Top five ways to increase business IT security
Roger Keenan joined City Lifeline as managing director in 2005. Prior to City Lifeline, Roger was general manager at Trafficmaster, during which time he progressed to managing director for Germany and then CEO of Trafficmaster in Detroit. Roger belongs to a number of industry and trade associations, including the Chartered Institute of Marketing (MCIM), the Institute of Engineering and Technology (MIET) and is a Chartered Electrical Engineer (CEng). Roger studied at the University of Wales where he was awarded a BSc Hons degree in Electronic Engineering. He then went on to study for an MBA at Cranfield School of Management. Roger is an experienced public speaker and in his spare time has a keen interest in classic cars.
Cybertheft, phishing and the malicious acquisition of data have come to the front of public consciousness in recent years. Criminals are now aware of how easy it can be to steal digital assets rather than physical belongings, while the rewards are often greater and the chances of being caught are less. This is clear to see when researching the biggest cybertheft in history, which saw hackers steal an estimated US$1 billion from banks throughout Russia, the United States, Japan and numerous major European countries.
As large organisations are forced to become increasingly security conscious, so the thieves have found it more difficult to steal from them or their customers, instead turning their attention to smaller businesses. Unfortunately, there is plenty of low-hanging fruit there as many small organisations don’t realise the threat posed by cybertheft or how simple it can be to implement a failsafe solution. With the big data market expected to continue its exponential growth, below are five simple steps businesses must take to secure their digital assets.
Astoundingly, despite all the expert warnings, the most commonly used password in the UK today is still “password”. It does not take a genius hacker to crack that, so if you’re sat at a machine which uses this password, the time has come to take the leap and change it. A hacker’s first approach to cracking a password is probably going to be a dictionary attack, in which every word and common phrase in the English dictionary is tried repeatedly. With that in mind, “London” or “data centre” are not good passwords and nor is “London data centre”. The more character sets there are and the longer the password, the more secure it is. So “L0ndonDataC3ntre?”, for example, is far more secure and is much less likely to be successfully hacked. It’s vital that businesses ensure all passwords are secure and changed on a regular basis, while also making sure they aren’t written on post-it notes and stuck to a computer monitor for anyone to see.
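A password-policy check built on the two points above (dictionary words and phrases, then length and character sets), as an added example that is not part of the original article. The word list, the 60-bit threshold and all function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample word list (assumption); a real deployment would load a
# full dictionary plus lists of commonly used passwords.
WORDLIST = {"password", "london", "data", "centre", "letmein"}

def is_dictionary_phrase(password, words=WORDLIST):
    """True if the password, ignoring case and spaces, is made up
    entirely of dictionary words, e.g. "London data centre"."""
    s = "".join(password.lower().split())
    if not s:
        return False
    # reachable[i] is True when s[:i] splits cleanly into dictionary words
    reachable = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        for start in range(end):
            if reachable[start] and s[start:end] in words:
                reachable[end] = True
                break
    return reachable[len(s)]

def charset_size(password):
    """Size of the alphabet implied by the character sets actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1   # 32 symbols plus space
    return size

def search_space_bits(password):
    """log2 of the exhaustive search space: length * log2(alphabet size).
    This is an upper bound on guessing effort, not a strength guarantee."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0

def assess(password, min_bits=60):   # min_bits is an assumed policy value
    if is_dictionary_phrase(password):
        return "reject: dictionary word or phrase"
    if search_space_bits(password) < min_bits:
        return "reject: too short or too few character sets"
    return "accept"
```
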
Most business IT systems have two parts: external-facing (for example, the company’s website) and internal-facing (for example, the company’s accounting and payroll systems). As the name suggests, the external elements can be accessed by anyone, whereas internal processes should only be accessed by trusted employees with the relevant security clearance. A second critical step is to put the two parts onto separate servers and networks with no interconnection between them. That way, if a hacker does take control of the website, there is damage limitation in place as the accounting systems will still be untouchable. Another option available is to run one set in a data centre and the other in-house or in the cloud. This will instantly increase business security, ensuring if a hacker is successful, they are only able to access one element of the business, rather than causing havoc throughout the company.
Control VPN access
Most companies now allow remote access to trusted employees over VPNs. Simple access is available by a username and password. Access can be made increasingly secure by adding a secondary security step involving something only the user has, as well as something only the user knows. For example, adding a one-time password, which can only be accessed from the user’s email account on their protected mobile phone. If the hacker does not have physical access to the phone to gain the one-time password, cracking the normal password is of no use to him.
Use a data centre
While much effort goes into preventing malicious cyber-access, the simplest way to get hold of data is to physically break in and steal the servers, or just their hard drives. Many smaller companies could never justify the cost of operating 24/7 on-site security cover. The simple thing to do is to put the physical equipment, or maybe just the critical parts of it, into a secure data centre where the physical security, the power, the cooling and the connectivity are guaranteed. Data centres are good at security because it is their job to be – why would any business choose data centre storage if it wasn’t a secure option?
Hybrid cloud solutions are also growing in popularity, with the critical or constant workload hosted in a data centre, while the less critical, variable workload is remotely hosted in a public cloud.
Get a security audit
Ethical Hacking is a phrase used to describe the work of IT and network security firms. Such a firm sits on the outside and tries to breach a company’s systems and identify vulnerabilities and weaknesses in the same way a malicious hacker would. By doing so, they allow the company to pre-empt any real hackers and to close loopholes before anyone else can identify them. Of course, such audits have to be done regularly, maybe once a year if not more often, as all IT systems are continuously updated, overhauled and refreshed. Most data centres will have a relationship with such a security firm to ensure their security is of the highest possible standards. A security audit will repay its cost in peace of mind alone, let alone the avoidance of the disaster which can occur if hackers get into the company’s confidential finance or customer information. Losing sensitive customer data can have disastrous ramifications for businesses, costing them clients and tarnishing their reputation simultaneously.
As with many things in business and in life, most of this is common sense. Worryingly, that does not mean that even professionals do it, and many businesses may have failed to implement any of the above tips. Large organisations have the resources and focus to secure their assets using these simple steps. However, for smaller organisations with less time and resource it is still vital that business IT is fully secured, and preferably located in a secure data centre, or they will put themselves at serious risk of cybertheft.