Computer system security lapses periodically
make headlines, causing serious
problems for those whose systems have been
violated. That should make all businesses take
notice.
But local IT experts say that while the
ramifications can be severe, steps can be
taken to see that it doesn't happen.
Alex T. Silverstein, president of Unified
Digital Group LLC in Ballston Spa, noted
that “every business that retains electronic
records of any kind should consider whether
or not portions of those records need to be
encrypted.”
“We hear about the hacking and theft of
credit cards every night on the news,” said
Mark Shaw, founder and president of Stored
Technology Services (StoredTech). “For the
small business owners like us, there are a
number of lessons to learn from these events.”
He stressed that an upcoming issue involving
Microsoft servers needs to be addressed soon.
Jared Humiston, president of Adirondack
Technical Solutions, said security needs to
be thought of in layers and businesses should
consider that approach.
Each expert provided the Saratoga Business
Journal with some advice.
Humiston on Layering Security:
As a solutions-oriented company with a
focus on security, we have seen cybercrime
reach an all-time high in recent years. In
many cases, small business owners that do
not work with a security-focused IT firm
find out how vulnerable their data is when it
is too late.
The damage done from a cyber-attack could
prove catastrophic for a business.
We have seen the
negative results of cyber-attacks on some
of the larger companies. These companies
have taken losses in the tens of millions of
dollars and have lost the public’s confidence,
further increasing the damage done to their
organization.
Security needs to be thought of in layers.
A simple password that you change every 90
days is not enough. Those layers should go beyond
the out-of-the-box virus protection and
firewalls. Companies also need to consider
how their employees are using their technology
in and out of the office and include social
engineering in their security policy.
These policies should be reviewed and updated
on an annual basis to ensure they are
current. Security should be an organizational
effort with the sole goal of improving the
company's security posture and protecting
its data and its clients' data.
Technology is ever changing, and your
organization should be prepared for change.
Cloud computing, electronic purchasing and
millions of mobile devices have increased the
number of targets for cyber criminals. It is
recommended that companies with high-risk
data, or that may fall in a regulated industry,
have annual risk assessments and vulnerability
assessments completed to make sure
the improvements made to your environment
throughout the year have not opened up new
holes through which you can be exploited.
We encourage these businesses to contact
their local IT Service provider for the proper
guidance in implementing a security program
in their organization.
Silverstein on Encryption:
A company can incur significant financial
and legal penalties if any personal, financial,
or other sensitive information is exposed to
unauthorized parties.
In layperson's terms, encryption is the
process by which clear text, that is, data
stored in its original, unmodified state, is
rendered unreadable by humans and, more
importantly, un-hackable (in most cases) by
sophisticated computer programs designed to
steal that information.
Encryption is performed by running
specialized mathematical programming
algorithms that manipulate your clear text,
resulting in protected ciphertext. If you are
not a programmer or database administrator,
you will most likely need to hire one to
accomplish this task for you.
Most strong forms of encryption usually
work by way of a pair of digital keys, known
as a public and private key. Your public key
is used to encrypt your data. You can share
this key with anyone who needs to create
encrypted data for you. Your public key cannot
be used to decrypt (that is, to un-encrypt)
your data. Only the private key can be used
to perform decryption; therefore, you should
never share it with any unauthorized parties.
If your institution is in the habit of storing
sensitive information in clear text in a
database, spreadsheet, or other electronic
format, it is up to you, as a principal of the
company, to take action as soon as possible.
The cost of hiring a professional to perform
data encryption is surprisingly low (since it
is a common task), the reduction of risk is
immediate, and your return on investment
exceedingly high.
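The key-pair property Silverstein describes, shown in working code as an added example that is not part of the article or of Unified Digital Group's own material: the public key turns bytes into ciphertext, the private key turns them back, and applying the public key a second time does not recover the data. This is textbook RSA with the classic toy primes 61 and 53 and no padding, chosen so the arithmetic can be followed by hand; the account string is a constructed sample. It is for teaching only and must never be used to protect real data.

```python
"""Toy RSA showing the key-pair property described above: the public key encrypts,
and only the matching private key decrypts.

Added example, not code from the article or Unified Digital Group. The primes are
tiny and there is no padding, so this is for teaching only and must never protect
real data; production code uses a vetted library with 2048-bit or larger keys.
"""
from __future__ import annotations

import math
from typing import List, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Build ((n, e), (n, d)) from two distinct primes.

    The private exponent d is the inverse of e modulo lcm(p-1, q-1), so that
    (m**e)**d == m (mod n) for every m in [0, n). Primality of p and q is the
    caller's responsibility; real generators draw large primes at random.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if math.gcd(e, lam) != 1:
        raise ValueError("public exponent must be coprime to lcm(p-1, q-1)")
    d = pow(e, -1, lam)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def apply_key(key: Key, values: List[int]) -> List[int]:
    """Raise each value to the key's exponent modulo n. Encryption and decryption
    are the same operation with different exponents; that is the whole trick."""
    n, exponent = key
    return [pow(v, exponent, n) for v in values]


def encrypt(public_key: Key, plaintext: bytes) -> List[int]:
    """Encrypt one byte at a time; each byte must be smaller than the modulus."""
    n, _ = public_key
    if n <= 255:
        raise ValueError("modulus too small to hold a byte")
    return apply_key(public_key, list(plaintext))


def decrypt(private_key: Key, ciphertext: List[int]) -> bytes:
    """Recover the bytes. A wrong key yields values that are not bytes, or junk."""
    values = apply_key(private_key, ciphertext)
    if any(v > 255 for v in values):
        raise ValueError("result is not a byte string: wrong key or corrupted ciphertext")
    return bytes(values)


def demo() -> None:
    # 61 and 53 are the textbook toy primes; n = 3233 fits a byte with room to spare.
    public_key, private_key = generate_keypair(61, 53)
    record = b"Acct 4111-1111-1111-1111"  # constructed sample, not a real account
    ciphertext = encrypt(public_key, record)
    print("ciphertext:", ciphertext)
    print("private key recovers:", decrypt(private_key, ciphertext))
    # Applying the public key again does not undo encryption: only d reverses e.
    print("public key applied again gives:", apply_key(public_key, ciphertext)[:4], "...")
    # Same byte in, same number out: without randomised padding (OAEP) an attacker
    # can read repeated digits straight off the ciphertext. Real systems pad, and
    # use the key pair to wrap a symmetric key that encrypts the data itself.


if __name__ == "__main__":
    demo()
```

Run it and compare the repeated `1` digits of the sample record with their ciphertext: the identical numbers show why unpadded RSA leaks structure, which is the reason real deployments add padding and encrypt bulk data with a symmetric key that the key pair merely protects.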
Shaw on Secure Servers:
While it's pretty clear that these attacks
were coordinated against targets like large
corporations, there are takeaways for all
of us. What is the largest item for security
coming up for many businesses? There is an
easy answer.
Microsoft is focusing on security for its
Server 2003 operating system. It goes
end-of-life on July 14, 2015, which means that
servers in many environments will need to be
replaced and migrated to a newer version.
Microsoft will no longer provide updates or fix
security flaws exposed after that date. In
essence the servers are sitting ducks.
While Windows XP dying made a splash this
year, this issue is even larger. Servers are the
backbone of many networks and if they are not
upgraded, everything from files, applications
and more could be compromised and used by
those looking to breach a company’s security.
The single largest event for many businesses
is this end-of-life for the core of their
networks. Upgrading or replacing a server
operating system requires more than just
buying a new version and installing it. There
are a number of things to consider:
Can your hardware handle the upgrade? If
you have a server that is five-plus years old,
does it have the horsepower to run the new
operating system? Server 2003 would run with
much lower requirements than the new 2012
R2 editions.
Is your server under warranty? Older servers
will be out of coverage and it becomes a business
decision to continue to utilize hardware
that cannot easily be repaired.
Will all your applications work on the new
operating system? Often applications like
QuickBooks need to be upgraded to the latest
version. If this is not planned for, it can cause
a slowdown in the upgrade path and increase
unexpected costs.
What other functions does that server provide?
Does it run the company’s printers? Does
it allow users to connect remotely? Does it run
the email services for the company? Defining
these items and addressing how they will work
moving forward is fundamental to a successful
install of a new server and operating system.
Upgrading an operating system on your
home computer is far less intensive than the
upgrade of an operating system on a server.
Looking at these issues can make the process
a lot less painful.
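The first step of the planning Shaw describes is finding out which machines are actually still on Server 2003 and whether their hardware can carry a newer release. The script below is an added example, not part of the article or of StoredTech's material: it reads the "Key: value" text that the Windows `systeminfo` command prints, matches the OS name against the public Microsoft end-of-support dates for the products the article names, and flags 32-bit hardware, which cannot run Server 2012 R2 at all since that release ships only for x64. The three systeminfo blocks are constructed samples, not captured from real machines, and the assessment date is passed in so the result is reproducible.

```python
"""Flag Windows hosts whose operating system is past, or near, end of support.

Added example, not code from the article or StoredTech. It reads the kind of
"Key:  value" text that the Windows `systeminfo` command prints; the three sample
blocks below are constructed, not captured from real machines. The dates are the
public Microsoft end-of-support dates for the products the article mentions.
"""
from __future__ import annotations

from datetime import date
from typing import Dict, List, Optional

# Product name fragment -> last day Microsoft shipped security fixes for it.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows XP": date(2014, 4, 8),
}

# Constructed samples in systeminfo's layout (continuation lines are indented).
SAMPLE_2003 = """\
Host Name:                 FILESRV01
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Total Physical Memory:     2,048 MB
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

SAMPLE_2012R2 = """\
Host Name:                 APPSRV02
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Total Physical Memory:     16,384 MB
"""

SAMPLE_XP = """\
Host Name:                 FRONTDESK
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
System Type:               X86-based PC
Total Physical Memory:     1,024 MB
"""


def parse_systeminfo(text: str) -> Dict[str, str]:
    """Turn systeminfo's 'Key:   value' lines into a dict, skipping indented
    continuation lines; the first occurrence of a key wins."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        info.setdefault(key.strip(), value.strip())
    return info


def identify_product(os_name: str) -> Optional[str]:
    """Map the OS Name field onto a key of END_OF_SUPPORT, or None if unknown.
    Older systems write '(R)' marks into the name, so strip them before matching."""
    cleaned = " ".join(os_name.replace("(R)", "").split())
    for product in END_OF_SUPPORT:
        if product in cleaned:
            return product
    return None


def assess(info: Dict[str, str], today_iso: str) -> dict:
    """Return host name, product, end-of-support date and a list of findings.
    today_iso is the assessment date as YYYY-MM-DD so results are reproducible."""
    today = date.fromisoformat(today_iso)
    product = identify_product(info.get("OS Name", ""))
    eol = END_OF_SUPPORT[product] if product else None
    findings: List[str] = []
    if eol is None:
        findings.append("product not in the end-of-support table; check manually")
    elif today > eol:
        findings.append(f"out of support since {eol.isoformat()}: no more security fixes")
    else:
        findings.append(f"support ends {eol.isoformat()}, {(eol - today).days} days left")
    # Server 2003 had 32-bit editions; Server 2012 R2 ships only for x64, so an
    # X86-based machine cannot be upgraded in place and needs new hardware.
    if info.get("System Type", "").lower().startswith("x86"):
        findings.append("32-bit hardware: cannot run a 64-bit-only server OS")
    return {
        "host": info.get("Host Name", "?"),
        "product": product,
        "eol": eol.isoformat() if eol else None,
        "findings": findings,
    }


def report(samples: List[str], today_iso: str) -> List[dict]:
    """Assess every systeminfo dump and return the results, printing one line each."""
    results = [assess(parse_systeminfo(s), today_iso) for s in samples]
    for r in results:
        print(f"{r['host']:<12} {r['product'] or 'unknown':<24} " + "; ".join(r["findings"]))
    return results


if __name__ == "__main__":
    report([SAMPLE_2003, SAMPLE_2012R2, SAMPLE_XP], "2015-01-15")
```

On a real network the input would be the output of `systeminfo` collected from each server; feeding those dumps through `report` gives the inventory that the hardware, warranty and application questions above are then asked about.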
This is just one of many things that will
help ensure that a company is protected; other
items like proper virus protection, firewalls,
VPNs, policies, mobile device management,
web security, and more will make the environment
less prone to vulnerabilities. Discussing
Windows Server 2003 going end of life should
be on every company's road map for 2015, and
the time to plan for that is now.