Security was little more than an afterthought for the original designers of the Internet. Networks were either cordoned off, private and secure, or fully open to the public. But network security is a critical concern for businesses these days. IT managers and, in smaller businesses, the owners themselves must balance access and functionality against reliability and the need to safeguard data.
Taking time to prioritize your network security needs and understanding best practices to ward off threats is essential. For most IT managers, the approach involves both technology and employees.
There are several smart steps IT managers can take, say experts. These will minimize your network risks:
- Configure your firewall or hire someone else to do so. Most small businesses run the firewall set just as it came from the factory, and most firewalls are set to let everything go out, says Luke Walling, founder of North Carolina-based Walling Data, an IT outsourcing, management and support firm. Make sure your firewall limits attempts to connect to suspect service ports. Also, says Walling, consider an additional stand-alone device, such as those manufactured by Cymphonix, to filter content and block attempts to bypass your firewall.
- Protect in depth. It’s not enough to protect at the network level. Make sure each workstation is also protected against spyware, malware and viruses.
- Understand your limitations. Frequently, small businesses don’t maintain security software, says Michael Davis, CEO of Savid Technologies, a security consulting company in suburban Chicago. “Pick a technology that is auto-updated or easily and inexpensively updated.”
- Run a separate network. Consider segregating sensitive data on a network that has no connections to the outside world.
- Use effective logging data. Log management doesn’t have to be a headache for small to medium businesses, says Davis. For instance, Splunk is a free open source management tool handling limited amounts of data each day. “It can help you when you have an actual incident,’’ Davis says.
- Manage portable devices. Lost laptops, USB drives, and other portable devices comprise one of the biggest security threats today. Using encryption for portable devices and even limiting USB capability on workstations can minimize threats. Some government agencies go so far as to place epoxy in the USB ports on computers.
The human factor
Black Monday, the Monday after Thanksgiving noted for an explosion in cyber sales, got its name for good reason. Before the widespread advent of fast, home Internet connections, employees returned to work and shopped at will on their workstation computers. Employees don’t often recognize boundaries and limitations when it comes to workplace computer use, says Walling. “The typical person walks into work and uses the computer just as they would at home,’’ Walling says. “The biggest single hindrance is any single business is the fact that people don’t understand what they’re doing could be a threat.”
Managing the human factor takes a four-pronged approach, say experts.
- Define limitations. “The balance between functionality and security is constantly getting worse as the number of things people want to do with their computer increases,’’ says Paul Kocher, president of Cryptography Research, a San Francisco-based data security firm. “Are users allowed to be able to go to any website they want? Watch YouTube during the day? Should users have any access to the Internet during the day?” Define an acceptable use policy, a step most small businesses don’t take, says Walling.
- Educate employees. Firewalls work, says Davis. Most threats to your network security will come at your employees’ workstations, as they download that funny video or screensaver or click on that url in an email. Attacks are so slick these days that even sophisticated users can be easily fooled, points out Davis. He cites the example of a supposed draft of an earning announcement supposedly sent from the CEO of a large corporation to company executives. The e-mail included a Powerpoint presentation using the corporate template, but it was fictitious. When executives opened the attachment, the company network was compromised.
- Communicate regularly. Have a personable IT employee who regularly makes the rounds, talking with employees about issues that arise and noting their security practices, says Kocher. If your company isn’t big enough for a dedicated IT staff, make sure you’re modeling good security practices. Often, says Kocher, senior management personnel are the most difficult to convince when it comes to taking precautions. Executives want immediacy and convenience and may not think about the potential consequences.
- Test and review. Develop a survey about best security practices and have employees take the survey at least once a year, suggests Davis. Follow through on incorrect responses.
The good news is attacks on small andmid-sized businesses are usually an afterthought. Directed attacks are usually aimed at bigger prey, such as large corporations. Your greatest vulnerability lies in your employees. “Most of the time, it’s literally an employee doing something they shouldn’t do,’’ says Davis.