TECH TALK: Small business most vulnerable to hackers

By Donovan Hoggan
July 14th, 2010

Imagine coming to work one morning and finding out that your computer network has been attacked. Your bank is wondering why you closed your account and why you haven’t responded to their emails.

“But I have responded to them,” you say.

This is when you find out that you are black-listed all over the world and no one can get your emails. You also find out that, over the weekend, there have been several withdrawals of $4,999 each. You’ve been hacked.

Small business has a number of unique computer security needs. IT staff are rare and an IT security team is unheard of. Computer issues are usually assigned to an office manager or to “the guy who knows a little bit about computers.” Budgets are limited and so is time.

At the same time, small businesses are quite attractive to bad guys. There are several computers in one spot, so it’s worth more to the bad guy than a home PC, and the average small business has a larger cash flow than the average house.

The end result is that small businesses are more vulnerable than big companies with dedicated IT security staff and have more profit potential for a hacker than a home user. This unfortunate “in between” position leaves small businesses very vulnerable.

There are, however, some opportunities to protect your business that are as straightforward as they are effective.

The first step is to assign the job to a specific person. Meaningful progress is very difficult when responsibility for a task is unclear. You sometimes get two people doing the same job but, most often, you end up with tasks not getting done because no one realized they had to be taken care of.

Step two is to give the assigned person the support that’s needed. Few things are as frustrating as having responsibility without the capacity to live up to it. I’ve personally been in the position of putting safeguards in place, only to have someone senior to me cause a whole bunch of damage by circumventing my work. If you assign someone the job of protecting your computer network, be sure that everyone respects that. If security is getting in the way of getting the job done, work with the assigned person to find a way around it that doesn’t unduly expose your systems.

Next, have a plan. It doesn’t have to be complicated or difficult. Just take some time and think about what elements of your computer network are most important to you. Is it the emails? Do you have any software that is critical to your company?

One important question is: How long can you afford to be without your computers before serious damage is done to your company? Hours? A day or two? A week or two? This will have a powerful effect on what kind of planning you should be doing.

Another part of your plan should be the day-to-day measures you are taking to protect your computers, and how you are going to ensure that it gets done. Do you have commercial-grade anti-virus running on all of your computers (please say yes)? If so, how will you ensure that it’s being updated? That it’s running scans on a daily basis? How do you make sure that it gets renewed every year?

Your solution may be an automated network tool, or it may be as simple as having someone assigned to go through a checklist with each computer on a specific schedule. However you do it, it’s important to make sure that it gets done. Otherwise, your plan is in danger of becoming a worthless exercise in paper-pushing.

Finally, you need a policy and you need to explain it. The single biggest threat to your network is how staff use it. Your staff use USB thumb drives on home computers, then bring them to work. They download music, install apps from Facebook and click “OK” whenever dialog boxes pop up. It’s important that they know what to avoid.

It’s also important that they know why. In a previous life, I was a Social Worker. I came to work one morning and found that the IT department had, without discussion or explanation, blocked access to instant messaging. It took us less than two hours to find a way around it and, to my knowledge, IT was never able to block that particular method. Had they explained why it was a problem and worked with us on how we could do what we needed to without jeopardizing the network, we would have been happy to work with them.

Web filtering is the same. I just Googled “bypass web filtering” and found 1,570,000 hits. If your staff don’t understand why a security measure is important, odds are they’ll find a way around it.

My last suggestion is: don’t be afraid to ask for help. Computer security is a multi-faceted and moving target. Money spent on putting together a good plan can save you thousands of dollars in support costs, lost business, etc. Be sure your consultant is well-qualified and has the experience to find you a comprehensive solution that works with your business.

As always, if you have any questions or would like more details, just drop me a line at donovan@castlegarsource.com.
