How small-to-mid-sized companies should tackle security
Generally thought of as having up to 500 employees, small businesses constitute the vast majority of companies in the United States, making them a critical part of the economy. Their customers naturally expect personal and financial data to be kept secure, and a data breach is a painful and expensive ordeal. Like larger enterprises, small businesses that accept payment cards have to follow Payment Card Industry (PCI) rules. It can be daunting for a small business that may not even have an IT department to think about how to tackle network security.
1. When disposing of old computers and other devices that store data, remove the hard disks and destroy them. This goes for other types of media, too. And don’t forget paper holding sensitive information as well.
2. The era of mobile smartphones and tablets is here and it’s disruptive. Whether or not your business has begun moving to smartphones or tablets, recognize that they are new operating system platforms with different security requirements and different methods of updating and control than older PCs and laptops. Though the mobile-device marketplace changes fast, business and IT managers alike should be strategizing on the management and security options — and that includes “Bring Your Own Device” (BYOD) situations where employees are allowed to use their own smartphones and tablets for business. It will mean balancing the security needs of the business with the personal data usage of the individual, who, after all, owns the device.
3. Trust but verify, as the old saying goes. Do official background checks on prospective employees to check for criminal history (some companies are even evaluating prospective employees by looking at what their public social media history might indicate about them). And when it comes to technology vendors or cloud service providers, make sure whatever they promise is in a signed contract with some kind of consequences spelled out for failure to deliver. Consider paying a visit to the data centers operated by business partners with whom you plan to electronically share your customer data, for example, and have them provide details on their security, backups and the personnel involved.
4. Train employees about the nature of today’s cyber-attacks. SMBs tend to think that cyber-criminals are going after the really big guys, not them, but that’s simply not true. Cyber-criminals in particular target SMBs to compromise the PCs they use for online banking and payments in order to commit fraud in a big way by emptying out business accounts. Unfortunately, there’s actually less protection for recovery of stolen funds under the law for businesses than for consumers. Banks may even give the small business a hard time, questioning the security it has in place. How does cybercrime often begin? In many cases, the victim opens a “phishing” e-mail message with an attachment laden with malware that lets the attacker begin infiltrating the network. To tamp this down, spam filters should be in place to try to catch phishing e-mails and other junk. But some of it, especially highly targeted messages, will get through, and employees should be trained not to open anything that seems even remotely unusual. Because web-based malware is also commonplace, applying web-surfing controls on employees’ Internet use is also a good idea. The big companies are starting to use advanced malware protection systems that can track targeted attacks in various ways, and small businesses should too — if it’s affordable. There is also a strong argument for setting up a dedicated computer used strictly for online funds transfer. There are many phone-based social-engineering scams out there now as well, and employees need to be wary of them.
5. Though the business may be small, think big. Focus on policy. That means devising an employee acceptable-use policy that clearly defines how employees are expected to behave online and how data is to be shared and restricted. Have them read and sign it, and make it clear if online activities are monitored. Spell out the possible penalties for non-compliance. But just clamping down on employees is not usually a way to encourage the kind of creative thinking and productivity that businesses need in a world where online communication is critical. The challenge is finding the right balance.
6. Get detailed when it comes to each individual’s access to data. This takes time, but determine what employees or outside business partners really need in terms of network and application access to do their jobs. Keep a record of this, and consider using more than passwords, perhaps two-factor authentication or even biometrics. This also goes for systems administrators, whose jobs give them huge power over all the information systems in use. Options include requiring a dual-authentication process — something the National Security Agency claims to be doing more vigorously after former NSA tech contractor Edward Snowden leaked all those secrets. Your business is probably not as top secret as the NSA’s, but your internal network and all the most critical data may well be under the control of a sys admin whether you think about that or not. And finally, have procedures for immediate de-provisioning of access and credentials when an employee departs or a business arrangement is altered.
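Item 6 calls for recording what each person actually needs and de-provisioning promptly when they leave. The following added example (my code, not the article’s) shows one way to turn that record into a repeatable review: it compares each account’s entitlements against a constructed role model, flags anything beyond what the role needs, lists departed accounts that still hold access, and flags privileged access that is not paired with a second factor. The role names, entitlement names and sample accounts are all constructed assumptions, not taken from any real system.

```python
"""Access-entitlement review for a small business: compare what each
account actually holds against what its role requires, flag excess
rights, flag departed accounts that still have access, and flag
privileged accounts without a second factor.

Added example, not from the article; role names, entitlement names
and the account records below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed role model: the entitlements each job actually needs.
ROLE_NEEDS = {
    "bookkeeper": {"accounting-app", "online-banking"},
    "sales": {"crm", "email"},
    "sysadmin": {"server-admin", "firewall-admin", "email"},
}

# Entitlements treated as privileged; these must be paired with MFA.
PRIVILEGED = {"server-admin", "firewall-admin", "online-banking"}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    active: bool = True        # False once the employee or partner has departed
    mfa_enrolled: bool = False


def excess_entitlements(acct, role_needs=ROLE_NEEDS):
    """Rights the account holds beyond what its role requires."""
    return acct.entitlements - role_needs.get(acct.role, set())


def needs_deprovisioning(acct):
    """True for departed accounts that still hold any access at all."""
    return (not acct.active) and bool(acct.entitlements)


def missing_mfa(acct, privileged=PRIVILEGED):
    """Privileged entitlements held by an account with no second factor."""
    if acct.mfa_enrolled:
        return set()
    return acct.entitlements & privileged


def review(accounts):
    """Produce the review report as a dict keyed by finding type."""
    report = {"excess": {}, "deprovision": [], "missing_mfa": {}}
    for a in accounts:
        if needs_deprovisioning(a):
            report["deprovision"].append(a.user)
            continue  # other findings are moot once the access is removed
        extra = excess_entitlements(a)
        if extra:
            report["excess"][a.user] = sorted(extra)
        nomfa = missing_mfa(a)
        if nomfa:
            report["missing_mfa"][a.user] = sorted(nomfa)
    return report


# Constructed sample accounts (hypothetical people and rights).
SAMPLE_ACCOUNTS = [
    Account("alice", "bookkeeper", {"accounting-app", "online-banking"}, mfa_enrolled=True),
    Account("bob", "sales", {"crm", "email", "accounting-app"}),
    Account("carol", "sysadmin", {"server-admin", "firewall-admin", "email"}),
    Account("dave", "sales", {"crm", "email"}, active=False),
]

if __name__ == "__main__":
    for kind, findings in review(SAMPLE_ACCOUNTS).items():
        print(kind, findings)
```

Run on the sample data, the review reports Bob holding accounting access his sales role does not need, Dave still holding access after departing, and Carol administering servers and the firewall with no second factor. The same three checks apply whether the "record" is a spreadsheet or an export from a directory service; only the loading code changes.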
7. Don’t forget physical access in all this. There should be a way to prevent unauthorized individuals from getting near business computer resources. That includes the cleaning crews that come in at night. Challenge unexpected visitors in a polite but determined way.
8. Bad things happen to good businesses. Floods, fires, earthquakes, the outside thief and the insider threat, and of course malware are all factors that can impact the safety of stored data. Automate the back-up process. Since virtually every business now depends on some form of computer processing, ask how employees could keep working if your physical site is suddenly not available. Plan for disruptions that could last weeks if not months — and test the plan to make sure it’s viable.
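Item 8’s advice to automate backups and test them is easy to state and easy to skip. The following added example (my code, not the article’s) runs one backup cycle over a constructed directory tree: it archives the tree, records a SHA-256 digest so silent corruption of the archive is detectable, restores the archive to a scratch location and compares every file with the source byte for byte, and finally corrupts the archive deliberately to confirm the integrity check fires. The directory names and file contents are constructed for the demonstration and refer to no real system.

```python
"""Automated backup with an integrity check and a restore test.

Added example, not from the article. The source tree, archive location
and file contents are constructed in temporary directories so the
script runs anywhere; point make_backup() at real paths to use it.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large archives do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, dest_dir):
    """Create dest_dir/backup.tar.gz from source_dir plus a sidecar digest file."""
    source_dir, dest_dir = Path(source_dir), Path(dest_dir)
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    digest = sha256_file(archive)
    (dest_dir / "backup.tar.gz.sha256").write_text(digest)
    return archive, digest


def verify_backup(archive):
    """Compare the archive against its recorded digest; False means corruption."""
    recorded = Path(str(archive) + ".sha256").read_text().strip()
    return sha256_file(archive) == recorded


def restore_test(archive, source_dir):
    """Extract to a scratch directory and compare every file with the source.

    Returns (ok, mismatches). A backup that has never been restored is
    only a hope; this is the test the article says to run.
    """
    source_dir = Path(source_dir)
    mismatches = []
    # Use the safer extraction filter where this Python version provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        for p in source_dir.rglob("*"):
            if p.is_file():
                rel = p.relative_to(source_dir)
                restored = Path(scratch) / rel
                if not restored.is_file() or restored.read_bytes() != p.read_bytes():
                    mismatches.append(str(rel))
    return (not mismatches), mismatches


def run_backup_cycle(source_dir, dest_dir):
    """Backup, integrity check and restore test in one step; returns a summary."""
    archive, digest = make_backup(source_dir, dest_dir)
    return {
        "archive": str(archive),
        "sha256": digest,
        "intact": verify_backup(archive),
        "restore_ok": restore_test(archive, source_dir)[0],
        "mismatches": restore_test(archive, source_dir)[1],
    }


def demo():
    """Build a constructed source tree, run one cycle, then simulate corruption."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2014-01.txt").write_text("constructed invoice data\n")
        (src / "customers.csv").write_text("id,name\n1,Example Co\n")
        dest = Path(work) / "backups"
        dest.mkdir()
        result = run_backup_cycle(src, dest)
        # Append a byte to the archive and confirm the digest check catches it.
        with open(result["archive"], "ab") as f:
            f.write(b"\x00")
        result["tamper_detected"] = not verify_backup(result["archive"])
        return result


if __name__ == "__main__":
    print(demo())
```

The point of the restore step is that it exercises the whole path back to usable files, not just the archive’s existence. Scheduling `run_backup_cycle` (with cron or Task Scheduler) and alerting on any result where `intact` or `restore_ok` is false gives a small business the automated, tested backup the article asks for; keeping the digest file somewhere other than next to the archive makes the integrity check harder to defeat.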
Returning to the mobile devices discussed in item 2: at the very least, BYOD raises legal questions, since business data is no longer being held on a device issued directly by the business. Mobile-device management software is often considered, along with the question of whether to adopt so-called “containerization” options that segment business data from personal data on the device. If it’s any comfort, the big companies are all struggling with questions like these as part of the mobility revolution. There are no pat answers.
9. Deploy the security basics. That means firewalls for wireless and wired access points, and anti-malware on endpoints and servers, acknowledging that traditional signature-based anti-virus is a limited form of defense. Consider technologies such as “whitelisting” to block the installation of unapproved software. Over the years, security vendors have frankly conceded they’ve often had a hard time marketing to SMBs and establishing channels of sales and support, and have often tried to create editions of their basic products oriented toward fewer users and less technical expertise to manage them. But some practices are critical for all: be rigorous about patching all operating systems and applications as quickly as possible. If your business is short-staffed in terms of security expertise, seek outside technical support under a managed security services arrangement. If there’s a malware outbreak, for instance, you will need that expertise. Read articles, join technology user groups, and speak with industry colleagues to get tips about outside assistance. Keep in mind that if your business accepts payment cards, it’s mandatory to adhere to the data privacy requirements spelled out in the PCI guidelines, which also include encrypting sensitive information. The government’s HIPAA and HITECH security rules also require encryption of personally identifiable information in the healthcare industry. Encryption of data at rest and in transit is just a good idea — so why not do it?
10. Business managers need to gain the basic knowledge of where the most important data is held, whether it’s on site in traditional desktops and servers, or in cloud services and mobile devices (including possibly those in “Bring Your Own Device” arrangements). Whether this knowledge is presented by the in-house IT manager or an outside technology provider, the data storage, access permissions and data processing should be documented, including whatever security controls are in place. There needs to be a conscious decision by business and technology managers, preferably with legal advice, that these security controls are adequate relative to risk. That lays the foundation for what is also needed: a back-up and disaster recovery plan.