Small to Medium Enterprises (SMEs) are just as vulnerable to cyber-attacks as large corporations. This means that you need to consider and implement protection where needed to protect your business.
There are three key categories for protection:
- Physical – physical equipment e.g. Flash Drives & CDs, computers, server & network infrastructure, phones & other network connectable devices. See our blog on Physical protection here
- Network – the ‘data’ layer: internal network configuration, e.g. security groups, user accounts, restriction policies. See our blog on Network protection here
- Cloud – services that you have limited control of, e.g. accounting software, Office 365. You may have a level of administration in terms of creating users and managing permissions, but the important security protocols and procedures are ultimately controlled by the host company
With many new applications being offered as Software-as-a-Service (SaaS) and cloud storage becoming the common location to store backups, it is imperative that consideration is given to which service provider is selected to protect your precious data.
It is important to remember that even though you are not personally holding the data, you are still legally responsible for ensuring the protection of your customers’ sensitive information. Read more about your legal responsibilities regarding data protection here.
Some things to take into consideration when choosing a service provider:
- Policy and Compliance
- Industry certification
- Service integrations and features
Policy and Compliance
Review the service provider’s data use policy. Any reputable provider will have a policy outlining the use of your data and the methods they will use to secure your data. Look for things such as the location of data storage or where the servers/infrastructure are hosted. This will play a big role in what kind of compliance and regulations the service provider needs to adhere to and these may not align with your responsibilities. A good example of this is Data Sovereignty.
Data Sovereignty at a basic level stipulates that information is subject to the laws of the country in which it is located. Different countries have varying laws surrounding the storage and access of data, for example one country may require a third party to hold a warrant to access your data for legal reasons, where other countries may not require this.
Industry Certification
Just like most industries, providers can earn industry certifications by ensuring their service, hardware or environment meets documented standards or regulations. For example, the Australian Signals Directorate has created and maintains the IT Security Manual that sets strict guidelines and requirements for a data service to meet ‘security levels’. If an environment meets a certain level, you are assured that security of your data is maintained to this level.
Account & Password Management Policies
The level of integration and features the provider has available should also be taken into consideration. If they have self-contained usernames and passwords, ask how these passwords can be retrieved and what security restrictions are in place.
The following are various items that should be considered when selecting a service provider. Generally the presence of these features or functions is advantageous and offers better protection, specifically in relation to account security:
- Separate registered email address – requires you to approve a password reset from another valid email address.
- Secret question and answer – in addition to requiring the user to submit a passphrase known only to them, it is important that the provider enforces a policy not to use generic questions like 'Where did I go to school', as this kind of information is very accessible through a raft of measures.
- Lock out policy – how many failed login attempts does the system permit before locking the user out? If no restriction is in place, it leaves the system open to someone trying millions of password combinations until something works.
- Password length and complexity – while it can be annoying to add additional characters and numbers, complex passwords provide an extra level of protection. If users are not required to use complex passwords, they tend to use basic dictionary-based passwords which can be brute forced in no time.
- Multi-factor authentication – a policy that requires the user to not only enter a username and password but to follow it up with one or more other methods of authentication, such as inputting a temporary code sent to a predefined mobile number or token.
- Directory integration – some providers offer integration with your business IT directory, meaning that their system will accept the same login details used to log on to the work computer. This brings some of the security control back under the organisation's control.
A service provider’s reputation goes a long way. The choice between Microsoft and a start-up company might be obvious, but it's not always so clear cut, and other factors come into play such as cost or product features. Spend some time researching the potential service you're looking into: see if you can find some reviews or blogs to assist with understanding the organisation in more detail, and look over the support portal to see if problems and queries are addressed quickly and satisfactorily.
Even when all things are taken into consideration, the IT world is ever evolving, and new and clever ways are always being developed to access what shouldn't be accessed. Your security practice should be subject to continual reviews and updates to provide the best protection possible. Avoid relying on a few measures and instead combine all methods at your disposal for the most effective results. Understanding that people are going to (intentionally or unintentionally) attempt to access things they shouldn't, delete information or introduce malicious software means you can take proactive steps to mitigate these risks to your organisation.
F1 Solutions' cloud services benefit from a data centre and network architecture built to meet the requirements of the most security-sensitive organisation. Talk to us today about how our cloud hosting services can help your business.
About F1 Solutions
For over 23 years F1 Solutions has been building quality software solutions for Federal and State Government departments, small and large not-for-profits, and businesses in Canberra and across Australia. We also provide organisations with trusted IT support and advice, as well as a range of other services.