Why aren’t companies taking IT security more seriously?
Any device connected to the internet presents a potential security risk. Phil Tann asks why so many businesses are running the risk of old hardware and software exposing their network and data.
Going online carries risk every time we do it, with phishing, social engineering, brute-force and man-in-the-middle attacks happening constantly worldwide. One of the problems that system integrators and IT service agents face in keeping their clients safe is the battle to get clients to maintain current security standards and hardware.
Poor security practices on your network pose multiple risks. Starting at the basics, you need a good-quality router with an updated firewall. A ten-year-old router that no longer gets firmware updates from the manufacturer offers no protection against vulnerabilities discovered and shared online.
One easy consideration to help decide if your router is currently secure and whether it is worth replacing is the age of the device; if it’s three to five years, you should be fine, but any longer and it’s probably time for a replacement. This is due to general wear and tear, including potential heat damage, which can reduce performance. With a new router comes more control, modern protection and greater general safety for your network, although nothing is bulletproof.
Once you get past the network’s entry point, further needs should be addressed. Your wireless network should be secured by the latest encryption standard, currently WPA3; older standards are considered insecure.
It’s not just the encryption that can be of concern regarding wireless networks.
Surfside Custom Systems was founded almost three decades ago in South Australia, and the company’s owner, Stuart Pope, highlights some of the risks he comes across that his clients aren’t always aware of: “I see it all the time; recently, one of my customers had a client attend their site and needed internet access to grab some files and send an email. They just gave their client the corporate WiFi password.
“I couldn’t believe it, particularly when I told them how simple setting up a guest network is and that it would isolate their client machine away from the business computers and data.”
Then come the PCs and laptops on the network…
For many businesses, this is where the “if it ain’t broke, don’t fix it” approach starts. Many companies still have Windows 7 machines (or earlier) on their network. On the surface, that’s not that big of a deal until you check that mainstream support for the operating system finished on 13 January 2015.
After some backlash, there was an extension of free Extended Security Updates (ESU) to some business users that was end-dated 14 January 2020. This leaves computers on corporate networks without a security update for over two and a half years. In practical terms, even Windows 10 PCs are coming towards their end of life, with support for the OS ending on 14 October 2025, and many of these machines are unable to update to Windows 11 as they don’t meet the minimum specifications.
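The end-of-support dates above are only useful if they are checked against what is actually on the network. The script below is an added example, not code from the article or from Surfside Custom Systems: it takes a constructed asset list (hypothetical host names) and classifies each machine as supported, unsupported or unknown using only the two dates the article gives, so that anything not in the table is surfaced for manual review rather than silently passed.

```python
from datetime import date

# Constructed end-of-support table. The dates are the ones the article gives:
# Windows 7 received its last free security updates on 14 January 2020 and
# Windows 10 support ends on 14 October 2025. Extend it for the OS versions
# your clients actually run.
SUPPORT_END = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed sample inventory standing in for an export from an asset
# register or RMM tool; the host names are hypothetical.
INVENTORY = [
    {"host": "ws-reception", "os": "Windows 7"},
    {"host": "ws-accounts", "os": "Windows 10"},
    {"host": "ws-design", "os": "Windows 11"},
]


def classify(os_name, today):
    """Return (status, days) for one OS: 'unsupported' with days since support
    ended, 'supported' with days remaining (0 on the last supported day), or
    'unknown' with None when the OS is not in the table."""
    end = SUPPORT_END.get(os_name)
    if end is None:
        return "unknown", None
    delta = (today - end).days
    if delta > 0:
        return "unsupported", delta
    return "supported", -delta


def audit(inventory, today=None):
    """Classify every host and return the findings, most urgent first:
    unsupported (longest unsupported first), then unknown, then supported
    (soonest to expire first)."""
    today = today or date.today()
    order = {"unsupported": 0, "unknown": 1, "supported": 2}

    def urgency(f):
        days = f["days"] or 0
        return (order[f["status"]], -days if f["status"] == "unsupported" else days)

    findings = []
    for item in inventory:
        status, days = classify(item["os"], today)
        findings.append({"host": item["host"], "os": item["os"],
                         "status": status, "days": days})
    findings.sort(key=urgency)
    return findings


def unsupported_hosts(inventory, today=None):
    """Just the hosts that belong on the upgrade list."""
    return [f["host"] for f in audit(inventory, today) if f["status"] == "unsupported"]


if __name__ == "__main__":
    # Fixed date so the report is reproducible; drop it to use today's date.
    for f in audit(INVENTORY, date(2022, 7, 1)):
        extra = "" if f["days"] is None else f" ({f['days']} days)"
        print(f"{f['host']:<14} {f['os']:<12} {f['status']}{extra}")
```

Run against a fixed date of 1 July 2022 the Windows 7 workstation shows as roughly 900 days past its last update, which is the "over two and a half years" the article describes; the unknown Windows 11 entry is deliberately listed before the supported machines so that gaps in the table are not mistaken for a clean bill of health.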
Conversely, many businesses run a bring-your-own-device (BYOD) program. In the short term this can be a huge cost saving for the company, but it creates a management nightmare, with network administrators unable to access machines, enforce security policies or even block access to sites.
There’s a trickle-down effect in play here: the hardware needs to support the latest software; the software needs to be supported by its vendor and to support the latest security standards; and the whole lot needs to be maintained by someone with the know-how to keep your network secure and running. Put that way, it all makes sense.
Stuart went on to discuss one client who was previously running remote desktop services but didn’t have appropriate security in place and was attacked, resulting in a crypto locker attack on their server. This was hugely costly to the customer in terms of downtime, data recovery and, of course, lost productivity time.
So, what barriers and arguments are IT professionals dealing with when discussing updating and upgrading?
There are plenty of reasons businesses argue against changing hardware, and one is blatantly obvious: the cost. Upgrading systems involves costs, which can be significant at scale, running in the tens to hundreds of thousands of dollars. But then the question becomes: what would it cost you if your network was compromised due to an out-of-date system?
IT systems are often seen as tools, but their value is usually not realised until they are gone.
In a discussion with Stuart, a few consistent stories were presented about why businesses continued to run the gauntlet by not upgrading. Interestingly, the argument comes down to three simple and consistent themes: function, age and budget. Discussions regularly include phrases such as: they’re working fine; there’s no problem; they’re not that old; and the budget just isn’t there.
It’s clear that there is an uphill battle for integrators to convince their business customers it’s time to upgrade.
Individual businesses know their clients best and how hard they can push, but some great suggestions emerged from discussions with Stuart. The ideal starting point is to invest time, potentially a lot of it, in helping clients understand the risks they’re taking: discuss best practices, current standards versus what they’re currently running and, if you’ve supported a client through them, some of the horror stories of old systems resulting in significant time, productivity and data loss.
One such story shared with me was about a client with Windows servers that were significantly past their expected service life. A power supply blew, causing a total outage for two offices, with a 13-week wait expected for replacement parts to be manufactured to spec in the USA. The calculations showed that they could be fully operational again in less than two weeks by building new servers, now with a far better backup setup (adhering to the 3-2-1 best practice) and redundancy to cover hardware failure. Understandably, this was the direction they chose, but not before losing some important data, significant work time and, sadly for them, a long-standing client they were unable to service during the downtime.
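The 3-2-1 rule mentioned in that story is easy to state but easy to get subtly wrong, so here it is as a small check. This is an added example, not the client's actual setup or any product's code: the copy names, media and sites are constructed, and the "before" set stands in for the kind of single-site, single-medium arrangement that leaves a business with nothing when the hardware dies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data, the live production copy included."""
    name: str
    medium: str     # storage type, e.g. "disk", "tape", "cloud-object"
    site: str       # where the copy physically lives
    offsite: bool   # True if the copy is away from the production site


def check_3_2_1(copies):
    """Apply the 3-2-1 rule: at least 3 copies of the data (production plus
    two backups), on at least 2 different media types, with at least 1 copy
    off-site. Returns (passes, list_of_problems) so a report can say exactly
    which leg of the rule is missing."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copy/copies; the rule needs at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append(f"all copies share one medium ({', '.join(sorted(media)) or 'none'}); need 2 media types")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy; a site-wide failure takes every copy with it")
    return (not problems, problems)


# Constructed before/after sets, modelled loosely on the article's story; the
# names, media and sites are hypothetical.
BEFORE = [
    BackupCopy("server data", "disk", "head office", offsite=False),
    BackupCopy("usb drive in the server room", "disk", "head office", offsite=False),
]

AFTER = [
    BackupCopy("server data", "disk", "head office", offsite=False),
    BackupCopy("nightly tape", "tape", "head office", offsite=False),
    BackupCopy("cloud replica", "cloud-object", "provider region", offsite=True),
]


if __name__ == "__main__":
    for label, copies in (("before", BEFORE), ("after", AFTER)):
        ok, problems = check_3_2_1(copies)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

The "before" set fails all three legs at once, which is the usual shape of the problem: the USB drive next to the server is a second copy, but it is the same medium, in the same room, on the same power circuit as the data it is meant to protect.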
Building their knowledge about software, particularly security updates and when vendors stop distributing them, helps clients see how running unsupported software increases the risk of compromise to their system or network and the likelihood of data loss.
This flows quite naturally into productivity gains from updating your systems and increasing the time efficiency of tasks.
A little bit of profit margin on a system isn’t going to make or break your business; consider taking a hit on systems (let the client buy from one of the big retailers) and continuing to support your client. The value added from your knowledge and experience can transform that mass retailer system from a functional tool into a secure and trusted work platform.
There’s no magic wand but there are several very effective tools you can utilise to sway your client towards updating to modern, more secure systems. Ultimately, you need to be confident in yourself and that the services you provide are the best option for your client and then you can sell it.
It’s through continual time investment, education and development of understanding that you’ll provide your client with a pathway to avoid unnecessary stress, downtime, potential data loss and minimise business impact in the online world.