With all the repeated hacking attempts, data breaches, and spying in recent tech news, it would be difficult to argue against the importance of layered security. However, despite an abundance of examples of such compromises, many small to midsize business owners still operate on the idea that their companies are a “small fish,” and therefore don’t need to invest in security for their more modest network infrastructures. This misconception couldn’t be further from the truth. Any network that is connected in some way to the Internet is a target. In fact, many malware exploits and phishing scams are specifically targeted at small businesses, because the criminals behind them bank on the very same misconception that business owners use to justify ignoring their IT security needs.
Though we IT professionals continue to stress the need for security regardless of company size or network complexity, it is hard to really understand the damage caused by a security breach until your business experiences one. So, here is an example of a business that learned this lesson the hard way. I am posting it in the hope that wise business owners will learn from the mistakes of those who didn’t think they could be a target.
We were called in to a small business in the construction industry with all three of their PCs infected with the Cryptorbit virus, a variant of Cryptolocker. In case you’re not familiar with this type of malware, these infections encrypt data found on the compromised PC and also spread to data on network shares and server drives. They then hold your data hostage, demanding ransom money (in this case, delivered via Bitcoin) to decrypt it. This company uses general applications like Microsoft Office, but also relies on Quickbooks for their financial data and AutoCAD for project design. So, although there are some tools available to decrypt and clean certain types of files, there was no fix for the AutoCAD and Quickbooks files. They also did not have a recent, good backup. For all intents and purposes, their data was unreadable and therefore unusable, and their business was dead in the water.
Let’s take a step back from this to understand just how many “little” details contributed to this particular company’s overall security hole:
Missing antivirus / antimalware
Some of this company’s PCs had no antivirus software at all, while others had antivirus whose virus signatures were out of date. None of the machines had a unified or managed antivirus, making it difficult even for a small business to keep track of which machine was missing updates. There’s really no excuse for this. There are several good antivirus vendors with small business packages that cost around $30 per PC per year and don’t require a server for management. It will cost you hundreds of dollars more to clean up an infection. Now, I will admit that there’s no antivirus out there that will catch every threat, but I like to tell my clients that antivirus is like a fire extinguisher in your kitchen at home. It doesn’t necessarily prevent all fires, or put out all fires, but it’s still a good idea to have one. Managed antivirus software is better than free antivirus, because you’ll be better able to keep track of updates. Antivirus that is not updated is only marginally better than no antivirus at all.
No acceptable use policy
Perhaps a web content filter is out of your budget. That’s ok, but you should definitely have what’s often called an “acceptable use policy.” This is nothing more than a written statement in your employee handbook, or a posting in your workplace, that outlines what employees can and cannot do on the company computers. In the case of the company we’re discussing, the infected PC was originally acting as a “server” of sorts, but a user was allowed to use that PC as her regular workstation when her original one failed. Unfortunately, this PC still housed their Quickbooks data file and AutoCAD master files. Maybe if that PC had been known to be “off limits,” they could have prevented the infection. Of course, there’s no guarantee that your employees will follow the guidelines you set, but it couldn’t hurt. It is possible that your employees may not even know what’s allowed if they’ve never been informed.
No one is checking backups
Having a backup service that both stores data offsite and regularly checks backup integrity is great, but it may be out of your budget. Luckily, there are a lot of low-cost backup solutions, but many of them require more manual management and babysitting. Don’t assume that your $10-a-month cloud backup is always working; regularly check the backup logs and the folder or repository where the backups are stored. Also, if you move data around on your PCs, make sure you don’t move an important file or folder out of a location that is being backed up. This particular company moved their Quickbooks data file several months prior to the infection, so although their backup job had run, it was no longer backing up that critical file.
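The two checks just described, that the backup job actually ran recently and that every critical file still sits inside a folder the job includes, are easy to script. The following is an added example, not code from the original post or from any backup product. It assumes a simple job-log format (date, time, keyword, details) that I made up for the illustration, and the sample log lines and file inventory are constructed; the second inventory entry models the Quickbooks file that was moved to a user's desktop and silently fell out of the backup's scope.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample backup-job log (not the output of any real backup product).
# Assumed line format: "<date> <time> <KEYWORD> <details>".
SAMPLE_LOG = """\
2014-03-01 02:00:05 JOB START name=nightly
2014-03-01 02:00:06 INCLUDE C:\\Data\\Accounting
2014-03-01 02:00:06 INCLUDE C:\\Data\\Projects
2014-03-01 02:31:40 JOB END status=SUCCESS files=1842
"""

# Constructed inventory of where the critical files live *now*. The second entry
# models a Quickbooks file moved out of the backed-up folder onto a desktop.
CRITICAL_FILES = [
    r"C:\Data\Accounting\Company.QBW",
    r"C:\Users\jane\Desktop\Company.QBW",
    r"C:\Data\Projects\Site-Plan.dwg",
]


def parse_backup_log(text):
    """Return (include_roots, last_success_time, last_status) from a job log."""
    include_roots, last_success, last_status = [], None, None
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 3:
            continue  # blank or malformed line
        stamp = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
        keyword = fields[2]
        detail = fields[3] if len(fields) == 4 else ""
        if keyword == "INCLUDE":
            include_roots.append(detail.strip())
        elif keyword == "JOB" and detail.startswith("END"):
            # Remaining tokens are key=value pairs, e.g. status=SUCCESS files=1842
            kv = dict(tok.split("=", 1) for tok in detail.split()[1:] if "=" in tok)
            last_status = kv.get("status")
            if last_status == "SUCCESS":
                last_success = stamp
    return include_roots, last_success, last_status


def is_under(path, root):
    """Case-insensitive test that a Windows-style path lies below root."""
    p = [part.lower() for part in PureWindowsPath(path).parts]
    r = [part.lower() for part in PureWindowsPath(root).parts]
    return len(p) > len(r) and p[: len(r)] == r


def check_coverage(log_text, critical_files, now, max_age=timedelta(hours=36)):
    """Report critical files outside every include root, and whether the last
    successful run is older than max_age. `now` may be a datetime or ISO date."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    roots, last_success, status = parse_backup_log(log_text)
    uncovered = [f for f in critical_files if not any(is_under(f, r) for r in roots)]
    stale = last_success is None or (now - last_success) > max_age
    return {
        "include_roots": roots,
        "last_status": status,
        "last_success": last_success,
        "stale": stale,
        "uncovered": uncovered,
    }


if __name__ == "__main__":
    # A check run months after the last successful job, as in the incident above.
    report = check_coverage(SAMPLE_LOG, CRITICAL_FILES, now="2014-06-01")
    print(f"last job status: {report['last_status']} at {report['last_success']}")
    print(f"backup stale:    {report['stale']}")
    for path in report["uncovered"]:
        print(f"NOT BACKED UP:   {path}")
```

Run on a schedule, a report like this turns "someone should check the backups" into a concrete task: a stale last-success time or a non-empty "not backed up" list is the signal to act before the data is needed. The include roots would normally be read from the real product's job definition rather than a log, but the coverage test against the inventory is the same.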
No one is “minding” the IT “store”
While we are on the topic of human interaction and responsibility, we should not neglect to mention what is probably the most important aspect of IT security: management. We are always surprised when a business of any size neglects even the most basic management of its computer systems. From the largest enterprise to the smallest three-person construction company, almost no business can run without its computers. There is an illusion that pervades the small business sector that if a business owner spends a couple thousand dollars on a few new PCs, then those PCs will:
A) Last indefinitely and run as well as the day they were purchased
B) Not need regular maintenance beyond the operating system updates
C) Only have issues that will be covered by the manufacturer’s warranty
Those ideas should sound ridiculous (I hope), but the fact is, many business owners of small shops actually believe them, at least subconsciously.
Here are some facts any business owner should know about their computer systems:
PCs generally have a life cycle of 3-5 years, so budget for that cycle, and expect a 5-year-old PC to have at least some compatibility issues.
OS updates and bug fixes won’t fix everything, just like oil changes won’t fix everything in your car. Budget for repairs.
A computer running a business is NOT the same as a computer for home use. Don’t confuse the two. You’ll have different issues on a business PC, because it is performing different functions.
Ask yourself some simple questions: how well will my business run if I pull the plug on one of my computers right now? How about all my computers? How about just the Internet connection?
Even if you cannot afford a managed service plan from a good IT provider, you should still budget for repairs and maintenance, and you should appoint someone at your office to be in charge of checking on things like antivirus updates, backups, etc. You may find that it’s more cost-effective in the long run to use an IT provider, but if not, at least you’ll be working towards preventing bigger, more expensive IT problems in the future.
Luckily for the small business we’re discussing, one of our techs was able to locate a copy of the Quickbooks file that hadn’t yet been encrypted by Cryptorbit, so we were able to restore most of their functionality. However, they still spent a considerable amount of money to fix a problem that may have been preventable. In short, it’s worth investing in and budgeting for information technology, even if you are a “small fish.”