This article was submitted by contributing author, Vic Berger.
My business
practice focuses on helping organizations understand their risks related to
security. Cyber Security is one risk every organization struggles with. Small
businesses face the same types of risks as bigger companies but lack the
staffing and resources to respond the same as a large organization. I am frequently
asked by small business owners “What cost effective recommendations would you
make for my business to make it more secure?” Here are my top ten recommendations
for small businesses when dealing with information security.
1.
Have A Written Security Policy
Every business needs a
good written information security policy. This is the basis for your security
plan, as well as your legal safety net when something happens. There is no
single action a company can take that is more important. Yet this is often the
first issue I find in audits of companies of every size, and in every
sector. The plan needs to be well
written; read and understood by every employee in the company; and consistently
maintained. There are numerous templates
and examples of security policies on the internet. Many consulting companies
will tailor a stock plan to suit your organization.
2.
Encrypt Everything
The first rule of I.T. security
is “no solution is perfect 100% of the time”. You cannot always trust
prevention methods to keep your data safe. The only way to consistently assure the
protection of your data is to encrypt it so it cannot be read. This is
especially important with cloud or internet based storage accounts. Dropbox,
Google Drive, OneDrive, Box, and Egnyte are all great tools, but no cloud
provider will guarantee the security of your data, and all have recently been
breached. My basic rule of thumb is: if it is on the internet, consider it
public access unless you have encrypted it. You can encrypt your cloud storage
using a simple to use (and free for personal use)
encryption program from nCryptedcloud that supports Dropbox, Box, Google Drive,
OneDrive, and Egnyte available at https://www.encryptedcloud.com/
You can also use a portable USB format hardware encryption and key
management device from BlackSquare called Enigma, at www.blacksquaretechnologies.com for personal and small business encryption on portable
devices, computers, and cloud accounts.
3.
Protect Your Website
Current information security
statistics indicate that 85% of all websites have one or more significant
security vulnerabilities. I apply patches to my websites almost daily to keep
up with newly discovered vulnerabilities. There are three basic types of
websites, with three different recommendations based on what you use:
A. A static web page with basic company
information that doesn’t change. Your biggest risk is disruption or defacing of
this type of website. Your hosting provider or ISP will take care of the
service disruption. For defacing, keep a good site backup and do a complete CLEAN
restore as soon as possible (hackers leave behind gotchas).
B. An interactive or dynamic web site
with user content and/or e-commerce. Often these are created using a standard
Content Management Software (CMS) package like WordPress, Joomla, or
Drupal. These are best left to a
professional company to update and manage if possible. If you must do it
yourself, get a good book on securing your type of CMS. Subscribe to the
vulnerability notification feed for your CMS type (all of the common solutions
have this). Check your website against new vulnerabilities often.
C. A site dedicated to internet
e-commerce or a highly interactive site where users log in to access
content. Hire this one out! Do not try
to do this yourself unless information security is your core business, or you
have an I.T. staff with specialized training and certifications in internet
security.
4.
Data Backups
I see irreplaceable data
lost almost every day. I have seen it in government agencies, fortune 500
companies, and in every industry vertical. It can be from a data breach, a hardware
failure, a natural disaster, or from human error. Whatever the reason, there is
no excuse for not having good backups. You should have at least one full data
backup per week. More if your data changes frequently. Store the backups
offsite, and somewhere safe. I suggest
the granite vault at Perpetual Storage www.perpetualstorage.com, it is the safest storage site in the country. You
should also buy a GoBox and store everything you would need
to rebuild your business after a major disaster.
5.
Avoid Consumer Grade
If you can buy an I.T.
product at a local box store, electronics retailer, or office supply store it
is probably consumer grade, and not designed for business. This includes
firewalls, routers, wireless access points, servers, storage, networking
devices, tape drives, or anything that protects, moves, or manages your data.
Yes, commercial grade is more expensive, for a reason: It Is Commercial Grade!
Consumer grade security equipment was designed to protect a few ports and protocols commonly used by consumers. Business
applications use different ports and protocols. It either does not run behind
consumer grade equipment or you have to poke holes in your security to make it
work. Consumer grade security is also easy to breach. Commercial grade uses
much better security methods, and is consistently tested. Call your local I.T.
reseller and ask them what they recommend.
6.
Know Your Risks
Knowing what you have,
that would be of value to someone else, helps you determine what to focus on to
protect. Do you have sensitive or privileged data? Is your data unique or valuable?
Are there government regulations like HIPAA or Sarbanes-Oxley that affect your
industry? Are customers or consumers ever given access to your data? How many
employees do you have, and what risk areas do they create? Beyond what is
already addressed elsewhere in this whitepaper, as a minimum you need:
Antivirus (web search free antivirus), Anti spyware (web search free
anti-spyware), and a good security shell for your organization (Try Arellia www.arellia.com). If you have customers that are
EVER by your work computers you need an anti-keystroke logging solution
(StrikeForce www.strikeforcetech.com). Your mail and web should have
mandatory content filters (either through your ISP or your firewall).
7.
Plan For BYOD
BYOD stands for bring
your own device. This is a huge shift in the government and
corporate sector, but probably business as usual in small businesses. Small businesses often use what they
have, even if it is a personal device. This is increasingly creating security
issues. What your employees, knowingly or unknowingly, have on their devices,
and what they do with them in their own time is now brought into your
environment. This can open up security holes as well as create liability
issues. Make sure that BYOD is clearly defined and covered in your security
policy. There is technology that can restrict the security vulnerabilities of
personal devices, so ask your local I.T. reseller for assistance. Finally, make
sure your employees clearly understand your expectations and limits where BYOD
is concerned.
8.
Who Is Guarding The Sheep
This applies whether you
are a fortune 500 company or a small business. I.T. administrators have great power.
They can view privileged information, and have an extremely high level of
system access and control, more than even the owners and senior executives of
the company. This is a great responsibility, but also a huge temptation. It is very
common to discover that I.T. administrators have been inside payroll files, HR
files, or other personal or sensitive material. A good security shell like
Arellia (see #6) creates log files to review, but that means that someone has
to faithfully do this. Again, start with policy and clearly define
responsibilities and expectations. Two person integrity is always prudent where
money and manpower permit. And as always, rule #2 applies: Encrypt everything!
9.
Physical Security Is Information
Security
Theft is about opportunities,
and criminals use them very effectively. Data from a stolen laptop is easier to
obtain than hacking. Why brute force passwords when you can easily install a
keystroke logger. A screwdriver to the back door is as good as a key if there
is no other security. You must have good physical security policies and
practices to have good information security. Cameras are effective and have
become reasonably cheap. Programs that wipe stolen devices are commonly
available. Keeping sensitive information and records locked away after hours
deters opportunistic thieves. Think like a criminal, and then protect yourself
from what you would exploit.
10.
Know When To Call For Help
I am a passable plumber, marginal carpenter, and
just plain dislike auto mechanics. I can do all three if required but usually
end up spending more time, effort, and money than what I had intended. I can
tackle small jobs but I leave the major projects to the professionals. I.T.
Security is a highly specialized field with significant training and experience
necessary to operate at a professional level. Your whiz kid nephew, who is good
with computers, does not have that level of training or the required experience.
This is especially important when there is an incident. Less than 3% of all
I.T. professionals have the security experience and certification necessary to
handle a data breach. I leave significant plumbing, carpentry, and auto
mechanics jobs to the professionals, leave your major I.T. security issues to
the professionals as well.
This article was submitted by a contributing author:
Vic Berger
CEO, Opsis Technologies
855-99OPSIS
For more information on protecting your office regarding this issue or additional HIPAA, OSHA, HR, and Medicare resources, please visit our web site: http://www.hcsiinc.com or email support at: support@hcsiinc.com.
You are better off contacting them and having it turn out to be nothing, than risk infecting your computer or corporate network with malware. By following a few simple tips, you can better protect yourself and your business from getting hooked by a phishing scam. Melbourne CCTV Systems
ReplyDeleteGreat to read this complete information. Cloudnosys is a SaaS platform secures your cloud against vulnerabilities, achieve entire visibility & control of cloud security and compliance in AWS & Azure.
ReplyDeleteI am always searching online for articles that can help me. There is obviously a lot to know about this. I think you made some good points in Features also. Keep working, great job ! Criminal Records Deletion
ReplyDelete