Safety Net
By Peter Hammes
Weak security can be detrimental to any company. With new threats emerging daily, new systems being deployed and highly sensitive data being shared over larger networks, business owners play a never-ending game of chess with internal and external threats. So when security fails, or data is lost, it’s never a little problem. It’s a huge problem—affecting company finances and careers. For many small to mid-sized businesses, data loss can cost up to £75,000 in lost revenues, costs to regenerate data, lawsuits and fines—to say nothing of the loss of customer confidence and damage to the company’s reputation.
In today’s complex business environment, small businesses and entrepreneurs face the challenge of keeping their networks open and easily accessible to clients, colleagues and partners. At the same time, they must protect their networks from hackers, virus attacks and spyware, which may come from outside sources or from malicious individuals with easy network access. They also need to consider how to protect data from equipment malfunction, accidental destruction, theft, power surges, and natural disasters and fire.
More emphasis on paperless business processes and work environments creates more reliance on electronic data—and greater risk of critical data loss.
Before the Internet, managing network security was simple and straightforward. Companies could protect their networks from security intrusions by shielding themselves with a firewall, along with some other intrusion detection system (IDS) scanning the network perimeter. But with the increasing migration of business applications and transactions to web-based platforms, networks are exposed to a seemingly endless array of security intrusions and disruptions. Businesses need to adopt a holistic and proactive approach to securing their networks and look for solutions beyond simple firewalls and IDS.
This is crucial to protect an intangible but essential asset—information.This includes everything from human resources, customer records, inventory, accounting and business process information to sales transaction data. In the global information marketplace, protection of critical information has become a prime focus for companies of every size.
To help navigate the minefield of data storage, security, loss prevention, back up and recovery, here are some tips and suggestions to secure data and minimize risk.
1. Be aware of security compliance requirements and understand the liability issues. Fines, legal costs, and civil penalties can add up quickly for small businesses that fail to implement security best practices in the event of a break-in or a compromise of privacy data.
2. Protect stored customer data. Tracking data from credit cards should be deleted as quickly as possible, ideally, within one year of the transaction. Always delete customer information at regular, defined intervals. If the POS doesn’t encrypt card data, either enable truncation of the card data and after-batch closure or delete it.
3. Make sure that sensitive information is encrypted during transmission across public networks. Secure your wireless devices, encrypt traffic and change the default wireless ID without broadcasting it. Whenever possible, use virtual private networking (VPN) technology for remote access.
4. Implement and enforce company policies that address information security issues. Educate employees about importance of data security and the necessary steps to maintain it. Review and update security policies on a regular basis. Use content management tools to increase productivity, prevent misuse and decrease the potential for employees to accidentally visit malicious web sites.
5. Develop and maintain secure systems and applications. Update spyware scanners and security software on a routine basis, while keeping the operating system up-to-date with the latest security patches. Program software to notify users about updates. Regularly test security systems and processes and schedule network penetration tests to determine whether unauthorized access is prohibited.
6. Implement layered security at the network and PC level, plus your network firewall and PC firewall. A layered security approach using firewalls, anti-virus, anti-spam, anti-spyware and intrusion prevention will provide more robust security and help detect malicious activities and attacks.
7. Use and update antivirus software regularly. Routinely update virus definitions, and regularly schedule virus scans on all systems. Treat all email as potential source of malicious code. Scan all incoming and outgoing e-mail and regularly back up critical data.
8. Use passwords wisely. Don’t use vendor-supplied defaults for system passwords and other security parameters; don’t use default passwords for the firewall, router, POS, computer accounts, etc. If a wireless network is used, change the default SSID without broadcasting it.
9. Back up all critical data on a daily and weekly basis to help minimize the impact of a data loss. Consider offsite storage for backup data to prevent loss of both primary and backup data to a single event such as theft, natural disaster, or fire. Backup media is extremely valuable collection of consolidated data, and should be protected in limited access area.
10. Test and document your recovery process at least once a year to ensure restoration can be done in an effective and efficient manner.