What cyber security steps are you taking?

[stugster]

Interested to hear what SMEs are doing in the UK to up their game in the IT security field. Given the fast pace of change in the cyber landscape, it's no longer enough to have a laid-back attitude towards security (unless you know what you're doing in the first place!).

Who's thinking about their cyber exposure?

Anyone going to do Cyber Essentials, or already done it?

Is anyone thinking about ISO 27001 or an alternative?

What is your Disaster Recovery process?

 

[fisicx]

It’s all on my server in an password protected folder. Got a USB SSD that gets plugged in once a week to do a backup.

That’s about it.

 

[billybob99]

I have an external SSD that I keep in an underground basement, in a waterproof vault, at just the correct temperature.

 

[Mark Dodds]

My experience is that no one really cares about their cyber exposure until something happens.

Personally, the basic version of Cyber Essentials is substandard and would only advise the plus version and that's only due the 3rd party involvement.

My 2 cents:

- Enable 2-factor authentication on everything that allows it
- Encrypt your laptops/computers
- Use a password manager tool so you can have a different password for each service/website

All of these cost nothing or very little in the grand scheme of things.

 

[fisicx]

- Use a password manager tool so you can have a different password for each service/website.

https://www.theregister.co.uk/2019/02/20/password_managers_security_bugs/

 

[Mark Dodds]

I've read this before...

"The report doesn't by any means suggest you should not be using a password manager. Even with the mild flaws ISE found, a password manager remains by far the best way to keep your login credentials secure"

Would I still use a password manager?

Yes, you bet i would

Why?

Cause i've seen what happens when someone uses the same credentials for multiple services

 

[Deleted member 315707]

https://www.theregister.co.uk/2019/02/20/password_managers_security_bugs/

Nothing is ever 100% and spreading this content may make people stop using managers thinking it's not more secure. To give the balanced argument, the protection a password manager offers far outstrips the ability for a hacker to extract a password of an already compromised computer from memory after the master password has been typed...

There are much easier ways for a hacker to get a password than this...

 

[billybob99]

I use a local one KeePass (I may or may not work for them).

 

[estwig]

I use the same short easy to remember password for everything, no need for a passport wallet.

They won't catch me out!

 

[Mr D]

A DS system with mirror functionality for starters. Backups stored off site.
Use both commercial and more specialist software.

 

[stugster]

I use the same short easy to remember password for everything, no need for a passport wallet.

They won't catch me out!

You still got that Windows 2003 Server running?

 

[EmC007]

Statistics show that over 80% of SMEs are not even doing the basics. I know some organisations that did not even have antivirus software. Crazy but true.

 

[fisicx]

Anti virus isn’t that necessary if you have good IT discipline. I don’t have anti-virus software, never needed it.

And our plumber does everything on his phone so he doesn’t need it either.

 

[estwig]

You still got that Windows 2003 Server running?

I've been a one man band for a while now, no need of those fancy trappings.

 

[EmC007]

Anti virus isn’t that necessary if you have good IT discipline. I don’t have anti-virus software, never needed it.

And our plumber does everything on his phone so he doesn’t need it either.

You're kidding me right?

 

[billybob99]

You're kidding me right?

Yes, he does like to joke around a lot.

 

[ffox]

Unless your one of the less than 10% (UK Gov stats 2017) of business' that have very poor Internet access the simple answer is - cloud services.

One Drive Live (free), Google Docs (free) and Box all use versioning on the storage platform. Office 365 and G-Suite also use versioning on the platform. This means that for any file stored in the cloud and then updated at a later date, the latest version is live and the previous version is retained as a dated version.

If a file is infected with a virus, or malware, or ransomware the infected version will become the live version, but there will be one or more good versions, all dated, stored behind it. These will only be visible to the account holder if the file store is viewed through an Internet browser. They do not appear on the replication drive on the local device.

So, the rules are -

• Store in the cloud
• View and edit in the cloud via an Internet browser whenever possible and avoid editing local replicated versions of files.
• Where possible use SaaS (software as a service) applications to create and modify files.
• Always replicate critical files back to a local device and copy/store offsite against the possibility of loss of Internet.

If the need to store files locally is reduced and the need for local software is reduced then so is the need for large storage capacity on local devices. This results in lower cost PCs.

If the operating system of one of these becomes compromised by virus or malware, simple wipe it and rebuild it. Whilst this is being done, move to another machine, log on to your cloud resource and continue working. The same can be said if fire, flood or theft affect the local machinery.

For those business' large enough to see a need for a local area network. Move to a cloud data model and bin the servers, switches and cabling - they are no longer necessary.

I would still always use basic anti-virus software on local machines, if only to reduce any threat from common bugs that may be inadvertently introduced by download or email.

 

[Mr D]

Anti virus isn’t that necessary if you have good IT discipline. I don’t have anti-virus software, never needed it.

And our plumber does everything on his phone so he doesn’t need it either.

Can get a virus on your phone.

Random chance or visiting the wrong site.

 

[Mr D]

Statistics show that over 80% of SMEs are not even doing the basics. I know some organisations that did not even have antivirus software. Crazy but true.

There are also some who spend thousands on electronic security and ignore direct access security - can sit in the car park outside some places accessing their wifi without password (or company name as password!) and browse the office files at leisure.
Or take a laptop out of a business without anyone noticing, all files on laptop unsecure...

 

[Nico Albrecht]

Anti virus isn’t that necessary if you have good IT discipline. I don’t have anti-virus software, never needed it.

And our plumber does everything on his phone so he doesn’t need it either.

I assume you are kidding here. More than ever good antivirus security software is vital in combination with off site backups

 

[Nico Albrecht]

One Drive Live (free), Google Docs (free) and Box all use versioning on the storage platform. Office 365 and G-Suite

Worst advise ever. None of those companies and products you mentioned gives you any real data security. There TOS are very clear since you recommend consumer products. They do actual not really backup your data and serve you on a no guarantee base. ( TOS worth checking )

Skipping local servers next bad advise and a dangerous one too. A single point of failure but they do offer a hybrid environment solution which is very good. I can operate my business on local servers if the internet goes down in your scenario with cloud only you would be screwed.

 

[Clinton]

I don't say this just to wind ffox up but my security involves primarily not uploading to "the cloud". Relying blindly on someone else is a crap "solution" that suits lazy people.

I'll never understand the logic behind ffox's argument of reducing storage costs. I remember in the nineties when I paid a bomb to get my first 200 MB (yes, MB) hard disk drive. Storage is a tad cheaper now

A3 storage is currently a little over 2p a GB a month. To store a TB of data is over £240 a year. It takes a special kind of logic to prefer that on cost grounds given the price (and quality) of hard disks / SSDs today.

But focus on 2p, folk, focus on 2p. As with all SaaS, and the general con of (most) subscription services out there, focus on the small number.

I take backups on external hard disks. I have long term storage - things like family photos and videos where old files aren't going to change - with which i take a new incremental backup very couple of months and on different hard disks I have copies of my work machine stuff. This is backed up more often and with at least 2-3 copies with one copy offsite.

 

[ffox]

None of those companies and products you mentioned gives you any real data security.

I agree. Which is why I also said -

Always replicate critical files back to a local device and copy/store offsite against the possibility of loss of Internet.

This thread is about cyber security which encompasses much more than simple backup.

Any cloud strategy must include business continuity without Internet access, but this is achieved far more simply and at lower cost than any LAN setup ever will. The tools are there - just use them.

I'll never understand the logic behind ffox's argument of reducing storage costs. I remember in the nineties when I paid a bomb to get my first 200 MB (yes, MB) hard disk drive. Storage is a tad cheaper now

It's not just storage costs. It's all IT costs. A good cloud strategy cuts storage, device, network infrastructure and in house or external technical knowledge costs.

I quote the use of One Drive Live and Google Docs free services to demonstrate that good IT can be achieved even by those struggling to survive by keeping costs down.

Why buy an expensive laptop or desktop when free cloud storage, a smart phone or tablet and a good idea of what you need to do will achieve the same result?

Why buy a server, switches or hubs and cabling when data can be shared via the cloud far more securely and effectively?

 

[Mr D]

I don't say this just to wind ffox up but my security involves primarily not uploading to "the cloud". Relying blindly on someone else is a crap "solution" that suits lazy people.

I'll never understand the logic behind ffox's argument of reducing storage costs. I remember in the nineties when I paid a bomb to get my first 200 MB (yes, MB) hard disk drive. Storage is a tad cheaper now

A3 storage is currently a little over 2p a GB a month. To store a TB of data is over £240 a year. It takes a special kind of logic to prefer that on cost grounds given the price (and quality) of hard disks / SSDs today.

But focus on 2p, folk, focus on 2p. As with all SaaS, and the general con of (most) subscription services out there, focus on the small number.

I take backups on external hard disks. I have long term storage - things like family photos and videos where old files aren't going to change - with which i take a new incremental backup very couple of months and on different hard disks I have copies of my work machine stuff. This is backed up more often and with at least 2-3 copies with one copy offsite.

Yes you are doing the right thing - multiple backups to multiple storage media.

Its what some professional organisations do recommend for clients.

 

[Nico Albrecht]

This thread is about cyber security which encompasses much more than simple backup.

True it seems to become a backup thread.

To get started in regards to internet security here are my thoughts

1. router - if it came from your isp , bin it and get a draytek one ( vpn , firewall )
you want intelligence packet analysis in your firewall and draytek does a good job at a fair price.

2. no open ports or port forwarding e.g cctv, ftp, rdc . Draytek router offers private vpn out of the box. open ports to the web is a massive security risk. Should never be done. RDC can be triggerd by app via vpn in W10, great feature to create vpn for only certain apps or AP.

2a. Get ubiquity wifi AP ( good price for enterprise tech ) and run isolated NAT AP for guest access. Have monitoring activated on them.

3. no admin accounts on any computer, no user should ever have admin access and even an admin should only have a user account with elevated privileges

4. train your staff ( pretty much hopeless ) they will fall for the scamming sites or click on links

5. secure the devices with anti virus software, my personal fav. are Kaspersky and Eset . Both companies are serious about it.

6. run server for centralised data storage and have a replication backup system ( dealers choice )

7. have an off site backup via drive , cloud or tape

8. learn from being hacked and pay somebody to find out how.

Not to brand loyal but the brands I mentioned do a pretty good job for small business at a fair price point.

 

[ffox]

It's a good list @Nico Albrecht . No one can argue with the principles you pursue for network Cyber Security. It could almost have been lifted from a Network Security Engineers handbook.

But, it's out of date. For considerably less ££££ you can have a G-Suite, or Office 365 setup that is more secure, more resilient and easier to maintain.

Corporates have already got the message and are transforming steadily to cloud. The proof of this can be seen in the financial press - Google, Amazon and MS are trillion $ companies - all through cloud sales - https://www.theverge.com/2019/4/25/18515623/microsoft-worth-1-trillion-dollars-stock-price-value.

Take a look at the Microsoft business buckets in that article.

The SME sector are also coming around to the new way of thinking and this will accelerate with emerging millennial entrepreneurs. These will look at LAN solutions and in-house servers and say - "why bother?"

 

[Alan]

I wonder, for the SMEs here, how many employ on their staff or have an outsourced contract for information security /cyber security specialist(s)?

 

[ffox]

That @Alan is a very good question. I suspect the answer is "hardly any". Those who have employed in-house expertise will probably have hopelessly under estimated the skill level required and pitched the role at a very low rate.
My own experience, plus interaction with these forums, tells me that those who have taken a DIY approach have failed to understand the basics of a cloud strategy, and have therefore missed the point and potential savings of G-Suite and O365.

It's not that a cloud strategy is a complex thing, but it does require a step away from the old fashioned 'file and folder' structure of electronic data storage.

 

[EmC007]

Other things to consider are Web security, USB devices, user access control, data segmentation, user monitoring.

 

[ffox]

Other things to consider are Web security, USB devices, user access control, data segmentation, user monitoring.

Absolutely. Cloud solution utilising Office 365 -

Data is in the cloud and is encrypted at rest
Web Traffic is always HTTPS encrypted in transport
USB Devices - why would you use one when authenticated users can access all shared data from any device at any time (provided there is an Internet connection)
User Access control is via Azure Active directory and data can be shared by file to individuals or groups as required
Data segmentation - not sure what context you are thinking of here
User monitoring - Office 365 tracks file changes by user name at all times

And that folks is what you get in the out-of-the-box configuration in all O365 plans except the Home version, the Basic Business Plan and 365 ProPlus.

You can adjust the levels of security to your own business needs without high levels of technical expertise.

In addition you can implement the in-built mobile device management features for phones, laptops and tablets.

 

[Nico Albrecht]

Absolutely. Cloud solution utilising Office 365 -

Data is in the cloud and is encrypted at rest

Still this a very dangerous game running everything from a single point of failure in the cloud. Any decent medium to large enterprise goes with a hybrid setup which reduces the single point failure. You hope that Google and Microsoft get it right and they do not screw up.

They do offer real enterprise solutions beyond 365 but they are much more expensive and not affordable for SME's at all with proper SLA's and backups.

I am a huge fan of 365 and get the value but even in their business packages the SLA's are shit at best. No guarantee or time given in case they screw it up.

 

[ffox]

@Nico Albrecht

You say -
"I am a huge fan of 365 and get the value but even in their business packages the SLA's are **** at best. No guarantee or time given in case they screw it up."

SLAs are SLAs - at BEST they will offer remote logon or site attendance within xx hours of a reported issue. The customer can reduce the value of xx by paying more £££, but the only guarantee you have is that someone will look at the problem within the stated time. SLAs NEVER guarantee a fix and return to business within a specified time.

My experience in the field (often as IT lead on a site) with SLAs is that you never want to have to call them in. Much better to ensure that your disaster recovery is retained in house whenever possible.

My experience with Office 365 and the support from Microsoft (7 years) is that I've never known an outage of any significance, I've never had any data loss and the three times I've needed to log a support ticket (usually queries on how to achieve something) my ticket has been successfully closed within a few hours.

This applies to my own O365 and those of several customers.

 

[Deleted member 315707]

I haven't had anti virus software in years... bonkers... most of them introduce more holes in security. I should maybe caveat that I use Linux and if someone gets access to my devices I have bigger problems..

 

[EmC007]

I haven't had anti virus software in years... bonkers... most of them introduce more holes in security. I should maybe caveat that I use Linux and if someone gets access to my devices I have bigger problems..

It's not necessarily Linux that is the issue but the applications that are installed. Search Zimbra and you'll see some recent issues.

 

[Deleted member 315707]

It's not necessarily Linux that is the issue but the applications that are installed. Search Zimbra and you'll see some recent issues.

I would say is you could Google for almost any company and find some kind of security article as no system is 100% but the reality is that my point still stands, I have had 0 issues and anti virus software is not necessary.

In fact some add so many additional security vectors they do more harm than good and why anyone would put their trust is companies from Moscow etc is beyond me.

 

[Nico Albrecht]

I haven't had anti virus software in years... bonkers... most of them introduce more holes in security. I should maybe caveat that I use Linux and if someone gets access to my devices I have bigger problems..

https://hackersonlineclub.com/hiddenwasp-undetectable-linux-malware/

Always amazes me how people got blind trust in one OS. Security software should be installed on any OS. Also, not sure how Linux is going to protect from fishing sites and browser injection scripts.

 

[The Byre]

A3 storage is currently a little over 2p a GB a month. To store a TB of data is over £240 a year. It takes a special kind of logic to prefer that on cost grounds given the price (and quality) of hard disks / SSDs today.
But focus on 2p, folk, focus on 2p. As with all SaaS, and the general con of (most) subscription services out there, focus on the small number.

So one 10TB project would cost us £2,400 a year! That's TEN TIMES the cost of a 12TB drive!

Only we have to store stuff almost indefinitely - so at least ONE HUNDRED TIMES THE COST just for the first ten years! And we'll need the material much longer than that!

'The Cloud' seems to be the perfect solution - for the problem "How do I make money out of Sweet Fanny Adams?"

'The Cloud' and SaS seems to target the hard of thinking!

 

[Kerwin]

So one 10TB project would cost us £2,400 a year! That's TEN TIMES the cost of a 12TB drive!

Only we have to store stuff almost indefinitely - so at least ONE HUNDRED TIMES THE COST just for the first ten years! And we'll need the material much longer than that!

'The Cloud' seems to be the perfect solution - for the problem "How do I make money out of Sweet Fanny Adams?"

'The Cloud' and SaS seems to target the hard of thinking!

That 12TB drive might be ten times cheaper than 12TB of cloud storage, but if that drive fails you are screwed. What you need is multiple drives. Either RAID 1, RAID 5, RAID 6, RAID 10, RAID 50 or RAID 60. Each of which is significantly more expensive than the single 12TB drive price you quoted. Oh and then you need offsite backups as well. So that costs even more in hardware.

 

[ffox]

So one 10TB project would cost us £2,400 a year! That's TEN TIMES the cost of a 12TB drive!

Now that's what I call whacky logic.

You are in a niche business. The largest document storage system I ran contained 1.2 million scanned documents and supporting meta data, serving around 200 users across 5 departments - barely 1.5Tb storage required.

Office 365 E1 licence costs £6 per month per user and provides 1TB per user of storage.

But, it's not the storage that matters, you also get -

• Email hosting with 50 GB mailbox and custom email domain address
• Web versions of Outlook, Word, Excel, and PowerPoint (desktop versions of applications not included)
• File storage and sharing with 1 TB OneDrive storage
• Inform and engage with communication sites and team sites throughout your intranet using SharePoint
• Host unlimited HD video conferencing meetings with up to 250 people
• Host meetings for up to 10,000 people with Skype Meeting Broadcast or Microsoft Teams live events.
• Get a hub for teamwork with Microsoft Teams
• Collaborate across departments and locations with Yammer
• Use intelligent video to create, manage and share live and on-demand content across your organization
• Search and discovery with Delve
• Plan schedules and daily tasks with Microsoft Teams
• Manage tasks and teamwork with Microsoft Planner
• Maximum number of users: unlimited
• FastTrack deployment support with purchase of 150+ seats at no extra cost
• 24/7 phone and web support

The most important element is Infrastructure-as-a-service. Which means you don't need any servers, you don't need any switches, you don't need as much cable and you don't carry the cost of all that overhead.

Another plus is that you can work with your data from any device (Microsoft, Android, MAC, IoS, Linux) from anywhere.

Security is Azure Active Directory, easy to manage and better than anything on a local or hosted server.

Use which services you require, there is no extra charge for any of them, and ignore the rest. At £6 per month that's pretty good value don't you think?

All in all a better bet for any small business than paying through the nose for a bunch of servers and all the cost and headache of supporting them.

Your call -

 

[The Byre]

You are in a niche business.

Niche!!!

I work in the creative industries - that's 8% of the UK economy! One point behind manufacturing!

Now go to a manufacturer and tell him/her that they are in a niche business!

The largest document storage system I ran contained 1.2 million scanned documents and supporting meta data, serving around 200 users across 5 departments - barely 1.5Tb storage required.

That's just office stuff. Laptop territory! There's more to life and business than running books and tracking widget sales. That smells like retail - a fate worse than death!

Our biggest project this year will be South of 10TB. Next year we have just signed up for a project that will run to 86TB in finished form, but a great deal more before we start pruning. (Scan Computers will be chuffed!) And that will have to be stored forever. As in infinity. i.e. after I'm dead - after that, it's somebody else's problem!

I would love to just be able to shove stuff up to some 'cloud' but I know that it is just another data centre and not long for this world.

The entire issue of long-term bulk data storage is one that nobody seems to have dealt with, other than having a series of hard disks in a vault somewhere and hoping for the best!