Blog

Stay Updated With The
Latest IT News

closed-open

Small Actions Make a Big Difference

Click to listen

I want to tell you about a recent computer hack that has implications for your business and how it safeguards its technology.

First, some important context…

We all rely on software in virtually every aspect of our lives, both business and personal. Outlook, PowerPoint, Zoom, Chrome… the list goes on and on.

Most commonly used software is “closed source.” This means the company (or person) that owns it allows you to run the program but does not provide the underlying computer code behind it.

“Open source” software is different. Here, not only is the program made available, but the source code which makes it run is released as well. This allows those who want to customize the software the freedom to make changes, either for their own use or to enhance it to make it better overall.

The most well-known open source software is Linux. It’s an operating system software, like Windows and Mac and is frequently used in computer servers or as the foundation for web sites. In other words, it’s everywhere.

Linux is maintained by technical people who are, for the most part, volunteers. They offer their time and expertise to keep it updated and running as it should. To date, this model has worked well because the people who maintain the various pieces of Linux have been people of integrity.

That is, until recently.

Because last month it was discovered that a bad actor had, over the course of two years, gained the trust of an authorized Linux programmer and was able to insert a “backdoor” into a piece of the code, something which had the potential to cause significant and widespread harm.

Fortunately, the hack was discovered (quite by accident, apparently) before it was released broadly.

That’s good news, of course. But it highlights how vulnerable we are as businesspeople if the “wrong” people — whether acting deliberately to do bad things or simply making errors — gain access to the technology that keeps our respective businesses running as they should.

With that in mind, here are some simple steps you can take to reduce the likelihood of this kind of thing happening to you…

#1. Maintain Control

Here at SMR, we maintain the internal IT systems of our clients. To do that effectively, we are given “top level” access to everything: hardware, software, networks, email, security, etc.

However, as a matter of policy, we make sure someone inside the company also has all the top level permissions, log-ins, and passwords (typically the owner if it’s a small business, the CFO if it’s larger).

Why? Because if an external provider has access to certain aspects of your IT infrastructure — and you don’t, because you handed them the keys — they can make life difficult if you decide you no longer want to work with them.

Make sure you have all the required information and authorizations (and ownership of your domains), so you have the freedom to choose a different provider if necessary.

#2. Limit Access

Our bookkeeper can log into our bank and credit card accounts. She can see anything — but her ability to do certain things (write checks, make withdrawals, add payees, etc.) is deliberately and specifically curtailed.

This type of restriction is what’s known as RBAC (Role Based Access Control) and it applies to all sorts of things across an organization. Who’s authorized to make changes to the company web site? Who can add a new company email account? Who can sign checks and for how much?

Different people are entitled to different levels of access based on their responsibilities within the company. And while it may be simpler and even more efficient in the moment to give a lot of access to a lot of things to a lot of people, doing so is a recipe for trouble.

#3. Build in Redundancy

In the unlikely event someone inside your company with a high degree of responsibility is hurt, missing, or otherwise unavailable, you’ll want someone else in the company to step in and keep things rolling.

They don’t need the same skillset, but as with external partners, they should have access to all the permissions, logins, and important information. If too much is in the hands of one person, you risk things coming to a screeching halt until and if that person is once again available.

#4. Trust But Verify

Perhaps what’s most interesting about the Linux hack is that it was a “social engineering attack.”

In other words, the breach didn’t occur because of a virus or malware or anything “technical.” It happened because someone with the authority to make changes trusted the wrong person, giving them access they should not have had.

As I’ve written about previously, the people in your organization represent your greatest cybersecurity weakness. They need to be trained and tested systematically and regularly to lessen the chances of a social engineering hack into your company.

Don’t Wait

Keeping your company safe, whether from well-meaning errors or deliberate bad actors, takes training and ongoing vigilance.

And while there is no 100% solution, these are some small, simple actions you can take to reduce the likelihood of experiencing significant problems.

Andrew Cohen

Andrew Cohen

Having a reliable strategic partner in the realm of IT services and solutions is essential for achieving sustained growth through effective technological strategies. Our CEO, Andrew Cohen, is dedicated to helping clients optimize their technology to gain a competitive edge in their industries. At SMR, Andrew leads a team of highly dedicated professionals who are fully committed to providing exceptional IT services and solutions. With his extensive expertise and practical experience, Andrew ensures that clients receive unparalleled support and guidance for their IT projects. You can trust SMR to elevate your business systems and stay ahead in today's fiercely competitive business environment.