One-third of all data breaches occur in small businesses: the
following piece provides excellent tips for protecting your small
business. It was written by freelancer Jason Turbow for BizWise, the
monthly Cisco newsletter for business owners.
In January, a credit
card payment-processing company found malicious software on its
network. It had compromised the private customer information held by
more than 200 financial institutions. A month before that, a U.S.
payment processor suffered cyber attacks on its ATM records that
affected 1.1 million people and resulted in $9 million in customer
losses. A cyber-crime battle has broken out across business networks
nationwide, and it's not just enterprises in the line of fire. A study
by Verizon Communications released in April found that one third of all
2008 data breaches came at the expense of businesses with 100 employees
or less. The scale of these breaches might not compare with those at
their enterprise counterparts, but for small businesses, the sting of
malware, botnets and Trojan horses can be just as sharp.
"A small
business' attention to customers has to remain paramount," says John N.
Stewart, vice president and chief security officer at Cisco. "Security
aimed at protecting your customers' information - as well as your own -
must be an integral part of how you operate."
Even as threats grow more exotic, small business owners can take some basic steps to reduce the risk of falling victim.
Step 1: Treat Your Business Like a Business
For many small businesses without dedicated IT personnel, the answer to technological needs is often a trip to the local retail store for an easily deployed piece of hardware. This saves on installation hassles, but it can also open up sensitive information to outside intruders. As a whole, built-in security features on devices designed for home use don't come close to those made for even the smallest businesses.
For many small businesses without dedicated IT personnel, the answer to technological needs is often a trip to the local retail store for an easily deployed piece of hardware. This saves on installation hassles, but it can also open up sensitive information to outside intruders. As a whole, built-in security features on devices designed for home use don't come close to those made for even the smallest businesses.
"You
can still walk into many small businesses and see an entry-level device
that's fine for a home, but totally insufficient for a business
entity," says Ryan Halper, president of Cynnex Networks, a
technology-support company in Seattle. "You need to go one step beyond
that if you have any type of business-critical, sensitive information to
protect."
Even business-class hardware that doesn't provide
security as a primary function - routers, for example - can provide
important layers of protection when it comes to securing a network.
Step 2: Protect the Perimeter
An effective firewall essentially serves as a virtual barrier between your network and the outside world. "Firewall protection should be obvious, but with many of our small business customers we see less than what we consider to be minimum perimeter security," says Cynnex's Halper.
An effective firewall essentially serves as a virtual barrier between your network and the outside world. "Firewall protection should be obvious, but with many of our small business customers we see less than what we consider to be minimum perimeter security," says Cynnex's Halper.
Even
entry-level business-class firewalls provide essential security
features such as packet inspection (to verify every piece of data that
passes through them) and intrusion protection. Firewalls can also
function on a "white-list" basis, allowing nothing but data from
approved domains to enter the network. This is especially important when
it comes to the subset of malware-infected sites and e-mail attempting
to pass itself off as having come from a legitimate organization. "It
doesn't matter what it looks like, it matters what it is," says Stewart,
the Cisco chief security officer.
Step 3: Stay Updated
The people who create malware are both smart and relentless. Should new security technology effectively block their efforts, they simply adjust their tactics until they're able to avoid the existing traps. For an example, look no farther than spam. Just a couple years ago junk e-mail was among the top security issues facing business networks, until a spate of anti-spam vendors stepped in and eradicated much of the risk. Problem solved? Not quite. Spammers got more creative, and soon the anti-spam contingent was once again scrambling to keep up.
The people who create malware are both smart and relentless. Should new security technology effectively block their efforts, they simply adjust their tactics until they're able to avoid the existing traps. For an example, look no farther than spam. Just a couple years ago junk e-mail was among the top security issues facing business networks, until a spate of anti-spam vendors stepped in and eradicated much of the risk. Problem solved? Not quite. Spammers got more creative, and soon the anti-spam contingent was once again scrambling to keep up.
"I just
need to look at my in-box for confirmation of this," says Charles
Kolodgy, research director of security products for market research and
analysis firm IDC. "I'll get a lot of items that should have been
filtered, then three to five days later, my e-mail will go back to
normal as the anti-spam programs figure out what this spam is doing and
either block or quarantine it."
"If the company whose security
measure you're using says there is a new version, you have to get it,
evaluate it, and ideally, deploy it," says Stewart. "You absolutely have
to keep your security posture current."
Step 4: Pay Attention
Botnets - collections of malware-infected machines that can be unwittingly controlled by a third party for nefarious activities such as mass spamming - are especially dangerous because there's often little tactile evidence they're even present. The best botnets work in the background, offering slightly slower processor speed as the primary clue to their activity.
Botnets - collections of malware-infected machines that can be unwittingly controlled by a third party for nefarious activities such as mass spamming - are especially dangerous because there's often little tactile evidence they're even present. The best botnets work in the background, offering slightly slower processor speed as the primary clue to their activity.
"You really have to look at your logs, which is
something small businesses aren't usually doing," says Kolodgy. "See
what communications are going on. Look at network traffic going to
strange IP addresses at various times during the day - places that a
business might have no reason to contact, like Russia or China."
Numerous
security companies have placed defense against bonnets among their
priorities, making updated anti-virus subscriptions and software patches
all the more vital.
Step 5: Protect Yourself from the Inside
In January, a study from Purdue's Krannert School of Management quoted 46 percent of the American companies it surveyed saying that "laid-off employees are the biggest threat caused by the economic downturn." A prime example of this happened last year when Terry Child, a disgruntled network administrator for the city of San Francisco, sat in jail for five days while refusing to divulge the passwords he used to effectively lock the government out of its own municipal data. Most small businesses don't have an employee with the same combination of know how and ill intentions, but that hardly grants them immunity from the problem. Cynnex's Helper recommends that companies employ a containment strategy, allowing employees to access only the portions of the network necessary to their duties. Similarly, network privileges can limit the types of tasks that can be executed from a given workstation, eliminating many options for those who seek to do something outside the scope of their regular job duties.
In January, a study from Purdue's Krannert School of Management quoted 46 percent of the American companies it surveyed saying that "laid-off employees are the biggest threat caused by the economic downturn." A prime example of this happened last year when Terry Child, a disgruntled network administrator for the city of San Francisco, sat in jail for five days while refusing to divulge the passwords he used to effectively lock the government out of its own municipal data. Most small businesses don't have an employee with the same combination of know how and ill intentions, but that hardly grants them immunity from the problem. Cynnex's Helper recommends that companies employ a containment strategy, allowing employees to access only the portions of the network necessary to their duties. Similarly, network privileges can limit the types of tasks that can be executed from a given workstation, eliminating many options for those who seek to do something outside the scope of their regular job duties.
But it isn't just disgruntled
employees who may create security breaches; employees who don't know how
to properly protect assets can also pose a risk.
"The blending of
work vs. home and public vs. private means that data can be accessed,
transmitted, stored and stolen from anywhere at any time," said Stewart.
"As a result, the approach to data protection must change."
That
means businesses must foster a security-aware culture in which
protecting data is a normal and natural part of every employee's job,
providing the tools and education that employees need to keep their
businesses secure.
"Everyone in the company has to understand why
they're protecting what they're protecting," says Stewart. "It's one
thing to tell everyone to lock the door on the way out, but they really
have to understand why they're locking the door. They need to know that
if we lose this data, it's business-impacting and possibly
business-threatening. We must understand that we're not just protecting
our customers - we're protecting ourselves."






0 comments:
Post a Comment