Every small business needs to defend its data from hackers and employees with ill will. Here are some of the basics of information technology security that every small business should have:
Every business needs a real firewall – one that handles all of your basic routing needs, but that can also detect and prevent hacking attempts (IPS & IDS) and denial-of-service attacks (DoS). This is especially important if you have a public-facing server, such as an Exchange server or a web server. A real firewall is not the router that your Internet service provider gives you or that you can buy at the local electronics store. These devices use something called Network Address Translation (NAT) for a basic form of security, but it is not enough. Common firewall brands are SonicWall (my personal favorite), WatchGuard and Cisco PIX (my least favorite and the most expensive).
While I don’t recommend software firewalls to protect the company network, I do recommend that they be enabled for laptop users. If you are using Vista or Windows 7 laptops, make sure that the office is set up as a Work network and that users are trained to select Public when they connect anywhere else. This will ensure that the built-in Windows Firewall is on in those locations.
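Relying on users to pick the right network location works only if the firewall is actually on for every profile. The following PowerShell script is an added example, not code from the original post: it reads the state of each Windows Firewall profile (Domain, Private, Public) through `netsh advfirewall`, which exists on Vista and Windows 7 and later, and turns the firewall on for any profile where it is off. The function names are my own; the output format parsed is the one `netsh` prints, and the script must run from an elevated prompt.

```powershell
# Added example (not from the original post): verify that the built-in Windows
# Firewall is enabled for every network location profile, and turn it on where
# it is not. Uses "netsh advfirewall", present on Vista/7 and later.
# Run from an elevated PowerShell prompt.

function Get-FirewallProfileState {
    # Returns one object per profile (Domain, Private, Public) with its state.
    $output  = netsh advfirewall show allprofiles state
    $results = @()
    $current = $null
    foreach ($line in $output) {
        # netsh prints a header such as "Public Profile Settings:" before each block
        if ($line -match '^(\w+) Profile Settings:') {
            $current = $Matches[1]
        }
        # ...followed by a line such as "State    ON"
        elseif ($current -and $line -match '^State\s+(ON|OFF)') {
            $results += [pscustomobject]@{ Profile = $current; Enabled = ($Matches[1] -eq 'ON') }
            $current = $null
        }
    }
    return $results
}

function Assert-FirewallEnabled {
    # Reports each profile; with -Fix, enables the firewall on any profile that is off.
    param([switch]$Fix)
    foreach ($s in Get-FirewallProfileState) {
        if ($s.Enabled) {
            Write-Host ("{0,-8} firewall: ON" -f $s.Profile)
        }
        else {
            Write-Warning ("{0} profile firewall is OFF" -f $s.Profile)
            if ($Fix) {
                # netsh profile names are domainprofile, privateprofile, publicprofile
                $name = $s.Profile.ToLower() + 'profile'
                netsh advfirewall set $name state on | Out-Null
            }
        }
    }
}

# Usage: report, and enforce the firewall on all three profiles.
Assert-FirewallEnabled -Fix
```

Enabling the firewall on all three profiles means a laptop stays protected even when a user forgets to choose Public on a hotel or coffee-shop network; the location choice then only decides which rules apply, not whether the firewall is on at all.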
What’s the Password?
Ideally you’ll have a server that is running Active Directory so that you have a centralized database of user passwords. (Active Directory-enabled servers have some other important security features as well that we will discuss later.) At a minimum, you should enforce strong password complexity to avoid people using common passwords like “1111” or “qwerty” or something easily guessed such as the name of a loved one, a pet or a birthday. Good passwords should be no less than 8 characters, contain letters, numbers and symbols, and mix upper-case and lower-case letters.
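To make the rule above concrete, here is an added PowerShell example (not code from the original post). The first function checks a candidate password against exactly the rule stated in the paragraph, plus a short constructed list of common passwords. The second applies a matching baseline to an Active Directory domain with the `ActiveDirectory` module’s `Set-ADDefaultDomainPasswordPolicy` cmdlet; the domain name `corp.example.local`, the lockout values and the function names are my own assumptions.

```powershell
# Added example (not from the original post).
#  1. Test-PasswordRule implements the stated rule: at least 8 characters,
#     letters, digits, symbols, and both upper- and lower-case letters.
#  2. Set-DomainPasswordBaseline applies a matching policy to an AD domain.
#     Requires the ActiveDirectory module (RSAT) and Domain Admin rights.

# Constructed sample list of passwords that are never acceptable.
$CommonPasswords = @('1111', 'qwerty', 'password', '123456', 'letmein')

function Test-PasswordRule {
    param([Parameter(Mandatory)][string]$Password)
    $problems = @()
    if ($Password.Length -lt 8)             { $problems += 'shorter than 8 characters' }
    if ($Password -cnotmatch '[A-Z]')       { $problems += 'no upper-case letter' }
    if ($Password -cnotmatch '[a-z]')       { $problems += 'no lower-case letter' }
    if ($Password -notmatch '[0-9]')        { $problems += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $problems += 'no symbol' }
    if ($CommonPasswords -contains $Password.ToLower()) { $problems += 'common password' }
    [pscustomobject]@{ Acceptable = ($problems.Count -eq 0); Problems = $problems }
}

function Set-DomainPasswordBaseline {
    param([string]$Domain = 'corp.example.local')   # placeholder domain name
    Import-Module ActiveDirectory
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -MinPasswordLength 8 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 12 `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15)
    # Read the policy back so the change can be confirmed.
    Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
        Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, LockoutThreshold
}

# Usage: check a few constructed candidates against the rule.
'qwerty', 'Summer2024', 'Tr0ub4dor&3' | ForEach-Object {
    $r = Test-PasswordRule -Password $_
    '{0,-12} acceptable={1} {2}' -f $_, $r.Acceptable, ($r.Problems -join ', ')
}
```

One caveat worth knowing: the built-in Windows complexity setting (`-ComplexityEnabled`) requires characters from three of the character categories, not all four, so the domain policy is slightly looser than the rule in the paragraph. Enforcing all four categories on the domain itself needs a password filter; the checker function above is what you would use at the help desk or in a provisioning script to hold new passwords to the stricter rule.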
Auditing is another feature built into all Windows operating systems. It allows network admins to see who tried to access which network resources, at what time, and whether or not they were successful. This feature, in conjunction with setting file and sharing permissions, helps you ensure that only the right people have access to the files they are allowed to, and lets you know when they are trying to access files they are not allowed to.
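Auditing on Windows is off for file access until you enable the audit subcategory and put an audit entry (SACL) on the folder, so here is an added PowerShell example (not from the original post) that does both for one shared folder and then produces the who/what/when/outcome report the paragraph describes from the Security event log. It uses the standard Windows event IDs 4663 (an object was accessed) and 4656 (a handle to an object was requested, recorded as an audit failure when access is denied). The folder path `D:\Shares\Finance` and the function names are placeholders; the script must run elevated on the file server.

```powershell
# Added example (not from the original post): turn on file-access auditing for
# one shared folder and summarise who accessed (or was refused) what, and when.
# Run elevated on the file server. The share path is a placeholder.

$SharePath = 'D:\Shares\Finance'   # placeholder

function Enable-FolderAccessAuditing {
    param([string]$Path)
    # 1. Enable the "File System" audit subcategory for success and failure.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    # 2. Add a SACL entry so reads, writes and deletes by anyone are audited
    #    (requires SeSecurityPrivilege, which an elevated admin has).
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        'Everyone',                          # identity
        'ReadData, WriteData, Delete',       # FileSystemRights
        'ContainerInherit, ObjectInherit',   # InheritanceFlags: apply to subfolders and files
        'None',                              # PropagationFlags
        'Success, Failure')                  # AuditFlags
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileAccessReport {
    param([string]$Path, [int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named fields out of the event's XML payload.
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['ObjectName'] -notlike "$Path*") { continue }
        $outcome = 'success'
        if ($e.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'DENIED' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
            Object  = $field['ObjectName']
            Access  = $field['AccessMask']
            Outcome = $outcome
        }
    }
}

# Usage: enable auditing once, then review the last day of activity.
Enable-FolderAccessAuditing -Path $SharePath
Get-FileAccessReport -Path $SharePath -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The rows marked DENIED are the ones the paragraph cares about: a user whose permissions are correct should rarely generate them, so a burst of denials against a folder they have no business in is worth a conversation, and the Security log fills quickly on a busy file server, so raise its maximum size or forward it to a central collector once auditing is on.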
Anti-virus software is a no-brainer and a must. It needs to be installed on every workstation and every server. My personal preference is AVG Internet Security Edition for businesses (note that your business might need other editions if you are running an Exchange server). Whatever software you choose, make sure that it protects you from viruses and spyware (the two together are often called “malware” in IT circles). Make sure that real-time protection is enabled and that all machines perform full scans at least once per week (preferably nightly).
Believe it or not, anti-spam software or an anti-spam service has its place as a basic IT security best practice. Why? Because so much malware is transmitted via email. It is best if it is stopped before it can even reach your email server, much less your network. For this reason I recommend an anti-spam service such as Postini, which “washes” email before it hits your email server(s).
Other Resources:
Google Answers regarding computer security statistics (lots of other links here)