Security Advice to a Friend


"I was recently asked by a business owner and friend what he should be thinking about in terms of Data Security. After outlining the key priorities and vulnerability scenarios, I felt this is great advice for all business owners." - Ian Pavlik


Recently, a friend opened her own physiotherapy clinic. Striking out on your own to start a new business amid a global pandemic is not for the faint of heart and comes with its own set of challenges. With many proverbial “balls in the air,” important business planning aspects like information systems and data security tend to get overlooked, at least initially.

Simple things like secured internet connectivity, firewalls, and strong password policies are all important foundational business considerations to protect against security breaches, the potential loss of client data, and most importantly, the broken trust and negative brand perception attached to these unwelcome cyber-attacks. Suffice it to say, a security breach is not something any small business is looking to experience.

Upon reflecting on this conversation with a friend who is in the early days of building her business, I came across a post from an industry friend of ours, Ian Pavlik. Ian obviously has the same types of friends asking the same types of questions. Here is Ian’s sage advice to a friend about security, and for what it’s worth, he is right 😉 Here is the rest of his post, “5 Keys to Network and Data Security” (pavliks.com).

Here are some things to think about when evaluating the security of your network.

Backups, Backups, Backups

The number one item is to make sure you have an effective backup strategy. Not just a backup. What I mean by that is you need to think about “what am I protecting myself from and what are all the elements I need backed up”. Backups have multiple purposes.

1. They allow you to restore information that is deleted, destroyed, or missing.

2. They allow you to restore a working system should it be required, i.e. restore an entire server and functioning software, rather than just restoring missing files. Say your server gets encrypted with ransomware: just restore the whole server rather than reinstalling and configuring from scratch. Restoring a whole server can take minutes, whereas reinstalling a new server can take several hours, sometimes days.

3. They allow you to view the state of your data or system at a point in time in the past. Forensic analysis of your data or systems is sometimes required. For example: what did our system look like 4 months ago, before we realized “Tommy” was mishandling files or money?

The strategy could be backing up your entire server daily and keeping that backup local to your network (but segmented in a way that a hacker cannot corrupt it) while backing up your data offsite to a secure backup system (again segmented from your network so a hacker cannot corrupt it).

The most important thing in all of this is the part about having a backup that IS NOT connected to your network. Ransomware attacks often include either an automated virus or an actual human accessing your network and poking around looking to encrypt your data and destroy your backups. So, if your backups are connected in a way that allows a hacker to reach them, then they are worthless. This includes any online file storage like Dropbox. Copying files to something like Dropbox IS NOT a good backup strategy.

Email Backups

Think about how your email is being backed up. Is it all in the Cloud? What if someone deletes their email before leaving the company? How can you get that information back? Consider a backup solution that can back up your email such that you can restore individual accounts or emails to a certain point in time. This is very important, especially when you let someone go and they might have an opportunity to delete emails before you turn their system or access off.

Antivirus

This is table stakes: make sure every device on your network has it installed. Have a central management console that allows you to see the status of each device, push out updates and manage the AV system.

Advanced Threat Protection

This is a system that monitors the actions of your users, their communication patterns and communication content, and looks for suspicious or irregular activities. This is not AV scanning for viruses; this is a system that tries to stop hackers from tricking your account department into changing the routing codes on the next wire transfer, for example. These are AI and machine learning systems that are constantly evolving and add a layer of protection from social engineering hacking attempts. Remember, no system is 100% protective and in the end, your staff have to be smart about things.

Data Loss Prevention

This is another AI and machine learning layer of protection that scans all communications and data that is sent from your systems and looks for sensitive information, like credit card numbers, Social Insurance Numbers, bank account numbers, etc. This can be set up to either stop, notify or audit someone before they purposely or inadvertently send an email that contains sensitive info. It even scans attachments. Businesses are liable these days to take reasonable precautions to protect customer data and not let it out into the wild. This layer of protection helps mitigate the leaking of that sensitive data.

These are the key items to look at, but obviously not the entire list to consider. Not sure where to start? We can help you by assessing your existing systems and security measures, identifying the gaps and threats to your data, and recommending and implementing the solutions to fill those gaps.
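
The outbound scanning described under Data Loss Prevention above, as an added example that is not part of the original post or of any product: it finds card-number and Social Insurance Number candidates in a message body and its text attachments, confirms them with the Luhn checksum, and returns a stop, notify or audit decision. Commercial DLP layers use richer detection than this pattern-plus-checksum sketch; the policy mapping, function names and sample message are assumptions made for illustration.

```python
import re

# Runs of 9 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){8,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used by payment cards and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(digits: str):
    """Name the kind of number, or None if it fails the checksum or length."""
    if not luhn_ok(digits):
        return None
    if len(digits) == 9:
        return "sin"
    if 13 <= len(digits) <= 19:
        return "card"
    return None

def scan(text: str):
    """Return (kind, masked_value) for every checksum-valid candidate."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        kind = classify(digits)
        if kind:  # mask all but the last four digits so logs stay clean
            findings.append((kind, "*" * (len(digits) - 4) + digits[-4:]))
    return findings

# Hypothetical policy: the action each kind of finding triggers.
POLICY = {"card": "stop", "sin": "notify"}
SEVERITY = ["allow", "audit", "notify", "stop"]

def decide(body: str, attachments=()):
    """Scan the body and text attachments; return the strictest action."""
    action, hits = "allow", []
    for part in (body, *attachments):
        for kind, masked in scan(part):
            hits.append((kind, masked))
            action = max(action, POLICY.get(kind, "audit"), key=SEVERITY.index)
    return action, hits

# Constructed sample: a well-known test card number and a sample SIN.
SAMPLE_BODY = "Please charge 4111-1111-1111-1111 for the visit."
SAMPLE_ATTACHMENT = "Intake notes: SIN 046 454 286, phone 416-555-0199"
```

The checksum is what keeps phone numbers and invoice numbers from triggering the policy; a regex on digit runs alone would flag both.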