This post provides examples of IT security threats and protection for small businesses to consider. In future posts I will expand on the examples by providing specific recommended configurations and setup.

When reading the examples it is important to remember that potential vulnerabilities will depend on your IT environment, and actual protection measures are a balance between risk and cost. As such, not all the examples in the table will apply to all small businesses.

Each entry lists the vulnerability, then examples of threats, then examples of protection.
Telephone systems

Hacked Phone System Leaves Company with $50,000 Bill.

News of the World reporter hacked phones a thousand times.

Hack turns the Cisco phone on your desk into a remote bugging device.

Cordless telephone eavesdropping made easy.

Former telephone company worker tapped town phones to ring adult lines.

Nobody Encrypts their Phone Calls.

Caller ID shows your bank’s number – but it’s actually a fraudster.

NSA employee spied on nine women without detection.

Understand that telephone conversations, using traditional landline equipment, are not secure, and can be eavesdropped.

Consider encrypted solutions to protect sensitive conversations.

Change the default voicemail password, or turn off remote voicemail access if you don’t use it, on your mobile and your office telephone system.

If your VoIP handset includes a web server feature then consider disabling or restricting access to the feature.

Understand that caller ID does not prove the origin of a call.

WiFi

Wi-Fi–Hacking Neighbor From Hell Sentenced to 18 Years.

Facebook and other online accounts easily hacked when used via shared WiFi.

Thieves create fake hotel Wi-Fi hot spots to steal your information.

Provide a WiFi service for visitors to your office that is separated from the WiFi service for your employees.

Use business strength authentication and encryption for your corporate WiFi service, or at a minimum remove the WiFi Protected Setup (WPS) feature.

Use a VPN (Virtual Private Network) back to your office network when using public WiFi (this applies to tablets and mobile devices, not just laptops).

Remote network access

Fired Gucci employee charged with hacking into network.

Texas executive convicted of hacking former employer’s computer network.

Swiftly remove computer access for departed employees.

Web browsing

Internet Explorer zero-day exploit targets nuclear weapons researchers.

Keep your web browser software updates current.

Have anti-virus/anti-malware installed and updated.

Educate users on what a website with malicious intent looks like.

Web conferencing

Millions of Yahoo webcam images intercepted by British surveillance agency.

Security hole allows anyone to hijack your Skype account using only your email address.

Use a web conference service that includes encryption, but note that this is not always so simple to confirm.

Use a web conference service that includes two factor authentication.

Broadband router

300,000 home and small-office (SOHO) routers have been compromised by hackers.

NSA Laughs at PCs, Prefers Hacking Routers and Switches.

Example of a broadband router being hacked.

Don’t use the ISP provided router, or at a minimum, connect your own router to that provided by the ISP.

Disable remote administration interfaces.

For additional protection, consider an Intrusion Protection System (IPS).

Local wired network switch

With the right tools, other users on your network can hijack your web sessions.

Segregate traffic types on your network to reduce impact of a vulnerability or intrusion (using a common feature on routers called VLANs).

Control how users and devices authenticate (consider using router features called port security and 802.1X authentication).

Select network switches that include security features to protect against vulnerabilities and intrusion (such as ACLs and DHCP snooping).

Email

More Than 70% of Email Is Spam.

Malicious attachments were detected in 3.9% of all emails.

Chinese Hackers Stole Every New York Times Employee’s Password (initiated by spam email).

Have anti-spam and anti-phishing installed and updated.

Have anti-malware/anti-virus installed and updated.

Filter or delete email that contains .vbs, .bat, .exe, .pif or .scr file attachments.

Encrypt sensitive emails or reconsider sending certain sensitive information by email at all.

Educate users on what an email with malicious intent looks like.
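One way to apply the attachment-extension rule above in a mailbox script or gateway hook, shown as an added example that is not from the original post. The sample message and the function name `blocked_attachments` are constructed for illustration.

```python
import email
from email import policy

BLOCKED = (".vbs", ".bat", ".exe", ".pif", ".scr")  # the list from the post

# Constructed sample message (not real mail) with four attachments.
SAMPLE = b"""\
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"

(placeholder body)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.PDF.exe"

(placeholder body)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=UTF-8''statement%2Edoc%2Escr

(placeholder body)
--b1
Content-Type: application/octet-stream; name="notes.bat."

(placeholder body)
--b1--
"""

def blocked_attachments(raw: bytes) -> list[str]:
    """Return the filenames in a raw message that end in a blocked extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():          # walk() also descends into forwarded messages
        name = part.get_filename()   # decodes RFC 2231 names; falls back to Content-Type name=
        # Match on the final extension, case-insensitively. Windows ignores
        # trailing dots and spaces, so strip them before comparing.
        if name and name.lower().rstrip(". ").endswith(BLOCKED):
            hits.append(name)
    return hits
```

Files packed inside an archive such as a .zip are not inspected by this check.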

Computers and servers

Virus can sabotage computers by deleting files.

New Worm Spreads Itself via Linksys Routers.

Dumped computers exploited in overseas fraud.

L.A. Breach Linked to Stolen Computers.

Have anti-malware/anti-virus installed and updated.

Disable remote administrative access to your broadband router.

All computers should have a software firewall installed and updated.

User accounts on computers should not have administrative access to install programs (access that malware and phishing attacks can exploit).

Encrypt your hard disk data, and when the time comes, dispose of old computer equipment securely. This applies to PCs, file servers, mobile phones, tablets and even some printers.

Back up all files, with the ability to recover versions from various dates in the past (one week, one month, one year, for example).

Consider the physical security of devices and options such as Kensington locks and secure cabinets.

At the extreme end consider having your most sensitive information on computer/s that are not even connected to a local network or to the internet!

Documents

Unauthorized access to private information is rampant within companies.

Employee file sharing practices put corporate data at risk.

Understand data sensitivity and restrict employee access to files and folders stored on common drives.

Audit relevance of employee access at regular intervals.

Control who has access to administration accounts.

Have an employee policy restricting the use of unauthorised file storage or file transfer tools.
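The advice to remove access for departed employees, audit access at regular intervals and control administration accounts can be run as one periodic check. This is an added example, not from the original post; the CSV column names, the `admins` group name, the 60-day threshold and all sample data are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export of user accounts (hypothetical column names).
ACCOUNTS_CSV = """\
username,enabled,last_login,groups
alice,yes,2024-05-28,staff;admins
Bob,yes,2024-05-30,staff;admins
carol,yes,2024-01-10,staff
dave,yes,2024-05-29,staff;admins
erin,no,2023-11-02,staff
"""
CURRENT_STAFF = {"alice", "bob", "carol"}  # constructed: taken from the HR roster
APPROVED_ADMINS = {"alice"}                # constructed: who should hold admin rights

def audit_accounts(accounts_csv, staff, admins, today, stale_days=60):
    """Return {username: [reasons]} for enabled accounts that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"].strip().lower()  # rosters and logins differ in case
        if row["enabled"].strip().lower() != "yes":
            continue  # already disabled, so it cannot be used to log in
        reasons = []
        if user not in staff:
            reasons.append("no matching current employee")
        if "admins" in row["groups"].split(";") and user not in admins:
            reasons.append("admin rights not approved")
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle > stale_days:
            reasons.append(f"unused for {idle} days")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    report = audit_accounts(ACCOUNTS_CSV, CURRENT_STAFF, APPROVED_ADMINS, date(2024, 6, 1))
    for user, reasons in report.items():
        print(user, "->", "; ".join(reasons))
```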

Printers

Intercepting print jobs and replaying them.

County agency leaves Arizonans’ sensitive documents in dumpster.

Understand your printer security options (corporate devices include options to encrypt printer traffic, encrypt printer hard disks, and include controls on who can collect a print job).

When disposing of a printer understand that it may include confidential information on internal hard disks.

Use a paper shredder, or secure waste disposal service, for surplus printed material.

Mobile phones

Apple Security Flaw Could Allow Hackers To Intercept Emails.

iPhone security flaw allows passcode lock bypass.

Here’s How Others Can Easily Snoop On Your Cell Phone.

Don’t trust that text: How the iPhone SMS spoof works.

Encrypt your mobile phone hard disk, use a passcode, and set up remote wipe capabilities.

Be aware that phone calls can be intercepted and that caller ID / SMS can be impersonated.

For the security conscious, investigate encrypted voice solutions.

Online services

How I Lost My $50,000 Twitter Username.

Dropbox employees can see the contents of a user’s storage.

Google Engineer Stalked Teens, Spied on Chats.

Sarah Palin Email Hacked.

Two million compromised accounts… including Facebook, Twitter, LinkedIn.

4800 Aussie websites evaporate after hack.

Man hijacks 90 eBay accounts… mostly by guessing passwords.

Burger King Twitter Account Hacked.

Use two factor authentication options (SMS or token used in conjunction with a password) if at all possible.

Use different complex passwords and store these securely with a password manager.

Encrypt sensitive files stored online.

Be suspicious of emails asking you to log in using a provided link (instead, visit the site directly and log in).

Be suspicious if you receive warnings about “invalid certificates” when visiting an online service login page (don’t log in; try again later, or phone the service provider).

Always use secure login webpages, indicated by “https” in the webpage address.

Read the cloud provider’s terms and conditions related to data security.

If using third party applications or plugins with your online services, be aware that this may compromise security.

Do your own website backup rather than rely solely on your service provider.

Spy devices

Keystroke logging used to spy on mob suspect.

World-renowned manuscript expert installed camera in disabled toilet.

Beware of unusual physical attachments on keyboards.

Beware of unusual or recent physical attachments, such as smoke detectors, coat hooks, clocks, in areas that are needed for private or confidential activities.

More security conscious companies may even employ third party companies to complete bug sweeps.