These days IT (Information Technology) is a huge part of business. Gone are the days (even for tradies) when you didn’t need a computer or tablet. Most businesses use computers for more than just ‘sending the occasional email’. We are becoming more and more reliant on IT and using it for everything from banking through to managing our jobs, team and marketing. I should emphasize I am NOT an IT specialist. However, an article written by a non-IT guru might be a good thing; for a start it’s in a language the average business owner can read. Unfortunately, IT is one of the neglected areas in business; we focus so much on marketing, sales and delivery that we often run out of time for many of the back-end tasks. Please don’t ignore this issue; I very much hope you never say “OMG, I wish I’d actioned what Donna wrote in that blog!!!!”
How to protect your business using IT
Get an IT person
Have someone on call you trust, who knows your systems, is good at their job and generally available. It’s all very well to have the perfect person, but it is no help if your system crashes and they can’t get to you for a week. Cheap is not always best, but then neither is the more expensive. I’ve heard horror stories on both ends. Think of this person as a member of your staff; check them out, talk to them and ensure the fit is right. Do all this before you have an urgent need, perhaps for some general maintenance or an upgrade.
Communication
Have great communication with them. If my guy tells me something I don’t understand, I’ll say “I don’t understand”, rather than nodding and worrying about looking stupid. I believe in knowing enough about IT that I can manage it and talk to my specialist, without having to know every aspect of the industry. Know enough that you can trust them, but not so much that you will micro-manage them. If you have contractors, have a strategy for them. Remote workers are often a target for hackers; they often connect to the network through non-secure public hot spots, which can be very risky.
Admin Privileges
These should be restricted to those who need access. Don’t leave it with just one person (who presumably at some point will get holidays), but also don’t leave your system open to every person in the building. As your business and team grow, so does the number of people accessing it. People make mistakes, delete things by accident, stuff things up, or on occasion (say after being dismissed) can be malicious. Restrict everyone’s access to what they actually need. This also goes for your accounting software: you should have admin rights yourself, and give others access only to the functions they need.
Passwords
Use them and keep a register of all passwords, including who has access to them. Do not leave this list lying around. If someone leaves, it’s easy to see what they had access to and change that password. Do not give everything the same password; if someone cracks one, they are into everything. Do not use your kids’ names, your dog’s name, your date of birth, 1111 or other obvious things. FYI, the most commonly used passwords are 123456 (or variations on that), qwerty, football and yes, password. Use none of these. Go for ones which are a mix of letters and numbers and don’t make sense; they are harder for people to guess. Also ensure no one (bar the business owner) has access to all passwords; decentralise this. However, as the business owner, ensure YOU know all passwords. The worst time to be chasing them is when someone is leaving, or you have to sack your contractor (and beg them to give you the passwords).
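The register described above can be more than a list on paper. Here is an added example (not from the original post) of a small password register that records which system each credential belongs to and who holds it, and answers the questions the post raises: which passwords are on the common list or lack a letter/number mix, which password is reused across systems, what must be rotated when a person leaves, and where the business owner is missing or a single person is the only holder. The register entries, names and passwords are constructed for illustration; a real register belongs in a password manager, not in a script.

```python
from collections import defaultdict

# Constructed sample register; the passwords are deliberately poor examples.
REGISTER = [
    {"system": "accounting", "password": "Fluffy2010", "holders": {"donna", "bookkeeper"}},
    {"system": "email-admin", "password": "x7Qp!m29Lz", "holders": {"donna", "it-contractor"}},
    {"system": "website-cms", "password": "x7Qp!m29Lz", "holders": {"donna", "marketing"}},
    {"system": "wifi-office", "password": "password",
     "holders": {"donna", "bookkeeper", "marketing", "it-contractor"}},
    {"system": "social-media", "password": "Sunny!Days42", "holders": {"marketing"}},
]

# The most-used passwords the post lists, plus a few obvious variations.
COMMON_PASSWORDS = {"123456", "12345678", "123456789", "qwerty", "football", "password", "1111"}


def weak_entries(register):
    """Systems whose password is on the common list or is not a mix of letters and numbers.
    Note the limits of a simple rule: 'Fluffy2010' (pet name plus year) passes the mix
    check, so this is a floor, not proof of a good password."""
    weak = []
    for entry in register:
        pw = entry["password"]
        on_list = pw.lower() in COMMON_PASSWORDS
        mixed = any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
        if on_list or not mixed:
            weak.append(entry["system"])
    return weak


def reused_passwords(register):
    """Map each password used on more than one system to the systems sharing it."""
    by_password = defaultdict(list)
    for entry in register:
        by_password[entry["password"]].append(entry["system"])
    return {pw: systems for pw, systems in by_password.items() if len(systems) > 1}


def systems_to_rotate(register, person):
    """Everything a departing person could log in to; rotate these on their last day."""
    return sorted(e["system"] for e in register if person in e["holders"])


def missing_owner(register, owner):
    """Systems the business owner cannot get into (the post: the owner must know them all)."""
    return [e["system"] for e in register if owner not in e["holders"]]


def single_holder(register):
    """Systems where only one person holds the password (the 'on holiday' problem)."""
    return [e["system"] for e in register if len(e["holders"]) == 1]


if __name__ == "__main__":
    print("weak:", weak_entries(REGISTER))
    print("reused:", reused_passwords(REGISTER))
    print("rotate when bookkeeper leaves:", systems_to_rotate(REGISTER, "bookkeeper"))
    print("owner missing from:", missing_owner(REGISTER, "donna"))
    print("single holder:", single_holder(REGISTER))
```

Running it on the constructed register flags the shared Wi-Fi password, the password reused between the email admin and website logins, the two systems to rotate when the bookkeeper leaves, and the social-media login that only marketing can reach.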
Policy & Education
As your business grows, have a policy around IT. Things like not sharing your password, not loading up software and, in fact, not even downloading screen savers. This policy should include appropriateness, such as pics of ‘girls’ on the screen which some staff may find offensive. Of course, if staff are suitably blocked it makes it harder for them to do the wrong thing. Egress Software Technologies stated that 62% of data breaches occurred as a result of human error. Let’s reduce that factor in our own businesses. Also ensure all staff NEVER click on attachments or links they do not know. This can be a little harder if you, say, have Origin as your electrical supplier and there is a scam going around with a fake bill from Origin. Be sharp and really look at the email address it came from; click on ‘reply’ and the address will be different from the authentic one. If you do print something confidential, be sure that you and your staff shred it.
Backup
Remember that ransomware can travel through the cloud, so have a backup system which is separated/disconnected from the main system. You might use a combination of cloud backup and, on occasion, an alternative system which is disconnected other than at actual backup time. If your system crashes, you get a virus or some other malicious activity, you will love your backup … it might even save your business.
Antivirus Software & Updates
At the very least you should have anti-virus software (including detection of Trojan horses), anti-spam software and anti-phishing software. Don’t forget firewalls also. There are many options out there, some even free. There are also stories of some downloads available online having a virus built into them. Buy only from a trusted source and one which your IT specialist strongly recommends. It may sound obvious, but be sure to run updates. This ensures your anti-malware, anti-virus and other software is current. Even better, set your system to update automatically so that it’s not human driven.
Configure Microsoft Office & Web Browsers
Macros in documents from the internet should be blocked, and only vetted macros allowed: either those in ‘trusted locations’ with limited write access, or those carrying a digital signature from a trusted certificate. In respect of web browsers, you may want to block Flash (better to uninstall it), ads and even Java on the Internet.
Whitelisting
Use application whitelisting to help prevent malicious software and unapproved programs from running.
Automated analysis
Set up analysis of email and web content, run in a sandbox, with a block applied if suspicious behaviour is identified, e.g. network traffic, new or modified files, or other system configuration changes. If your system is running strangely and suddenly slow, this can be a sign of suspicious behaviour; investigate it.
Email & Web content filtering
Whitelist allowed attachment types (including inside archives and nested archives). For websites, whitelist those with good reputation ratings.
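An attachment-type whitelist is easy to state and easy to get wrong: the check has to look inside archives, inside archives within archives, and at the real last extension of a name like “invoice.pdf.exe”. The following is an added example, not code from the original post, of such a check over zip attachments, with a nesting limit and a member limit so that a crafted archive cannot make the filter itself work forever. The sample attachments are constructed in memory; the allowed-type list is an assumption, and a real deployment would use the business’s own list.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed whitelist: everything not listed is rejected, including names with no extension.
ALLOWED = {".pdf", ".docx", ".xlsx", ".jpg", ".png", ".txt", ".zip"}
ARCHIVE_TYPES = {".zip"}
MAX_DEPTH = 3        # archives nested deeper than this are rejected outright
MAX_MEMBERS = 1000   # archives with more members than this are rejected outright


def attachment_violations(name, data, depth=0):
    """Return the paths (outer.zip/inner.zip/file) whose type is not allowed.
    An empty list means the attachment may be delivered."""
    # PurePosixPath.suffix gives the LAST extension, so 'invoice.pdf.exe' is '.exe'.
    suffix = PurePosixPath(name).suffix.lower()
    if suffix not in ALLOWED:
        return [name]
    if suffix not in ARCHIVE_TYPES:
        return []
    if depth >= MAX_DEPTH:
        return [f"{name} (nesting deeper than {MAX_DEPTH})"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
            if len(members) > MAX_MEMBERS:
                return [f"{name} (more than {MAX_MEMBERS} members)"]
            violations = []
            for info in members:
                if info.is_dir():
                    continue
                inner_name = f"{name}/{info.filename}"
                violations.extend(attachment_violations(inner_name, zf.read(info), depth + 1))
            return violations
    except zipfile.BadZipFile:
        return [f"{name} (corrupt archive)"]


def build_zip(files):
    """Helper to construct a zip archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in files.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def nested_zip(levels):
    """Constructed archive with `levels` zips nested inside the outer one."""
    data = build_zip({"a.txt": b"ok"})
    for i in range(levels, 0, -1):
        data = build_zip({f"z{i}.zip": data})
    return data


# Constructed sample attachments (the content bytes are placeholders, not real files).
INNER = build_zip({"invoice.pdf": b"%PDF-1.4 constructed", "invoice.pdf.exe": b"MZ constructed"})
OUTER = build_zip({"report.docx": b"PK constructed", "inner.zip": INNER})
CLEAN = build_zip({"photo.jpg": b"\xff\xd8 constructed"})

if __name__ == "__main__":
    print(attachment_violations("outer.zip", OUTER))     # the .exe hidden two levels down
    print(attachment_violations("photos.zip", CLEAN))    # []
    print(attachment_violations("setup.exe", b"MZ"))     # ['setup.exe']
    print(attachment_violations("deep.zip", nested_zip(3)))
```

Whitelisting, rather than blacklisting, is what makes the unknown-extension and no-extension cases safe by default; the depth and member caps are the practitioner’s protection against archives built to exhaust the filter.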
Control what goes out
If you are a larger company, or have issues around staff stealing confidential data or IP, then control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. If you are allowing documents to go on a flash drive, ensure everything is password protected. Frighteningly, flash drives are lost more often than we’d like to believe.
Secure notebooks
There is now biometric fingerprint recognition on notebooks and laptops. At the very least, invest in a $20 security cable (akin to a bike lock) so you can keep the laptop connected to a desk. Never leave these lying around, and train staff to be security-conscious. It’s not just the value of the laptop (some are very cheap, others really expensive); it’s what is on it that often contains the real value. Full disk encryption is another option. Also, for Apple products, utilise the feature “Find My Mac” or “Find My iPhone”. When I talk about notebooks, remember also that phones now contain so much information, so apply these concepts to all mobile devices.
Network segmentation
Where appropriate, separate your network so that any confidential or highly classified information is kept apart from general areas which have access to the internet, email etc.
Administrative privileges
These should be tightly controlled. It is important that only limited and key staff have them. When an adversary targets a system, they will primarily look for user accounts with administrative privileges. Disable local administrator accounts.
Monitoring your System
Microsoft have a System Monitor tool called Sysmon (free I believe) which is a good entry-level tool. It has a heap of features. https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
Insurance
You can get business insurance which is related to IT, security, breaching of your system and more. Talk to your insurance broker on what might be useful and relevant.
Maintenance
If you don’t have time for this, get your IT person in regularly. They can even do this remotely most of the time. Everything from ensuring updates are current, cleaning up, deleting junk and generally ‘servicing’ your system; it is not that much different from your motor mechanic servicing your car.
Plan for a crisis
None of us wants anything bad to happen. But it can. What is your backup plan if the worst happens? It might be ransomware where someone is demanding $50K and you can’t/won’t pay it. It might be a theft of computers, fire in your premises, floods … the list could go on. What is your plan? It’s easy enough to go out and buy a laptop or computer, but what happens from there? The best time to plan for a crisis is well before it occurs. Remember it’s not just your documents; it’s all your email addresses/contacts, perhaps tasks, diary, schedule, appointments, email signatures and much more. Have a disaster recovery plan which means you’re back in business as quickly as possible (possibly before your clients, customers or competition even discover).
This is just the tip of the iceberg, but a good starting point. Talk to your IT specialist as I am sure they will give you relevant advice for your business and situation. Don’t leave this for ‘tomorrow’ as you never know when something might happen. So many businesses are technology-based and rely on their data, computers and systems, so it’s important that they are in optimum shape from an IT perspective.
If you need IT contacts or whatever your business needs, email me at donna@donna-stone.com.au and I can refer you to someone. With my business coaching services and network, I know of people to connect you with.