In the 2nd part of our article, “What does a real world small business security plan look like?”, we have finally got into the office where your PCs, Macs and perhaps servers are located. But before we start getting into solutions you need to buy, we must again start with something that costs (next to) nothing… and that is…
Make sure you have a company update policy
If you’re anything like we were, then updates to your computers are at the very back of the list of things you think about, but they really should not be. Software companies release updates for several reasons, but the most common reason these days is to fix a security problem.
Whether it’s your operating system or your programs – such as Adobe PDF, Adobe Flash, Java, your browser (Firefox, Chrome etc.) – updates arrive roughly monthly (or more often in the case of Flash), and these updates are most likely fixing a security hole.
First thing – when you see that update button and you get ready to click ‘Remind me later’ – think about when ‘later’ might be. Make time for it. Don’t just kick the update can down the road… plan on running the update when you go on break: a lunch break, a coffee break or an eye-break. Quit all your applications, run the update and restart that computer when you go on break!
Here in our small office, every Friday we have an ‘update check’ – which means we manually run Windows Update and check for updates for Flash, Java and Acrobat/PDF Viewer. The reason we do these manually is that software vendors will sometimes roll out updates gradually to minimize the bandwidth spikes on their update servers. Run them manually and you’re saying “I want these now” – not “I’ll take these some time down the road”.
Security is a “do it now” thing… not a “when we get to it” thing!
One final update note… your physical devices have updates as well – printers, routers, wifi access points etc. all have firmware updates – so make a note of your hardware devices and keep a spreadsheet of the web pages where their updates are published. At least every 6 months you should check whether there is a firmware update which addresses security – and if there is, schedule a time to install it. If you can subscribe to the manufacturer’s newsletter or update notification list, do so!
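One way to keep that spreadsheet honest is to have a script read it and tell you which devices are overdue for a firmware check. The Python below is an added example, not something from the original article: it parses a small inventory (constructed placeholder devices, models and vendor URLs, not real products) and flags every device whose last recorded check is older than six months, or that has never been checked at all.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (placeholder devices and URLs, not real ones):
# one row per piece of network hardware, the vendor page where its firmware
# is published, and the date we last looked for a security-relevant update.
# A blank last_checked means the device has never been checked.
INVENTORY_CSV = """device,model,firmware_page,last_checked
office-router,example-router-1000,https://vendor.example/support/router-1000,2015-01-10
front-desk-printer,example-printer-200,https://vendor.example/support/printer-200,2015-06-02
wifi-ap-1,example-ap-50,https://vendor.example/support/ap-50,
wifi-ap-2,example-ap-50,https://vendor.example/support/ap-50,2015-07-20
"""

# "At least every 6 months" from the article, expressed as a fixed interval.
CHECK_INTERVAL = timedelta(days=182)


def load_inventory(text):
    """Parse the inventory CSV into a list of dicts, turning last_checked into
    a date object (or None when the column is blank)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_checked"].strip()
        row["last_checked"] = date.fromisoformat(raw) if raw else None
        rows.append(row)
    return rows


def devices_due(rows, today, interval=CHECK_INTERVAL):
    """Return (device, firmware_page, days_overdue) for every device whose last
    check is older than `interval`, or None for days_overdue when it has never
    been checked. `today` may be a date or an ISO-8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    due = []
    for row in rows:
        last = row["last_checked"]
        if last is None:
            due.append((row["device"], row["firmware_page"], None))
            continue
        overdue = (today - last) - interval
        if overdue.days > 0:
            due.append((row["device"], row["firmware_page"], overdue.days))
    return due


def report(rows, today):
    """Human-readable lines for the weekly update check."""
    lines = []
    for device, page, days in devices_due(rows, today):
        status = "never checked" if days is None else f"{days} days overdue"
        lines.append(f"{device}: {status} -> {page}")
    return lines


if __name__ == "__main__":
    for line in report(load_inventory(INVENTORY_CSV), date.today()):
        print(line)
```

Run it as part of the Friday update check; replace `INVENTORY_CSV` with a read of your real spreadsheet exported as CSV, and update `last_checked` each time you actually visit the vendor page.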
In days gone by, just having a router was enough – and that sort of flipped in about 2010-11, because malware gangs realized that these little boxes that sat between them and your computers were quite easy to exploit.
They found some routers which were easy enough to walk right past; others could simply be ‘taken over’ – and not only did they then let traffic through, the bad guys could control them and use them as attack bots. Yes, there was a botnet of routers which was used for malicious purposes. This is exactly why you need to include routers and access points in your update policy!!
But – are all routers created equal? Ummm… no.
We’re a big proponent of business grade routers, not the home products you can buy at the regular high-street store… and here’s why…
- you need a wireless network that is secure
- your guest wifi needs to be separate from your main network
- consumer-grade firewalls often aren’t powerful enough to handle an ‘attack’
- turn ON all the security features available to you – such as Stateful Packet Inspection (SPI)
- a router or firewall from a security company is focused on security – not just on selling you a ‘box’
Think about it – if you buy a solution from a networking company that doesn’t release updates regularly – like a D-Link or a Netgear – how good can the security of this device be? With a device from a security company, such as Sonicwall, Sophos or Fortinet, the vendor puts out updates many times a day. We have our Sophos UTM checking for updates to the antivirus and anti-spam signatures every 15 minutes, and we can see MANY updates in a single day. We schedule firmware updates at least WEEKLY – and every Saturday we check for updates we might have missed in the automatic firmware update that runs around midnight in the middle of the week.
If you have any reason to be attacked, a consumer-level device and even the very low-end business devices might not cope well with attack traffic. We used to run a lower-model Cisco business device here in our office, and it simply didn’t handle the DDoS traffic we were being sent: every week or so it would get ‘slow’ and we would have to reboot it. Since upgrading to a ‘real’ security device, the Sophos UTM, the malicious traffic is countered by the firewall and we can simply ignore it.
Protecting the endpoints…
Your strategy for protecting the endpoints (PCs and Macs, generally) will vary depending on whether they are static or mobile – i.e., are your endpoints laptops or desktops? A desktop that doesn’t move can have a regular endpoint protection system in place: a good, solid antivirus/anti-malware solution.
We recommend that you use a solid paid anti-malware solution. The reason is that the freebies tend to be lesser products. A paid solution often includes extra features which you really should consider – such as device control. If you’re in any kind of industry with compliance regulations, we would suggest that device control is a ‘must-have’ – because you can lock down your machines so that data cannot be exported to USB thumb-drives EXCEPT those you authorize. This can be part of your compliance documentation.
Opt for an anti-malware product with more than basic antivirus – we recommend all business users get a web filtering solution, one where you can block access to websites by type of site. You can save a lot of time and money by having only your social media team accessing social websites – and perhaps allow access on a machine that is isolated in a break room. Remember that if your employees are allowed to access the wifi, get that segmented network so the Facebook on their phones can’t bring malware back from some web-based ad that’s been hacked or maliciously set up.
When you have mobile users – we also recommend that you look into a VPN solution – so that users can connect back to the office using a secured connection.
A laptop should have a full-featured security suite, which generally includes a firewall as well. In the case of ESET’s Endpoint Security, it also includes an anti-theft solution.
Read part 1 of our article – What does a real world small business security plan look like?