MSG. GMOs. Mechanically-Separated Chicken. Grackles. There’s a lot of scary stuff out there, but we thought we’d remind you of one more: security threats to your business. They’re mean, they’re nasty, and at best, they can be a serious mess to clean up. We’re not out to keep you up all night, though. With each security threat, we’ll provide you with some ways to mitigate the risks.
According to Wikipedia, ransomware is a security threat that started in Russia, but we started seeing it last year with the CryptoLocker virus. An end-user would receive an email with a tantalizing attachment, open it, and get infected. It would start encrypting all of their data files in “My Documents” and any network shares they were using. We had up-to-date anti-virus, but this was a new variant. Fortunately, we also had up-to-date backups, so we were able to eradicate the virus and restore our data. Still, it caused a lot of downtime for users. Some businesses we knew that contracted CryptoLocker and did not have backups were forced to pay the ransom—what we heard was about several hundred dollars—via an untraceable pre-paid debit card. Fortunately, the hackers did then provide them the security key, so they got their files back.
We haven’t had any more customers affected by ransomware, but it’s still active. And there’s a kind of ransomware out now that affects more than just PCs: namely, Synology network file servers, which are very popular for small businesses.
Install network-wide antivirus, keep your systems up-to-date with the latest security updates, and maintain thorough, up-to-date backups.
Virtually all laptop and smartphone operating systems—Windows, OS X, iOS, and Android—now support device encryption, and in general, it’s easy to set up. On a Mac, for example, it’s one click in “System Preferences.” Turning this on encrypts your hard drive so that if you lose your laptop or phone, nobody can retrieve any of the private company data on it—even if you just closed the lid without shutting it down. To log back in, a password is required.
Define and enforce a company-wide policy for laptop and device encryption.
Most employees have a smartphone (or get teased for their allegiance to their 2007 flip phone), and they want to bring it to work and use it for work: to get their company email, contacts, calendars, and data. You could purchase “work” mobile phones for everyone, but that would be prohibitively expensive, and besides: who wants to carry around two phones, other than the kind of tech nerd that you DON’T want to hire? (We’re kidding. Sort of.) And, once again, what happens if the device gets lost or stolen or the employee who possessed the device gets terminated? That’s a lot of private company information floating around in the world.
Luckily, device management services, such as Google Apps, can help you secure your staff’s mobile devices. For example, if you’re using Google Apps for Work for tasks like email, calendaring, and file-sharing, you can restrict which mobile devices employees can use for work, control what they can access, enforce policies on the device (e.g., encryption), and remotely wipe them if they get lost or stolen, or if the employee who possessed the device is terminated.
Too many people still don’t take password security seriously. They use weak, easy-to-guess passwords, and multiply the risks by using the same ones over and over again. Suppose you bought something online from one of the scores of sites for which you’ve used that password, and the site you bought from gets hacked. The first place the hackers are going to attempt to hack is your email account, because in all likelihood, the same password works there. Once they’re into your email, they can get to virtually any other merchant account you have, because almost all of them let you reset the password by email approval. It’s scary to think about all the weird things people can buy on your dollar and do under your name.
There are a few key preventive measures to take here. Start by using a password manager like LastPass. It makes it easy to generate completely random, strong passwords that are different for every site you access. It’s also simple to use because it autofills your name/password for you—all you have to do is remember one master password.
You should also enable two-factor authentication whenever and wherever possible. Two-factor authentication means that it takes two things to log into your account: first, something you remember (like your password) and second, something you possess (like your cell phone) to which a security code is sent every time you log in. So, a hacker trying to get into your account has to not only know your password, but have physical access to your cell phone for the security key. It’s pretty hard for Oleg to get both of those from you while hunched over his computer in Moscow.
We can’t help you with the potential digestive ramifications of mechanically-separated chicken, but we can help you implement more practices to mitigate security risks to your business. Reach out to us if you have any questions.