Houston, we have problem...

Houston we have a problem… NASA, our amazing national space program, wasn’t built from scratch. To keep startup costs down, the officials in charge of starting the program looked around at what the government already had built (such as  military bases, technical design centers, etc.) across the country and cobbled together a network of computers, manufacturing facilities and communications.  The first major, purpose built NASA facility came about when Lyndon Johnson was Vice President and selected Houston, in his home state of Texas, to be the official home of NASA. To this day, NASA’s network is located in part in Maryland, Florida, California and Alabama. And because these were existing facilities when NASA acquired them, they mostly had different operating system and database structures. Over fifty years after its inception, not much has changed with NASA’s scattered infrastructure. Houston we have a problem. Between 2010 and 2011 there over 5,400 “computer security incidents”.  These “incidents” involved malware being inserted into NASA’s computer systems, unauthorized access to critical systems and 47 documented hacks into the agency’s network, of which 13 actually succeeded. And what does “succeeded” actually mean? It means that the intruders in some way affected the operation of the targeted computers. In one case, "the attackers had full, functional control over our networks." That last quote, from a NASA official, was referring the International Space Station. NASA spends a lot of money every year. In 2010 NASA’s budget was $18.6 billion dollars. About the same as it is today without adjusting for inflation. In 1969, when Neil Armstrong stepped onto the moon, the budget was $2.3 million dollars, about $1.5 billion in 2015 dollars. So if NASA, with their enormous budget, can allow the International Space Station to get hacked, what hope do you have to protect your network? Here are some suggestions: 

1. Hire the right tech team. There are lots of IT companies out there. Some are better than others. Some have no idea how to handle security or what to do in the event of a server crash. Try to find the IT team that is willing to spend the many hours required every week researching the newest threats and how to block them or recover from an attack. 
2. Install a quality firewall, have it configured correctly and keep it updated regularly. Blocking some very popular websites like Facebook, YouTube, Instagram and Pinterest may not be very popular with your employees but then again they don’t have to pay to undo the damage that may be caused by visiting these sites. 
3. Install a web-based anti-virus program that is constantly updated. 
4. Utilize preventive maintenance on a regular basis, at least quarterly. 
5. Training. Training. Training. Learn how to protect your business by training your staff how to identify dangerous email and websites.  
6. Many businesses have their employee’s email available on their phones, laptops and tablets. While this is an efficient way of handling business communications, the users need to understand that these devices are now connected to your company’s server. A lost cell phone, laptop or tablet has an 85% chance of having that device used to try to infiltrate the company network. Of course, if the lost or stolen device isn’t password protected and the user has stored the password for their email account and access to company files this number goes even higher. This is true whether your server is at your place of business or in the cloud. The companies that sell cloud based services are very keen on telling potential clients that their data is safer in the cloud. It is not. 
7. Treat all email as suspicious, especially from those you know. If you weren’t expecting the email be skeptical. If anything about the email seems off, maybe it just doesn’t sound like the kind of message that person would send, call the person and verify they sent it. 
8. Do not click on links in emails.  
9. When on the Internet, if you didn’t go looking for it, you don’t want it. Those sidebar ads can be so tempting because they seem to know what you want. Well, they do. But it may not be what you get. 
10. Fess up! We all make mistakes. We all click on something we shouldn’t every now and then. If you do, stop what you are doing on the computer and call IT immediately. Acknowledging the mistake will get you in a lot less trouble than letting the problem fester and having IT find out (and a good IT team will find out) while they try to stop the spread of the damage done by the malware you let into the network.  
11. Have all USB drives checked by the IT team every time before they are allowed to be inserted into any computer on the network. USB drives used on an infected computer at home, an Internet café, a friend’s home or another business may pose a huge threat to your data. 
12. Backup. Backup. Backup. The most important for last. There should be a least three copies of your data backed up very regularly. There should be a backup that remains onsite. There should be a physical copy of the backup which is removed from the premises daily and there should be a cloud backup. How often and how your data is backed up will be determined by the level of risk that is acceptable and the cost feasibility. Some businesses think it’s okay to backup once a week. Some businesses think backing up every fifteen minutes isn’t enough. The more robust your backup plan the more likely it is that you will be able to recover your data in the event of a disaster. Of course, the better the backup plan the more costly it can be. The latest statistics show that 85% of businesses that suffer a major data loss will be out of business within six months. Talk to your IT team about what options are available. 
13. “My data is in the cloud and therefore it’s safe.”  Not true. Even if your data is stored in the cloud you still need to have that data backed up so you have a copy, preferably two or more copies, in hand.  

All of the above suggestions require a financial or time commitment or both. Security can no longer be viewed as a good idea that will be handled down the road. It must be an ongoing effort. New threats by the hundreds are being deployed every day. It is a moving target and not something to be handled by people that aren’t committed to understanding the threats and protecting your business.  For a free security assessment of your network please click here.