As we all know, there are some terrible people on this planet, with less than genuine aims in their lives. Just like in the physical world, these people want to steal things and break things, with no thought for the damage it might do. Added to the terrible people, other threats and vast amounts of damage can be caused by people within your organisation – whether by design or by accident. IT Security is very important for businesses of all sizes to combat these threats.
What this means is that you need to ensure that your business is better protected than most. A common analogy is your own house – at home, if your house is the least protected in your street, you’ll be the one that is targeted instead of the house down the street with the alarm system, CCTV and gates. But at least there, only a limited number of bad people can attack, because they have to be physically at your home.
In the world of IT, that limit is completely irrelevant. By design, systems are often accessible from anywhere at any time, and these systems interact with more 3rd party systems than ever before. Whilst this provides flexibility in working practices, or savings by using hosted platforms such as Gmail or Office 365, it also means that the same vital systems are open to attack from any location, any time, 365 days a year by those terrible people who want to cause damage or make a quick few quid.
Being better than most in terms of security is no mean feat: you have to have proper budgets in place and have a roadmap that means that your business is constantly evolving its protection to keep ahead of everyone else. What you need is a plan. The plan needs to cover all of the categories that you will find below (by the way, they are in no particular order). The starting point is to assess where you are at now. To do that, you’ll need to get help from your IT Support partner. If that’s us, speak with your account manager as soon as possible to get started on your roadmap.
If it’s not us, then speak with your IT partner as soon as possible and find out what they are doing to help you. Of course, you could just contact us anyway and we’ll work with you to assess where you are at and where you need to be – use the contact us page here to get in touch!
Layer 1 – The biggest problem – and your first line of defence – Humans!
The terrible people are most likely to try to attack via their easiest method. That is the humans. Unfortunately, people are the biggest threat to your IT security. They are also the hardest element to protect against, because education takes time.
People make mistakes: (unknowingly) they give out information that they shouldn’t, and they work with technology in ways that we can’t predict. The first stage in almost any attack is “social engineering”. This begins through email, a phone call, or even in person. Over the years, even before computers, the ability to gain information from people, and their predictability, has always been the weakest element of most systems: “Loose lips sink ships”!
First access to your systems is gained via a user account or device; then, because the attacker is on the ‘inside’, further access attempts become possible using that account. It is for this reason that you need to limit users so they can only access the data, systems and devices that they need to complete their duties, and provide suitable training so they can recognise threats and act on them accordingly.
There are various options to help you to improve in this area, but they boil down to two real options. Option 1 is human-to-human training: you can invest in a skilled IT trainer who provides regular training to your staff, but it can prove very costly. Option 2 is to introduce some technology into the mix. Various vendors are now offering IT Security training as a service. At their heart these technological solutions are basically a portal where your staff can log in and watch videos (and you know when they have). They do offer some bells and whistles too, such as ‘testing’ your staff by trying to trick them via email and other methods into providing information that would allow an attacker to gain access. The results are all reported back to you of course, including whether those same staff have actually done the training at all. In the IT industry, this technology is referred to as User Awareness Training.
Layer 2 – The Perimeter
Most security risks come from the internet, because that’s where the most potential attackers (those pesky terrible people) reside! The point where the internet meets your own network (i.e., the devices that you and your colleagues work on – PCs, laptops, servers and so on) is called the Perimeter.
Your perimeter needs to be protected against the terrible people! The protection usually comes in the form of a Firewall device. It’s a piece of hardware that sits in between the internet and your own devices. It’s sometimes combined with other functions that are performed on the network, but the important bit, as far as IT Security is concerned, is the Firewall component. It acts as a “blocker” of sorts, stopping things from passing from outside of your network (i.e., the internet) to the inside of your network. In actual fact, firewalls also stop things from passing from the inside of your network to the outside, but that’s detail that’s not so important at this stage.
Your firewall needs to be configured by a professional to block things, although in practice many firewalls are set to block everything inbound when you take them out of the box and plug them in. Occasionally, you may need to allow certain pieces of traffic to pass into your network (for example, you might need to provide someone access to your CCTV system that sits inside your network), but ideally this should be done as a last resort, and each exception should be as narrow as possible.
The firewall device is itself vulnerable, as it’s connected to the internet. The terrible people often find ways to ‘hack’ these firewall devices, especially if the manufacturer of the device hasn’t been 100% safe when it made the equipment. Because of this, the firewall device needs to be regularly updated with the software ‘fixes’ provided by the manufacturer (this is usually referred to as firmware). It also needs to be suitable for the size of network that you have AND needs to be replaced when the device reaches end-of-life (this means that the manufacturer is no longer releasing ‘fixes’/‘firmware’ for it).
Layer 3 – The Network – IT Security
Inside your firewall is your internal network. This consists of many networking devices, such as Ethernet switches and wireless access points, and then beyond those, your actual end-user devices (PCs, laptops, tablets, mobile phones and server equipment, amongst other things). To keep the highest level of network security, you need to have a configuration that only allows access to devices that you know and trust, such as PCs and laptops that you have purchased and configured yourself (or via a trusted IT partner like ESP!). It’s possible to configure your network to block access to ANY device other than those that you trust, using various rules and tools. However, in today’s business world, that is unrealistic. Staff and visitors need to bring their own devices to work and need to utilise the internet connectivity too. Because of that, it’s more likely that you would configure your network with VLANs (Virtual Local Area Networks) that separate the devices that you do know and trust (i.e., ones provided and configured by you or your trusted partner) from the devices that you don’t (such as staff- or visitor-owned devices). This means that if one area of the network is attacked, the others aren’t necessarily as vulnerable.
Layer 4 – The Endpoints – your computers, Servers and mobile devices – IT Security
Throughout the other layers mentioned above, we’ve mentioned your devices on a regular basis. Your PCs, laptops, tablets and mobiles are known as the Endpoints. Often, there are lots of endpoints connected to your network. Usually in a business, this number is at LEAST the same as the number of employees in your business. Often, it’s double that number, so there’s a lot to think about at this level.
These devices have to be secured, because it’s very easy for a member of staff, or a user, to cause a problem with the device, network or data, directly or indirectly, through bad habits or a lack of training – remember from Layer 1, your users are often one of the weakest points. Usually first access to your systems is via a user account or device, then further access is leveraged using that account. It is for this reason you need to limit users so they can only access the data, systems and devices that they need to complete their duties.
At the ABSOLUTE MINIMUM you should be securing these devices with Antivirus, Patch Management and Encryption. Without those products, your devices are a gaping hole in the security of your organisation.
These steps alone are not enough to satisfy many insurance companies (Cyber Insurance) these days. They now look towards other protections and demand other tiers of protection such as antimalware, compliance policies, and more advanced tiers.
There are lots of other products that allow you to further secure these devices, but do check that you at least have those things in place on EVERY device, and DOUBLE CHECK the requirements of any insurance policies you have in place, and the requirements of any partners you work with or contracts you hold. We can tell you more about those items and anything else, just drop us a line via our contact page here https://espprojects.co.uk/contact-us/
Layer 5 – Applications – IT Security
Each of your devices (or Endpoints, as they are set out in Layer 4) has a number of software applications installed on it (for example Microsoft Word, Excel and Outlook, as well as line-of-business applications such as Sage or Dimensions). These software applications also have vulnerabilities that the terrible people could take advantage of! In order to have the best chance of protecting your applications, you should at minimum ensure that software updates released by the software manufacturer are applied to these applications. Again, Patch Management software can help here (it offers two types of protection – one at the operating system level and the other at the application level). Added to this, there are tools that protect against unplanned changes at the application level; these are sometimes referred to as Zero Trust security solutions, and some are referred to as Sandboxes. Cyber Insurance policies will often require you to have more stringent options in place here too.
Layer 6 – Data
In many models, data may not be seen as an actual layer because it’s applicable at every other layer, but here we are separating it out, because it’s the primary target of the terrible people! When they are trying to gain access to your network in some way, they are after money or destruction. Both of those require access to your data, as it’s your most valuable asset. So, what do you need to do to protect it? Here, it always starts with authentication and encryption. Your data should be stored in such a way that it’s not easy for the terrible people to gain access to it: anyone reading it has to authenticate first and then decrypt it. You might think of encryption as a kind of double password protecting your data, but in a really technical way and a way that’s almost impossible to guess. However, given that we can’t GUARANTEE that the terrible people won’t get access to our data, we should at least ensure that we can recover the data in case they do destroy it. This means keeping on top of data backups of all your mission-critical files and systems, such as cloud email backup. It also means being controlled about data policies and compliance: making sure you only keep the necessary data, for the necessary period of time, and you only give access to the people that need it.
Layer 7 – The review
It’s always best practice to get someone to check your homework. If you have implemented a set of security features that are aimed at protecting your most valuable assets, you should have it reviewed. If you have an internal IT department, ask an external party to review what has been implemented. If you have an outsourced partner such as ESP, ask another IT Support company to review their work.
This isn’t a case of distrust. It’s best practice. People (even experts) make mistakes, and having someone else who is well placed to review the policies and implementations makes absolute sense if you are serious about IT Security.
Some businesses will offer this in the form of consultancy, reviewing what has been done and why, and what holes might be left. Other companies offer a testing solution, whereby they actually test your IT Security to check whether there are any holes. They use the same tools and methodologies that the terrible people use, but in a nice way, producing a report that tells you where there are still holes and where mistakes might have been made. Wherever possible, have your security tested – this is referred to as Penetration Testing (or Pen Testing for short).
Layer 8 – WHAT?? There’s MORE???
Yes, in the above we have covered quite a lot of ground around your network and devices, but there are also the cloud-based applications and services that you utilise. The vast majority of these were quickly adopted to add features, save costs, or achieve flexible working – and 2020 saw a glut of uptake during Covid. Tiers (or layers) of protection have been added to many cloud services, but many require further configuration and/or licensing. AT AN ABSOLUTE MINIMUM you need to implement MFA (Multi-Factor Authentication) on every cloud service where it is available. Again, this is just the first step in securing many of these systems – we will go into further depth on some of the most popular cloud services in the future.
IT Security is a complex beast that requires a lot of thought and planning to get right. However, there is a balance. That balance is risk versus reward. Not every business can afford to always protect everything and sometimes, even if they had an unlimited budget, the terrible people would succeed. Some of the world’s largest organisations have fallen foul of the terrible people over the years. If huge company budgets can’t always protect them, maybe SMEs should feel a little bit better about themselves, BUT we should always do what we can afford to do and prioritise where necessary, with expert support.
How can ESP help?
If you are an existing customer of ESP’s fantastic, best-in-class IT Support Services right here in Sheffield, you can access our security advice for free as part of your IT Support Agreement. We are always willing to produce reports and roadmaps to get you from where you are currently to where you would like to be, based on budgets and priorities. Ask your account manager for your Security Position report today via our Contact page.
If you are not an existing customer, feel free to reach out via our Contact page anyway – we’re always looking to take on new customers to allow them to benefit from Sheffield’s best IT Support company. Get in touch and we’ll come out to meet you, and work with you to find out what position your company is in and to come up with a plan to get you to where you need to be!