The Weakest Link in Network Security Continued
by Peter Alexander
reprinted with permission from the
Microsoft Small Business Center
Your small-business network may be protected by firewalls,
intrusion detection and other state-of-the-art security technologies. And
yet, all it takes is one person's carelessness, and suddenly it's as if
you have no network security at all.
Let me give you an example. In
March 2006, a major financial services firm with extensive network
security disclosed that one of its portable computers was stolen. The
laptop contained the Social Security numbers of nearly 200,000 people. How
did it happen? An employee of the firm, dining in a restaurant with
colleagues, had locked the laptop in the trunk of an SUV. During dinner,
one of the employee's colleagues retrieved an item from the vehicle and
forgot to re-lock it. As fate would have it, there was a rash of car
thefts occurring in that particular area at that particular time, and the
rest is history.
The moral of that story is
clear: No matter how secure your network may be, it's only as secure as
its weakest link. And people--meaning you and your employees--are often
the weakest link. It's important to note that poor security puts your
business, as well as your partners, at risk. As a result, many enterprises
and organizations, such as credit-card companies, now specify and require
minimum levels of security you must have in order to do business with
them.
So what can you do? Here are
nine ways to minimize the risks that people can pose to the security of
your company's data:
- Password-protect your
computers and mobile devices--particularly laptops. One basic step
toward defending data is to require a password to launch Windows on a
PC. It's not bullet-proof, but it's a start, and it's a particularly
important first defense for portable computers.
- Don't store passwords in
unprotected areas. The more complex a password is, the easier it is to
forget, and you may want to record it somewhere. But don't store your
passwords in, say, a basic Word or Excel file or on a sticky note on
your monitor. Instead, there are inexpensive software programs available
that let you manage and secure multiple passwords.
- Consider laptops with
biometric security. If you're in the market for a new laptop, consider
one that comes equipped with a biometric fingerprint scanner. The
scanner reads fingerprints and only allows access to files on the
computer to a user with an authorized fingerprint.
- Encrypt confidential files.
Another way to protect sensitive data is to encrypt the files containing
that data. Encryption scrambles data so that only an authorized user can
access it. You can encrypt files using built-in tools in Windows XP
Professional (but not XP Home), though some third-party applications
offer more--and sometimes stronger--encryption tools.
- Whenever possible, don't
carry confidential data on a portable device or removable media. For
maximum security, keep sensitive data off laptops, PDAs, BlackBerrys and
other portable devices. As illustrated by the financial services firm
example, if the device is lost or stolen, so is the sensitive data the
device contains. If you must physically transport sensitive data,
consider storing it only on an encrypted flash-memory USB drive. Store
the drive in your pocket and not in the laptop bag, so that you'll still
have it if the laptop is stolen or lost.
- Lock your laptop when
traveling. Like bicycle locks, laptop security cables (costing $20 and
up) allow you to physically secure your portable computer to a post or
other stationary object. Most current laptops have a standardized
security slot, into which you insert a locking device, which in turn is
attached to the cable. For example, if you're leaving a laptop in a
hotel room that doesn't have a safe, you could insert the locking device
into the portable PC's security slot, then wrap the cable around the
narrow base of the bathroom sink. Portable laptop alarms are also
available that emit a loud sound when your laptop is moved, which is
helpful when you're waiting for a plane or in another crowded area.
- Stay up to date. Keeping
apprised of new tools and technologies can help you continue to bolster
the security of your business's data. For instance, new software
utilities allow you to remotely erase all data on a lost or stolen
smartphone just by sending a text message to the phone. And in recent
months, new laptop hard drives have become available that automatically
encrypt all data.
- Be vigilant. Above all, you
and your employees must stay on guard to protect sensitive data. To help
keep everyone on their toes, post signs above shared printers and fax
machines, reminding users not to leave sensitive documents lying around.
Place paper shredders near recycling bins or other common areas and
encourage employees to use them.
- Create and enforce a
security plan. Last, but not least: Your business should have a
detailed, written security plan for employees that includes specific
policies and procedures--including many (if not all) of the steps listed
above. If security procedures aren't in writing, it's far too easy for
employees to use the "I didn't know" defense. And a security plan only
works if it's enforced and kept up-to-date. To devise a security plan,
you may want to consult your trusted IT advisor. Also, your network
vendor may provide online tools that can help you create a security
plan. For example, Cisco Systems offers the Cisco Security
Policy Builder, an online tool that can help you create a security
policy tailored to your business's specific requirements. Based on your
answers to questions posed online, the tool will create a customized
security policy template as a Microsoft Word file and e-mail it to you.
The Alternatives? Lost Business, Lawsuits and More
Does all this sound like a lot of
trouble? Of course it does. But imagine what would happen to your business
if all your customers' credit-card information was stolen--simply because
an employee left a laptop containing that data in an unlocked car. At a
minimum, you risk angering and losing customers.
Also, many small businesses,
particularly those in financial and health-care services, must comply with
regulations that mandate information security. One stolen laptop, and your
business could be faced with heavy penalties due to non-compliance.
In short, better safe than
sorry. Call your Account Manager at Databranch and start creating your
detailed security plan today. You'll sleep better tonight.