If you run your business using mobile technology, paul rigby advises how to maintain security
In today’s market, wireless is increasingly becoming king. Many devices don’t even arrive with an Ethernet port. Working remotely—whether that’s from home, a client site or even a hotel room across the country—is now a fact of life for many businesses. But it’s important to remember that you can’t forget about security just because your users aren’t on-site. Small businesses can still be held liable for data breaches as the result of a lost laptop and attackers can intercept sensitive data being transmitted across wireless network. Businesses need to ensure their informationsecurity strategy extends beyond the office so that their data and network remain safe.
PROTECT THE ENDPOINT
What happens if an employee’s laptop gets misplaced or stolen? Sensitive data such as employee records or client information can potentially be exposed. Because of that, make sure all computers issued to these employees have full disk encryption. It’s easier than it used to be, since modern operating systems now ship with built-in encryption programs. BitLocker is available for Windows users and FileVault 2 was first introduced in Mac OS X Lion.
If the employee is using his or her own computer for work, ask the employee to encrypt the drive. Disk encryption makes it extremely difficult for attackers to retrieve data from machines. It’s the first line of defence and should not be ignored. If USB sticks are popular in your workplace, encourage everyone to use encrypted drives. Make sure everyone has one—at the minimum—so that sensitive data is always copied onto secure devices. Since we are already talking about laptops, go ahead and set up a password to lock down the BIOS as well. It’s great you have the Windows accounts locked down so that thieves can’t log in and encryption means they can’t read the saved data but what about the BIOS? A password-protected BIOS means the attacker cannot just boot off a USB stick or CD and muck around your hard drive. Set the hard disk first on the boot order list in the BIOS and then set a password for the BIOS. That means a thief cannot try to use USB or CD to boot up and cannot get into the BIOS to change it.
Just because the employee isn’t in the office doesn’t mean he or she should be exempt from regular software updates and patching. Set up all devices to automatically download and install patches as they become available. Require employees to connect to the corporate network on a regular basis so that updates can be pushed to their machines. Considering how many devastating attacks have targeted unpatched security flaws, it’s important to make sure all software packages are updated regularly. Have the latest security software, Web browser and operating system installed. Turn on the firewall on your operating system, too.
Consider whether your employees really need administrator access. A lot of attacks nowadays take advantage of the fact that users have full privileges over the machine. Create user-level accounts for employees and restrict what they can or cannot do. That way, if they are infected with malware, that rogue program is also restricted in what it can do on the machine. Rethink whether employees should be able to install software without IT knowing about it. Only trusted IT staff should have full access over the endpoint.
Look into setting up a Virtual Private Network server to ensure employees are connecting back to work systems over a trusted connection. VPN doesn’t have to be super-difficult or onerous. Some routers can support a handful of VPN connections and Windows offers a built-in client. If you don’t need a full-blown VPN setup, protect your users with a VPN service. It’s the best way to make sure eavesdroppers don’t intercept sensitive data when employees connect to public networks.
Protect the smartphone, too, along with all the emails, documents and contracts that might be vulnerable on it. Make sure all devices have a lock—not just a screen swipe but an actual passcode or pattern. And if you have the option to, use something stronger than a 4-digit PIN. iPhone users should be encouraged to use the fingerprint sensor. These measures make it harder for thieves to snoop around the device. Many devices can also be configured to wipe all the data after a set number of incorrect attempts to unlock the screen. Make sure there is a way to remote wipe mobile devices if they ever get lost. That could be accomplished through a business-wide mobile device management platform or asking users to turn on the relevant setting on their mobile device’s operating system.
TRAIN EMPLOYEES
Yes, passwords aren’t perfect but they’re what we’ve got right now so we need to work with the system. Educate employees to make sure they are using strong passwords on all accounts, hardware and services. Provide single sign-on where possible and look into two-factor authentication where it makes sense. And make sure all user passwords are changed frequently. If single sign-on isn’t a possibility and using strong passwords and changing them frequently sounds difficult (it is), consider using a password manager.
Extend the password education to password hints so that users learn why they shouldn’t use real information. Instead of putting in the model of your first car or mother’s maiden name—which could potentially be mined from social-networking sites and other sources of information—users should be encouraged to lie and put in a fake answer that they alone would know.
Teach employees the warning signs of phishing, so that at least some are stopped and trashed. The goal isn’t necessarily to make it so that employees would identify every phishing email but you can make employees question whether some messages are real or not. Emphasise that phishing can first target personal online accounts, before piggy-backing onto corporate information. IT shouldn’t be relying on users to stop 100 percent of all phishing attacks but if users get in the habit of reporting suspicious messages, that can help block some attacks.
Create policies and explain why users can’t do certain things. If you are worried about users uploading sensitive files to cloud services, use Web filtering to restrict access to Google Drive, Dropbox, etc. If you do wind up doing that, make sure your users are educated about why the policy exists and, more importantly, set up approved processes for file-sharing and collaboration. Don’t just shut down employees from doing certain things—give them alternatives so that they aren’t tempted to sneak around.
SECURE EVERYTHING ELSE
As more and more people take advantage of modern technology to work outside the office, the pressure is on to make sure their employees are protected, the data is secure and that servers and systems aren’t vulnerable to attacks. Regularly back up data on all remote machines. Stay vigilant and keep an eye on what mobile workers are doing. Security isn’t just something for within the four walls. Make sure your end users don’t inadvertently download and install malware that can travel through your network.
Just because you are a small business doesn’t mean your data and employees aren’t at risk. Consider where the danger points are and take advantage of built-in tools when you can. Even taking small steps is better security than not doing anything at all.
