Small businesses are in a tight spot; every organisation needs a basic level of computer security even if they don’t have any technical employees.
Every small business and micro-enterprise is stretched and running one is all about finding the smartest way to allocate your limited time and resources.
Just about every organisation is dependent on computers but dedicated IT staff are a luxury most very small businesses do without. More often than not their ‘IT cap’ is worn by the least non-technical person.
Whoever that person is, they need to find a way to secure their computers against cybercriminals that aren’t looking to cut them a break just because they’re small.
Last month I wrote about 4 password mistakes small companies make and how to avoid them.
I wrote that first because if you or your employees use weak passwords, reuse passwords or share passwords you’ll compromise your security at every level.
If you’re running anti-virus and you’re taking good care of your passwords then you’re ready to look at some other aspects of computer security.
We can learn a lot from the mistakes of others so I’ve compiled a list of three more basic security blunders that small companies make and how to avoid them.
If you read my last article about small business security mistakes then you might remember a test I ran on a real small business computer that came into my possession.
I took on some Windows computers from a small business I knew that had recently wound up. One of the computers was labelled ‘admin’ and seemed important so, with the owner’s permission, I decided to see how quickly I could crack the administrator password on that computer with a password auditing tool.
I burned the tool on to a disk, popped it into the DVD tray and rebooted the computer. The admin password, a dictionary word with a zero instead of an O, held out for eight seconds.
The moral of the story, and the point of my experiment, was to show how useless poor passwords are in the face of an automated attack.
What I didn’t mention was that because I had physical access to the computers I needn’t have bothered trying to guess the password at all. I could have plundered everything on that computer without the password.
Why? Because the disks didn’t use full disk encryption.
Unencrypted hard disks store data in a form that’s easy for other computers to read. I could simply have restarted the computer with a Linux boot CD and either read the data straight off the drives or reset the admin password.
If computers use full disk encryption then attempting to bypass the operating system and read the data directly like this just doesn’t work. Until it’s decrypted, the data is no better than white noise and your data is safe if you leave your computer unattended, lose it, have it stolen or throw it away.
Full disk encryption makes your computer behave the way you already expect it to – it protects your data from anyone who doesn’t have the password.
The good news is that you probably have full disk encryption software already. Windows computers come supplied with BitLocker software and Macs come with FileVault. It’s time to switch them on.
I know three small business people whose laptops have simply died on them in the last six months (two had hardware failures and one was strongly provoked by the arch nemesis of laptops everywhere – a poorly placed cup of coffee).
The first person ran automated daily backups that scooped up everything on their computer and backed it up more or less continuously. The second used a manual backup process that only required they plug in an external drive. The third didn’t take any backups at all but made extensive use of some well known cloud email and storage products.
The first user was up and running the same day with all their configuration, applications and data restored to a new computer. They lost about 30 minutes of work.
The manual backup process used by the second user suffered the same fate that all manual, undercooked or jerry-rigged backup processes seem to; it simply wasn’t used very often. Even though user #2 only had to plug in a USB cable every day to stay more-or-less backed up, they didn’t actually do that. They lost a month of data.
The third user lost everything on their laptop but actually suffered less than the second because most of what they used was in the Cloud.
Interestingly, the second and third users both ended up with new laptops and both took about the same amount of time to get back on their feet – around two weeks.
Your backups are your business’s last line of defence against attack and you can’t afford to lose months of data or several working days making up for the fact they aren’t there.
Your computer security efforts should be focussed primarily on stopping attacks but if all else fails you should be able to restore your systems to a point in time before they were hacked, infected, defaced, ransomed or brutally molested by your morning pick-me-up.
If backing things up requires even a modest manual intervention then the chances of it actually happening plummet. Let your computers do what they do best and automate your backups.
To minimise the risk of viruses spreading to your backups, you should store some recent backups offline and unconnected to any of your other computers.
Using Windows XP
Keeping your software up to date is an absolutely critical security precaution.
Five years ago, the Conficker worm spread like wildfire by exploiting a vulnerability in Windows. The tragedy of Conficker was that it exploited a vulnerability which had been patched by Microsoft 29 days before it began spreading.
Because software was left unpatched, Conficker became the most widely spread malware in the world and an object lesson in the importance of keeping software up to date.
Which leads us nicely to XP.
The problem with keeping Windows XP up to date is that you can’t.
Microsoft pulled the plug on Windows XP updates in April 2014 after a twelve year life and a seven year countdown.
XP will never, ever be updated again.
Despite that, our web analytics reports that about 5% of you – the security concious readers of Naked Security – are reading these words on a machine that’s running Windows XP.
Let’s be clear; Windows XP is dead.
It has passed on.
It is no more. It has ceased to be. It has expired and gone to meet its maker. It’s a stiff. Bereft of life, it rests in peace. If you hadn’t ignored the end of life announcements it would be pushing up daisies. It’s history. It’s off the twig. Kicked the bucket, it’s shuffled off this mortal coil, run down the curtain and joined the choir invisible.
It is (with apologies to Monty Python) an Ex-P.
Windows XP is not the first piece of software (or even the first popular operating system) to be retired and it won’t be the last. It is a fact of life that software your business depends upon will expire from time to time and you need to be ready to say goodbye before it does.
XP is dead and it’s time to move on.