answer, you can take effective action.  The following guidelines can significantly reduce your risk.

Training

No one working in an office should touch a keyboard without a basic understanding of the fundamental components of a computer system, and how it can be attacked or compromised.  The concepts are simple and the training is easily obtained.

Now “con-artists” are called social engineers

While the names have changed, the concepts are the same.  Silver-tongued crooks can talk unsuspecting employees into giving up confidential information, including passwords and system access information.  Industry researchers estimate that 50%of known system breaches stem from human failures - either social engineering or disgruntled employees.  Employee training, and diligent password and system access management, can effectively address this type of vulnerability.  Make your employees aware of potential exploits and implement policies on the handling of passwords and other system access information.  Manage passwords and system access to minimize the damage a disgruntled employee can do.

Implement and enforce good password policies

Flawless software and impenetrable security measures are useless where there is no password discipline.  Sharing user accounts, putting passwords on sticky notes, simple passwords or passwords that never change are common practices that undermine information security.  Poor password management will undermine all other security efforts.

Don’t open the door for hackers

System vulnerabilities, by themselves, are not the problem.  The real problem is malicious software introduced into a system that exploits the vulnerability.  Malicious software can get past network firewalls and infect company systems in many ways, but one method stands above all others.  E‑mail. Email can contain malicious attachments and/or links.  The unwitting recipient can easily by-pass security precautions and install malicious software.

This, again, is a training issue.  Employees need to understand how they can be fooled by seemingly harmless e-mail messages.  Employers are well advised to provide only as much access as employees need to modify the software on work computers.

Maintain your systems

It is essential that you apply the latest patches and updates to your systems.  The debacle at Equifax last summer was probably avoidable, because the vulnerability was known, but uncorrected.  Timely updates to the servers could have averted the catastrophe.

Find a partner

Important as it is, it can be difficult for small businesses to maintain complex technical infrastructure.

Information security is a complex topic.  Small business and many medium sized businesses cannot afford to hire and train the experts needed to address security challenges.  Fortunately, consultants, integrators and technology brokers can meet this need.

A carefully chosen partner can provide the policies and training you need to avoid a catastrophe.   strong partner can provide a technology roadmap and system architecture that minimizes your exposure to information security vulnerabilities.  Finally, a technology partner will help you select technology providers who can support your system architecture and technology roadmap.

Security and Cloud computing

The conversation with your technology partner will soon turn to cloud computing.  Cloud computing gives small and medium companies access to massive computing capability.  Businesses use, and pay for, only the capacity that is needed to do their work. 

The cloud model has many advantages.  The purchase, implementation and maintenance of computing infrastructure is provided by the vendor.  The vendor is also responsible for managing system updates and addressing system vulnerabilities as soon as they are identified.

Cloud service vendors must provide a secure platform to their customers. In general, they do a very good job.  These providers employ dozens of information security specialists and constantly monitor the environment for malicious use and ensure system stability.

Summary

There is no perfect answer to the problem of information security.  The good news for business owners is that the problem can be managed.  Small and medium companies can implement policies that effectively address half of the risk.  Partnerships with the right technology providers address the remaining risk by ensuring your computing infrastructure is well defended today, and well positioned to address new challenges tomorrow.

Michael Williams is the founder and CEO of Complete System Design, Inc.  a New Hampshire corporation established to provide technology solutions to small and medium sized organizations in our region.