It seems that we are hearing almost daily about security breaches and ransomware attacks. Most of the time these are large corporations and government agencies, so how can we possibly keep ourselves protected when they can’t?
To start with, we don’t need to be as secure as these other targets because we don’t have as much to protect. No hacker organization is going to expend massive resources attempting to hack into your system to gain access to your Facebook account. I’m sorry to be so blunt, but you just aren’t worth the trouble.
These large entities have data that is worth billions of dollars when resold. Tens or hundreds of thousands of credit cards, top secret information that foreign governments will pay millions or billions of dollars for, etc. The pictures of your niece are cute and all, but just not worth that kind of money on the open market.
What all this means is that you have to protect yourself and your business against a different class of threat. This threat will most likely not be as sophisticated or as relentless as the ones against the larger targets but it might be no less devastating to you if it happens.
Standard protection software
Absolutely the first thing to consider is your protection software. Most people refer to this as their antivirus software although the primary protection these days is more from spyware and other malware. Do not skimp here, get the best you can that fits with your situation. This means that if you are a home user, you should get the best home antivirus you can, don’t get one just because the advertisement looked good. The same goes for a small business.
The good news here is that I have already put together a nice article you can read to see exactly how to pick out the best antivirus solution for yourself. For those of you who don’t want to go read another article right now, the best antivirus solutions on the market for home users or small business users is Kaspersky and Bitdefender. Either of these will be excellent protection.
One of the biggest threats today is ransomware. This is a nasty form of malware where the software encrypts your files so that you can not read them. They then want you to pay them to decrypt those files and gain access to them again.
In every case I have seen, those who paid got their data back. Included in the list of people who paid ramsonware authors are US government agencies, hospitals, local police departments and many small business owners and home users.
Fortunately, excellent protection can be had simply by downloading CyberReason RansomFree and installing it on every Windows computer you have, all for free.
I have had clients who would have been destroyed had it not been for this software. I know it works, and I know it works well. While nothing is perfect, this is excellent protection at no cost so if it isn’t installed on your Windows computers hackers will just assume you want to be infected.
It is amazing how many people I hear a week tell me they need me to get their data back off their computers, and when asked what kind of backups they have, they have none. If you have no backups of your data, get some kind of backup right now. Even if it is a horrible type of backup, any type is better than none.
The easiest is a simple cloud backup solution.
Many providers such as BackBlaze offer solutions that can back up your computer in real time to the cloud. The advantages here are that the backup is automatic, it is in real time, it is backup up outside your home or business to protect against fire/flood/theft and versioning to protect against ransomware.
You might have read that term versioning and be wondering what that is. Versioning means they keep multiple versions of the same file. When a file is changed, the new version of that file is backed up but does not overwrite or replace the old version, it is simply kept as another version of the same file.
When ransomware hits and encrypts your files, those encrypted versions of your files are backed up. If you do not have a backup solution with versioning, those encrypted files now replace your usable files on your backups, making the backups useless.
Local backup and hybrid backups
Sometimes clients can not keep backups online due to security or legal concerns, or it may not be practical given the amount of data they have to backup. They may also want a solution that has both a local backup for speed of recovery, and a cloud backup for protection against fire/flood/theft.
For these situations you should try a solution such as CloudBerry Backup. This software is extremely affordable, very reliable, awesomely flexible and comes with some of the best technical support in the industry. I recommend this solution to virtually all my business clients who for whatever reason are not ready to go to the cloud.
CloudBerry allows you to back up your data to one or more local destinations (including rotating hard drives, NASs, remote shares, etc) and also supports a huge array of online destinations such as Amazon and other cloud providers. You can backup locally only, online only, or any combination of the two. Heck I think you can backup multiple local machine to multiple local and online destinations all at the same time.
Here is something you can do right now that will not cost a dime and can dramatically increase the security of your network, have everyone change their password to something long, complex, with numbers, letters, symbols and both lower case and capital letters. This should be something that is impossible to guess, even for other employees or family members.
Next, make sure that your users do not write the password down somewhere that someone else can find it. This means no post it notes, no sticker on the bottom of the keyboard, etc. If they need to keep the password somewhere because they can not remember it, try a password program like 1Password.
Programs like 1Password allow you to keep a synchronized list of passwords on your computer, phone and tablet. They also can tell you if the password is a secure one or not. Small investment, big returns.
Next, get in touch with your IT provider and ask them for a list of all usernames and passwords they have. These should include things like your server’s administrator account, routers, switches, phone PBXs, etc.
Don’t be surprised if the usernames and passwords from the IT people are horribly simple and obvious, or if they just left the information as it came from the factory. IT staff are usually very good at reading their clients and understanding the level of complexity in a password that particular client can handle. If you ask that same IT staff what their passwords are on their home equipment, chances are they are far more secure than you would think.
Once you have this list, check it to make sure it looks secure and if it is not, ask your IT staff to secure it regardless of how loud you scream when you see what they pick for passwords.
The credential problem
You have a variety of vendors and one of them needs access to your server to install some software. The knee jerk reaction is to give them the administrator username and password. Please don’t. Ask your IT staff to create an account for them with the permissions they need, then give them this information. Then your IT staff can disable this account when the job is done.
This should be done whenever anyone needs access to one of your systems. Do not just give them whatever credentials are handy. Do you really know who works for your vendors? What hiring procedures do they use to make sure your data is in safe hands?
Most of the time you can trust your IT staff because you can actually meet with them and shake their hands. While this doesn’t give you any guarantees it certainly does reduce the chances of being taken. It is very difficult to measure someone over the phone, particularly when they may let some employee remote in without you ever even knowing who that particular person is or why they are there.
Pick your IT staff/provider
One thing I constantly see that really horrifies me is people, and even companies, using friends who know a lot about computers to keep them running. This may sound like a good idea, my buddy just fixed my issue with an infected computer for $30 that the IT company wanted $120 to fix, awesome!
Sure, assuming that friend actually removed the whole infection and did something to help it not come back, you saved a few bucks. But the experienced tech might have seen something else that was a problem and saved you something else down the line. When it comes to IT these days, you need experience, not a bargain.
Of course, feel free to ignore that advice because clients that get up a creek by inexperienced techs make my day when I have to charge the heck out of them to get them out of that jam. I make way more money off fixing other techs screwups than I do with preventive measures off a client.
I had a tech and a parts supervisor look at me like I had killed Santa Claus when I told them that Amazon has fake reviews and they should use a tool like FakeSpot.com to verify the products before they just order something with positive reviews. Their jaws dropped, a little drool came out of the corner of their mouths, and this haze came over their eyes.
After a few minutes they could talk again and they just could not believe that reviews could be faked. Then I told them that it applies to other website like Yelp, TripAdvisor, Apple, and NewEgg. There went the Easter Bunny as their jaws headed south again.
Talk to your IT staff/provider
You know your business, your IT staff knows your IT. If you want to know how secure your IT is, ask your IT staff. Never assume. We constantly are forced to make decisions based on not just how secure your data should be, but how much of an IT budget you have and much more. Your IT staff will secure your infrastructure as best they can given the rules, abilities, resources and funds that you provide.
The first thing you should ask is how secure the IT staff thinks you are, and what they would like to see happen to make it more secure. Ask them how much it will cost. Then ask them if you add 25% to that amount will that make a substantial difference? You need to have them tell you what they really think, not what they think you can afford.
In reality, most of my clients are relatively secure. They are not bulletproof, but for what they have and can afford, they are doing pretty well. Substantially increasing what they pay me would not substantially increase their security. In fact, if it were up to me they would pay more to other people for services such as cloud backups rather than to me.