The basics of IT security

Let’s start off with an uncomfortable truth. The bottom line is that your IT systems are vulnerable. As you’ll have seen in the press, even with access to the best technology and talent, high-profile businesses, financial institutions, and governments are not immune to the possibility of an IT breach.

For an SME or sole trader without access to those high-level defences, not only is a breach possible, it’s likely to be a relatively easy task for a skilled operator. The sad truth is that there is probably no way to stop a determined expert from getting access to your system.

Now the reality check. Before you permanently disconnect from the internet, it’s worth remembering that most of us are of little interest to a malicious hacker. The amount of work required to get into our systems is probably more effort than the return is worth. In truth, most security issues on small business IT systems happen because we accidentally created an easy opportunity. Think of it like encountering a pickpocket. If you carry your wallet where it can be easily accessed in high-traffic tourist areas, you’re far more likely to get robbed.

However, if you visit the same area and take a few sensible precautions to keep your wallet safe, you’re no longer an easy target and therefore much less likely to encounter a problem. A few small concessions to security and you’re safer.

It’s the same with your IT. A few simple precautions and habits will go a long way to stop you being vulnerable. Here are 10 things to get you started. These are in no particular order of importance and you need to have a comprehensive approach to your security. Trust me, the people who want access to your system are looking for any way in they can find.

1. Get a good virus checker and keep it up-to-date.

I can’t stress that last bit enough. An out-of-date virus checker is a hole in your security. Virus checkers work, for the most part, by recognising the code that makes up the invading software. New malicious software is being developed constantly, and it only takes a small change to the code in something like a trojan virus (a nasty little bit of code that hides, like a Trojan horse, inside other code) for it to slip through your checker. All good security programmes come with regular updates, so you just need to get into the habit of updating them or setting them to update themselves automatically at regular intervals.

2. Speaking of keeping up-to-date, do the same with your operating system and key software packages.

Yes, sometimes it can be a bit of a pain in the neck waiting for your system to update, but most of these revisions contain security features. Updates on operating systems are common and most of the time they are minor tweaks to the way the system works to increase stability and, as we already said, update the security.

3. Do your backups!

And then for really key data, do them again. If you have a cloud-based back-up process and you also save your key data to a physical drive, you’ll be able to get up and running again very quickly should the worst happen. It’s a little difficult to advise you on what you should back up and when in an article such as this one because you’ll need to personalise your backups based on your own needs. However, as a rule of thumb back up everything regularly and any really important data immediately or as soon as possible. The more important it is to the running of your business, the more important it is that you back it up after every change.

The final key factor in backing up your data is making sure that your backups work. Once a month, test your backups. There’s nothing worse than finding that what you thought was a working backup solution has, in fact, been a massive waste of time because it wasn’t configured correctly.

On a monthly basis, you should be testing it with a simple recovery of a few random files. If this works fine, then that’s great: you have what appears to be a working process. But, on a quarterly basis, you should be doing a full restore of your data to make sure that everything works. This is highly important if you’re doing a full system backup and not just backing up the files.
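
The restore test described above can be scripted. This is an added example, not part of the original article: the function names and folder layout are assumptions, and it expects you to have already restored the backup into a separate folder using your backup tool.

```python
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_restore(live_dir, restored_dir, sample_size=None, seed=None):
    """Compare live files with their restored copies by SHA-256.

    sample_size=None checks every file (the quarterly full restore);
    a number checks that many random files (the monthly spot check).
    """
    live_dir, restored_dir = Path(live_dir), Path(restored_dir)
    files = sorted(p for p in live_dir.rglob("*") if p.is_file())
    count = len(files) if sample_size is None else min(sample_size, len(files))
    results = {}
    for original in random.Random(seed).sample(files, count):
        relative = original.relative_to(live_dir)
        restored = restored_dir / relative
        if not restored.is_file():
            status = "missing"      # the backup never captured this file
        elif sha256_of(restored) != sha256_of(original):
            status = "mismatch"     # restored content differs from the live file
        else:
            status = "ok"
        results[relative.as_posix()] = status
    return results


if __name__ == "__main__":
    # Constructed demo data: the restored copy of notes.txt is truncated.
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for folder in (live, restored):
            folder.mkdir()
        (live / "invoices.csv").write_text("id,total\n1,100\n")
        (live / "notes.txt").write_text("call supplier")
        (restored / "invoices.csv").write_text("id,total\n1,100\n")
        (restored / "notes.txt").write_text("call suppl")
        print(check_restore(live, restored))
```

A file that was edited after the backup ran will also report "mismatch", so run the check soon after a backup or against data that does not change.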

4. Email security is extremely important.

Many malicious virus attacks come from an attached file or document containing a virus or similar source of malicious code. The rule is simple. If you don’t recognise the sender or even if you do and you’re slightly suspicious of the attachment, then don’t click on it or open it.

Check first. You’d be amazed how many problems can be prevented by sending a simple email, making a quick phone call or sending a text message to ask the alleged sender if they actually did send the suspicious one. Email hijacking, and spoofing that makes the sender address appear legitimate, are quite common, so it’s not unusual for the recipient to be fooled into opening a link or attached file. If it looks suspicious, be suspicious!

5. While we’re on the subject of email security, scam emails that trick you into handing over key information deserve their own entry.

This is known as “phishing”, and these emails often seem to come from sources such as banks, shopping sites and so on. If you receive an email asking you to follow a link and enter your information in any way, check it. Remember, though, that these can be very sophisticated and may seem to come from very legitimate sources such as HMRC. Often, though, there will be clear indications that the email isn’t what it seems.

Grammatical and spelling errors, email addresses that don’t match the source, pixelated graphics and so on are common mistakes that will identify a phishing email immediately. The senders are not always so clumsy though. You may, for example, receive an email that informs you that a shopping account has been breached and you should follow the link enclosed to reset your password and payment details. Check it with the alleged sender first and contact them through a different method than the ones in the email you received.
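
Two of the checks above (an address that doesn’t match the source, and a link that goes somewhere other than where it says) can be automated. This is an added example, not part of the original article: the sample message and its domains are constructed, the function names are assumptions, and it handles a single-part HTML email only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for illustration; every name and domain is made up.
SAMPLE = """\
From: "Example Bank" <alerts@examplebank-secure.invalid>
Reply-To: help@other.invalid
Subject: Your account has been breached
Content-Type: text/html

<p><a href="http://login.other.invalid/reset">https://www.examplebank.test/reset</a></p>
"""

# Anchor tags: capture the real target (href) and the text the reader sees.
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value):
    """Domain part of the address in a From or Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def belongs_to(host, expected):
    """True if host is the expected domain or one of its subdomains."""
    return host == expected or host.endswith("." + expected)


def phishing_indicators(raw_message, expected_domain):
    """List mismatches between who the email claims to be and what it contains."""
    msg = message_from_string(raw_message)
    found = []
    sender = domain_of(msg["From"])
    if not belongs_to(sender, expected_domain):
        found.append(f"sender domain {sender} is not {expected_domain}")
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        found.append(f"replies go to {reply_to}, not {sender}")
    for href, text in LINK.findall(msg.get_payload()):
        shown = urlparse(text.strip()).hostname  # None when the text is not a URL
        actual = urlparse(href).hostname
        if shown and shown != actual:
            found.append(f"link shows {shown} but opens {actual}")
    return found


if __name__ == "__main__":
    print(phishing_indicators(SAMPLE, "examplebank.test"))
```

An empty result does not prove an email is genuine; the advice to check with the alleged sender through a different channel still applies.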

6. Passwords are a pain!

Remembering them is a nightmare and to make it worse you should change them on a regular basis. So, keep your passwords in a secure folder and install a password management system. There are many of these available for free or at a relatively low cost and they can really help. Varying your passwords and using random words and numbers also works wonders.

It may make life easier, but you should never reuse a password over multiple sites. Someone gaining your password to a less important site or some part of your social media, for example, may not be the end of the world, but if that is the same password you use for your bank… I am sure you get the picture.

If you want to get a rough idea of how secure your password is, try this website https://howsecureismypassword.net.

7. It’s very common these days to allow people access to your network with their own equipment, so have a consistent Bring Your Own Device (BYOD) policy and ensure it’s followed.

As a little side thought on this as well, have you considered your data protection and GDPR responsibilities with BYOD access? Remember, if someone has access to sensitive data such as names and bank details, you’ll need to show due diligence in protecting the privacy of the information.

8. Beware of your social media trail of breadcrumbs.

I sometimes sit with a new client and within minutes I can tell them about a range of personal information from family members to where they are likely to be at the weekend. Your social media trail can seem innocent enough but think about what you’re posting. A trail that shows you being on holiday with your family combined with all the other information on your profile could be an open invitation to being robbed.

9. Public Wi-Fi is a minefield.

From virus distribution to spoof networks that masquerade as legitimate ones to access your data, public Wi-Fi is simply not to be trusted. Use it sparingly and only from trusted providers. Certainly, be very wary of sending personal data over a public network. This is a system that is being accessed by anyone who is in range and is generally not secure in any way. Do your online shopping and banking in particular at home. Would you write your card and PIN down in a coffee shop and leave them on the table for anyone to see? No? Then why would you risk sending them over a public Wi-Fi system? If you must use public Wi-Fi, then invest in a VPN (Virtual Private Network). These can be purchased for all devices at a very reasonable cost and the extra level of security they provide is well worth the cost.

10. Finally, the best piece of advice I can offer is this – don’t be afraid to ask.

You won’t look silly, you won’t bother anyone and you won’t be admitting some kind of terrible weakness. There is a lot of free advice online (obviously check the source is trustworthy) and that is a good place to start. In the end though, you can’t beat simply asking someone who knows what they are doing about your security.

This is far from being a complete list but it’s a good place to start when it comes to thinking about your security. Safety is, for the most part at least, about good habits when online, having clear IT policies and keeping up to date.

Originally posted 2020-07-28 17:00:29.

Chris Lambert

With a couple of decades of experience under his belt, and a genuine interest in new developments, Chris is a rare combination of experience and up-to-date technical know-how. As well as wielding a screwdriver to deal with everything hardware, he is the man to go to when it comes to remote maintenance of your systems. He is a skilled technician with an uncanny ability to see what does need doing and what will need doing to maintain your system and keep your data flowing.
