News

This site uses cookies and similar technologies.

If you do not change browser settings, you agree to it. Learn more

I understand
You are here: Fraud and Cybercrime

Fraud and Cybercrime

Rate this item
(0 votes)

 Fraud and Cybercrime

Article 2 - Technical Requirements of a Computer Network

Introduction

The problem that most businesses face is that they do not have access to appropriate, professional Information Technology (IT) staff or advice. Any IT company or supplier that interfaces with a business, is generally trying to sell them what they have in the cupboard, at that particular time. Further, IT is seen as a necessary evil, when it should be considered as the most important resource of a business, after the staff. It is quite bizarre that company cars, which generally contribute nothing to the running of a business, are often prioritized over spending on IT, which is fundamentally required, for continued operation. The Sales Manager wants a £30,000 car but a £7,000 spend on a new server, which would last for 5 years, is out of the question.

If your company has no Disaster Recovery Plan (DRP) or Data Protection Policy (DPP) that you actually understand and you employ an odd job man to ‘do your IT’, because he doesn’t charge a lot, then you are heading for trouble. This probably applies to about 90% of UK SMEs.

What we will see in this series is that whilst the technical aspects of a network are important, it is equally important that a business is actually managed. This means that the staff know what they can and can’t do in relation to a company’s IT systems, generally in the form of local management and an Appropriate Use Document (AUD). If the staff have never been told that they can’t use Amazon for their purchases, send email to friends from their company email account and browse any website that they fancy, then they can’t really be blamed for doing it, even though their actions may have serious financial consequences for their company.

Technical Requirements of a Secure, Compliant Company IT System

There is a lot of free, good advice regarding this subject, all of it far too complex to understand, for businesses that operate without dedicated IT staff or in an inappropriate relationship with an IT support company. The big problem is that having a secure network, with policies in place, is a legal requirement. IT support companies generally understand the IT but not the law and the company seeking their help, normally understand neither.

A good source of advice, in fact the best that I have seen, is on the Information Commissioner’s Office website. Whilst you are there, look at all the firms that have been fined, normally in excess of £50,000, for breaching data protection rules. Some offences are as minor as sending an email to the wrong person. One ex RedDrum client said to me ‘I am always doing that (sending email to the wrong person), I am far too busy to worry about it’. Interestingly, that person worked in the legal sector!

https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf

Nitty Gritty Requirements for an SME IT network

1) Policies, Policies, Policies.

Appropriate Use Document, Data Protection Policy and Disaster Recovery Policy. These three policies are a bare minimum.

2) Firewall

Technology has moved on, in relation to firewalls. Previously, they required an understanding of different command languages but now they are much simpler to use. Cisco have been the industry leaders for many years and their latest offering, Meraki, is inexpensive and simple to configure. An appropriately configured Cisco Meraki will protect your network from viruses, hacking attacks etc. provide usage reports and allow connection to external users, offices or other sites. An invaluable resource.

3) Router

Not so important, if you have a Meraki firewall. A good quality Draytek would be fine.

4) Switches

Managed switches control data and segment networks into different virtual LANs (VLANs). For example, Accounts, Sales and Operations could all be on the same LAN but they would be separated off into 3 VLANs. If there is a problem on one of the VLANs the others remain unaffected.

Meraki switches are fantastic, allowing for simple remote, single port control, with automatic features to shut down ports that have a problem computer plugged into it. However, Meraki can be considered to be expensive for switches and the Ubiquity range is a less expensive option.

Non managed switches, which can be found in many organisations, simply let any data pass through them and are not recommended.

5) Server(s)

In the near future, many organisations will be operating without having any physical servers on site, or indeed without actually owning any physical servers. Some do now. RedDrum own no servers and are a paper free office, apart from a reluctant accounts department, even though this has not been by design. The process has been evolutionary and all RedDrum software, including accounts, is cloud based, in Amazon, Microsoft or with other cloud based providers.

Most companies still require a local server to control user access and to run third party programs that have yet to be put into the cloud. HP and Dell are popular choices. What is important is that the servers are protected and managed, normally via a combination of management, virus protection software and manual checking, to ensure that they are constantly patched and updated. This updating process protects the servers from known faults or problems that can leave them vulnerable, if they are not applied.

The server should also be configured correctly, with the latest version of the Operating System, using Group Policy, to ensure that access to resources is strictly controlled. If a server is installed and then just left to its own devices, then it can be a major security risk.

The storage and protection of data, programs and any other resources on a server should be dealt with in a DRP. This policy should be checked at regular, specified intervals. If a series of back ups are taking place, then they should be checked/restored, in an appropriate manner. One unfortunate non RedDrum client, diligently took a backup tape, to their local bank, every evening. When the backup tape was needed, it was discovered that it had nothing on it. It had never been checked.

Unfortunately, RedDrum have seen servers installed in toilets and other interesting places. A server should be in a locked, air conditioned room. There can be no substitute for this simplest of all level of security; physical security.

6) Workstations

This is the area where invariably businesses are most at risk. This is because all staff have now have an international communications centre on their desks, normally with very little control over what they can and can’t do with it. Obviously, any workstation should have a current Operating System on it, for example, Windows 7, 8 or 10. All machines should have virus protection and monitoring software to ensure that they are fully patched and protected.

The AUD policy should determine exactly what a member of staff can and cannot do, with their machine. The firewall and server configurations should then enforce that policy. Examples of this include where data can be stored, normally just on a server, which websites can be accessed and what software can be installed upon a workstation. Users come and go, companies generally continue. The IT policies must overrule the specific desires or requests of a particular user, in the company’s interests.

There is much here that hasn’t been discussed. Bringing your own devices (BYOD) and personal use of company laptops are two examples. These two topics show what a minefield this area is.

View Fraud and Cybercrime Part 1
View Fraud and Cybercrime Part 3
View Fraud and Cybercrime Part 4
View Fraud and Cybercrime Part 5

Alun Griffiths

Alun Griffiths Contractors

When we started working with Alun Griffiths, one of the largest privately owned civil engineering contractors in the country, we were keen to find…
Caradog Hotel Group

Caradog Hotel Group

Another area of expertise that RedDrum IT has is creating IT business management solutions for hotel groups. Since we began working with Caradog…
Dragons Rugby

Dragons Rugby

Although we have no favourite clients, The Dragons are definitely a great organisation to work with. Their belief in what we do, and their…
Cardiff City Football Club

Cardiff City Football Club

Cardiff City FC is perhaps one of RedDrum’s most well known clients. Certainly, Cardiff City FC is one of the most famous clubs in Wales, but they…
Fraud and Cybercrime

Fraud and Cybercrime

Article 4 – Current Cybercrimes - RansomwareIntroduction Fortunately, for most of us that live in Western liberal democracies, the threat of being…
Fraud and Cybercrime

Fraud and Cybercrime

Article 3 - Current Cybercrimes - SpearPhishingIntroduction In the 1960’s criminals were much more visible. They would dress up in balaclavas, carry…
Fraud and Cybercrime

Fraud and Cybercrime

Article 1 - Required TerminologyIntroductionAccording to Symantec, there were over 1 million web based attacks, against people, per day, in 2015.…
Fraud and Cybercrime

Fraud and Cybercrime

Article 5 - Manage the Threats to your Business Introduction Having worked with and advised many, many clients, across a wide range of Public and…
Fraud and Cybercrime

Fraud and Cybercrime

Article 2 - Technical Requirements of a Computer NetworkIntroduction The problem that most businesses face is that they do not have access to…
Gwyn George Partnership

Gwyn George Partnership

Gwyn George Partnership (GGP) are a well-known Welsh law firm who offer their services throughout Wales, across their four different locations. One…
Ikaros Solar

WElink

Founded in 2007, the WElink Group is a specialised renewable energy company with extensive experience of solar project development and the design…