Your staff is your personal cavalry when it comes to running a small business. But how do you keep them on guard for a potential hacking attack? David Lewien is the president of Go West IT, a technology-services company based in metro Denver. (Why Go West? He says it signifies helping clients choose their direction.) Business writer Erin McDermott spoke with Lewien recently about dealing with employees’ personal mobile devices, getting serious about growing threats, and keeping a small business’s staff armed with the information they need.
EM: There have been reports that the private accounts of the First Lady, Vice President Biden—even Beyoncé—had been hacked and their personal information stolen. A month ago, it was the New York Times and Washington Post confronting hackers. Is the message starting to filter down to small business customers that data breaches are something they need to be worried about?
DL: I think businesses and individuals are getting the message that security breaches are something that is possible for them and that they should be concerned about. I think there’s still a big gap between the knowledge that it’s a problem and what they should do about it. That gap exists for most small business owners that I talk to. Many don’t know how to prevent breaches or where to turn for help.
EM: Security experts say it’s often an internal factor—they call it “social engineering”—that the bad guys exploit to gain entry. How can small companies work with their staffers to make them more aware that these threats are out there and keep them up to speed on how to prevent problems?
DL: IT security for small businesses is not unlike it is for larger businesses. It’s just a scaled-down version in terms of scope. IT security for small business encompasses a lot of things; social engineering and the entry points through personnel are absolutely a component of that.
There are lots of entry points and the approach that businesses should take, from a security standpoint, is to have layers of security that include the use of network security devices, third-party filtering, policies, and procedures to prevent attacks on a very broad scale. Of course, that’s more difficult for small businesses because they generally don’t have the resources, knowledge, or personnel to handle all of these tasks.
We recommend some very basic things from a pure operational, functional standpoint. A good business-class firewall—we distinguish that from a consumer-grade firewall. So the firewall you buy at a local retailer isn’t necessarily what a small business should be using. The cost difference between a business-class firewall and a consumer-grade firewall is negligible. The firewall protects the business at the Internet gateway and is the first line of defense between your network and the public Internet. It’s also very important for small businesses to make sure they have a good, business-class antivirus application running on all of their machines and that it’s constantly updating. That’s also relatively inexpensive to put in place.
From there, it’s about handling internal resources—personnel. The most important thing, in my opinion, is managing credentials for access to your systems. Having policies, procedures, and controls in place to make sure employees are using complex passwords that are changed on a routine basis—that’s the key to your first line of defense. Then it becomes a matter of educating users about the appropriate use of company resources: the company’s WiFi connection, the personal computers, and even the company websites. That education starts by sitting down with users and saying: “Look, these are the types of threats that we may encounter,” and then set forth ways they can mitigate the risks around those threats.
EM: Let’s talk about educating the staff. In the case of the New York Times, it appeared to be rogue emails—for instance, one of those win a free iPad offers—that someone clicked on and gave hackers entry into their system. How can a small business keep everyone informed about these changing threats?
DL: The key, like any training program, is routine and frequent touches on this. For most of our customers, we recommend that they hit on this on a recurring basis. Keeping employees aware of the risks and the potential damage that can be caused by a breach is something that could be done, say, every two weeks at a staff meeting. Say to them: “Hey, everybody. Please remain diligent. We saw again in the paper today that there have been these attempts to gain access to people’s computers by phishing scams, like promising a free iPad. Keep your eyes open for that. Anything that looks out of the ordinary, please be cautious of it.”
By bringing this up in a recurring fashion, it seems to have a bigger impact than, say, an annual training session where everyone just signs off on a memo.
EM: From the IT security end, what are you seeing with mobile devices?
DL: First and foremost, we see them being connected to the corporate networks. For small businesses, I have not seen a rash of successful attacks launched from those devices, but I personally believe we are headed in that direction. They’re relatively weak from a security standpoint and the people trying to launch these attacks are constantly pushing the envelope and looking for the next best way into corporate networks.
Because everyone realizes these devices are connected to corporate networks through WiFi, it’s just a matter of time before we have viruses and spyware that are written to sit in waiting on a personal device. Then once it’s connected to that corporate network, it will do its dirty work, gathering passwords or credentials or mapping the network for a more sophisticated attack. I don’t see it a lot with small businesses yet, and I think a lot of businesses are allowing those devices to be connected to their internal network without an understanding of the risk. As a side note, those devices also consume valuable bandwidth intended for business purposes.
My recommendation is that small businesses consider having a separate guest network that’s not part of the company network for employees and these devices. It’s a discussion to have—here’s a connection for your iPhone where you can keep tabs on your kids or whatever you want to do—we only ask that you not connect to the internal corporate network.
We can deploy technology to prevent personal devices from connecting to the corporate network but most small businesses aren’t investing in these technologies now. If breaches increase as a result of connecting personal devices, we may start to see smaller businesses stepping up to invest in these systems. Again, education is key. Let people know this is a problem. Tell people to be aware of what they’re doing on their cellphones—and, particularly with iPhones, we would encourage users not to “jail-break”—modifying the phone to run unauthorized software—their devices. There is some security set up around Apple iOS from a supported vendor like AT&T or Verizon, and when they jail-break the devices, they leave themselves wide open to some risks they wouldn’t face if they hadn’t done that.
EM: What about regular old company mail?
DL: Aside from web browsing, it’s the most common entry point for spyware and viruses on a network. We recommend to our customers that they implement a good third-party spam and virus filtering solution for their email. Even if filtering is in place, there is still a small chance that phishing emails or viruses can slip through the filters.
Then it’s about educating users about clicking on links in emails. Unfortunately, we all need to click on links sometimes—it’s what we do on a regular basis. It is part of how we communicate with the rest of the world these days.
It becomes a question of what do we do if we suspect there’s been a problem. The last thing we want is for an employee to be concerned that they clicked on something they shouldn’t have and then don’t say anything about it for fear of losing their job or being reprimanded or being criticized. We tell our people that we want your employees to raise that big red flag when they think something has happened—anything out of the ordinary: “After I clicked on this link, my computer started running slow.” Raise a red flag and have someone check it out. Or when you open Internet Explorer you are suddenly taken to an unfamiliar search page. Those are the symptoms that should raise attention and be sure that someone who knows what they’re doing investigates. Those are telltale signs that something underneath is doing harm. We want users to understand that this can happen to anyone. It doesn’t mean you were doing something you weren’t supposed to. Let’s just identify those problems so they can be remediated.