The Weakest Link in Network Security
By Peter Alexander
Reprinted with permission from Microsoft Small Business Center
Your small-business network may be protected by firewalls, intrusion detection and other state-of-the-art security technologies. And yet, all it takes is one person's carelessness, and suddenly it's as if you have no network security at all. Let me give you an example.

In March 2006, a major financial services firm with extensive network security disclosed that one of its portable computers was stolen. The laptop contained the Social Security numbers of nearly 200,000 people. How did it happen? An employee of the firm, dining in a restaurant with colleagues, had locked the laptop in the trunk of an SUV. During dinner, one of the employee's colleagues retrieved an item from the vehicle and forgot to re-lock it. As fate would have it, there was a rash of car thefts occurring in that particular area at that particular time, and the rest is history.
The moral of that story is clear: No matter how secure your network may be, it's only as secure as its weakest link. And people--meaning you and your employees--are often the weakest link. It's important to note that poor security puts your business, as well as your partners, at risk. As a result, many enterprises and organizations, such as credit-card companies, now specify and require minimum levels of security you must have in order to do business with them.
So what can you do? Here are nine ways to minimize the risks that people can pose to the security of your company's data:
Password-protect your computers and mobile devices--particularly laptops.
One basic step toward defending data is to require a password to launch Windows on a PC. It's not bullet-proof, but it's a start, and it's a particularly important first defense for portable computers.
Don't store passwords in unprotected areas.
The more complex a password is, the easier it is to forget, and you may want to record it somewhere. But don't store your passwords in, say, a basic Word or Excel file or on a sticky note on your monitor. Instead, there are inexpensive software programs available that let you manage and secure multiple passwords.
Consider laptops with biometric security.
If you're in the market for a new laptop, consider one that comes equipped with a biometric fingerprint scanner. The scanner reads fingerprints and only allows access to files on the computer to a user with an authorized fingerprint.
Encrypt confidential files.
Another way to protect sensitive data is to encrypt the files containing that data. Encryption scrambles data so that only an authorized user can access it. You can encrypt files using built-in tools in Windows XP Professional (but not XP Home), though some third-party applications offer more--and sometimes stronger--encryption tools.
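The built-in Windows tool the article refers to is the Encrypting File System (EFS). The following PowerShell script is an added example, not part of the original article; it assumes a current Windows edition that includes EFS (Pro/Enterprise, not Home) and an NTFS volume, and it reports which files in a folder are still stored unencrypted, encrypting them when run with -Fix.

```powershell
# Added example, not from the original article: audit a folder for files that
# are not yet protected by the Windows Encrypting File System (EFS) and,
# with -Fix, encrypt them. Assumes an edition that ships EFS (Pro/Enterprise;
# Home editions do not), an NTFS volume, and that the script is run as the
# user who will own the encryption key.
param(
    [Parameter(Mandatory = $true)]
    [string] $Folder,      # e.g. C:\Users\alice\Documents\Confidential (hypothetical path)
    [switch] $Fix          # encrypt any unprotected files found
)

$encryptedFlag = [System.IO.FileAttributes]::Encrypted

# EFS marks each protected file with the Encrypted attribute, so a plain
# attribute test tells us which files are still in clear text on disk.
$unprotected = Get-ChildItem -Path $Folder -File -Recurse |
    Where-Object { -not ($_.Attributes -band $encryptedFlag) }

if (-not $unprotected) {
    Write-Host "All files under $Folder are EFS-encrypted."
    return
}

Write-Host "Files under $Folder that are NOT encrypted:"
$unprotected | ForEach-Object { Write-Host "  $($_.FullName)" }

if ($Fix) {
    foreach ($file in $unprotected) {
        try {
            # Equivalent to 'cipher /E <file>': the file becomes readable only
            # to this user (plus any designated recovery agent).
            [System.IO.File]::Encrypt($file.FullName)
            Write-Host "Encrypted: $($file.FullName)"
        } catch {
            # Typical causes: Home edition without EFS, a FAT/exFAT volume,
            # or a file that is currently open and locked.
            Write-Warning "Could not encrypt $($file.FullName): $($_.Exception.Message)"
        }
    }
    # Mark the folder itself so files created there later are encrypted too.
    & cipher.exe /E $Folder | Out-Null
}
```

EFS keys are tied to the user's Windows logon, so the protection is only as strong as that password (see the first tip), and the certificate and key should be backed up (cipher /X) so a reinstall or lost profile does not make the files unrecoverable.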
Whenever possible, don't carry confidential data on a portable device or removable media.
For maximum security, keep sensitive data off laptops, PDAs, BlackBerrys and other portable devices. As illustrated by the financial services firm example, if the device is lost or stolen, so is the sensitive data the device contains. If you must physically transport sensitive data, consider storing it only on an encrypted flash-memory USB drive. Store the drive in your pocket and not in the laptop bag, so that you'll still have it if the laptop is stolen or lost.
Lock your laptop when traveling.
Like bicycle locks, laptop security cables (costing $20 and up) allow you to physically secure your portable computer to a post or other stationary object. Most current laptops have a standardized security slot, into which you insert a locking device, which in turn is attached to the cable. For example, if you're leaving a laptop in a hotel room that doesn't have a safe, you could insert the locking device into the portable PC's security slot, then wrap the cable around the narrow base of the bathroom sink. Portable laptop alarms are also available that emit a loud sound when your laptop is moved, which is helpful in an airport waiting area or other crowded place.
Stay up to date.
Keeping apprised of new tools and technologies can help you continue to bolster the security of your business's data. For instance, new software utilities allow you to remotely erase all data on a lost or stolen smart-phone just by sending a text message to the phone. And in recent months, new laptop hard drives have become available that automatically encrypt all data.
Be vigilant.
Above all, you and your employees must stay on guard to protect sensitive data. To help keep everyone on their toes, post signs above shared printers and fax machines, reminding users not to leave sensitive documents lying around. Place paper shredders near recycling bins or other common areas and encourage employees to use them.
Create and enforce a security plan.
Last, but not least: Your business should have a detailed, written security plan for employees that includes specific policies and procedures--including many (if not all) of the steps listed above. If security procedures aren't in writing, it's far too easy for employees to use the "I didn't know" defense. And a security plan only works if it's enforced and kept up-to-date. To devise a security plan, you may want to consult your trusted IT advisor. Also, your network vendor may provide online tools that can help you create a security plan. For example, Cisco Systems offers the Cisco Security Policy Builder, an online tool that can help you create a security policy tailored to your business's specific requirements. Based on your answers to questions posed online, the tool will create a customized security policy template as a Microsoft Word file and e-mail it to you.
The Alternatives? Lost Business, Lawsuits and More
Does all this sound like a lot of trouble? Of course it does. But imagine what would happen to your business if all your customers' credit-card information was stolen--simply because an employee left a laptop containing that data in an unlocked car. At a minimum, you risk angering and losing customers.
Also, many small businesses, particularly those in financial and health-care services, must comply with regulations that mandate information security. One stolen laptop, and your business could be faced with heavy penalties due to non-compliance.
In short, better safe than sorry. So get on the phone with your trusted IT advisor and start creating your detailed security plan today. You'll sleep better tonight.