2013

by Erin McDermott.

 

Your staff is your personal cavalry when it comes to running a small business. But how do you keep them on guard for a potential hacking attack? David Lewien is the president of Go West IT, a technology-services company based in metro Denver. (Why Go West? He says it signifies helping clients choose their direction.) Business writer Erin McDermott spoke with Lewien recently about dealing with employees’ personal mobile devices, getting serious about growing threats, and keeping a small business’s staff armed with the information they need.

 

EM: There have been reports that the private accounts of the First Lady, Vice President Biden—even Beyoncé—had been hacked and their personal information stolen. A month ago, it was the New York Times and Washington Post confronting hackers. Is the message starting to filter down to small business customers that data breaches are something they need to be worried about?

DL: I think businesses and individuals are getting the message that security breaches are something that is possible for them and that they should be concerned about. I think there’s still a big gap between the knowledge that it’s a problem and what they should do about it. That gap exists for most small business owners that I talk to. Many don’t know how to prevent breaches or where to turn to for help.

 

EM: Security experts say it’s often an internal factor—they call it “social engineering”—that the bad guys exploit to gain entry. How can small companies work with their staffers to make them more aware that these threats are out there and keep them up to speed on how to prevent problems?

DL: IT security for small businesses is not unlike it is for larger businesses. It’s just a scaled-down version in terms of scope. IT security for small business encompasses a lot of things; social engineering and the entry points through personnel is absolutely a component of that.

 

There are lots of entry points and the approach that businesses should take, from a security standpoint, is to have layers of security that include the use of network security devices, third-party filtering, policies, and procedures to prevent attacks on a very broad scale. Of course, that’s more difficult for small businesses because they generally don’t have the resources, knowledge, or personnel to handle all of these tasks.

 

We recommend some very basic things from a pure operational, functional standpoint. A good business-class firewall—we distinguish that from a consumer-grade firewall. So the firewall you buy at a local retailer isn’t necessarily what a small business should be using. The cost difference between a business-class firewall and a consumer-grade firewall is negligible. The firewall protects the business at the Internet gateway and is the first line of defense between your network and the public Internet. It’s also very important for small businesses to make sure they have a good, business-class antivirus application running on all of their machines and that it’s constantly updating. That’s also relatively inexpensive to put in place.

 

From there, it’s about handling internal resources—personnel. The most important thing, in my opinion, is managing credentials for access to your systems. Having policies, procedures, and controls in place to make sure employees are using complex passwords that are changed on a routine basis—that’s the key to your first line of defense. Then it becomes a matter of educating users about the appropriate use of company resources: the company’s WiFi connection, the personal computers, and even the company websites. That education starts by sitting down with users and saying: “Look, these are the types of threats that we may encounter,” and then set forth ways they can mitigate the risks around those threats.

 

EM: Let’s talk about educating the staff. In the case of the New York Times, it appeared to be rogue emails—for instance, one of those win a free iPad offers—that someone clicked on and gave hackers entry into their system. How can a small business keep everyone informed about these changing threats?   

DL: The key, like any training program, is routine and frequent touches on this. For most of our customers, we recommend that they hit on this on a recurring basis. Keeping employees aware of the risks and the potential damage that can be caused by a breach is something that could be done, say, every two weeks at a staff meeting. Say to them: ‘Hey, everybody. Please remain diligent. We saw again in the paper today that there have been these attempts to gain access to people’s computers by phishing scams, like promising a free iPad. Keep your eyes open for that. Anything that looks out of the ordinary, please be cautious of it.’

 

By bringing this up in a recurring fashion, it seems to have a bigger impact than, say, an annual training session where everyone just signs off on a memo.

 

EM: From the IT security end, what are you seeing with mobile devices?

DL: First and foremost, we see them being connected to the corporate networks. For small businesses, I have not seen a rash of successful attacks launched from those devices, but I personally believe we are headed in that direction. They’re relatively weak from a security standpoint and the people trying to launch these attacks are constantly pushing the envelope and looking for the next best way into corporate networks.

 

Because everyone realizes these devices are connected to corporate networks through WiFi, it’s just a matter of time before we have viruses and spyware that are written to sit in waiting on a personal device. Then once it’s connected to that corporate network, it will do its dirty work, gathering passwords or credentials or mapping the network for a more sophisticated attack. I don’t see it a lot with small businesses yet, and I think a lot of businesses are allowing those devices to be connected to their internal network without an understanding of the risk. As a side note, those devices also consume valuable bandwidth intended for business purposes.

 

My recommendation is that small businesses consider having a separate guest network that’s not part of the company network for employees and these devices. It’s a discussion to have—here’s a connection for your iPhone where you can keep tabs on your kids or whatever you want to do—we only ask that you not connect to the internal corporate network.

 

We can deploy technology to prevent personal devices from connecting to the corporate network but most small businesses aren’t investing in these technologies now. If breaches increase as a result of connecting personal devices, we may start to see smaller businesses stepping up to invest in these systems. Again, education is key. Let people know this is a problem. Tell people to be aware of what they’re doing on their cellphones—and, particularly with iPhones, we would encourage users not to “jail-break”—modifying the phone to run unauthorized software—their devices. There is some security set up around Apple iOS from a supported vendor like AT&T or Verizon, and when they jail-break the devices, they leave themselves wide open to some risks they wouldn’t face if they hadn’t done that.

 

EM: What about regular old company mail?

DL: Aside from web browsing, it’s the most common entry point for spyware and viruses on a network. We recommend to our customers that they implement a good third-party spam and virus filtering solution for their email. Even if filtering is in place, there is still a small chance that phishing emails or viruses can slip through the filters.

 

Then it’s about educating users about clicking on links in emails. Unfortunately, we all need to click on links sometimes—it’s what we do on a regular basis. It is part of how we communicate with the rest of the world these days.

 

It becomes a question of what do we do if we suspect there’s been a problem. The last thing we want is for an employee to be concerned that they clicked on something they shouldn’t have and then don’t say anything about it for fear of losing their job or being reprimanded or being criticized. We tell our people that we want your employees to raise that big red flag when they think something has happened—anything out of the ordinary: “After I clicked on this link, my computer started running slow.” Raise a red flag and have someone check it out. Or when you open Internet Explorer you are suddenly taken to an unfamiliar search page. Those are the symptoms that should raise attention and be sure that someone who knows what they’re doing investigates. Those are telltale signs that something underneath is doing harm. We want users to understand that this can happen to anyone. It doesn’t mean you were doing something you weren’t supposed to. Let’s just identify those problems so they can be remediated.

by Jennifer Shaheen.

 

It took less than a minute—just long enough for the Starbucks barista to confirm my order—for a small business catastrophe to occur. While my back was turned, some sticky-fingered thief swiped my laptop.

 

You can imagine my reaction. Like many small business owners, I used my laptop as a key element in operating my business. Everything was on there: projects in development, banking, employee information and more. Recreating that information from scratch would take hours, weeks—in some cases, months! The risk exposure was tremendous, both financially and in terms of my team’s personal security.

 

But this story has a happy ending. The fact that our company uses cloud-based technology for our operations meant that I could, using my smartphone, remotely disable access to all critical data. The thief had a nice laptop, but they didn’t have a way to rip off my personal or professional information. Better than that? My total downtime was less than ten minutes.

 

What is “the cloud?”

The cloud is just the latest, most powerful incarnation of a very old (in tech-time terms) concept: remote computing. Cloud computing is the delivery of computing services, such as storage or software, over the Internet as opposed to those services being hosted on an individual user’s computer. When you use Gmail or QuickBooks Online, you’re using a cloud-based service.

 

Some cloud-based firms offer free services. Google Docs is a suite of services that provides word processing, spreadsheet, and slide-show software; FreeCRM offers lead management, and Evernote promises to help you remember everything. Other services charge a monthly subscription fee, including Microsoft’s Office 365, Adobe’s Creative Cloud, and 37signals’ Basecamp project management platform.

 

Empowers Innovation

“When a small store I owned needed a better method to log packages in and out, we realized that we would have to create our own,” says Patrick Weir, president of EZTrackIt, a package tracking service. “Cloud computing allowed us to create a solution that could be shared easily among computers, both our own and then to clients. This made the solution possible not just from a technical perspective, but also from a business one.” Without access to cloud-based technology, developing services like this, that depend on access to significant amounts of computing power, would be cost-prohibitive.

 

Enhanced efficiency

“As a small business owner, cloud-based services have streamlined many of my administration functions, provided additional backup for business documents, and enabled easier access to those documents from multiple locations,” says Janet Hoffman, president of HR Aligned Design, a New York City-based human resources consulting firm. “Sharing documents and keeping versions current with multiple parties has become easier.”

 

The cloud has also had a transformative effect on small businesses’ ability to collaborate and compete. Services such as Google Docs and Dropbox facilitate document sharing, while remote conferencing platforms like WebEx and GoToMeeting enable multimedia meetings. The cloud’s ubiquity has made it the go-to solution for connecting with clients and employees, no matter where they’re located.

 

Better backups and superior storage

Computers crash. Clouds don’t. One of the primary benefits of using cloud-based technology is that your business is protected against computer crashes and loss. We can’t forget about operator error, either. Failing to hit “Save” at a critical moment can result in catastrophic data loss. When you’ve got a customer waiting, there’s not always time to re-create all of your efforts. Cloud-based storage preserves your data so it can’t be lost due to human error or natural disasters. Retrieving your data from the cloud is simple and easy.

 

Additionally, the data storage capacity offered by cloud-based services is exponentially greater than the amount the typical small business owner could expect to access on their desktop. The alternative, offline approach would be extremely costly and labor intensive for a small business, as it involves saving data to an external hard drive and then moving that redundant storage platform offsite. 

 

Is the cloud secure?

According to John Souza, president of online training company Social Media Marketing University, choosing the cloud can offer better security than offline options. As proof, Souza cites a recent report by Alert Logic, a cloud-based security provider. That report found 46 percent of corporate security systems were hit by brute force attacks, versus 39 percent of cloud providers. Further, it found malware had gained entry into 36 percent of on-premises computer systems, versus only 4 percent of cloud-based systems.

 

But small business owners still need to do their research. “The bad news is that security on the cloud is pretty uneven. Many sites can and do share all kinds of personal information about their users to other companies and to the world at large,” says EZTrackIt’s Weir. “The good news is that many more sites protect their user data with a zealous passion. The trick is knowing which is which.”

 

When asked for best practices small business owners should follow when using the cloud, Weir points to three simple things to keep in mind: money, reputation, and privacy. For example, that ‘free’ service might not be such a good deal after all. “Every website needs revenue to keep their lights on,” he notes. “If their service is free then odds are they are getting that revenue by selling your information.”

 

“Be aware of what your responsibilities are,” says Hoffman, who cautions small business owners to hold cloud services to the same expectations of security and privacy they would have for on-site data storage. “Depending on the business’s function, these standards may involve legal requirements and could be higher for some than for others,” Hoffman explains. “For instance, there are government regulations about handling credit card information and personal health information. Businesses should move forward with leveraging cloud-based solutions by taking the time to consider all implications for their business.”
