And for those that do, most won't follow through on what I suggest. Sorry to get your attention this way, but there are several games afoot when it comes to your IT, and if you aren't listening and taking action you will likely be on the wrong end of transactions that will harm you and your business. So there are 3 items that should be top of mind when it comes to your business, its data and the security of both.
First, Microsoft Windows Server 2003 reaches End of Support on July 14th 2015. What does that mean to you? Like any business with a product, Microsoft puts an end to its obligation to support it. So on July 14th 2015 Microsoft will no longer release patches and updates for Server 2003, just as it stopped doing for Windows XP last year. So what is the big deal if you have a server running Windows 2003? I mean, your software still supports it, or you are only using it as a file/print server, right? Well, the issue is the same as with Windows XP: many exploits are likely being saved up by those who are aware of them so they can take advantage of them once Microsoft gives up on it. While most people think these will be focused only on big corporates, these exploits aren't aimed so much as they are "released", which means they will take advantage of any server they can find. That means your staff may inadvertently give those exploits access to the server through one of the many attacks that take advantage of email or even phone calls now. So the short answer is: if you aren't sure whether you have any Windows 2003 Servers left in your environment, find out now! There are exceptions where you can't get rid of a Windows 2003 Server, but in those rare cases you need to be very aware of how you keep it in your environment so that it is as secure as you can make it.
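One quick way to answer the "do we still have any?" question, as an added example that is not part of the original newsletter: ask Active Directory for every computer account that still reports a Windows Server 2003 operating system. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and you can read computer objects.

```powershell
# Added example (not from the original newsletter): inventory Active Directory for
# any computer object still reporting a Windows Server 2003 operating system.
# Assumes the ActiveDirectory module (RSAT) and rights to read computer objects.
Import-Module ActiveDirectory

# Properties that matter for an end-of-support decision
$props = 'OperatingSystem', 'OperatingSystemServicePack', 'LastLogonDate', 'IPv4Address'

$legacy = Get-ADComputer -Filter { OperatingSystem -like "*Server 2003*" } -Properties $props |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
    Sort-Object LastLogonDate -Descending

if ($legacy) {
    Write-Host "Windows Server 2003 hosts still in AD (support ends July 14th 2015):"
    $legacy | Format-Table -AutoSize

    # Hosts that have not logged on in 90 days may already be retired but never removed;
    # they still need a decision (delete the account or confirm the box is gone).
    $stale = $legacy | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) }
    if ($stale) { Write-Warning "Possibly retired but still in AD: $($stale.Name -join ', ')" }

    # Keep a dated copy so you can track progress on retiring or isolating them
    $legacy | Export-Csv -Path ".\Server2003-Inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
} else {
    Write-Host "No computer accounts in AD report Windows Server 2003."
}
```

Servers that are not domain-joined will not appear here, so treat this as a starting list rather than a complete one.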
ENCRYPT YOUR DATA! Wow, that was loud, I know. But I continue to see more and more exploits where data is lifted from a PC or server because an exploit got access to an end user device that shouldn't have had access to the data, and if the data had been encrypted it wouldn't have. This may pertain to databases more than anything else, but even if the data is on a PC that is lost, no one can gain access to it. Matt Drinkwine, our VP of Service, called me the other day to tell me someone had broken into his car and stolen his laptop bag. The bag had his iPad and the company laptop he uses. I was more upset and worried about his iPad than the laptop, because I knew he had enabled the encryption that came with the laptop, such that even if they took the hard drive out of the unit it would be of no use to them. Yeah, it was a pain to replace, but at least we didn't lose any data of ours or our clients'. So what should you be doing to address this? First, you have to know where you have data that matters; that is the hard part, unless you want to have to encrypt everything. After you know where the data is, you need to review what encryption options are available to you. You may have to consider software-based encryption if the system doesn't support it built in. This may be third party, or BitLocker by Microsoft if you use Windows 8.1 Pro or Enterprise. Many new laptops and PCs come with hardware-based encryption for the system baked in, but it will likely add a few dollars to the cost of the system. For servers this may be a no-brainer for those covered by HIPAA, SOX or one of the other regulations, but for PCs and laptops you have to consider how likely the device is to have important data on it. Lastly, you need to consider your policy for use of online data storage like Dropbox, Box, and Live Drive.
Most of us have at least one, if not all 3, of these services for personal use, and it is very easy to start also using them for work, which takes the business's data outside the controls we set out for the business. If you aren't actively using one or more of these for your business, with rules and controls in place, consider blocking them all, or at least those you don't want used, via policy in your firewalls or other security appliances in the network.
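Before you can say a lost laptop "would be of no use to them", you need to know the drive really is encrypted and that protection is switched on. This added example (not from the original newsletter) reports the BitLocker state of every volume on a Windows 8.1 Pro/Enterprise PC; it assumes the BitLocker PowerShell module and an elevated prompt.

```powershell
# Added example (not from the original newsletter): audit BitLocker on this PC.
# Assumes Windows 8.1 Pro/Enterprise (or newer) with the BitLocker module, run elevated.
Import-Module BitLocker

$report = Get-BitLockerVolume | ForEach-Object {
    [PSCustomObject]@{
        Drive            = $_.MountPoint
        Type             = $_.VolumeType
        Status           = $_.VolumeStatus        # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
        Protection       = $_.ProtectionStatus    # Off means the key is not enforced even if encrypted
        PercentEncrypted = $_.EncryptionPercentage
        Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

$report | Format-Table -AutoSize

# Anything not fully encrypted with protection On would still be readable if the
# drive were pulled out of a stolen laptop, which is exactly the case described above.
$exposed = $report | Where-Object { $_.Status -ne 'FullyEncrypted' -or $_.Protection -ne 'On' }
if ($exposed) {
    Write-Warning "Drives not fully protected: $($exposed.Drive -join ', ')"
} else {
    Write-Host "All volumes are encrypted and protection is on."
}

# A volume with no RecoveryPassword protector has no way back if the TPM or PIN is lost;
# make sure the recovery key is stored somewhere other than the laptop itself.
$noRecovery = $report | Where-Object { $_.Status -eq 'FullyEncrypted' -and $_.Protectors -notmatch 'RecoveryPassword' }
if ($noRecovery) { Write-Warning "No recovery password protector on: $($noRecovery.Drive -join ', ')" }
```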
My last piece of advice is to change your passwords for all of your systems, both internal and external, right now. I know what you are saying: "Rob, you are out of your mind, I have 300+ passwords and changing them all is crazy". But I am willing to bet that for most of you there are fewer than 10 unique passwords across all of them, unless you are already doing what I am about to suggest. I agree managing passwords is a complete pain in the XXX. But until all sites, services and programs use 2 factor and/or biometric ID we have to deal with them. That said, there are ways to reduce the management overhead of using a unique password for each site that takes advantage of the maximum security allowed for the password. For me, I use a program called LastPass. It allows me to have one very complex and unique password to gain access to an encrypted database (see, I said encrypted) on my device. Once inside, I can ask the program not only to store my passwords but to create them, so I don't have to worry about doing that. I have the program store each one as I create them. I also use the note section to record the questions and answers to the security questions I answer. By the way, I never actually answer the question. I just put words into the fields that make no sense and record both the questions and answers in case I ever need them in the future. There are a number of programs like this out there, so don't feel mine is the only one. Here is an article I found that recently reviewed several that I know other people use: http://www.pcmag.com/article2/0,2817,2407168,00.asp
So, like I said, most didn't bother to read this article, and those that did won't take the steps needed to protect their data. But when "Microsoft" is calling people every day (no, not the real Microsoft, but hackers) to get access to your PC, both to ransom access back to you and to gain access to your data, you have to really consider doing something. If you happen to be a partner or contractor of other organizations where you might have access to their data, you become an even bigger target, as hackers like to leverage 3rd parties to gain access when they can. So what are you doing to protect yourself? Prove me wrong and let me know.
Also, if you are still not sure what to do, keep an eye on our next few newsletters, as we will be letting you know when and where our 2015 educational events will be so you can learn even more from the team and our valuable partners.