Cybertheft, phishing and the malicious acquisition of data have come to the front of public consciousness in recent years. Criminals are now aware of how easy it can be to steal digital assets rather than physical belongings, while the rewards are often greater and the chances of being caught are less. As large organisations like retail banks become increasingly security conscious, so the thieves have found it more difficult to steal from them or their customers, instead turning their attention to smaller businesses. Unfortunately, there is plenty of low-hanging fruit there. So, below are five simple steps businesses must take to secure its digital assets.
Astoundingly, despite all the expert warnings, the most commonly used password in the UK today is still “password”. It does not take a genius hacker to crack that. A hacker’s first approach to cracking a password is probably going to be a dictionary attack, in which every word and common phrase in the English dictionary is tried repeatedly. So “London” or “data centre” are not good passwords and nor is “London data centre”. The more character sets there are and the longer the password, the more secure it is. So “L0ndonDataC3ntre?” is far more secure for example. It’s vital business ensure all passwords are secure and changed on a regular basis.
Most business IT systems have two parts: external-facing (for example, the company’s website) and internal-facing (for example, the company’s accounting systems). As the name suggests, the external elements can be accessed by anyone, whereas internal processes should only be accessed by trusted employees. A second critical step is to put the two parts onto separate servers and networks with no interconnection between them. That way, if a hacker does take control of the website, there is damage limitation in place as the accounting systems will still be untouchable. Another option available is to run one set in a data centre and the other in-house or in the cloud.
Control VPN access
Most companies now allow remote access to trusted employees over VPNs. Simple access is by a username and password. Access can be made increasingly secure by adding a security step involving something only the user has, as well as something only the user knows. For example, adding a one-time password, which can only be accessed from the user’s email account on their protected mobile phone. If the hacker does not have physical access to the phone to gain the one-time password, cracking the normal password is of no use to him.
Use a data centre
While much effort goes into preventing malicious cyber-access, the simplest way to get hold of data is to physically break in and steal the servers, or just their hard drives. Many smaller companies could never justify the cost of operating 24/7 on-site security cover. The simple thing to do is to put the physical equipment, or maybe just the critical parts of it, into a secure data centre where the physical security, the power, the cooling and the connectivity are guaranteed. Data centres are good at security because it is their job to be.
Hybrid cloud solutions are also growing in popularity, with the critical or constant workload hosted in a data centre, while the less critical, variable workload is remotely hosted in a public cloud.
Get a security audit
Ethical Hacking is a phrase used to describe the work of IT and network security firms. Such a firm sits on the outside and tries to breach a company’s systems and identify vulnerabilities and weaknesses in the same way a malicious hacker would. By doing so, they allow the company to pre-empt any real hackers and to close loopholes before anyone else can identify them. Of course, such audits have to be done regularly, maybe once a year, as all IT systems are continuously updated, overhauled and refreshed. Most data centres will have a relationship with such a security firm. A security audit will repay its cost in peace of mind alone, let alone the avoidance of the disaster which can occur if hackers get into the company’s confidential finance or customer information.
As with many things in business and in life, most of this is common sense. Worryingly, that does not mean even professionals do it, though. Large organisations have the resources and focus to secure their assets using these simple steps. However, for smaller organisations with less time and resource it is still vital that business IT is fully secured, and preferably located in a secure data centre, or they will put themselves at serious risk of cybertheft.
Roger Keenan is the managing director of City Lifeline.