3 security mistakes small companies make and how to avoid them

Filed Under: Featured, Privacy, Security threats

Small businesses are in a tight spot: every organisation needs a basic level of computer security even if it doesn't have any technical employees.

Every small business and micro-enterprise is stretched and running one is all about finding the smartest way to allocate your limited time and resources.

Just about every organisation is dependent on computers, but dedicated IT staff are a luxury most very small businesses do without. More often than not their 'IT cap' is worn by whichever employee is the least non-technical.

Whoever that person is, they need to find a way to secure their computers against cybercriminals that aren't looking to cut them a break just because they're small.

Last month I wrote about 4 password mistakes small companies make and how to avoid them.

I wrote that first because if you or your employees use weak passwords, reuse passwords or share passwords you'll compromise your security at every level.

If you're running anti-virus and you're taking good care of your passwords then you're ready to look at some other aspects of computer security.

We can learn a lot from the mistakes of others so I've compiled a list of three more basic security blunders that small companies make and how to avoid them.

Unencrypted disks

If you read my last article about small business security mistakes then you might remember a test I ran on a real small business computer that came into my possession.

I took on some Windows computers from a small business I knew that had recently wound up. One of the computers was labelled 'admin' and seemed important so, with the owner's permission, I decided to see how quickly I could crack the administrator password on that computer with a password auditing tool.

I burned the tool on to a disk, popped it into the DVD tray and rebooted the computer. The admin password, a dictionary word with a zero instead of an O, held out for eight seconds.

The moral of the story, and the point of my experiment, was to show how useless poor passwords are in the face of an automated attack.

What I didn't mention was that because I had physical access to the computers I needn't have bothered trying to guess the password at all. I could have plundered everything on that computer without the password.

Why? Because the disks didn't use full disk encryption.

Unencrypted hard disks store data in a form that's easy for other computers to read. I could simply have restarted the computer with a Linux boot CD and either read the data straight off the drives or reset the admin password.

If computers use full disk encryption then attempting to bypass the operating system and read the data directly like this just doesn't work. Until it's decrypted, the data is no better than white noise and your data is safe if you leave your computer unattended, lose it, have it stolen or throw it away.

Full disk encryption makes your computer behave the way you already expect it to - it protects your data from anyone who doesn't have the password.

The good news is that you probably have full disk encryption software already. Windows computers come supplied with BitLocker software and Macs come with FileVault. It's time to switch them on.

Half-baked backups

I know three small business people whose laptops have simply died on them in the last six months (two had hardware failures and one was strongly provoked by the arch nemesis of laptops everywhere - a poorly placed cup of coffee).

The first person ran automated daily backups that scooped up everything on their computer and backed it up more or less continuously. The second used a manual backup process that only required they plug in an external drive. The third didn't take any backups at all but made extensive use of some well known cloud email and storage products.

The first user was up and running the same day with all their configuration, applications and data restored to a new computer. They lost about 30 minutes of work.

The manual backup process used by the second user suffered the same fate that all manual, undercooked or jerry-rigged backup processes seem to: it simply wasn't used very often. Even though user #2 only had to plug in a USB cable every day to stay more-or-less backed up, they didn't actually do that. They lost a month of data.

The third user lost everything on their laptop but actually suffered less than the second because most of what they used was in the Cloud.

Interestingly, the second and third users both ended up with new laptops and both took about the same amount of time to get back on their feet - around two weeks.

Your backups are your business's last line of defence against attack and you can't afford to lose months of data or several working days making up for the fact they aren't there.

Your computer security efforts should be focussed primarily on stopping attacks but if all else fails you should be able to restore your systems to a point in time before they were hacked, infected, defaced, ransomed or brutally molested by your morning pick-me-up.

If backing things up requires even a modest manual intervention then the chances of it actually happening plummet. Let your computers do what they do best and automate your backups.

To minimise the risk of viruses spreading to your backups, you should store some recent backups offline and unconnected to any of your other computers.
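The advice above boils down to two checks: backups must run without anyone remembering to plug something in, and some recent copies must sit on a drive that is normally disconnected. As an added example (not from the original article), the Python below scores a set of backup snapshots against both rules, so a routine that has quietly stopped running, the failure that cost user #2 a month of data, is flagged before the laptop dies. The snapshot records are constructed sample data and the one-day/seven-day thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Snapshot:
    name: str
    taken: datetime
    offline: bool  # True if the copy lives on a drive that is normally disconnected


def newest(snapshots, offline):
    """Most recent snapshot of the requested kind, or None if there is none."""
    sel = [s for s in snapshots if s.offline == offline]
    return max(sel, key=lambda s: s.taken) if sel else None


def check_backups(snapshots, now, max_online_days=1, max_offline_days=7):
    """Report whether the online and offline copies are both fresh enough."""
    report = {}
    for label, offline, limit in (("online", False, max_online_days),
                                  ("offline", True, max_offline_days)):
        s = newest(snapshots, offline)
        if s is None:
            report[label] = {"ok": False, "age_days": None, "reason": "no backup found"}
            continue
        age = (now - s.taken).days
        ok = age <= limit
        reason = "" if ok else f"newest {label} backup is {age} days old (limit {limit})"
        report[label] = {"ok": ok, "age_days": age, "reason": reason}
    report["ok"] = report["online"]["ok"] and report["offline"]["ok"]
    return report


NOW = datetime(2014, 6, 15, 9, 0)  # assumed "current" time for the sample run

# Constructed sample: automated daily backups plus a weekly copy on a detached USB drive.
AUTOMATED = [
    Snapshot("daily-2014-06-13", datetime(2014, 6, 13, 2, 0), offline=False),
    Snapshot("daily-2014-06-14", datetime(2014, 6, 14, 2, 0), offline=False),
    Snapshot("daily-2014-06-15", datetime(2014, 6, 15, 2, 0), offline=False),
    Snapshot("usb-2014-06-11", datetime(2014, 6, 11, 18, 0), offline=True),
]

# Constructed sample: the "plug in the USB cable" routine, last followed a month ago.
MANUAL = [
    Snapshot("usb-2014-05-14", datetime(2014, 5, 14, 18, 0), offline=True),
]

if __name__ == "__main__":
    for label, snaps in (("automated", AUTOMATED), ("manual", MANUAL)):
        print(label, check_backups(snaps, NOW))
```

Run it from a scheduled task against your real backup folder listing and treat a failing report as an incident, not a reminder.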

Using Windows XP

Keeping your software up to date is an absolutely critical security precaution.

Five years ago, the Conficker worm spread like wildfire by exploiting a vulnerability in Windows. The tragedy of Conficker was that it exploited a vulnerability which had been patched by Microsoft 29 days before it began spreading.

Because software was left unpatched, Conficker became the most widely spread malware in the world and an object lesson in the importance of keeping software up to date.

Which leads us nicely to XP.

The problem with keeping Windows XP up to date is that you can't.

Microsoft pulled the plug on Windows XP updates in April 2014 after a twelve year life and a seven year countdown.

XP will never, ever be updated again.

Despite that, our web analytics reports that about 5% of you - the security conscious readers of Naked Security - are reading these words on a machine that's running Windows XP.

Let's be clear; Windows XP is dead.

It has passed on.

It is no more. It has ceased to be. It has expired and gone to meet its maker. It's a stiff. Bereft of life, it rests in peace. If you hadn't ignored the end of life announcements it would be pushing up daisies. It's history. It's off the twig. Kicked the bucket, it's shuffled off this mortal coil, run down the curtain and joined the choir invisible.

It is (with apologies to Monty Python) an Ex-P.

Windows XP is not the first piece of software (or even the first popular operating system) to be retired and it won't be the last. It is a fact of life that software your business depends upon will expire from time to time and you need to be ready to say goodbye before it does.

XP is dead and it's time to move on.

Next steps

Take a look at our 4 free tools to boost your security and do our 3 essential security tasks (the tasks are aimed at families but they're great advice for micro-businesses too).

Image of business error courtesy of Shutterstock.

17 Responses to 3 security mistakes small companies make and how to avoid them

  1. VL-S · 83 days ago

    Mark,

    What is your approach to backing up a full disk encryption?

    • My approach? Generally, don't try and be fancy and don't worry too much about the specifics - what you want above all else is reliability so find a solution that works out of the box, that's well supported, that lots of other people use and use that.

      • VL-S · 83 days ago

        What I am getting at is...

        If a laptop drive is truly encrypted only when the power is off, then how does one make a backup of it?

        • You back it up when it's on, and not encrypted, and then encrypt the backup drive. Or you clone the disk image.

  2. Bob · 83 days ago

    Which backup tool was the first person using?

  3. Pat · 83 days ago

    "Windows computers come supplied with BitLocker software." That's not really true for Windows 7. Only the Enterprise and Ultimate editions include BitLocker. Most people have the Home Premium edition, which does NOT include it.

    • Net-worked Up · 83 days ago

      Also Windows 7 Home Premium won't let you back up over a network - very annoying

    • Matt · 76 days ago

      Consumer level computers and many business grade computers also lack the TPM chip that is required to properly use BitLocker.

      • Paul Ducklin · 76 days ago

        How so? What's wrong with full disk encryption if you don't have a TPM chip?

  4. You said "If backing things up requires even a modest manual intervention then the chances of it actually happening plummet. Let your computers do what they do best and automate your backups.". My question is where are you backing up to if you can't manually plug in an external drive? Not every small business uses a server to backup to, and even if they do not all of the computers are connected to it. That pretty much destroys the idea of totally automatic backups for a significant amount of people.

    • If you don't have automated backups right now then something, perhaps a few things, will have to change before you do.

      One of those things might be that you need a server.

      If you really don't want a server, or if it won't work for you for whatever reason, then you might look at Cloud backup solutions.

      How practical that is will depend on how much data you need to back up, your data plan and bandwidth. It works for some people and, as I said, since you aren't automating right now it's likely that something in your environment will have to change so if it isn't getting a server it might be getting a better data plan.

    • Deramin · 83 days ago

      You can pick up a decent NAS with drives for about $250 on Newegg (or similar). Not having a network backup location is an excuse for poor hindsight, not an actual problem. That NAS pays for itself the first time something goes wrong. Or, as the author noted, cloud storage is better than nothing (and some are more secure than others).

  5. fgsbiz · 82 days ago

    good tips ...

  6. Roger le Clercq · 81 days ago

    Thanks Mark
    On automated backups an easy first-line is to use a second drive inside a PC. Supplemented of course with a second-line copy to a different machine (server?) then cloud as well.
    BTW It is rung down the curtain as in end of a performance, not run down the curtain redolent of 3 blind mice! Sorry I'm a pedant.
    And can I plug a free and simple backup program? Karen's replicator will automatically do what you want when you want. Been using it for years now. Simples.

  7. Can't buy windows, so legal WinXP vs pirated Win7/8?

    • Mang · 77 days ago

      Or one of the many many many legal, free open source operating systems out there. Yes, there are compatibility issues with some software, and the time that needs to be invested in learning a new system, but if you aren't willing/can't pay for up to date software, that's the cost.

About the author

Mark Stockley is the founder of independent web consultancy Compound Eye and he's interested in literally anything that makes websites better. Follow him on Twitter at @MarkStockley