This post is not intended to be a comprehensive IT security guide. The intent of the post is to educate business (and even home) users about common risks that they may not even be aware of. Business owners/managers have enough to worry about and they cannot be expected to be IT experts. Though I cannot provide step-by-step instructions on how to secure your systems, I can point you in the right direction.
*Before making any changes to your systems, please make sure you have complete system backups in case of software conflicts. See our backup post for suggestions on proper backup procedures.
The Problems
A few years ago I provided IT support and I was shocked at the conditions of computer systems at businesses. I expected this from inexperienced home users, but not businesses. What I quickly learned was that businesses were [understandably] trying to save money. These businesses also did not understand the risks involved. One compromised computer can lead to the infection of other systems on the network and leak company and client data. Having a client’s information stolen by malware is not a great way to do business.
Many businesses have good intentions and they have their employee computers locked down to prevent the employee from installing unauthorized software or damaging the operating system. This tends to keep the system running trouble-free longer than it would if unprotected from changes by inexperienced users. One major problem is that these systems tend to not get software and operating system updates. This leaves vulnerabilities wide open and let’s face it, employees may violate the computer policy and visit non-business websites (personal email, Facebook, etc.). This puts the system at serious risk of infection/intrusion.
Other businesses do not have any restrictions on their computer systems and employees have the ability to install whatever they like. These systems tend to be in very bad shape and it is very common to have issues with viruses.
Another risk I saw often was software vulnerabilities. The first is Microsoft’s web browser, Internet Explorer (IE). I know Microsoft has worked hard at securing IE, but it seems like I am constantly reading about IE exploits. Even worse, I see older versions of IE at businesses for compatibility reasons. Many businesses have programs that use IE as the interface and this software may not work on newer, more secure versions of IE. This is a major security risk when an employee is using that browser to click on links all over Facebook.
Other risks were the next usual suspects – Java and Flash. Many businesses need, or think they need, Java. Many computers come with Java installed and it never gets used. It just sits and provides a way for the system to be infected. Next comes Adobe’s Flash for watching video or dynamic effects on websites. Most computers have Flash installed because most video on the internet was in the Flash format and flashy websites were a major trend for a while. On a side note – Flash is being replaced with the implementation of HTML5, but it still may be around for a while.
The Solutions
I like to use my car metaphor when describing why you should maintain computers. If you do not have regular maintenance you will likely have poor performance and eventually you will have a major breakdown. This major breakdown may cost more than the sum of regular maintenance. This breakdown may also have the additional expense of loss of productivity and loss of data. This could be catastrophic for many businesses.
The first solution is to have regular maintenance. The best IT professional is the one you think you do not need. This is because nothing bad ever seems to happen and you never need to call them. Yes, you could have someone who does not do much of anything for a few months and things seem fine until there is a major issue that makes this obvious. The key is obviously finding someone you can trust. Talk with other businesses or people you trust and check references. Another thing to remember is that depending on the size of your business, you most likely will not need a full-time employee. I had a business that wanted me to come by once a month for regular maintenance on two computers. They did not request that I spend a specific amount of time at the business and I was paid a set fee, even if I were there for only ten minutes. If I exceeded one hour, then I was paid an hourly wage. I don’t think I was ever there over an hour and things were running smoothly. These days remote access works so well that IT support will rarely need to be there in person. This will save businesses money because many IT professionals will factor travel time in a fee.
Another tip is to avoid using Internet Explorer unless necessary for running specific programs. If you must use IE with software, use it only for that purpose. I recommend you also have Google’s Chrome web browser installed and use it as your main browser for the web. Google appears serious about the security of this browser. This is made obvious by their regular challenge to find vulnerabilities in Chrome. If someone does find a vulnerability, Google may pay them. How much they are paid depends on the seriousness of the vulnerability. People have been paid thousands for locating certain exploits.
Use a good antivirus, and this does not mean Norton or McAfee. These companies do tailor their software for business and they have managed to secure a lot of big clients, but I just do not care for their products. I actually prefer Microsoft’s Security Essentials much more than Norton or McAfee. I use Security Essentials on all of my systems and it has not failed me yet. Security Essentials is free for home use and free for businesses with up to ten computers. If you prefer another solution, I recommend ESET’s products. I have never used their business solutions, but their NOD32 antivirus is my favorite paid antivirus.
My final suggestions are to rid your systems of unnecessary software and keep installed software updated. You should first target the removal of the programs that pose a serious security risk (yes, Java and Flash). If you need to keep either of these programs make sure you keep them updated to the most current versions unless it will cause compatibility conflicts with essential programs. If this is the case, these systems should not be allowed access to the internet (if possible).
If you want a simple way to check your installed programs for updates, try installing FileHippo’s Update Checker. This small program checks for updates for free software available on the FileHippo website. I know the name is odd and mention of free software may set off some alarms, but it is all legitimate. FileHippo’s Update Checker will locate updates for programs such as Adobe Reader, Flash, Java, Skype, and many other commonly used free programs. You can set the program to run at Windows start and even to list beta versions.
The next major updating issue is Microsoft (MS) products. Windows Update is usually running on most systems, but it is not set to find updates for “other” Microsoft products by default. Other products include MS Office – and there are a lot of serious updates for Office. You need to run Windows Update and look for a message that says “You receive updates: For Windows and other products from Microsoft Update.” If you do not see that message, there will be a link to activate this feature. MS releases updates every second Tuesday (known as Patch Tuesday) so your systems should be updated at least every two weeks. This is because if the people writing viruses did not know about certain MS vulnerabilities, they will when the updates are released.
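The two checks described above, as an added PowerShell example that is not part of the original post: it lists installed programs whose names match Java or Flash and reports whether Microsoft Update (the "other Microsoft products" option) is registered on the PC. The name patterns, and treating the Microsoft Update service registration as the indicator for that option, are assumptions.

```powershell
# Added example: audit one Windows PC for risky plug-ins and the Microsoft Update opt-in.
# Assumption: these name patterns are enough to spot Java and Flash; adjust as needed.
$riskyPatterns = 'Java', 'Adobe Flash'

# Installed programs are recorded under these Uninstall registry keys
# (the second path covers 32-bit programs on 64-bit Windows).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

$risky = foreach ($program in $installed) {
    foreach ($pattern in $riskyPatterns) {
        if ($program.DisplayName -like "*$pattern*") {
            [pscustomobject]@{
                Name      = $program.DisplayName
                Version   = $program.DisplayVersion
                Publisher = $program.Publisher
            }
            break   # one match per program is enough
        }
    }
}

if ($risky) {
    Write-Output 'Programs to remove or keep fully updated:'
    $risky | Sort-Object Name -Unique | Format-Table -AutoSize
} else {
    Write-Output 'No Java or Flash entries found in the installed-programs list.'
}

# Microsoft Update has a fixed service ID. Assumption: if that service is
# registered with the Windows Update Agent, updates for other Microsoft
# products such as Office are being offered.
$microsoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$microsoftUpdate = $serviceManager.Services |
    Where-Object { $_.ServiceID -eq $microsoftUpdateId }

if ($microsoftUpdate) {
    Write-Output "Microsoft Update is registered: $($microsoftUpdate.Name)"
} else {
    Write-Output 'Microsoft Update is NOT registered: Office and other MS products are not being patched.'
}
```

The script only reads the registry and the Windows Update configuration, so it changes nothing on the PC; your IT support person can run it on each computer during regular maintenance.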
I could go on and on, but IT service is not our focus and I have not kept myself as proficient with that side of the tech industry. My goal was to make you aware of potential problems that are very real. Hopefully this information is beneficial and you never experience a major tech catastrophe. I am hoping a close friend that provides IT support will agree to have his information posted on this site. This friend is very skilled, but very busy and I do not know if he has time for new clients. I will update this post once I hear back from him.