7 key steps for data security in small businesses

March 16, 2010 by Steve Hannaford
Posted in: In this week's e-newsletter, Latest News & Views, Security

Data security is not only a big-company problem. Any business ends up holding some critical data (employee records, credit card numbers) on its computers, and in a small company the most basic protections are the ones most likely to be overlooked.

The Better Business Bureau (BBB), working with software company Symantec, credit card company Visa and several other security-related companies, now offers a free, easy-to-use downloadable package. It is written for the non-expert and contains checklists, procedures, explanations of risk, and links to other resources on the Web.

The program is called “Data Security – Made Easy.”

It includes plenty of practical information on getting started with data security procedures, identifying vulnerabilities, and weighing the costs and benefits of new security initiatives. Again, it is aimed at the owner or manager of a small business who needs to know the basics. Even if you plan to bring in outside help, you should know what you are paying for and which features you really need.

The BBB outlines a seven-step plan for developing a data security policy:

  1. List what types of data the company stores (names, addresses, account numbers, etc.)
  2. List how that data is stored (paper files, electronic documents, etc.)
  3. List all the places where it’s stored (cabinets, computers, smartphones, external storage)
  4. Make an inventory of how data is moved and who has access to it
  5. Identify which security controls your company has in place, and which you don’t (the BBB provides a checklist)
  6. Evaluate the costs vs. the benefits of the different practices, and identify which ones make sense for the kind of data you have to protect, and
  7. Write them down.
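
Steps 1 to 3 are an inventory of what sensitive data exists and where it sits. For electronic files that inventory can be partly automated. What follows is an added example, not part of the BBB package or of this article: it scans a set of text files for payment card numbers, filtering candidates with the Luhn check so that order numbers and phone numbers are not counted, and for SSN-shaped identifiers, then reports counts per file and masks the values so the inventory does not itself become another copy of the data. The file names, contents and numbers are constructed here (the card numbers are standard test numbers, not real accounts); `scan_directory` shows how the same logic would run over a real share.

```python
"""Sensitive-data discovery for steps 1-3 of the BBB plan (added example).

Scans text for payment card numbers (Luhn-validated) and SSN-shaped
identifiers, and reports which files hold how many of each. File paths,
contents and numbers below are constructed for illustration; the card
numbers are industry test numbers, not real accounts.
"""
import os
import re
from collections import defaultdict

# Constructed sample "files": path -> contents.
SAMPLE_FILES = {
    "shared/accounting/invoices-2009.csv":
        "customer,card\nAcme,4111 1111 1111 1111\nBeta,5500-0000-0000-0004\n",
    "shared/hr/employees.txt":
        "Jane Doe, SSN 123-45-6789, hired 2008\n",
    "shared/marketing/newsletter.txt":
        "Order ref 1234 5678 9012 3456 is not a card number\n",
}

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape only; a hyphenated 9-digit pattern is a strong enough hint
# for an inventory, and false positives are cheap to review by hand.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits, so the report is safe to store."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list:
    """Return (path, kind, masked_value) for each sensitive value found."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append((path, "card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append((path, "ssn", mask(m.group())))
    return findings


def inventory(files: dict) -> dict:
    """Map each path that holds sensitive data to {kind: count}."""
    result = {}
    for path, text in files.items():
        counts = defaultdict(int)
        for _, kind, _ in scan_text(path, text):
            counts[kind] += 1
        if counts:
            result[path] = dict(counts)
    return result


def scan_directory(root: str, extensions=(".txt", ".csv", ".log")) -> dict:
    """Same inventory over a real directory tree of text files (not run here)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return inventory(files)


if __name__ == "__main__":
    for path, counts in sorted(inventory(SAMPLE_FILES).items()):
        print(f"{path}: {counts}")
    for finding in scan_text("demo", SAMPLE_FILES["shared/accounting/invoices-2009.csv"]):
        print(finding)
```

The newsletter file is reported clean because its 16-digit order reference fails the Luhn check; the two card numbers in the invoice file pass it. Point `scan_directory` at a file share and the result is the raw material for steps 1 and 3: which kinds of data exist, and which locations hold them. Paper files, phones and backup media still have to be listed by hand.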

Another particularly useful section is entitled “If Customer Data is Stolen or Lost — What to Do Next.” Few businesses are prepared for that situation, and the site gives a checklist of sensible procedures to limit damage and liability:

  1. Create a breach notification policy
  2. Train employees to recognize breaches
  3. Gather the facts immediately after a breach
  4. If financial info was taken, notify appropriate financial institutions
  5. Talk to outside counsel, and
  6. Notify affected customers.

It’s an impressive, well-designed site. Even more sophisticated data managers would do well to take a look.

One Response to “7 key steps for data security in small businesses”

  1. Bob Says:

    Small businesses are particularly vulnerable, because the Information Security role is usually not clearly defined.

    Even if your company has as few as 10 employees (or even if it’s just “you”) make sure a specific person is responsible for information security.

    Hire a reputable consultant to come in and evaluate your Information Technology program. Often, there are low-cost / no-cost things that you can do to dramatically improve your Information Security posture.

    Here are the big-ticket items:

    - Make sure you have a firewall

    - If you have any internet-facing servers, make sure you have TWO firewalls: your internet-facing server should be separated from your “main” servers by an additional firewall. This is known as a “DMZ”. If you have one server doing everything, BUY ANOTHER SERVER. If you don’t do this, you are what is called “hacker bait”.

    - If you access your server from home, do it through VPN. Many small businesses make the mistake of opening e-mail or other critical services directly to the internet. Instead, it’s more than likely that your server supports “PPTP” VPN, which is built into the operating system and free to use. VPN acts like a “local” network connection, preventing sensitive services like e-mail or file sharing from being exposed to the internet.

    - Use encryption for sensitive data. This includes your Accounting files, customer lists, and ANY customer data you store on your server(s). Windows has built-in encryption that prevents unauthorized access to sensitive information.

    - DO NOT log in as Administrator. This sounds easy, but I’ve audited hundreds of small businesses where the President / CEO has administrator rights. Set up separate IDs that have administrative privileges, and force your employees to log in as “normal users”. Use administrative IDs ONLY when administrative tasks need to be performed. This drastically reduces the likelihood that an administrative ID will be compromised and used to breach the servers. Example: userID is “Bob”, administrative ID is “admn-bob”.

    - Force password security. I know people b!tch about changing passwords, but that’s one of the first keys to security. There are password policies on the server that can be set to:
    — change passwords every 90 days
    — minimum password length 8 letters
    — require complexity (requires numbers and symbols)

    - Train your “front line” staff on social engineering. If you have a customer support desk, receptionist, or help desk, make sure they know how to detect a phony employee or customer. Make sure they know not to EVER forward a call to an outside number, or grant “temporary” access to ANY server (NO MATTER WHAT) without second-level approval. Most data breaches are PEOPLE breaches, not technology breaches. The mythos of the lone hacker solving a machine’s security defenses like a puzzle is quite false — good hackers hack people, NOT machines.

    - Invest in “real” antivirus. Don’t run anything free. Buy a “real” product like McAfee or TrendAV. Symantec (and Norton) $uck$ but it is somehow continuing to fool everyone into thinking they are a tier-1 product.

    - Make sure you have backups. Invest in an off-the-shelf tape backup solution, and store tape backups offsite. In the event of theft or fire, OFFSITE backups ensure your critical data is safe.

    - Make sure there is someone in your organization responsible for the following items, and that they have a “weekly checklist” that they follow:
    — update virus definitions on all servers and workstations
    — Check event logs on all servers. Look for system and security events
    — Check your backups. Make sure a full backup was completed for each week for each system. Test your backups MONTHLY by restoring a file.

    - DISABLE terminated employees immediately. If you have an HR person, make sure the person performing the HR function notifies you immediately of new hires and terminations. Make sure that HR has to authorize new network accounts, and informs you of employees who change status.

    This is the BARE MINIMUM, but will put your business head-and-shoulders above other companies, yielding greater security, competitive advantage, and customer assurance.
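
Several of the items in the comment above (the weekly event-log check, using admin IDs only for admin tasks, HR-authorized account creation, disabling terminated employees) come down to reading the server’s Security log with a few specific questions in mind. The following is an added example, not the commenter’s or the article’s code, of that weekly review as a script. It assumes the Security log event IDs Windows has used since Vista and Server 2008 (4624 successful logon, 4625 failed logon, 4720 user account created, 4740 account locked out; a Server 2003 machine logs the older 528/529/624/644 instead) and works on a constructed, simplified export of that log. The account names, IP addresses, HR lists and failed-logon threshold are illustrative.

```python
"""Weekly Security-log review for a small Windows shop (added example).

Assumes the Windows Security log event IDs introduced with Vista/Server 2008:
4624 logon, 4625 failed logon, 4720 user account created, 4740 lockout
(Server 2003 used 528/529/624/644). The export below is constructed and
reduced to the fields the checks need; names, addresses, the HR lists and
the failed-logon threshold are illustrative.
"""
from collections import Counter

# Logon types on 4624/4625 that mean a person sat at a console or came in over RDP.
INTERACTIVE_LOGON_TYPES = {2, 10}
FAILED_LOGON_THRESHOLD = 5      # failures from one source over the reviewed week

# Constructed sample export: (event_id, time, account, source_ip, logon_type).
# For 4720 'account' is the account that was created and logon_type is 0.
SAMPLE_EVENTS = [
    (4625, "2010-03-15 02:00:01", "administrator", "203.0.113.7", 3),
    (4625, "2010-03-15 02:00:02", "administrator", "203.0.113.7", 3),
    (4625, "2010-03-15 02:00:03", "administrator", "203.0.113.7", 3),
    (4625, "2010-03-15 02:00:04", "administrator", "203.0.113.7", 3),
    (4625, "2010-03-15 02:00:05", "administrator", "203.0.113.7", 3),
    (4625, "2010-03-15 02:00:06", "administrator", "203.0.113.7", 3),
    (4740, "2010-03-15 02:00:06", "administrator", "203.0.113.7", 0),
    (4625, "2010-03-15 08:58:10", "bob", "192.168.1.20", 2),   # one typo, no burst
    (4624, "2010-03-15 08:58:20", "bob", "192.168.1.20", 2),
    (4624, "2010-03-15 13:40:00", "admn-bob", "192.168.1.20", 2),
    (4624, "2010-03-16 08:05:00", "jsmith", "192.168.1.31", 2),
    (4720, "2010-03-16 10:00:00", "mjones", "192.168.1.5", 0),
    (4720, "2010-03-16 16:30:00", "tempcontractor", "192.168.1.5", 0),
]

# What HR told IT this week (constructed): who left, whose new account was approved.
TERMINATED = {"jsmith"}
HR_AUTHORIZED_NEW_ACCOUNTS = {"mjones"}


def review(events, terminated, hr_authorized, threshold=FAILED_LOGON_THRESHOLD):
    """Return a list of (finding, subject, detail) for a human to go through."""
    findings = []
    failed_by_source = Counter()
    for event_id, when, account, source, logon_type in events:
        name = account.lower()
        if event_id == 4625:
            failed_by_source[source] += 1
        elif event_id == 4624:
            if name in terminated:
                # The account should have been disabled the day HR reported the exit.
                findings.append(("terminated-account-logon", account, when))
            if name.startswith("admn-") and logon_type in INTERACTIVE_LOGON_TYPES:
                # Not necessarily wrong: each one should match a planned admin task.
                findings.append(("admin-id-logon", account, when))
        elif event_id == 4720:
            if name not in hr_authorized:
                findings.append(("unauthorized-new-account", account, when))
        elif event_id == 4740:
            findings.append(("account-lockout", account, f"{when} from {source}"))
    for source, n in failed_by_source.items():
        if n >= threshold:
            findings.append(("failed-logon-burst", source, f"{n} failures"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS, TERMINATED, HR_AUTHORIZED_NEW_ACCOUNTS):
        print(*finding, sep="\t")
```

On the sample export the review flags the six-failure burst against the built-in Administrator account from an outside address and the lockout it caused, a logon by the terminated user jsmith, an admin-ID logon for the reviewer to match against a change, and a new account HR never approved; the authorized account and Bob’s single typo produce nothing. In practice the tuples come from an export of the Security log (Event Viewer’s save-as, or `wevtutil qe Security`), and on a busy server the failure count would be taken per hour rather than per week.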

