IT security is absolutely critical to any organization, especially as more and more activity and communication happens online via leading SaaS products, and not just behind the company firewall. Managing your business IT security is always a delicate balance between cost, convenience, and protection. Small businesses often avoid or delay implementing stronger security, and while it often works because they’re not directly attacked, security by obscurity is a faulty tactic.
Here we’ll review some best practices and relative tradeoffs, and initial recommendations to help make businesses more secure.
- Use strong passwords and a password manager
- Enforce 2 factor authorization
- Define your employee onboarding and offboarding, and use an IDaaS provider
- Require password lock for all hardware (laptop and smartphone)
- Be careful with public wifi, use a VPN is possible
- Use anti-virus/anti-malware, especially on Windows machines
- Make sure IT security is an important part of your organization’s operations
For most organizations, email is the most public way to connect and the most vulnerable entrance to the company’s networks and data. The 2016 US presidential election thrust email security further into the spotlight. The big lesson here, is that almost nobody that cares about their business IT security should be running their own email servers in today’s world, especially not the DNC, which learned the hard way.
The two leading business email and productivity providers, which we compared in our Google Apps versus Microsoft Office 365 analysis, both provide world class security. Once you’ve gone with these leading providers, you still have a bit of work on your end to ensure secure usage. Luckily it’s pretty straight forward. The first step is to enforce strong, non-reused, changing passwords. The second, more important step is to enable and enforce multi-factor authorization (often implemented as 2 factor auth) (see below for more details on each).
Email and password authentication is ubiquitous but prone to many security issues. Passwords are often weak, guessable through shared libraries, re-used by users, and susceptible to phishing attacks. If you’d like to see if any of your passwords have been compromised through a security breach at a leading website, you can enter your email address at HaveIbeenPwnd.com. That will show you any sites you’re registered at where your password was likely exposed, and likely on some list of passwords to try.
For your organization, you can implement some basic password policy to help reduce risk. Passwords should be at least 10 characters, and more is better 12-14 ideal. Remembering long complex passwords if obviously very difficult, so you’ll probably want employees to use a secure password manager like 1Password or LastPass. Both of those are secure, offer browser extensions to enable auto-filling of passwords, and have team functionality for secure password sharing. Even better than a password manager, however, is a unified identification and access management (IAM) platform (more on that later).
Because of the inherent insecurity of using only email + password to log into an account, multi-factor authentication (MFA) is highly recommended for any sensitive information and important products. Most leading products will support MFA (Google, Microsoft, Dropbox, Box, etc.). Implementing MFA can be challenging for employees, but tools like 1Password and LastPass have integrated support, and there are many additional free tools like Authy and Google’s authenticator app.
Employee Onboarding and Offboarding
Getting new employees up and running quickly is key for any organization. In the desire for haste and ease of use, many services are set up and shared ad hoc, or with shared passwords that are often easy to guess. Worse, by having an ill defined onboarding process corresponds to having an ill defined off-boarding process, often leaving former employees with access to critical information and services. While most employees won’t do anything with this, it’s a risk not worth taking. One way to deal with this is to have a strictly defined on-boarding and off-boarding checklist, but an even better way to manage this is to have a unified identify and authentication management system.
Unified Identity and Authentication Management (IDaaS)
All of the three security issues we just talked about (passwords, MFA, on/offboarding) are significantly more secure and easy to manage with a unified identity and authentication management platform. In the old days of IT, all of this was typically handled via Windows Active Directory – creating users, groups, permissions, access, all easily and tightly controlled behind the firewall on the company’s physical network (domain). In today’s world with cloud services, roaming laptops, bring your own phones, etc., this controlled and constrained world no longer works. To help solve this issue, a number of companies are offering cloud enabled identify and authentication management (IAM). Two of the leading platforms are OneLogin and Okta, both venture backed, offer unified user and identify management through their cloud platforms. This means that you can centrally set and enforce your business IT security policies, for example requiring all users in a given department (e.g. finance or HR) to use multi-factor authentication for all of their authentication. You can also centrally view and manage which cloud based applications all employees are using and give employees a single place to access their company apps. Both enable you to securely share authentication to shared services (like Twitter for the Marketing team), without needing to share insecure passwords. And they also create a centralized place to easily onboard new employees and remove access from terminated employees. It’s certainly worth the cost of just a few dollars a month per user for the peace of mind and time savings with authentication and password issues.
Hardware Security and Management
Because employees are on laptops and smartphones more than they are on office desktops, the risk of losing a device with company information is significantly larger. The single most important and easiest way to protect devices is to require password protection for all devices. This is obviously harder to enforce when the devices are not owned by the company (e.g. bring your own devices – BYOD), but should be encouraged if not outright required.
The second step that will help further protect devices is to turn on device encryption, which will protect the information on the drives even if the drives are accessed directly. As we learned during a very public showdown with the FYI, Apple’s iPhones are encrypted by default since iOS 8, and also include a hardware failsafe on models after the 5S. Android phones can easily encrypted as well, though it’s not on by default (on most phones at least). Windows and Mac laptops typically don’t have encryption on by default, but you can easily turn it on (via FileVault on Mac, and Windows via built in Windows settings or Bitlocker)
With any hard drive encryption, you can choose to have a backup key stored with your provider (Apple, Microsoft, Bitlocker, etc.), which gives you a failsafe in case you forget your password, but also provides a back door to government access (via subpoena or perhaps even surveillance, depending on your viewpoint).
Finally, managing company hardware gets much easier with a mobile device management (MDM) tool. There are many on the market, several free, some at a few dollars per device per month, and typically include geo location, remote wipe of a device, security policy enforcement, and other management features. We’ll do a deeper dive on MDM solutions later on.
Anti Virus, Malware, Threat management
In general, and especially on Windows machines, computers with sensitive information should include anti-virus and anti-malware. You can see a detailed comparison of some leading anti-virus at PC World.
Public Wifi – Proxy Servers and VPN
Using the web with public Wifi can leave you incredibly exposed. Easily available software can snoop nearly all unencrypted traffic on comptuers within a network, as highlighted by Forbes and others. As the web increasingly moves to https encrypted connections, this threat is being reduced, but until everything is https, you’re leaving your browsing history and more exposed to would be hackers.
The simplest way to eliminate this exposure is to use a VPN to encrypt all your traffic every time you’re on public wifi. We did an analysis of some leading VPNs, and came up with our recommendation of SurfEasy, backed by Opera.
Finally, while you’re in any public spaces, be careful with wireless / bluetooth keyboards, many of which have been proven to be compromised.
Industry specific needs
In addition to the basic security suggestions above, your particular industry might have additional security concerns and requirements, such as HIPAA for healthcare records, PCI for payment compliance, financial regulations by the SEC, among others.
Ongoing Monitoring, Management, and Responses
These recommendations are just a start. Business IT security is an ongoing process that requires dedicated management and commitment from the entire organization, especially senior leadership. You can choose to manage this yourself, bring in part time or full time IT resources, or work with an experience partner, but don’t let it . A great way to continue building on security is by implementing a framework for the entire organization to manage and respond to security risks. Two leading security models are the NIST Cybersecurity Framework and ISO 27001/27002.