
Common IT Security Issues in Small Business

Ryan Bonner


Often in a small business, IT security is only thought about after there has been a security breach. As the saying goes, it’s no good closing the door after the horse has already bolted! Today, I want to discuss some of the common security issues that go unconsidered in a small business.


Passwords

We all hate them, and we all forget them too regularly, but passwords are an important part of your IT security. I’ve heard it said that passwords are like underwear – they should be kept private and changed regularly! However, I frequently find small businesses that have been using the same password(s) for years without giving them any thought. Common password issues:


· Passwords are not regularly changed.

· Passwords are very simple (I can’t count the number of times I’ve seen “password” being used!)

· Passwords are written down on a post-it note.

· Passwords are known by all staff members.

· Passwords haven’t been changed even after staff have left.

· Passwords aren’t in use at all!


As I’ve said, passwords should be changed regularly (at least every 90 days), should be complex enough to not be easily guessed, should not be written where they can be seen, should be kept private, and should be changed when staff leave the business (especially common shared passwords like wi-fi). A disgruntled ex-employee who still has access to the business wireless can do serious damage!


Wireless

As mentioned above, if the wireless password is known by staff, it should be changed when a staff member leaves. Otherwise, it could be used maliciously by that staff member, or by anyone who has access to their devices (mobile phones, etc.). Yes, this is annoying, but is it not better to have a short time of annoyance than a crippled IT system?


The other common wireless issue is not keeping up with the latest security standards. When wireless first came out, WEP (Wired Equivalent Privacy) was the only security protocol. Then came WPA (Wi-Fi Protected Access), then WPA2 and more recently WPA3. Nowadays, WEP takes about 8 seconds to crack. WPA is not much better. WPA2 security was cracked in 2017. Some WPA3 vulnerabilities have already come to light, but it is the best pick of the current bunch.

Underneath these, most Wi-Fi routers provide the option for either TKIP or AES encryption. TKIP was introduced with WEP and has similar vulnerabilities. AES is both more secure and faster than TKIP. Ideally, you should be using WPA3 with AES. However, I’ve seen many networks that are using WPA/WPA2 (both protocols active for backwards compatibility) and TKIP. This creates potential security vulnerabilities.
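One way to check which protocol and cipher the networks around the office actually advertise, as an added example that is not part of the original post. It parses the output of `netsh wlan show networks` on a Windows PC; the sample output is constructed and trimmed to the relevant fields, English-language field names are assumed, and the three verdict labels are this example's own.

```python
import re

# Constructed sample of `netsh wlan show networks` output (English-language
# Windows). Windows reports the AES-based cipher as CCMP.
SAMPLE = """\
SSID 1 : OfficeMain
    Authentication          : WPA3-Personal
    Encryption              : CCMP

SSID 2 : OfficeLegacy
    Authentication          : WPA-Personal
    Encryption              : TKIP

SSID 3 : Warehouse
    Authentication          : Open
    Encryption              : WEP

SSID 4 : FrontDesk
    Authentication          : WPA2-Personal
    Encryption              : CCMP
"""

def parse_networks(text):
    """Return one {'ssid', 'auth', 'cipher'} dict per SSID block."""
    networks = []
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if re.fullmatch(r"SSID \d+", key):
            networks.append({"ssid": value, "auth": "", "cipher": ""})
        elif networks and key == "Authentication":
            networks[-1]["auth"] = value
        elif networks and key == "Encryption":
            networks[-1]["cipher"] = value
    return networks

def grade(net):
    """Rank a network the way the article does: WPA3, then WPA2, then the rest."""
    if net["cipher"].upper() in ("", "NONE", "WEP", "TKIP"):
        return "replace"   # unencrypted, unknown, WEP or TKIP
    if net["auth"].startswith("WPA3"):
        return "ok"
    if net["auth"].startswith("WPA2"):
        return "upgrade"   # move to WPA3 when the hardware allows
    return "replace"       # first-generation WPA or unrecognised

def audit(text):
    """Map each SSID to its verdict."""
    return {n["ssid"]: grade(n) for n in parse_networks(text)}
```

On a real machine, pass the captured text of `netsh wlan show networks` to `audit()` instead of `SAMPLE`.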


Keeping up with security does mean running newer hardware devices. Modern Wi-Fi/Internet routers are relatively inexpensive (approximately $200, though more expensive devices will be faster), and even older PCs can be fitted with a modern USB Wi-Fi dongle for as little as $50. That’s a small price to pay to keep your data secure!

Drive Encryption

Your office gets broken into and your laptop gets stolen. You have a strong password on it, but what’s to stop someone removing the HDD or SSD and accessing the data on another machine?

If you’re running a business machine with Windows 10 or 11 Professional, you can enable BitLocker to encrypt the entire contents of your drive. The encryption key is stored in hardware and is used automatically while the drive remains in the machine. As soon as the drive is removed and accessed elsewhere, the BitLocker key is required, and the drive remains encrypted without it. Your data remains safe.


BitLocker has been included with Windows since Windows 7. In recent releases, Microsoft has limited BitLocker to the Professional editions of their operating system. Computers purchased through big brand retailers are more likely to be running the Windows Home Edition, which does not include BitLocker. This is all the more reason to purchase your IT hardware from a trusted commercial provider like Raspberry IT! You can check which version of Windows you are running by searching for “About My PC” in both Windows 10 and Windows 11.
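To confirm that a drive really is protected if it leaves the machine, the following added example (not part of the original post) parses the output of `manage-bde -status` and reports each volume. The sample output is constructed and trimmed, and English-language field names are assumed.

```python
import re

# Constructed sample of `manage-bde -status` output (English-language Windows).
SAMPLE = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off

Volume E: [Backup]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
"""

def parse_volumes(text):
    """Return {drive letter: {field name: value}} for each volume block."""
    volumes, current = {}, None
    for line in text.splitlines():
        match = re.match(r"Volume ([A-Z]:)", line)
        if match:
            current = volumes.setdefault(match.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return volumes

def protected_at_rest(fields):
    """True only when the volume is fully encrypted AND protection is on.

    "Protection Off" on an encrypted volume means BitLocker is suspended:
    the key is then stored unprotected on the disk itself, so the drive
    can still be read after it is moved to another machine.
    """
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")

def audit(text):
    """Map each drive letter to True (protected) or False (readable if stolen)."""
    return {vol: protected_at_rest(f) for vol, f in parse_volumes(text).items()}
```

Volume D: in the sample is the case that is easy to miss: the data is encrypted, but protection is switched off.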


Not understanding risk

I’ve previously been asked, “Why would a hacker be interested in my systems?” There are many different reasons. They may be looking for financial or personal information they can use for their gain. Or they may want to use your system as a “zombie” system to attack someone else. Or maybe they want to use your system to cover their own illegal activities so that you get the blame. Or maybe you’re just an easier target than the next person.


That last one is critical. I like to suggest that anything digital is inherently insecure. My job in securing your systems is to make it sufficiently difficult for a hacker that they move on to another target.



How secure are your IT systems? Contact us today for a free security assessment!


1 comment


Guest
20 Apr 2023

Another password "sin": using the same password - even a "strong" one - for multiple services, e.g. email, social media, banking, ...
