Protecting Your Systems in 2022
Here’s what we’ll be doing in 2022 to help our small business clients with IT security.
2021 offered an unprecedented number of challenges to small business information systems.
I wanted to take a few minutes to talk about the overall strategies that I’ll be using to protect my clients in the coming year.
Defense in Depth
There’s no such thing as a magic pill. Not one product, not one solution, not one strategy that can safeguard IT assets 100% of the time; anyone who tries to convince you otherwise is trying to sell one. And if you believe that sales pitch, you’re already falling into a trap of the mind; you’re already making too many assumptions and assumptions won’t keep you safe.
Instead, it is more rational to perceive risk in terms of layers of control.
Here are some examples:
one layer controls the physical access to a network;
another controls the wireless access to a network;
another controls the remote access to a network;
another layer authenticates who you are to that network;
another defines what software you do or do not have access to.
Five layers, five controls.
Over time, we can measure and test our controls to prove that they work, and we can say - with some degree of certainty - that our systems are secure.
Security, after all, is just a feeling: it is the confidence that we have in our safeguards. If you’re not already managing your IT in layers, how can you have any confidence that your systems are secure? Well, you can’t - you’re just making assumptions - and assumptions do not equal confidence.
Cloud Computing
Most small businesses do not have computer and network expertise on-staff. And aside from the talent problem, managing IT assets and information systems is extraordinarily risky and costly. So unless computer expertise is a core-competency, why do it?
It is far better for small businesses to outsource that risk and push it onto the backs of vendors who can operate at a better economy of scale and can manage IT better than they can.
Somebody like Google can manage your email more cost-effectively than you can, and they have an army of professionals safeguarding your data. So why not let Google handle your email instead of running your own email server? The same could be said for applications, files, phone calls, databases, and device management.
In doing so, small businesses transform IT into an always-on utility - a system like electricity and water - allowing for the most reliable, cost-effective access, using any device, anywhere.
You don’t keep an electrician on-hand to deal with electrical problems, right? And you don’t keep a plumber on your payroll to handle the plumbing problems and run more water into your building. The same should go for your IT. Outsource the risk; transform IT into a utility.
In 2022, I’ll continue to push my small business clients to abandon running their own on-prem servers and devices, and to leverage cloud computing to the greatest extent possible.
Identity and Access Control
One of the biggest challenges we have in IT today is the theft of somebody’s identity to gain access to a confidential system. This is primarily done with phishing attacks. A bad actor sends your team an email that looks legitimate. A team member clicks on a link and is brought to a website that looks and feels legitimate, but is really set up by the bad guys to capture their username and password to a secure system.
It’s a huge problem and employee training isn’t enough. The bad guys get more sophisticated every day. We need technical controls that adapt - using machine learning (ML) and artificial intelligence (AI) - to spot the phishing attack and prevent the user from even seeing it. Google’s Gmail uses these tools to constantly screen attacks from aggressors intending to steal identity information from your employees.
Combined with good password management policies, multi-factor authentication, and admin alerts controlling end-user access, adaptive ML/AI promises to reduce these effects significantly. In 2022, in my role as a Google Partner, I’ll be continuing to help my clients get the greatest benefit from their cloud platform investment by securing their identity.
Endpoint and Mobile Device Management
Another vector of attack against your systems is through exploiting the human propensity to procrastinate and ignore risk.
A good example is computer security updates. Many users will deliberately tell their computers not to apply updates, or won’t restart their machines after receiving updates. This prevents the system from receiving necessary software updates to help protect them, and over time, the lack of patches creates huge holes that aggressors can drive a truck through.
Endpoint Management (EPM) uses software to regulate the compliance of managed computers so that they’re always receiving their security patches. EPM also takes care of things like viruses, malware, and intrusion detection. It provides a set of tools to remotely manage assets to bring them back into compliance and safe to use.
Mobile Device Management (MDM) uses similar controls to verify that the devices approved to remotely access company information (like mobile phones, tablets, and laptops) are controlled.
Used in conjunction with each other, MDM and EPM alert administrators to take action if a machine continuously falls outside of the range of acceptable patching or suffers from malware or an attack, prevent unauthorized, lost, or stolen devices from accessing secure information, and provide dashboard-level pictures of the overall security posture of a company. It’s the best, most cost-effective way to prevent loss … rather than reacting to loss.
In 2022, I’ll be attempting to convince most of my clients to join my endpoint management program and implement MDM to best control their systems.
Managed Browsers
Increasingly, phishing attacks come not just from email but from what are referred to as browser hijacks. Websites and software will redirect the user’s browsing activities to websites that attempt to steal identity credentials or Personal Private Information (PPI). Hijacks threaten not only the user but any confidential information that may exist on their computers.
These risks demand that an IT control be extended to Internet browsers. Managed browsers are browsers that exist on any device anywhere but receive a central set of policies. These policies dictate how the browser can be used, when it can be used, what sites and software are okay to use - and which ones aren’t - and prevent the user from accessing known-bad websites that could harm them.
In my role as a Google Partner, in 2022, I’m going to help a majority of my clients by deploying managed browsing policies governed by their Google Workspace investment to help keep their teams safe while using the Internet.
Perimeter Control
There are logical software components to every network. These components control the logical flow of information. You’re probably familiar with these devices by their names of routers, switches, bridges, and gateways. Most are simple computing appliances without a high degree of security built into them.
These devices do their work day in and day out and most of the time, you don’t have to even think about them. However, over time, their firmware needs to be updated; for the same reason we patch computers, we must also patch these devices. Aggressors realize that this equipment often goes unnoticed and unsecured because it’s not something most people are thinking about.
Well, I’m thinking about it. In 2022, I’ll be helping my clients identify their network’s perimeter infrastructure, either patching or replacing suspect equipment, and implementing tighter security controls over them.
Training
All the ML/AI in the world can’t beat human instinct or well-trained human behaviors. Technical controls to help secure the workplace are great but real security - real confidence - begins and ends with training people.
Your team must be brought up to speed about the most recent threats and concerns, and given tools to help them navigate the risk.
Sometimes, the best training simply interrupts an emotional response to a problem … to get somebody to just question clicking on a link so they can ask for more advice is an interrupt that a hacker can never thwart. The most skilled hacker can rarely beat an attentive, trained human! They’re counting on the human to not be paying attention, to not be trained.
Therefore, technical controls aren’t enough. This next year, I’ll be pushing training to help teach and inspire others to take these threats seriously. Further, responding to these problems by dealing with them in-depth, through implementing layers of controls, through shifting more and more risk to cloud providers, by implementing strong controls over identity and Internet browsing, and through inspecting the perimeters of our networks, will help instill a stronger sense of security for my clients next year.
Working from Home? You Need a Computer Consultant.
Today more than ever, small businesses and home office workers need a reliable computer consultant to help them navigate computer problems. We recommend you get to know someone local who can help you when you need help.
In the age of COVID, everyone is making changes, particularly as it relates to the nature of work.
If you’re a knowledge worker operating out of your home office, you’re using computer and networking equipment that you’ve never had to really rely upon. Your home PC, your home router, your home wifi - these were devices of convenience.
Today, though, relying on your network and computer equipment is a matter of making an income, running your business, and servicing your customers. In the past, a bit of jitter in watching Netflix wasn’t a big deal, but if you can’t complete a clean teleconference, you might not land that agreement. You need the same security, performance, and reliability out of your home network as your office network, and you need somebody to help you get there.
A computer consultant can help you with these problems. They’ve got real-world industry training and discipline that they can bring to the equipment found in your home office. The same practices and techniques that keep your office network safe can be applied to your home. It’s about enterprise computing at home office scale.
Computer analysis and endpoint monitoring
Antivirus, malware, and intrusion detection
Router inspection and firmware upgrades
Security analysis and application of best-practices to keep you safe
Disaster recovery and data backups
Work telephones and conferencing
Remote support and troubleshooting
Including all of this, a computer consultant can just give you good, practical advice. Things you should know about and be aware of.
If you believe that the COVID experience isn’t going to end any time soon, and that work-life balance is inexorably going to change one way or another, then establishing a good relationship with a local technical professional is your hedge against data loss, down-time, or critical failure. Get to know someone who works when you work, and can get you out of a tight spot when you really need them.
Just give us a call. And we don’t charge anyone to get to know how we can help them, so it’s not going to cost you anything to just open up a conversation.
Remote Workers are Significantly Vulnerable to Hacking
Everyone is working from home. But what about the risks to our computers and company data? What kind of countermeasures can you take to help protect your small business from disaster?
The COVID-19 pandemic has forced millions to work from home.
In the tech industry, we call home computers and home networks unmanaged endpoints - unmanaged because we don’t control those devices and we have no idea how they’re configured.
There’s a whole bunch of risk that comes with unmanaged endpoints:
The operating systems of home computers are often neglected. They could be lesser versions of Microsoft Windows or macOS and haven’t received critical updates or patches.
The software or settings that we introduce into corporate environments to safeguard our computers aren’t implemented with unmanaged endpoints.
Disaster recovery on unmanaged endpoints is challenging because data may be stored on the local hard drive of these machines. There may not be any data backups.
Privacy and confidentiality of corporate data may also be at risk because, again, such data is stored on an unmanaged hard drive. Who knows if the local admin password on the PC is set to a reasonable level as to disallow root-level access.
The use cases of home machines are very different from those of business machines. There’s likely to be more risky behavior (browsing, downloading, installing by end users) associated with these endpoints, taken on by teenagers and children.
The networking equipment - like the home router and wifi access point - likely hasn’t been patched, updated, or even its root password rotated from its default setting.
And all of this spells big trouble for the small business.
The challenge is to transform these unmanaged assets into managed ones, and, to inspect the networking environment for potential risks and, well, you know … do something about it!
We help small businesses use technology better. That includes three critical solutions to help protect small businesses while distance-working.
Ongoing Endpoint Monitoring and Protection.
Online Backups.
Remote Support.
Our Endpoint Monitoring and Protection software reports vulnerabilities back to us so we can take corrective action. It turns an unmanaged endpoint into a managed one. It helps identify areas where the operating system may be vulnerable, or, when somebody installs a risky program. It also includes an antivirus, anti-malware, safe browsing, and intrusion protection system that counters typical threats to a user’s machine.
Our Online Backup solution is all about recovering the company’s data in addition to the user’s data while they’re using their own PC for company business. In the event of failure or if their machine is hit by ransomware, we can recover the user’s data to a restored machine.
Our Remote Support is part of what we offer. It’s a human eye that looks at the user’s network and can make recommendations to improve their security posture. We can red-flag issues that are unmitigated risks so that they can be dealt with; otherwise, we can help safeguard the remote employee with a few simple changes. And of course, if the user gets in a jam with their tech, we’re there to help so they can get back to work.
In all, our approach is to mitigate risk to the small business and to the employee by taking preventative measures. Instead of just reacting to failure - hoping that everything is okay with an unmanaged asset - we help our clients move beyond hope. We help small businesses have confidence in their ability to function and serve their customers.
That’s how we add value.