By Jonathan Schmidt | Guest Column
Almost 38 years ago, I got my first computer – a Timex Sinclair 1000. Over the years, I moved up to the Commodore 64, the Commodore Amiga, Windows laptops, and now Macs. I’ve been working with computers, programming them, learning how they work, tearing them apart and putting them back together again for almost as long as I can remember.
By anyone’s account, I should have gone into computer science – but I didn’t see myself slaving over a computer for eight-plus hours a day. So what did I do? I majored in communications with an emphasis on electronic media, and went to work at the now-defunct online service called CompuServe.
I worked there for five years and then began my career as a consultant. I have worked on projects at and for Fortune 100 companies over the years including AT&T, Nationwide Insurance, Merrill Lynch and Chase. I have worked on projects for the U.S. Army and the Arizona Superior Court.
You might wonder why I am telling you this. Since I am now an attorney, I thought a little introduction of myself to you was in order in hopes of establishing a measure of credibility for this column on computer and cloud security.
Good security is hard
For many people outside of the technology industry, making sure computers are as secure as possible is a mystery. In the past, I’ve been accused of being too concerned about security. My response is that people and companies are not concerned enough about it. You simply can’t do security better than big players such as Microsoft, Google and Apple.
According to a 2007 study by the Clark School of Engineering at the University of Maryland, computers connected to the internet are attacked every 39 seconds on average, which works out to more than 2,200 attack attempts per day. One of the most interesting things from that study is that the computers used to observe the attacks were essentially dummy computers, set up as bait with nothing on them of any value to hackers. They were attacked anyway.
The reason for this is simple: most attacks are automated. You can’t get into the mindset that you aren’t a target because you are too small or that your information wouldn’t be attractive to a hacker. If any of your computers are connected to the internet, they are a target. And, if any one of the computers on your network is connected to the internet, all of the computers on your network are at risk. The hackers only need to find one vulnerability.
So, what are we to do about it? First, acknowledge your strengths and your weaknesses. If you aren’t in the technology business, you need to acknowledge that you aren’t going to be able to secure your systems properly by yourself. You will need help.
For in-house IT staff, make sure that they have the resources they need to be successful, including training, education and even outside help when necessary. Make sure that your IT staff contains personnel who are trained in cybersecurity defense. It is not as simple as making sure you have the latest version of your favorite anti-virus software.
The most important thing you can do is to avoid thinking it won’t happen to you. That’s because it probably already has and you don’t even know it. It’s hard enough to try to keep your computers secure, but it is harder still to detect when something bad has happened.
A word about IT consultants
Whether you have an in-house IT department or not, you may decide to employ outside consultants. But I’ll tell you a secret that not everyone knows: Anyone can claim that they are a computer consultant/expert, but that doesn’t mean that they know what they are doing.
The problem with hiring an IT consultant is that there is no way for most people to understand and verify their credentials. And to further complicate matters, many people don’t even know what questions to ask a would-be consultant before hiring them.
References from other companies who have worked with the consultants could be helpful, but unless you trust that the people making the recommendation have done their own due diligence, it’s still a crap shoot. My advice here is to ask questions and be skeptical. Remember that the IT person (whether in-house or outsourced) wants to sell you something.
Here are a few questions I suggest you ask:
“What do you recommend in terms of a timeframe for replacement of aging computer hardware?”
This seems straightforward enough, right? Most people I have talked to over the years have plans to replace computers every three to five years. They do this not for financial planning reasons, but because that’s what their computer consultants have told them.
In my opinion, the answer to the question is, “it depends.” Does your current computer do what you need it to do? If you are using the computer for only email and Word, a 10-year-old computer can do that. You don’t need to buy a new one because the current machine is X years old. The one hard limit is security updates: a machine whose operating system or firmware no longer receives them is exactly the outdated software that automated attacks look for, and it should be replaced or taken off the network.
“What are your thoughts on installing regular firmware, software, and operating system updates?”
If the IT person is hesitant in any way about installing the latest software and firmware updates, my advice is to run away. Updates should be set up to install automatically. Missing software and firmware patches are a huge reason there are so many successful attacks. Right now, millions of computers on the internet are scanning for outdated software to exploit.
If there are concerns about legacy hardware or software support, I approve of testing the rollout of such updates before they go to the entire company. But that requires a dedicated IT lab and staff that many smaller companies lack. If you don’t have a dedicated IT lab environment, install all updates automatically.
Don’t fear the cloud
The use of cloud-based services is catching on among many computer users, but it remains a scary proposition for some. Companies and individuals alike are possessive about their private data, and no one wants to have their data compromised. However, if you care about security and you acknowledge that you can’t do security any better than the big tech companies, your choices are to 1) remove your data from all devices that are connected to the internet, 2) accept that your data is not secure and know that there may be consequences, or 3) embrace the cloud and feel more secure, not less.
I advocate for the third option in many cases. Think of Microsoft, Google, Apple and the like as a security system not unlike one you might have at home. Their job is to give you access to your data (or your home) through the use of a password, while at the same time keeping others out (the security part), and notifying you if something bad does happen. If you agree that you can’t do security better than the big players, you should consider moving your data and systems to the cloud.
One of the biggest risks for businesses using any form of technology to store data comes from the use of bad usernames or passwords. According to the Clark School study, a great number of attacks come in the form of attempts to guess usernames and passwords. The study recommends that you do not use any of the following as your username: “test,” “guest,” “info,” “admin,” “mysql,” “user,” “administrator” or “oracle.” But the username is only part of the solution.
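Automated username guessing leaves a very recognizable trail in server logs, and spotting it is the kind of detection an IT person should be able to show you. The script below is an added example written for this column, not code from the Clark School study or from any product; it runs over a handful of constructed OpenSSH-style log lines (the addresses are documentation ranges, not real hosts) and tallies failed logins by username and by source, flagging the usernames the study singled out and any source that is hammering the machine.

```python
import re
from collections import Counter

# Usernames the Clark School study found most often tried by automated attackers.
COMMONLY_GUESSED = {"test", "guest", "info", "admin", "mysql", "user", "administrator", "oracle"}

# Matches OpenSSH "Failed password" lines for both existing and non-existent accounts.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = """\
Mar  3 04:12:01 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 04:12:03 fileserver sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Mar  3 04:12:06 fileserver sshd[2105]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 04:12:09 fileserver sshd[2107]: Failed password for invalid user oracle from 203.0.113.5 port 40131 ssh2
Mar  3 04:12:11 fileserver sshd[2109]: Failed password for invalid user test from 203.0.113.77 port 51002 ssh2
Mar  3 04:12:14 fileserver sshd[2110]: Failed password for invalid user guest from 203.0.113.77 port 51004 ssh2
Mar  3 04:13:40 fileserver sshd[2131]: Accepted publickey for jschmidt from 198.51.100.9 port 50010 ssh2
Mar  3 04:15:22 fileserver sshd[2140]: Failed password for jschmidt from 198.51.100.9 port 50011 ssh2
"""


def parse_failures(log_text):
    """Return one (username, source_ip) pair per failed password attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def summarize(failures, threshold=3):
    """Aggregate failed attempts and flag the signs of automated guessing.

    Returns a dict with:
      by_user   - failed attempts per username
      by_ip     - failed attempts per source address
      guessed   - usernames from the commonly-guessed list that were actually tried
      noisy_ips - sources with at least `threshold` failures (a single mistyped
                  password from a real user stays below it)
    """
    by_user = Counter(user for user, _ in failures)
    by_ip = Counter(ip for _, ip in failures)
    guessed = sorted(u for u in by_user if u.lower() in COMMONLY_GUESSED)
    noisy_ips = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {"by_user": by_user, "by_ip": by_ip, "guessed": guessed, "noisy_ips": noisy_ips}


if __name__ == "__main__":
    report = summarize(parse_failures(SAMPLE_LOG))
    print("failed attempts per username:", dict(report["by_user"]))
    print("commonly guessed names tried:", report["guessed"])
    print("sources that look automated:", report["noisy_ips"])
```

On the sample, the one legitimate user’s single failure is not flagged, while the source that tried four names in eight seconds is; on a real server the same script would be pointed at the authentication log instead of the embedded sample.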
The bigger problem for most people is the use of bad passwords. In my opinion, the best way to overcome the use of bad passwords is to use a password manager. I have been using them for years and they are a huge timesaver while at the same time providing a greater level of security. My favorite password manager is called 1Password (1password.com). It increases your security by allowing you to quickly generate long, randomly generated passwords. It also saves time by storing your passwords and auto-filling information into websites, and it synchronizes between phones and desktop computers via the cloud.
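What makes a password-manager password strong is that it is both long and drawn from a cryptographically secure random source. The following is an added example for this column, not code from 1Password or any other product: it generates such a password with Python’s `secrets` module (the general-purpose `random` module is the wrong tool, since its output is predictable) and shows how the worst-case time to try every possibility grows with length. The guess rate of 10^11 per second is an assumed parameter for illustration, not a measurement.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Generate a password from a cryptographically secure random source.

    `secrets.choice` draws from the operating system's CSPRNG. The `random`
    module must not be used for this: it is a deterministic Mersenne Twister
    whose internal state can be recovered from observed output, so passwords
    made with random.choice() are predictable to anyone who has seen a few.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e11):
    """Worst-case years to try every password at an assumed guess rate.

    1e11 guesses per second is an assumption in the range of a large offline
    cracking rig against a fast hash; it is a parameter, not a measurement.
    """
    seconds = (2 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(lengths=(8, 12, 20), alphabet_size=len(ALPHABET)):
    """Return (length, bits, years) for each candidate password length."""
    rows = []
    for n in lengths:
        bits = entropy_bits(n, alphabet_size)
        rows.append((n, round(bits, 1), years_to_exhaust(bits)))
    return rows


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "(%d characters)" % len(pw))
    for n, bits, years in compare():
        print(f"{n:>2} random characters: {bits:>6.1f} bits, {years:.3g} years to exhaust")
```

Eight random characters from this alphabet come to about 52 bits and fall to the assumed rig in well under a year; twenty come to about 131 bits and do not fall in the lifetime of the universe. The point is that length, not cleverness, does the work, and a manager makes length free because you never have to remember the result.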
The security of data is crucial to the success of any business. In my case, it also happens to be an ethical obligation, as I must maintain my clients’ data in a secure fashion. However, when I started my new law firm last year, I decided that I was not going to store any of our data on our local network. I admit it. I can’t do security as well as Microsoft or Google or Apple. As a result, we don’t save data to our computers and we don’t have a single server. We access all data through various cloud services. In my view, that is the safest place for my clients’ data to be. •