Small Business Internet Safety
January 26, 2016 7:55 AM

Hey all. I'm looking for advice as well as good novice-level resources to beef up the IT security at my workplace regarding use of the internet.

Here's the background. We're a small food manufacturing factory. Our new production, inventory and sales portal will be running on a cloud with access through a web browser. We have one server with 8 admin people on the network.
Currently the server is firewalled and each workstation is running ESET.

Last week the CEO got a virus on her personal computer, which isn't mapped to our network but would have connected to our wireless. On the weekend our COO listened to a tech show which apparently talked about Facebook, and he learned that it, as he put it, 'would talk to your computer and send data back and forth and sucks all our computers' power and we can't have that'. Also something about the danger of pop-ups. This has led to both of them, and I'm not exaggerating, being now terrified of the internet, and I was pulled into an emergency 'internet' meeting.

The security concern is real. I do understand that. However I need some help in calming the fears so we can address them realistically. Right now the CEO wants to shut the internet off altogether.

Part of the issue is that they don't have a basic understanding of how IT systems and the internet and websites work. They also aren't super aware of other ways to protect beyond a basic antivirus like ESET. For instance, when the COO asked me about how I know (at home) what is a good pop-up or potentially a bad one, I said I don't get pop-ups, I block them, and he was surprised that you can even do that. I googled to try to find some sort of educational resource that talks about how things work and things you can do for people at a basic level and mostly just found ones trying to sell something. I know he won't trust anything that has something for sale.

If anyone knows some good resources that cover this sort of stuff at a super basic level it would be appreciated. At least then we can hopefully converse in the same language.

I could also use some advice on what can be done IT-wise when it is necessary for a person's job to use the internet. I will be blocking on the production and warehouse devices. That's basic enough. I'm also aware that blocking specific sites and types of sites is possible. As I said above, the CEO is really worried about infections and said we should just block everyone from everything and people can just use their smartphones if we need to look something up.

This is not realistic at all as different admin positions use and need it for certain job tasks (as well as expecting people to have smartphones and use their own data for work stuff is just ugh). Things like looking up business addresses, directions for drivers, getting government regulations, looking at safety updates, purchasing, researching and for me googling for IT troubleshooting. Our IT department is pretty much me and Google.

I could use some advice or resources on policies and things that can be done to reduce risk when internet use is necessary. This is both for practical purposes as well as to show the CEO that realistically we can't just turn it all off entirely without making it impossible for people to do parts of their jobs but that we can make surfing less risky.

Oh, and also I suggested looking at talking to an IT security consultant and yeah, no go at this point. I was told to just go look things up on the internet and we'd talk again.
posted by Jalliah to Computers & Internet (5 answers total) 3 users marked this as a favorite
 
Brian Krebs, now an independent blogger and author but formerly of the Washington Post, has some good basic info that I often point people to:
3 basic rules for online security
Tools for a safer PC

Not sure if that's basic enough for what you need, but it's some solid advice.
posted by gemmy at 8:32 AM on January 26, 2016


Email requires internet access and is just as often a vector for infection as internet pop-ups. One that won't be blocked by stopping users' web browsing.

Anyway, SANS.org / CIS.org is a great resource for free videos and information on infosec. Pay careful attention to their 'Top 5' critical controls.
The NSA (yeah that NSA) also has a PDF document called 'the NSA Manageable network plan' that covers basic security processes and how to get started implementing them.

For the internet usage, you basically have two options - client based or network based. Make sure the clients are updated regularly, users aren't using admin credentials, have current AV, have an ad blocker. Then look at network-based solutions - layer 7 firewalls or proxy servers with AV. The goal is layers of defense.
posted by anti social order at 9:03 AM on January 26, 2016


You might want to look at a Unified Threat Management box. You can build your own, too.

It wouldn't be the whole solution, but it would be a solid part of one.
posted by sandettie light vessel automatic at 9:51 AM on January 26, 2016 [1 favorite]


Relevant, from Google: New research: Comparing how security experts and non-experts stay safe online

Basically: Keep everything updated, and use strong, unique passwords for every site, enabling two-factor authentication wherever possible.

Hopefully none of the computers are running anything older than Windows 7 (assuming they are running Windows at all) and are fully updated and patched.

Our new production, inventory and sales portal will be running on a cloud with access through a web browser.

It'd be particularly important for the logins you use to access those portals to have strong passwords, and definitely talk to whoever is hosting them about setting up two-factor authentication if it's not already in place.
posted by Pryde at 5:52 PM on January 26, 2016


Response by poster: Thanks all. These answers and resources are a great help for getting some direction in figuring out how to tackle this. Appreciate it.
posted by Jalliah at 6:58 AM on January 27, 2016

