Making IT Your Business
Company security is everyone's responsibility
- By Monte Robertson
- Feb 14, 2008
Sometimes it seems as if everything is about security these days. Homeland security, physical security, digital security—there’s constantly a new security issue that needs attention.
The common thread, and threat, in all these areas is people. You can’t lock up your staff or seal their mouths, so you need a process to keep your most valuable assets from turning into your worst nightmare.
There was a lot of truth behind the old wartime saying “loose lips sink ships.” Businesses have many areas of risk that are as vulnerable to careless behaviors and communication as the Atlantic convoys were during World War II.
Homeland security affects travelers and anyone near a critical area. Physical security affects people who use keys to enter a facility or who must remember to shred a sensitive document. Digital security affects people every time they turn on computers and includes passwords, anti-virus software to protect systems online and backup systems to get users back on track if something happens.
While most people don’t have a lot of individual control over homeland security issues, employees are able to control many aspects, both physical and digital, of their business security by creating and implementing a security policy—the glue that holds it all together and gives businesses a fighting chance at survival. The layered security model shows how important such policy is in securing a business.
Beyond Common Sense
Most of the actions involved are common sense, but it can be surprising how many small businesses skip one or more of the essentials. Whatever else you economize on, smoke detectors, an alarm system and a fireproof safe should not be among them. But what about the paper shredder? And do you keep a record of the number and distribution of master keys? Yes. If you don’t know who has keys and where those keys are at all times, the door might as well be wide open.
Physical security starts with good insurance. It’s important that the insurance policies you choose to protect your business are the right ones. Help your insurance agent understand your business and what is most valuable to you. Most insurance policies offer discounts on a sliding scale, depending on what you do to protect the business.
Physical security also is essential for critical servers and other computers. A motivated person with physical access can get into any Windows®-based device without knowing the user name or password—something you need to remember when putting a basic security policy together.
Passwords need to be hard to guess and changed frequently, which all too often means that people write their passwords down. For every manager who keeps his or her passwords in a “little black book” that’s stored in the fireproof safe, there are 10 employees whose desks are littered with password-inscribed Post-it® notes.
Passwords go some way toward protecting laptops left in taxicabs, for example, but a better way to go is to make it policy to encrypt laptop hard drives. Encryption software is easy to use, widely available and inexpensive. It will nearly guarantee that a thief can’t access the data stored on the machine. It’s also about the easiest way there is to ensure that your business is in compliance with government regulations regarding data protection and privacy.
You’ve probably figured out how to manage virus, spyware and spam problems. But what’s going on now on the Web is entirely different. The game has changed dramatically—and so have the risks.
Organized crime has taken to the Web in a big way. The criminals—and their digital weapons—can be completely invisible. One pixel on the screen can hold a poison dart that can exploit a common software application like Internet Explorer and steal information without anyone noticing. Microsoft’s much-vaunted “Patch Tuesday,” when security fixes are released, is now routinely followed by “Exploit Wednesday.”
Your employees also are busy adding new programs to their systems that make them even more susceptible to security breaches. Social networks like Facebook and IM and VoIP applications like Skype are tunneling into and out of your business. If you thought keeping control of spam and stopping users from opening e-mail attachments was tough, welcome to the brave new world of Web 2.0.
Web 2.0 is all about two-way, synchronous communication. All of the abovementioned activities might be convenient for getting business done, and can save a considerable amount of money, but they come at a cost.
Business Security Resources
General business security information:
- Small Business Administration: www.sba.gov
- Allbusiness.com, a portal for everything related to managing a business effectively: www.allbusiness.com
- Local chamber of commerce—often a great resource. If there’s a local technology group as well, join it.
Training and security information:
- Tips for businesses to protect personal information: www.ftc.gov
- NCSA resource—Stay Safe Online: www.staysafeonline.info
- Security awareness training course: irtsectraining.nih.gov
- Home network security: www.cert.org
- Identity theft resources: www.ftc.gov
Policies, standards and guidelines:
- SANS security policy resource page—probably the best place on the Web to start when creating a security policy. There are free examples here, but make sure you consider all aspects of securing your business. www2.sans.org
Saving money means a trade-off elsewhere. And in the case of these real-time activities, the big downside is lack of security. Sharing data and keeping that data secure is like mixing oil and water. You can either share data or secure data, but not both. And while it would be nice to simply lock everything down and block consumer-driven applications, it’s simply not realistic to expect users to live with that level of inflexibility—or they’ll be spending half their time trying to get around it.
Computer security is an ever-changing landscape. At a minimum, users need anti-virus, anti-spyware, anti-exploit, anti-spam, firewall, encryption and backup—and everything needs to be kept up to date at all times. Plus, security measures need to be as transparent to your users as possible. If security gets in the way of working, users will work around it.
If you’re like most small businesses, you simply don’t have the bandwidth, the manpower or the expertise to deal with all of this. So you need a reseller or consultancy with security expertise to help guide you through this security maze.
The Human Factor
People security starts with the hiring process. It’s so easy these days to check a person’s history online that there’s no reason not to do it, and there are plenty of reasons why you should. There are firms that will do this for you, as well, but be sure that when you search under the term “background checks” the site you click on is not dishing out malicious code.
Make security part of the new-hire orientation process. If you can educate your people to understand the risks they are exposing the business to with some of their behaviors, there is a good chance you can start to tilt the balance in your favor. It only takes one weak link to break the security chain and potentially expose everyone to the risk.
The big roadblock for businesses implementing training and awareness programs is time. Security training is crucial to business. Since time also is crucial, find a way to make ongoing security training relevant and fun. Make it worth the employees’ time to understand why security is so important to the business.
Tying it All Together
Security awareness really needs to be embedded in the fabric of your business, which means policies must be in place for all aspects of security. Make security part of everyone’s routine by establishing security policies in writing and making sure they’re implemented correctly. Repetition, consequences and follow-through will pay off.
The section of the policy on physical security needs to cover, at a minimum, essentials like who has keys to what, the process for issuing new or replacement keys, changing smoke alarm batteries, alarm-setting and maintenance responsibilities, and the factors that determine which documents should be shredded and when.
The section on digital security should cover password management and electronic acceptable-use policy. Every employee should be provided with a standard computer setup to minimize the number of configurations that need to be managed and maintained—any employee wanting additional applications should be required to make a business justification for that application or install that application himself.
Some applications require users to have administrative rights—rarely a good thing when you think of what users can do with those rights—so be careful when choosing which applications to allow.
In some ways, digital security policy is easier to manage than physical security, because much of it can be enforced from the server. If you still have a peer-to-peer network, move to a managed domain as soon as possible. Windows Active Directory allows different usage policies to be applied to different users so, for example, financial records are only accessible to the accounting department and senior management, whereas documents like the employee handbook are accessible to everyone.
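As an added illustration of the access model just described (example code written for this edit, not from the article), the following PowerShell uses Active Directory security groups and NTFS permissions so that a finance folder can be opened only by the accounting group and senior management, while a handbook folder is readable by every authenticated user. The group names, folder paths and use of the current domain are assumptions.

```powershell
# Added example, not from the article. Assumed names: groups 'Accounting' and
# 'SeniorManagement', folders D:\Shares\Finance and D:\Shares\Handbook.
# Run as a domain administrator on a server with the Active Directory module.
Import-Module ActiveDirectory

$financeGroups = @('Accounting', 'SeniorManagement')   # assumed group names
$financePath   = 'D:\Shares\Finance'                     # assumed folder paths
$handbookPath  = 'D:\Shares\Handbook'

# 1. Create the security groups if they do not already exist.
foreach ($g in $financeGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}

# Helper: build an Allow ACE that applies to the folder, its subfolders and files.
function New-Ace([string]$Identity, [string]$Rights) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# 2. Financial records: stop inheriting the parent's permissions, drop any explicit
#    ACEs already present, then grant only the two groups (plus SYSTEM and the local
#    Administrators group, which backup and maintenance jobs need).
$acl = Get-Acl -Path $financePath
$acl.SetAccessRuleProtection($true, $false)   # $false = do not copy inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($g in $financeGroups) {
    $acl.AddAccessRule((New-Ace "$env:USERDOMAIN\$g" 'Modify'))
}
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
Set-Acl -Path $financePath -AclObject $acl

# 3. Employee handbook: anyone who can log on may read it; nobody gains write access
#    beyond what the parent folder already grants.
$acl = Get-Acl -Path $handbookPath
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute'))
Set-Acl -Path $handbookPath -AclObject $acl

# 4. Verify: list who ends up with which rights on the finance folder.
(Get-Acl -Path $financePath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The final listing is the check to keep in the policy's review step: anything on the finance folder other than the two groups, SYSTEM and Administrators means the share has drifted from what the policy says.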
If you don’t have the time or expertise in-house to create and implement server-based policies, find an expert to help. But make the time to determine who can have access to what applications and under which circumstances. No one can implement a policy, standard or guideline for your business if they don’t know what is critical to the business. Remember, too, that this is all a work in progress and must