Computer system security lapses periodically make headlines, causing serious problems for those whose systems have been violated. It should make all businesses take notice.

But local IT experts say that while the ramifications can be severe, steps can be taken to see it doesn’t happen.

Alex T. Silverstein, president of Unified Digital Group LLC in Ballston Spa, noted that “every business that retains electronic records of any kind should consider whether or not portions of those records need to be encrypted.”

“We hear about the hacking and theft of credit cards every night on the news,” said Mark Shaw, founder and president of Stored Technology Services (StoredTech). “For the small business owners like us, there are a number of lessons to learn from these events.”

He stressed that an upcoming issue involving Microsoft servers needs to be addressed soon.

Jared Humiston, president of Adirondack Technical Solutions, said security needs to be thought of in layers and businesses should consider that approach.

Each expert provided the Saratoga Business Journal with some advice.
Shaw on Secure Servers:
While it’s pretty clear that these attacks were coordinated against targets like large corporations, there are takeaways for all of us.

What is the largest item for security coming up for many businesses? There is an easy answer.

Microsoft is focusing on security for its Server 2003 operating system. This is going end-of-life on July 14, 2015, which means that servers in many environments will need to be replaced and migrated to a newer version. Microsoft will no longer provide updates or fix security flaws exposed after that date. In essence, the servers are sitting ducks.

While Windows XP dying made a splash this year, this issue is even larger. Servers are the backbone of many networks, and if they are not upgraded, everything from files, applications and more could be compromised and used by those looking to breach a company’s security.

The single largest event for many businesses is this end-of-life for the core of their networks. Upgrading or replacing a server operating system requires more than just buying a new version and installing it. There are a number of things to consider:
Can your hardware handle the upgrade? If you have a server that is five-plus years old, does it have the horsepower to run the new operating system? Server 2003 would run with much lower requirements than the new 2012 R2 editions.

Is your server under warranty? Older servers will be out of coverage, and it becomes a business decision to continue to utilize hardware that cannot easily be repaired.

Will all your applications work on the new operating system? Often applications like QuickBooks need to be upgraded to the latest version. If this is not planned for, it can cause a slowdown in the upgrade path and increase unexpected costs.

What other functions does that server provide? Does it run the company’s printers? Does it allow users to connect remotely? Does it run the email services for the company? Defining these items and addressing how they will work moving forward is fundamental to a successful install of a new server and operating system.

Upgrading an operating system on your home computer is far less intensive than the upgrade of an operating system on a server. Looking at these issues can make the process a lot less painful.
This is just one of many things that will help ensure that a company is protected; other items like proper virus protection, firewalls, VPNs, policies, mobile device management, web security, and more will make the environment less prone to vulnerabilities. Discussing Windows Server 2003 going end of life should be on every company’s road map for 2015, and the time to plan for that is now.
Humiston, Layering Security:
As a solutions-oriented company with a focus on security, we have seen cyber crime reach an all-time high in recent years. In many cases, small business owners that do not work with a security-focused IT firm find out how vulnerable their data is when it is too late. The damage done from a cyber-attack could prove catastrophic for a business. We have seen the negative results of cyber-attacks on some of the larger companies. These companies have taken losses in the tens of millions of dollars and have lost the public’s confidence, further increasing the damage done to their organization.

Security needs to be thought of in layers. A simple password that you change every 90 days is not enough. Those layers should go beyond the out-of-the-box virus protection and firewalls. Companies also need to consider how their employees are using their technology in and out of the office and include social engineering in their security policy.

These policies should be reviewed and updated on an annual basis to ensure they are current. Security should be an organizational effort with the sole goal of improving the company’s security posture and protecting their data and their clients’ data.

Technology is ever changing, and your organization should be prepared for change. Cloud computing, electronic purchasing and millions of mobile devices have increased the number of targets for cyber criminals. It is recommended that companies with high-risk data, or that may fall in a regulated industry, have annual risk assessments and vulnerability assessments completed to make sure the improvements made to your environment throughout the year have not opened up new holes through which you can be exploited.

We encourage these businesses to contact their local IT service provider for the proper guidance in implementing a security program in their organization.
Silverstein on Encryption:
A company can incur significant financial and legal penalties if any personal, financial, or other sensitive information is exposed to unauthorized parties.

In layperson’s terms, encryption is the process by which clear text, that is, data stored in its original, unmodified state, is rendered unreadable by humans and, more importantly, un-hackable (in most cases) by sophisticated computer programs designed to steal that information.

Encryption is performed by running specialized, mathematical programming algorithms that manipulate your clear text, resulting in protected cypher text. If you are not a programmer or database administrator, you will most likely need to hire one to accomplish this task for you.

Most strong forms of encryption usually work by way of a pair of digital keys, known as a public and private key. Your public key is used to encrypt your data. You can share this key with anyone who needs to create encrypted data for you. Your public key cannot be used to decrypt (that is, to un-encrypt) your data. Only the private key can be used to perform decryption; therefore, you should never share it with any unauthorized parties.

If your institution is in the habit of storing sensitive information in clear text in a database, spreadsheet, or other electronic format, it is up to you, as a principal of the company, to take action as soon as possible. The cost of hiring a professional to perform data encryption is surprisingly low (since it is a common task), the reduction of risk is immediate, and your return on investment exceedingly high.
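Silverstein's description of a public key that encrypts and a private key that decrypts can be made concrete with textbook RSA. The following is an added illustration, not code from the article or from any of the firms quoted in it. It assumes two small, fixed, well-known primes chosen so the numbers stay readable, a sample record (`b"payroll"`) constructed for the demonstration, and no padding, so it shows only the key asymmetry: the public key turns clear text into cypher text, the private key turns it back, and the public key alone does not.

```python
"""Textbook RSA, added to illustrate the public/private key split.

Constructed example: the primes are tiny, there is no padding, and a
real deployment would use a vetted library (2048-bit or larger keys,
OAEP padding, and a symmetric data key wrapped by the public key).
"""
from math import gcd

# Constructed key material: two well-known primes, small enough to read.
P = 1000000007
Q = 998244353


def generate_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and the private key.

    n is the modulus shared by both keys, e the public exponent and d the
    private exponent, the modular inverse of e modulo phi(n).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Encrypt with the *public* key: anyone holding it can do this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message does not fit under the modulus (toy RSA has no chunking)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Decrypt with the *private* key: only its holder recovers the plaintext.

    Leading zero bytes of the original message are not preserved by this toy;
    padding schemes in real libraries take care of that.
    """
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def public_key_recovers_plaintext(public_key, ciphertext: int, message: bytes) -> bool:
    """Apply the public exponent to the ciphertext, which is all someone
    holding only the shared public key can do, and report whether the
    plaintext came back. For a properly generated key pair it does not."""
    n, e = public_key
    m = pow(ciphertext, e, n)
    return m == int.from_bytes(message, "big")


if __name__ == "__main__":
    public, private = generate_keypair()
    secret = b"payroll"  # constructed sample record; 7 bytes fits under n
    c = encrypt(public, secret)
    print("ciphertext:", c)
    print("decrypted with private key:", decrypt(private, c))
    print("public key recovers plaintext:", public_key_recovers_plaintext(public, c, secret))
```

The design point the article glosses over is that in practice the public key does not encrypt the records themselves: a library generates a random symmetric key, encrypts the bulk data with that, and uses the public key only to wrap the symmetric key. That is why a database or spreadsheet of any size can still be protected by a key pair, and why the private key, which unwraps everything, is the one asset that must never leave authorized hands.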