Making IT Your Business

Company security is everyone's responsibility

Sometimes it seems as if everything is about security these days. Homeland security, physical security, digital security—there’s constantly a new security issue that needs attention.

The common thread, and threat, in all these areas is people. You can’t lock up your staff or seal their mouths, so you need a process to keep your most valuable assets from turning into your worst nightmare. There was a lot of truth behind the old wartime saying “loose lips sink ships.” Businesses have many areas of risk that are as vulnerable to careless behaviors and communication as the Atlantic convoys were during World War II.

Homeland security affects travelers and anyone near a critical area. Physical security affects people who use keys to enter a facility or who must remember to shred a sensitive document. Digital security affects people every time they turn on computers and includes passwords, anti-virus software to protect systems online and backup systems to get users back on track if something happens.

While most people don’t have a lot of individual control over homeland security issues, employees are able to control many aspects, both physical and digital, of their business security by creating and implementing a security policy—the glue that holds it all together and gives businesses a fighting chance at survival. The layered security model shows how important such policy is in securing a business.

Beyond Common Sense
Most actions taken are common sense, but it can be surprising how many small businesses skip one or more of the essentials. Whatever else you economize on, smoke detectors, an alarm system and a fireproof safe should not be among them. But what about the paper shredder? And do you keep a record of the number and distribution of master keys? You should. If you don’t know who has keys and where those keys are at all times, the door might as well be wide open.

Physical security starts with good insurance. It’s important that the insurance policies you choose to protect your business are the right ones. Help your insurance agent understand your business and what is most valuable to you. Most insurance policies offer discounts on a sliding scale, depending on what you do to protect the business.

Physical security also is essential for critical servers and other computers. A motivated person with physical access can get into any Windows®-based device without knowing the user name or password—something you need to remember when putting a basic security policy together.

New Challenges
Passwords need to be hard to guess and changed frequently, which all too often means that people write their passwords down. For every manager who keeps his or her passwords in a “little black book” that’s stored in the fireproof safe, there are 10 employees whose desks are littered with password-inscribed Post-it® notes.

Passwords go some way toward protecting laptops left in taxicabs, for example, but a better way to go is to make it policy to encrypt laptop hard drives. Encryption software is easy to use, widely available and inexpensive. It will nearly guarantee that a thief can’t access the data stored on the machine. It’s also about the easiest way there is to ensure that your business is in compliance with government regulations regarding data protection and privacy.

You’ve probably figured out how to manage virus, spyware and spam problems. But what’s going on now on the Web is entirely different. The game has changed dramatically—and so have the risks.

Organized crime has taken to the Web in a big way. The criminals—and their digital weapons—can be completely invisible. One pixel on the screen can hold a poison dart that can exploit a common software application like Internet Explorer and steal information without anyone noticing. Microsoft’s much-vaunted “Patch Tuesday,” when security fixes are released, is now routinely followed by “Exploit Wednesday.”

Your employees also are busy adding new programs to their systems that make them even more susceptible to security breaches. Social networks like Facebook and IM and VoIP applications like Skype are tunneling into and out of your business. If you thought keeping control of spam and stopping users from opening e-mail attachments was tough, welcome to the brave new world of Web 2.0.

Web 2.0 is all about two-way, synchronous communication. All of the above-mentioned activities might be convenient for getting business done, and can save a considerable amount of money, but they come at a cost.

Business Security Resources

General business security information:
Small Business Administration: www.sba.gov

Allbusiness.com, a portal for everything related to managing a business effectively: www.allbusiness.com

Local chamber of commerce—often a great resource. If there’s a local technology group, as well, join it.

Training and security information:
Tips for businesses to protect personal information: www.ftc.gov

NCSA resource—Stay Safe Online: www.staysafeonline.info

Security awareness training course: irtsectraining.nih.gov

Home network security: www.cert.org

Identity theft resources: www.ftc.gov

Policies, standards and guidelines:
SANS security policy resource page—probably the best place on the Web to start when creating a security policy. There are free examples here, but make sure you consider all aspects of securing your business: www2.sans.org

Saving money means a trade-off elsewhere. And in the case of these real-time activities, the big downside is lack of security. Sharing data and keeping that data secure is like mixing oil and water. You can either share data or secure data, but not both. And while it would be nice to simply lock everything down and block consumer-driven applications, it’s simply not realistic to expect users to live with that level of inflexibility—or they’ll be spending half their time trying to get around it.

Computer security is an ever-changing landscape. At a minimum, users need anti-virus, anti-spyware, anti-exploit, anti-spam, firewall, encryption and backup—and everything needs to be kept up to date at all times. Plus, security measures need to be as transparent to your users as possible. If security gets in the way of working, users will work around it.

If you’re like most small businesses, you simply don’t have the bandwidth, the manpower or the expertise to deal with all of this. So you need a reseller or consultancy with security expertise to help guide you through this security maze.

The Human Factor
People security starts with the hiring process. It’s so easy these days to check a person’s history online that there’s no reason not to do it, and there are plenty of reasons why you should. There are firms that will do this for you, as well, but be sure that when you search under the term “background checks” the site you click on is not dishing out malicious code.

Make security part of the new-hire orientation process. If you can educate your people to understand the risks they are exposing the business to with some of their behaviors, there is a good chance you can start to tilt the balance in your favor. It only takes one weak link to break the security chain and potentially expose everyone to the risk.

The big roadblock for businesses implementing training and awareness programs is time. Security training is crucial to business. Since time also is crucial, find a way to make ongoing security training relevant and fun. Make it worth the employees’ time to understand why security is so important to the business.

Tying it All Together
Security awareness really needs to be embedded in the fabric of your business, which means policies must be in place for all aspects of security. Make security part of everyone’s routine by establishing security policies in writing and making sure they’re implemented correctly. Repetition, consequences and follow-through will pay off.

The section of the policy on physical security needs to cover, at a minimum, essentials like who has keys to what, the process for issuing new or replacement keys, changing smoke alarm batteries, alarm-setting and maintenance responsibilities, and the factors that determine which documents should be shredded and when.

The section on digital security should cover password management and electronic acceptable-use policy. Every employee should be provided with a standard computer setup to minimize the number of configurations that need to be managed and maintained—any employee wanting additional applications should be required to make a business justification for that application or install that application himself.

Some applications require users to have administrative rights—rarely a good thing when you think of what users can do with those rights—so be careful when choosing which applications to allow.
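One practical way to keep the admin-rights decision honest is to check, on each standard build, who actually sits in the local Administrators group and compare it with the list of principals the policy approves. The script below is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), an elevated session, and placeholder names (EXAMPLE domain, Workstation-Admins group) that you would replace with your own.

```powershell
# Added example (not from the article): report who holds local administrator rights
# on this machine and flag anything that is not on the approved list.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) run from an elevated session.
# The approved list is a placeholder; fill it from your own standard computer setup.

$approved = @(
    "$env:COMPUTERNAME\Administrator",   # the built-in local admin account
    'EXAMPLE\Domain Admins',             # placeholder domain name
    'EXAMPLE\Workstation-Admins'         # placeholder: the IT support group
)

# Current membership of the local Administrators group (users and groups alike)
$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass      # User or Group
        Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Approved    = ($approved -contains $m.Name)   # case-insensitive comparison
    }
}

$report | Format-Table -AutoSize

# Anything not on the approved list needs a business justification or removal
$unexpected = $report | Where-Object { -not $_.Approved }
if ($unexpected) {
    Write-Warning "Unapproved local administrators: $($unexpected.Name -join ', ')"
    # Remediation once the justification has been reviewed (drop -WhatIf to apply):
    # Remove-LocalGroupMember -Group 'Administrators' -Member $unexpected.Name -WhatIf
}
else {
    Write-Output 'Local Administrators group matches the approved standard.'
}
```

Run it as part of the standard-build checklist or from a scheduled task; a user or group that shows up unapproved is exactly the "business justification" conversation the policy calls for, and the commented Remove-LocalGroupMember line is the follow-through once that conversation has happened.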

In some ways, digital security policy is easier to manage than physical security, because much of it can be enforced from the server. If you still have a peer-to-peer network, move to a managed domain as soon as possible. Windows Active Directory allows different usage policies to be applied to different users so, for example, financial records are only accessible to the accounting department and senior management, whereas documents like the employee handbook are accessible to everyone.
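The finance-versus-handbook split described above is, in practice, a pair of domain security groups and two folder ACLs. The script below is an added example, not code from the article; it assumes a domain-joined file server with the ActiveDirectory RSAT module installed, an account allowed to create groups and set permissions, and placeholder paths and group names (D:\Shares\Finance, Finance-ReadWrite, Management-ReadOnly) that you would rename for your own environment.

```powershell
# Added example (not from the article): enforce "finance records for accounting and
# senior management only, handbook for everyone" with AD groups and NTFS permissions.
# Assumes the ActiveDirectory module, a domain-joined file server, and admin rights.
# Folder paths and group names below are placeholders.

Import-Module ActiveDirectory

$domain       = (Get-ADDomain).NetBIOSName
$financePath  = 'D:\Shares\Finance'
$handbookPath = 'D:\Shares\Handbook'

# 1. Grant access to roles (groups), never to individual people, so the policy
#    survives staff changes: add or remove a member, not a permission.
foreach ($g in 'Finance-ReadWrite', 'Management-ReadOnly') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}
# Populate them from your org chart, e.g.:
# Add-ADGroupMember -Identity 'Finance-ReadWrite' -Members 'jdoe'

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

function Set-FolderAccess {
    # Replace a folder's ACL with exactly the rules given (inheritance from the
    # parent is cut so that a permissive "Users" entry cannot leak through).
    param([string]$Path, [hashtable[]]$Rules)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect ACL, discard inherited rules
    foreach ($r in $Rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Id, $r.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# 2. Finance folder: accounting can edit, management can read, nobody else sees it.
Set-FolderAccess -Path $financePath -Rules @(
    @{ Id = 'BUILTIN\Administrators';      Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';         Rights = 'FullControl' },
    @{ Id = "$domain\Finance-ReadWrite";   Rights = 'Modify' },
    @{ Id = "$domain\Management-ReadOnly"; Rights = 'ReadAndExecute' }
)

# 3. Handbook folder: every authenticated domain user can read, only admins can change it.
Set-FolderAccess -Path $handbookPath -Rules @(
    @{ Id = 'BUILTIN\Administrators';           Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute' }
)

# 4. Check the result so the access decision can be reviewed, not assumed.
foreach ($p in $financePath, $handbookPath) {
    Write-Output "Effective rules on $p"
    (Get-Acl -Path $p).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

The design choice worth noting is step 1: because permissions are attached to groups rather than to named users, the "who can have access to what" decision the article asks you to make lives in group membership, which is easy to list and review, while the folder ACLs stay unchanged as people join and leave.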

If you don’t have the time or expertise in-house to create and implement server-based policies, find an expert to help. But make the time to determine who can have access to what applications and under which circumstances. No one can implement a policy, standard or guideline for your business if they don’t know what is critical to the business. Remember, too, that this is all a work in progress and must remain flexible.
