10 Simple IT Security Steps for Small Business
IT Security is Critical
Malware attacks enabled by weak IT security have made big news lately, and cybercriminals are a concern for businesses of every size. Small businesses without an IT department are at higher risk: they are not as attractive a target as a Fortune 500 company, but attackers may see them as a much easier mark, and a single attack could wipe out a small business.
After taking steps to upgrade our own security procedures, Eron Iler, Fleetistics fearless leader, documented what he learned through the process. In this video, he shares 10 steps that any company can take to improve its IT security and lower its risk of falling victim to a cyber-attack. To learn more about cyber crime, visit IGTech365.
Transcript of 10 IT Security Steps
Hi everybody! Eron here with Fleetistics, and today we’re going to talk about something a little bit different than fleet tracking technology. What we’re going to talk about is technology that has come to the forefront in the news lately, and it’s really about securing your business. We’re not only interested in your fleet, but we want to see your overall business flourish, and in the future we hope to bring you more business-related products and services that will just help you grow your business and make it a more profitable business.
So the topic today is actually IT security. There are some things that we have done internally to improve our security, and these are the same types of things that most small to medium businesses should be doing as well.
Now if you’re in a bigger organization you probably have IT staff that is available to take care of these things for you. You may hear some things that you’re not doing, and you may have to ask your IT group as to why you’re not doing certain things, because these are pretty basic type security measures that should be implemented.
So the very first one is two-factor authentication, and if there’s anything that’s going to help you avoid getting hacked – and it’s the easiest thing to do – two-factor authentication is it. You can receive an email, an SMS, or you can use the authenticator app to get a code, which then allows you to enter that code to then access sensitive areas of your organization or to sign in to perhaps a company resource like SharePoint or something like that. It is a very, very simple way of doing
And with all security there’s a trade-off. There’s convenience versus security, and every time that you add more security you’re going to have a little more inconvenience, so you’ve got to realize that in our world today we are just dealing with things differently. And now when it comes to malware, spyware, the encryption technology, things of that nature, those things have very, very real consequences. And you can see from the gas company, who is a major organization which would probably or should have had some of the best IT available, they still got caught. So what are you going to do in your small business? And it is just as easy as clicking on something that looks familiar, not paying attention to the destination URL, and then you install something that encrypts your hard drive, right? Or even worse yet, it gets into your network and encrypts your network, so something like two-factor authentication is a very easy way to put up an initial barrier to that process.
All right, number two is only allow computers that are connected to your network through the company to actually connect up to your resources. And it is convenient for us to allow people to work from home and use whatever computer they may have already in place. It is also inconvenient for employees to have to use a company computer because they probably already have a workstation set up; however, what you cannot do is rely on that computer and that employee to manage their security the same way that you want to manage your business security. Therefore, if you enable the functionality that only a company computer that is registered through your IT department on your network can actually connect to your company resources, you will avoid the holes that are created by employees who may or may not keep up with IT security. They certainly are not going to have the level of security that you would want to have to protect not only your data in your operation, but your customer information as well. And if you happen to be storing credit card information or sensitive data, then by law you have requirements like this to protect that information. If an organization was to steal all your contact information… maybe it’s something they could find online, but if they took that list and turned around and sold it to a competitor (and I don’t know about you, but every day I get prompted via email, “hey, would you like to buy a list from this organization or this industry?”), they can take that information and make it available to your competitors and then start calling on your customers. Right? So it may seem mundane for certain types of information, but they can do a lot of things with data that you and I don’t even think about.
So another step is to control what IP addresses can connect to your network. And even if someone’s working from home, you can simply type in “what is my IP”, you can get their IP address, and you can share that with your IT department. The IT department can then configure the firewall to only allow certain IPs to connect. The firewalls have a lot of advanced functionality and you could actually do additional things like only allowing connections during certain times of the day.
So we know that a lot of hacking takes place coming out of Russia and China, and their hours of operation are typically not going to be our normal business hours. By blocking network connectivity outside of working hours, you’re going to remove a huge chunk of opportunity for people in these other countries to hack into your network. Hackers don’t want to go where it’s hard to do things, they want to go where it’s easy. They may probe a lot around different companies and networks looking for these little gaps, and then when they find them, they exploit it. If they can’t even touch yours because you have IP restrictions, either by individual IP and/or IP and by day and time, then you’ve created a hard surface or a hard security scenario that they aren’t going to want to waste time trying to figure out. If they can’t hack it, then they can just move on to your neighbor or your competitor who hasn’t done anything, and they will easily be able to continue on with
The next thing is the implementation of Intune. Intune is a Microsoft product and it allows you to protect your data on mobile devices, laptops, even PCs, but a lot of people connect phones, and I do the same thing, I connect my mobile phone to my work. I connect up SharePoint, OneDrive, email, OneNote… All of those things are on my phone, and what happens if my phone gets stolen, right? I’ve now created a pipe from my phone straight into my business. And because authentication has already taken place, if somehow they can get into my phone then they’re going to have that direct access as well. With Intune, it’s an app that installs on these devices, and if the phone gets stolen, or a laptop gets stolen like we had. In our case we actually had an installer who had a laptop stolen out of the vehicle, and at that time we had remote monitoring software on the laptop and we were actually able to log into the laptop and we could see who the user was, we could see their emails, and we could see that they were in Africa, it was West Africa somewhere… in the, I think it’s called the Cape Horn area, and we could see what they were actually typing and things like that, so we sent a little message and consequently we never heard from them again after that. But Intune allows you to go in and compartmentalize your company information and lock it down, and if something gets stolen you can reach out to that device and you can lock that information and delete it off of the device completely. And it’s only affecting business-related information and there’s no spyware involved, so your employees don’t have to worry about that. But if something happens you can grab that data and you can delete it off that device and know that your information is protected.
If you need assistance or are interested in Microsoft 365 or Intune, I would recommend checking out IGTech365.com, which we’ll post in the show notes. IGTech365 is an IT company. They handle our IT and they can handle your IT as well. Even if you have the Microsoft Office 365 package today or Business Suite today, they can become your partner of record and it doesn’t change your price or anything else. And once they become your partner of record, then they will actually also provide support that goes along with that. So if you have a question or a problem, then you don’t have to call Microsoft. You call IGTech365. They’ll handle it and get on the phone with Microsoft or help you through that. It’s a full-service IT company, so you can check with them and see what other services they offer as well, from Microsoft Teams as a voice over IP system, which we also use internally – which is great, to the full Office 365 suite.
The next thing is to scan network connections for sensitive information patterns such as credit cards and social security numbers. That’s a little bit more complicated and a little bit more advanced. Most small businesses aren’t going to do that, especially if you don’t maintain that type of information, but there are programs that you can put on computers that will scan traffic in and out and look for patterns of information, i.e. a social security card number or a credit card number. And when it recognizes that 16-digit number, then it flags it and sends that information to management, so they can look at it and make a determination as to whether or not that’s something that should or should not be happening.
Monitoring computer activity is another one, whether you’re looking at detailed information or just looking at activity. If you see a computer as active during off hours, then maybe somebody is taking control of that computer when you know that employee is not going to be working. So if you saw activity at three o’clock in the morning, and you know it’s an administrative position that would never have a need to work at that time frame, then you can pick up on that and go in and take a look and see what’s going on.
Something as simple as locking your screen, and you may not know this, but if you hold down the Windows key and hit the L key at the same time, it’ll actually lock your computer, which is a very easy habit to get into when you’re walking away from your computer. Even in your house, you have people coming and going in your house, maybe a cleaning service, something of that nature, and if you walk away from your computer and all of a sudden your computer is opened up and you leave the house to go walk the dog, there’s nothing preventing someone from getting on your computer, taking a picture of your computer, things of that nature. So getting in the habit of locking that screen and putting an auto-lock on that screen after let’s say five, ten, thirty minutes of no activity is a great way to help lock down the computers and avoid that type of intrusion that you might not think happens, but it’s totally possible.
The next thing that we did is we updated our password policy. And changing your password every 30 days is just not practical. Everybody hates it; that is a sacrifice that I don’t want to make, but what we can do is make the passwords more complex, and we can make them longer. We can require capitals and lowercase, and special characters and some number combinations, things of that nature that are going to make the odds of it getting hacked pretty, pretty low. And once you do that, then maybe change your password once a year is what you want to do. IT people are going to have a different opinion on that, but if you do that in conjunction with two-factor authentication, then you’re going to have a pretty secure login process.
And the last thing is taking advantage of employee background checks these days. Who is actually getting into your systems? Who are you hiring, are they the right people? So there’s a personal security protection that you need to be looking at. There are so many online services today that can run background checks for you to make sure that the people that you’re hiring are the right folks, and the people that you can trust to handle certain types of sensitive information. And what you don’t want to do is have information that walks out of your organization. A platform like SharePoint, which is part of the Microsoft 365 platform, can also monitor for downloads of files in large quantities; if files are being deleted, it can monitor that. It does keep a recycle bin for you and a version history for you, which is great, and again if you want some help with that and you want to learn more, IGTech365 is the company to call.
So there’s protections in all these different areas that you need to be looking at, and they’re just so, so simple that there’s no reason why you shouldn’t go about making some of these changes. But these were just 10 things that I came up with as a small business that would make sense for your business whether you have two people, right? If it’s not family, still some of this stuff you want to do regardless, even on your personal computer. But if you have two people and they’re not all family, then that’s when you should start this practice. And if you have it implemented when you hire people, then it’s much easier than to implement after you’ve got people that are hired and used to doing things the old way, right? Because change is always difficult.
So that’s what I have for you today. I hope you enjoyed, I hope you got some tips. If you enjoyed the content, hit the like and subscribe button down below, and we will see you on the next video. Good luck growing your business and stay profitable!
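The IP allow-list, the time-of-day restriction and the off-hours monitoring described in the transcript come down to two questions asked of every sign-in: did it come from an address IT has approved, and did it happen during working hours? The script below is an added example written for this page, not code from the video, Fleetistics or IGTech365. It applies both checks to a few sign-in records. The office network, the remote worker's home address, the 07:00 to 19:00 weekday window, the fixed UTC-4 offset and the log lines are all constructed for illustration.

```python
"""Added example for this page (not code from the video or from IGTech365):
review sign-in records against an IP allow-list and a business-hours window.
All networks, times and log lines below are constructed for illustration."""
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumption: the business runs on a fixed UTC-4 offset. In production use
# zoneinfo.ZoneInfo("America/New_York") so daylight-saving changes are handled.
LOCAL_TZ = timezone(timedelta(hours=-4))
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed 07:00-19:00 local, Mon-Fri

# Assumed allow-list: the office range plus one remote worker's home IP (the
# "what is my IP" value the transcript says to hand to IT). Both are RFC 5737
# documentation ranges used here as placeholders.
ALLOWED_NETWORKS = [
    ip_network("203.0.113.0/24"),    # office
    ip_network("198.51.100.17/32"),  # bob's home connection
]

# Constructed sign-in log, one record per line:
# "<UTC timestamp> <user> <source IP> <result>"
SAMPLE_LOG = """\
2024-03-12T13:05:44Z jane 203.0.113.40 success
2024-03-12T07:12:09Z bob 198.51.100.17 success
2024-03-13T06:58:30Z jane 192.0.2.77 success
2024-03-13T15:30:00Z admin 203.0.113.41 success
"""


def parse_record(line):
    """Split one log line into (aware UTC datetime, user, IP address, result)."""
    ts, user, ip, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, ip_address(ip), result


def is_allowed_ip(addr):
    """True if the source address falls inside any allow-listed network."""
    return any(addr in net for net in ALLOWED_NETWORKS)


def in_business_hours(when_utc):
    """True if the UTC timestamp maps to a weekday inside the local working window."""
    local = when_utc.astimezone(LOCAL_TZ)
    return local.weekday() < 5 and BUSINESS_START <= local.time() < BUSINESS_END


def review_signins(log_text):
    """Return (user, ip, reasons) for every record that breaks the policy.
    Records that pass both checks are not reported."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, addr, _result = parse_record(line)
        reasons = []
        if not is_allowed_ip(addr):
            reasons.append("ip_not_allowed")
        if not in_business_hours(when):
            reasons.append("off_hours")
        if reasons:
            alerts.append((user, str(addr), tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for user, ip, reasons in review_signins(SAMPLE_LOG):
        print(f"ALERT {user} from {ip}: {', '.join(reasons)}")
```

On the sample log this reports bob's 03:12 local sign-in (approved address, wrong hours) and jane's 02:58 sign-in from an address that is on neither list. A firewall rule enforces the same policy at connection time; running the check over the sign-in log as well is what lets you see the attempts that got through, which is the point of the monitoring step. Treat both conditions as signals to review, not proof of compromise: a legitimate employee may travel, and an attacker who has stolen a laptop or a phone, as in the story above, connects from wherever that device is.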
IT Security Top Ten List
- Implement 2-factor authentication.
- Only allow company-registered computers to connect to your company resources.
- Control what IP addresses can connect to your network.
- Only allow connections during certain times of the day.
- Implement Microsoft Intune or a Mobile Device Management (MDM) service.
- Scan network connections for sensitive information patterns (credit card and social security numbers).
- Monitor computer activity, especially activity outside working hours.
- Lock screens when away from your computer (Windows key + L), and set an auto-lock timeout.
- Update your password policy: longer, more complex passwords (8+ characters with mixed case, numbers and symbols), combined with 2-factor authentication.
- Require employee background checks.
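The sixth item, scanning for credit card and social security number patterns, is the one the transcript calls more advanced. The script below is an added example written for this page, not Fleetistics or IGTech365 code, and shows the check in its smallest form. A regular expression finds candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes), and a Luhn checksum discards runs of digits that merely look like a card number, which is what stops every 16-digit order ID from landing in front of management. SSN candidates are checked against the structural rules the Social Security Administration publishes. The sample traffic lines are constructed; the card numbers are well-known test numbers and the SSN is the one the SSA itself uses as a sample.

```python
"""Added example for this page (not code from the video or from IGTech365):
flag credit card and US Social Security numbers in lines of captured traffic.
The sample lines are constructed for illustration."""
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# US SSN as AAA-GG-SSSS with the SSA's structural rules: area is not 000, 666
# or 900-999; group is not 00; serial is not 0000.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Constructed sample traffic; comments say what each line should do.
SAMPLE_TRAFFIC = [
    "POST /checkout card=4111111111111111 exp=12/27",         # Visa test number, passes Luhn
    "order_id=1234567890123456 customer=acme",                 # 16 digits but fails Luhn: not flagged
    "ssn=078-05-1120 name=Jane Doe",                           # the SSA's own sample SSN
    "expense note: reimburse 5500 0000 0000 0004 for travel",  # Mastercard test number, with spaces
    "GET /report?page=2 total=1999",                           # nothing sensitive
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): every real payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str     # "card" or "ssn"
    masked: str   # only the last four digits survive into the report


def mask(digits: str) -> str:
    """Keep the last four digits so a reviewer can match the record without
    copying the full number into yet another place it should not live."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines):
    """Return a Finding for each card or SSN pattern found in the given lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(n, "card", mask(digits)))
        for m in SSN_RE.finditer(line):
            findings.append(Finding(n, "ssn", mask(m.group().replace("-", ""))))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_TRAFFIC):
        print(f"line {f.line_no}: possible {f.kind} {f.masked}")
```

Run on the sample lines it reports the two card numbers and the SSN and stays quiet about the order ID. The report carries only masked values on purpose: the alert that tells management a card number crossed the network should not itself be a second copy of that card number. A Luhn-valid match is still only a candidate (the checksum rejects roughly nine in ten random 16-digit strings, not all of them), so the management review the transcript describes remains the final step.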