Back in 2001, Craig McDonald founded MailGuard after one of his businesses was devastated by an email-borne virus. He’s learnt a thing or two about security since then, building Melbourne-based MailGuard into “the world’s largest software-as-a-service cloud security company”.
BIT recently spoke to McDonald and tapped into his vast experience to find out what’s required to protect today’s organisations from increasing, and more advanced, threats.
Here’s his security checklist that small business owners need to consider when securing their IT systems.
1. What’s in place?
Start by thinking about the defensive measures you have already put in place, and consider what may be needed to fill any remaining gaps.
2. Where to deploy?
Don't assume that security software installed on PCs takes care of everything. Some threats are better detected and blocked in the cloud before they even reach your systems.
3. Who checks what's happening?
Most business owners don't want to keep paying experts to clean up after security breaches, but they need to protect their place in the supply chain and maintain their reputation. It's not enough to put security measures in place: someone needs to check that software is being updated and patched on schedule, that backups are actually being made, and so on.
4. What's your USB policy?
Thumb drives loaded with malicious software have been sent to businesses and households via Australia Post, McDonald said, and others – sometimes marked with respected brand names – have been dropped in car parks in the hope employees will pick them up as they arrive at work.
So he recommends that such devices should be banned from workplace computers unless they have been purchased specifically for business use. “That policy should be highly enforced,” he said. If there is a specific need to examine any other thumb drives, that should be done on computers that are isolated from the network.
5. What’s your email policy?
Something like 90 percent of email is malicious, yet around 90 percent of people can't recognise a malicious message when they see one. Education is therefore important, but it doesn't seem to be working very well: the use of "trusted brands" in malicious emails persuades people to drop their guard, either because they are curious or because they fear an adverse outcome if they ignore the message.
An email filtering service like MailGuard is a good starting point. Because such services handle massive mail volumes, they can detect a campaign very quickly, even when the bad guys are doing A/B testing to work out which version of an email is more likely to be opened.
In the last couple of months MailGuard detected 160 variations of an email within an hour. Distributing malware and other malicious code is “easy money for these guys, [so] they're going to keep doing it”.
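The campaign detection described above relies on seeing many messages and grouping the ones that differ only in the details an attacker varies. The following is an added example, not MailGuard's code: it normalises out URLs and numbers, compares messages by word-shingle similarity, and clusters the variants of one constructed fake-invoice campaign while leaving a legitimate message and an unrelated lure alone. The sample messages, the 0.5 threshold and the 3-word shingle size are assumptions for the example.

```python
"""Group A/B-tested variants of one phishing campaign by text similarity.

Added example, not MailGuard's code: it shows the kind of near-duplicate
detection a filter that sees large mail volumes can use to recognise a
campaign even when each message differs in invoice numbers, links or wording.
The sample messages below are constructed for this example.
"""
import re
from itertools import combinations

# Constructed sample: three variants of one fake-invoice campaign (indices 0-2),
# a legitimate internal message (3) and an unrelated parcel lure (4).
SAMPLE_MESSAGES = [
    "Your invoice 48213 is overdue. Please review the attached statement "
    "and pay at http://pay-now.example/48213 within 24 hours.",
    "Your invoice 77091 is overdue. Please review the attached statement "
    "and pay at http://pay-now.example/77091 within 48 hours.",
    "Your invoice 10455 is now overdue. Please review the attached statement "
    "and pay at http://pay-now.example/10455 within 24 hours.",
    "Hi team, the quarterly planning meeting moves to Thursday at 10am, "
    "same room. Agenda attached.",
    "Your parcel could not be delivered. Confirm your address at "
    "http://track.example/redeliver to avoid return.",
]


def normalize(text):
    """Lowercase and replace the parts attackers vary per message (URLs, numbers)."""
    text = text.lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\d+", "<num>", text)
    return re.sub(r"\s+", " ", text).strip()


def shingles(text, k=3):
    """Set of k-word windows over the normalized text."""
    words = normalize(text).split()
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster(messages, threshold=0.5):
    """Single-linkage clustering: messages whose similarity meets the threshold
    end up in the same group. Returns groups as sorted lists of indices."""
    sets = [shingles(m) for m in messages]
    parent = list(range(len(messages)))

    def find(x):
        # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, j in combinations(range(len(messages)), 2):
        if jaccard(sets[i], sets[j]) >= threshold:
            parent[find(i)] = find(j)

    groups = {}
    for i in range(len(messages)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


def campaigns(messages, threshold=0.5, min_size=2):
    """Only groups with at least min_size members count as a campaign."""
    return [g for g in cluster(messages, threshold) if len(g) >= min_size]


if __name__ == "__main__":
    for group in campaigns(SAMPLE_MESSAGES):
        print(f"campaign with {len(group)} variants: {group}")
```

The first two variants become identical after normalisation (similarity 1.0); the third, which inserts one word, still scores 13/18 against them and joins the same group. A real filter would hash the shingles (minhash or simhash) rather than compare every pair, but the grouping idea is the same.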
Since such a big proportion of email is malicious, and that applies to employees' personal email accounts as much as to company mail, McDonald recommends a formal acceptable use policy (AUP) covering personal email in the workplace regardless of how it is received (such as on a privately-owned smartphone, or via webmail on a company notebook). One rule could be that no non-work-related attachments may be opened.
But you need to make it simple enough so your employees can easily comply with the AUP, and also “make sure the workplace isn't stifled”, he suggested.
Also, McDonald said, MailGuard's WebGuard web filter can help protect against intrusions via personal accounts and webmail. It does this by blocking access to phishing and other malicious sites, by preventing malicious attachments from running, and so on.
6. Do you back up on- and off-site?
Ransomware isn't the only risk to your data, but whether you lose access to important business files due to ransomware, hardware failure or some other problem, a good backup is about the only way you can be sure of recovering from the situation.
In most cases, local backup is the quickest and most convenient, whether the destination is a NAS or a drive connected directly to the computer. The problem is that those devices can themselves fall victim to ransomware (anything the infected computer can write to, the ransomware can encrypt), and they are just as exposed as the computers they are meant to protect in the event of fire, flood and similar disasters.
So McDonald recommends at least one cloud-based backup, using a system that doesn't present itself as a network share. (One example is Mozy, though there are several others.)
When McDonald asks people if they have ever tested their backup strategy, around one in a hundred say they have. So, he wonders, how do the rest know if they'll be able to recover from ransomware?
There are two parts to this. Firstly, it is important to keep checking that backup is actually happening on the schedule you intended. So get into the habit of checking the logs or notifications generated by the software. If you're relying on systems being backed up every hour, you wouldn't want a week to pass without noticing something has gone wrong.
"You do need to check regularly that it is taking a backup," he advised.
The second part is to make sure you really can restore one or more of those important files from backups. This means actually testing the process from time to time. And that will let you answer the next question, which is...
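Both parts of that routine can be scripted rather than left to memory. The following is an added example, not from the article or any backup product: it parses a constructed backup log, flags every job whose last successful run is older than the interval you rely on, and checks a restored file against the original by hash. The one-line-per-run log format, the job names and the acceptable ages are assumptions for the example; real products log differently, but the checks are the same.

```python
"""Two backup checks: is it running on schedule, and does a restore actually work?

Added example, not from the article or any backup product. It assumes a
constructed log format of one line per run ("<ISO timestamp> job=<name>
status=ok|error ..."); adapt parse_log() to whatever your software writes.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample log: the hourly job has been failing since 11:00 and the
# nightly cloud job last succeeded the previous evening.
SAMPLE_LOG = """\
2017-03-06T09:00:02 job=hourly status=ok files=1842
2017-03-06T10:00:01 job=hourly status=ok files=1850
2017-03-06T11:00:03 job=hourly status=error detail="destination unreachable"
2017-03-06T12:00:04 job=hourly status=error detail="destination unreachable"
2017-03-05T23:30:00 job=cloud status=ok files=1840
this line is not a backup record and is skipped
"""

# Assumed schedule: hourly local backup (allow a little slack), nightly cloud backup.
EXPECTED_MAX_AGE = {"hourly": timedelta(hours=1, minutes=15), "cloud": timedelta(days=1)}
# Fixed "now" so the example is reproducible; use datetime.now() in practice.
CHECK_TIME = datetime(2017, 3, 6, 12, 30)

LINE_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\S+)")


def parse_log(text):
    """Return (timestamp, job, status) tuples; lines that don't match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.fromisoformat(m["ts"]), m["job"], m["status"]))
    return entries


def last_success(entries, job):
    """Timestamp of the most recent status=ok run for a job, or None."""
    times = [ts for ts, j, status in entries if j == job and status == "ok"]
    return max(times) if times else None


def stale_jobs(entries, expected, now):
    """expected maps job name -> maximum acceptable age of the last good run.
    Returns {job: reason} for every job that is missing or overdue."""
    problems = {}
    for job, max_age in expected.items():
        ts = last_success(entries, job)
        if ts is None:
            problems[job] = "no successful run in log"
        elif now - ts > max_age:
            problems[job] = f"last success {ts.isoformat()} is {now - ts} old"
    return problems


def check_sample():
    """Run the schedule check over the constructed log."""
    return stale_jobs(parse_log(SAMPLE_LOG), EXPECTED_MAX_AGE, CHECK_TIME)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def restore_verified(original, restored):
    """A restore test only counts if the restored bytes match what was backed up."""
    return sha256(original) == sha256(restored)


if __name__ == "__main__":
    for job, reason in check_sample().items():
        print(f"ALERT {job}: {reason}")
    # Simulated restore test: a truncated restore must not pass.
    doc = b"Q3 accounts, final version\n" * 100
    print("restore ok" if restore_verified(doc, doc) else "restore FAILED")
    print("truncated restore ok" if restore_verified(doc, doc[:-1]) else "truncated restore FAILED")
```

Run from a scheduled task and make it send the ALERT lines somewhere a person reads; silence from a backup job is not the same as success. For the restore test, keep the hash of a few important files from the day they were backed up so the comparison is against what was actually written, not against the possibly-encrypted live copy.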
7. How quickly can you restore?
If all you need to do is recover a few backed-up files to another computer so you can keep working while the affected one is thoroughly cleaned out or repaired, that should be something you can do yourself and it shouldn't take too long.
But if your only option is to get someone in to do a full reinstall of the operating system and applications, and then restore the data files, it could take a day or even longer.
So you need to know how long it will take, and how you will cope while the work is being done.
8. Do you have communication plans?
Australia may still be waiting for laws governing mandatory disclosure in the event of data theft, but McDonald believes businesses should plan now to communicate with affected parties following such incidents.
9. Who will plug the hole?
If you don't have the in-house technical skills needed to restore normal operation and take whatever steps are needed to prevent or at least reduce the likelihood of a recurrence, where are you going to find them?
Most business owners don't want to keep paying someone to clean up their IT mess, he says, but there are "so many tangible and intangible things to think about" and they don't want to overtax themselves. So having a plan and establishing relationships before disaster strikes can be of great benefit.
10. Should you consider cyber insurance?
Cyber insurance can be a useful fallback if the worst happens, he suggests.
A business that considers all of these points in advance "will be in a stronger position and less likely to be affected," said McDonald, stressing that protective measures aren't expensive.