The Weakest Link in Network Security

Your small-business network may be protected by firewalls, intrusion
detection and other state-of-the-art security technologies. And yet, all it
takes is one person's carelessness, and suddenly it's as if you have no
network security at all.
Let me give you an example. In
March 2006, a major financial services firm with extensive network security
disclosed that one of its portable computers was stolen. The laptop contained
the Social Security numbers of nearly 200,000 people. How did it happen? An
employee of the firm, dining in a restaurant with colleagues, had locked the
laptop in the trunk of an SUV. During dinner, one of the employee's colleagues
retrieved an item from the vehicle and forgot to re-lock it. As fate would have
it, there was a rash of car
thefts occurring in that particular area at that particular time, and the rest
is history.
The moral of that story is clear:
No matter how secure your network may be, it's only as secure as its weakest
link. And people--meaning you and your employees--are often the weakest link.
It's important to note that poor security puts your business, as well as your
partners, at risk. As a result, many enterprises and organizations, such as
credit-card companies, now specify and require minimum levels of security you
must have in order to do business with them.
So what can you do? Here are nine
ways to minimize the risks that people can pose to the security of your
company's data:
Password-protect your computers
and mobile devices--particularly laptops. One basic step toward defending
data is to require a password to launch Windows on a PC. It's not bullet-proof,
but it's a start, and it's a particularly important first defense for portable
computers.
Don't store passwords in
unprotected areas. The more complex a password is, the easier it is to
forget, and you may want to record it somewhere. But don't store your passwords
in, say, a basic Word or Excel file or on a sticky note on your monitor.
Instead, there are inexpensive software programs available that let you manage
and secure multiple passwords.
Consider laptops with biometric
security. If you're in the market for a new laptop, consider one that comes
equipped with a biometric fingerprint scanner. The scanner reads fingerprints
and only allows access to files on the computer to a user with an authorized
fingerprint.
Encrypt confidential files.
Another way to protect sensitive data is to encrypt the files containing that
data. Encryption scrambles data so that only an authorized user can access it.
You can encrypt files using built-in tools in Windows XP Professional (but not
XP Home), though some third-party applications offer more--and sometimes
stronger--encryption tools.
Whenever possible, don't carry
confidential data on a portable device or removable media. For maximum
security, keep sensitive data off laptops, PDAs, BlackBerrys and other portable
devices. As illustrated by the financial services firm example, if the device is
lost or stolen, so is the sensitive data the device contains. If you must
physically transport sensitive data, consider storing it only on an encrypted
flash-memory USB drive. Store the drive in your pocket and not in the laptop
bag, so that you'll still have it if the laptop is stolen or lost.
Lock your laptop when
traveling. Like bicycle locks, laptop security cables (costing $20 and up)
allow you to physically secure your portable computer to a post or other
stationary object. Most current laptops have a standardized security slot, into
which you insert a locking device, which in turn is attached to the cable. For
example, if you're leaving a laptop in a hotel room that doesn't have a safe,
you could insert the locking device into the portable PC's security slot, then
wrap the cable around the narrow base of the bathroom sink. Portable laptop
alarms are also available that emit a loud sound when your laptop is moved,
which is helpful when waiting for a plane or in another crowded area.
Stay up to date. Keeping
apprised of new tools and technologies can help you continue to bolster the
security of your business's data. For instance, new software utilities allow you
to remotely erase all data on a lost or stolen smartphone just by sending a text
message to the phone. And in recent months, new laptop hard drives have become
available that automatically encrypt all data.
Be vigilant. Above all, you
and your employees must stay on guard to protect sensitive data. To help keep
everyone on their toes, post signs above shared printers and fax machines,
reminding users not to leave sensitive documents lying around. Place paper
shredders near recycling bins or other common areas and encourage employees to
use them.
Create and enforce a security
plan. Last, but not least: Your business should have a detailed, written
security plan for employees that includes specific policies and
procedures--including many (if not all) of the steps listed above. If security
procedures aren't in writing, it's far too easy for employees to use the "I
didn't know" defense. And a security plan only works if it's enforced and kept
up-to-date.
To devise a security plan, you may
want to consult your trusted IT advisor. Also, your network vendor may provide
online tools that can help you create a security plan. For example, Cisco
Systems offers the Cisco Security Policy Builder, an online tool that can help
you create a security policy tailored to your business's specific requirements.
Based on your answers to questions posed online, the tool will create a
customized security policy template as a Microsoft Word file and e-mail it to
you.
The Alternatives? Lost Business, Lawsuits and More
Does all this sound like a lot of trouble? Of course it does. But imagine what
would happen to your business if all your customers' credit-card information was
stolen--simply because an employee left a laptop containing that data in an
unlocked car? At a minimum, you risk angering and losing customers.
Also, many small businesses,
particularly those in financial and health-care services, must comply with
regulations that mandate information security. One stolen laptop, and your
business could be faced with heavy penalties due to non-compliance.
In short, better safe than sorry.
So get on the phone with your trusted IT advisor and start creating your
detailed security plan today. You'll sleep better tonight.