Even if your company has as few as 10 employees (or even if it’s just “you”) make sure a specific person is responsible for information security.

Hire a reputable consultant to come in and evaluate your Information Technology program. Often, there are low-cost / no-cost things that you can do to dramatically improve your Information Security posture.

Here are the big-ticket items:

- Make sure you have a firewall

- If you have any internet-facing servers, make sure you have TWO firewalls….. your internet-facing server should be separated from your “main” servers by an additional firewall. This is known as a “DMZ”. If you have one server doing everything, BUY ANOTHER SERVER. If you don’t do this, you are what is called “hacker bait”.

- If you access your server from home, do it through VPN. Many small businesses make the mistake of opening e-mail or other critical services directly to the internet. Instead, it’s more than likely that your server supports “PPTP” VPN, that’s built in to the operating system and free to use. VPN acts like a “local” network connection, preventing sensitive services like e-mail or file sharing from being exposed to the internet.

- Use encryption for sensitive data. This includes your Accounting files, customer lists, and ANY customer data you store on your server(s). Windows has built-in encryption that prevents unauthorized access to sensitive information.

- DO NOT log in as Admininstrator. This sounds easy, but I’ve audited hundreds of small businesses where the President / CEO has administrator rights. Set up separate IDs that have administrative privileges, and force your employees to log in as “normal users”. Use administrative IDs ONLY when administrative tasks need to be performed. This drastically reduces the likelihood that an administrative ID will be compromised and used to breach the servers. Example: userID is “Bob”, administrative ID is “admn-bob”.

- Force password security. I know people b!tch about changing passwords, but that’s one of the first keys to security. There are password policies on the server that can be set to:
— change passwords every 90 days
— minimum password length 8 letters
— require complexity (requires numbers and symbols))

- Train your “front line” staff on social engineering. If you have a customer support desk, receptionist, or help desk, make sure they know how to detect a phony employee or customer. Make sure they know not to EVER forward a call to an outside number, or grant “temporary” access to ANY server (NO MATTER WHAT) without second-level approval. Most data breaches are PEOPLE breaches, not technology breaches. The mythos of the lone hacker solving a machine’s security defenses like a puzzle is quite false — good hackers hack people, NOT machines

- Invest in “real” antivirus. Don’t run anything free. Buy a “real” product like McAfee or TrendAV. Symantec (and Norton) $uck$ but it is somehow continuing to fool everyone in to thinking they are a tier-1 product.

- Make sure you have backups. Invest in an off-the-shelf tape backup solution, and store tape backups offsite. In the event of theft or fire, OFFSITE backups ensure your critical data is safe.

- Make sure there is someone in your organization responsible for the following items, and that they have a “weekly checklist” that they follow:
— update virus definitions on all servers and workstations
— Check event logs on all servers. Look for system and security events
— Check your backups. Make sure a full backup was completed for each week for each system. Test your backups MONTHLY by restoring a file.

- DISABLE terminated employees immediately. If you have an HR person, make sure the person performing the HR function notifies you immediately of new hires and terminations. Make sure that HR has to authorize new network accounts, and informs you of employees who change status.

This is the BARE MINIMUM, but will put your business head-and-shoulders above other companies, yielding greater security, competitive advantage, and customer assurance.