Security: Ten Steps to Protect Your Business 

The internet has gone from being a nice cozy town to a big bad city. There are people out there that do not share your values and either want to profit from stolen data or see how destructive they can be. 

Here are ten essential methods of protecting one of your most important assets: your corporate data. While there are no guarantees, by implementing every item on the list your company will be far more secure and will potentially avoid the downtime and expense of recovering from an attack that could easily have been prevented.

  1. Ensure that there is physical security to your servers and backup tapes. If someone takes a backup tape (or one of your servers itself!), all of your confidential documents are gone.

  2. Ensure that your data backups are functioning properly each and every day. Sometimes the only way to recover from an attack is a complete restore. If you do not have a recent good backup, you are out of luck. 

  3. Put in a firewall and ensure that it is configured as restrictively as possible. Best practices dictate a hardware firewall such as SonicWall, WatchGuard, Cisco PIX, or Microsoft ISA in front of the internet connection and a software firewall such as the one found in Norton Internet Security on each PC. 

  4. Keep all operating systems on servers and workstations up to date. You must download and apply full service packs manually, but you can have the Microsoft Windows Update site notify each user that interim patches are available and action is required. Service Pack 4 is out for Windows 2000. Service Pack 1 is available for Windows XP Pro and Service Pack 2 will soon be released for this operating system. Note that occasionally a patch creates problems depending on the state of your PC when it was installed, so make sure that System Restore is turned on if you are running Windows XP Pro before installing patches. 

  5. Ensure that you have a corporate-wide antivirus strategy. The server should obtain its updates from the manufacturer, and the workstations should then automatically obtain their updates from the server. The two programs we like are Computer Associates InoculateIT and Norton AntiVirus Corporate Edition. We also highly recommend a first level of defense against email-based viruses through use of a low-cost internet-based mail filtering service that will also filter spam email. 

  6. Prepare a written policy statement and provide training on potential social engineering threats. Spammers are getting very clever at finding out whom you typically correspond with, and it is not unusual to get an email that purports to be from someone you know but is not. Tell company employees not to open any suspicious email and especially not to open any attachments they are not expecting. In addition, if they get a telephone call from someone purporting to be from the computer tech support group or from a vendor of software they are using, they should be cautious. Train employees on proper settings for Internet Explorer, to not click on pop-up messages, and to only download files that are needed for business purposes. 

  7. Install a spyware remover on each PC and instruct users to run it regularly. Spybot Search & Destroy is a good one, and it is free unless you want to make a donation to the author.

  8. Lock down security on your network. We believe it is more important to have secure passwords than to constantly be changing them. The password should be approximately eight characters long, contain both uppercase and lowercase letters, have at least one unusual symbol, and have at least one number. It should also be memorable, so that the user does not need to write it down on a Post-it note and stick it to his or her monitor. 

  9. Remove all sources of external file sharing such as Kazaa or Gnutella. If you are going to permit users to use an instant messaging product, ensure that its file sharing capabilities are disabled or install centralized software to enforce the policy. 

  10. Review points one through nine at least once each quarter and take immediate corrective actions.


Copyright 2013 Beachwood Systems Consulting, Inc.    *    216-823-1800