Your Small Business' Security

Small businesses are emerging as a popular target among online criminals. According to the most recent Symantec Internet Security Threat Report, small businesses were the second most targeted industry between January 1 and June 30, 2005 (Education was the most targeted industry). The report surmises that because small businesses are less likely to have a well established security infrastructure, they are more vulnerable to attacks. 2005 was a banner year for cyber attacks, and 2006 promises to be no different, as attackers continue to become more innovative, and their modes of attack more complex. As another new year begins, now is a great time to assess your small business information assets and current state of security and address it with a security plan that is supported by the right solutions.

Assess your current situation

Before you can work on a security plan, you need to consider what you need to secure, and who has access to the network. Here are some things you should think about:

Your network -- What kind of protection do you currently have in place? What kinds of connections are being made into the network? Are any employees connecting remotely?

Devices used -- How many, and what kinds of devices are making connections into your business network? Wireless must be addressed in a different manner than wired devices, for example. What kind of security is being used on the devices?

Information assets -- What is your sensitive business information and data, and where is it kept? This most valuable information requires special attention to security.

Who are the users? -- Think about who can access what information on your network, and what kinds of passwords are required.

Thinking about these things will help you determine where your security exposures are and what security measures you need to use to minimize these exposures.

Build a security plan

Every business, regardless of the size of their network, should have a security plan, and there are some basic elements that should be part of every security plan. Remember that a security plan should define appropriate user behavior and identify the security tools and procedures that should be in place. Here is a rundown of important issues that should be covered with your security plan:

• Access rights -- This boils down to trust, and trust of employees and users doesn’t always come right away. A business has three options when it comes to trust: 1) Trust everyone all the time, 2) Trust no one at any time; 3) Trust some people some of the time. Each approach has its benefits and drawbacks, but the third option is typically the most common model followed by businesses.

• Internet Access -- For all of its many uses, the Internet also poses many dangers. Viruses, spyware, computer hacking, and electronic spying are just the beginning. It’s estimated that the average employee uses the Internet for personal purposes at least 2 hours a day. And it isn’t just how long they’re on, it’s what they’re doing. Many illegal websites load spyware on to your corporate network and slow down the Internet for legitimate uses. That’s why we developed the DataShield™. Read all about it here: http://www.itsolutions-inc.com/our_solutions/shared_vision/ITS%20DataShield.pdf

  • Remote access -- A security plan should dictate safe computing practices for any remote users. This will include the use of antivirus and firewall on the computing devices, and how to make a secure VPN connection.
  •  Information protection -- Guidelines for processing, storing, and transmitting your business sensitive IT assets should be outlined.
  •  Virus prevention -- Security software and user education can help reduce your business exposure to viruses. Outline the necessary security solutions that should be employed at the network, perimeter, and client levels, and provide users with a primer on safe computing practices.
  •  Password use -- Requiring regular changing of passwords is a good idea, as is requiring alphanumeric, eight digit passwords.
  •  Backup and recovery -- Ensuring continuous backup of your important data, as well as a plan for recovering data in the event of a network disruption is important. Ask about our DataVault backup to disk system – http://www.itsolutions-inc.com/our_solutions/shared_vision/ITS%20DataVault.pdf

As you write your security plan, bear in mind that it must:

  • be implementable and enforceable
  •  be concise and easy to understand
  • balance protection with productivity

Once you have the plan down on paper, go through it with your employees. Once training is complete, audit your employees to make sure security practices are being followed. Also, make sure every new employee is briefed on the plan. Intentional or not, user error is often behind many security problems. Revisit your plan every six months to see if anything should be updated. The security landscape is never static, and your security plan shouldn’t be static either. Give yourself peace of mind this year by assessing the current state of your security and developing a plan to keep your business secure in 2006