
Upload: bright-technology

Post on 26-Jan-2017


SECURITY RULES FOR SMES TO FOLLOW

Modern IT systems have grown increasingly powerful over recent years in response to continuous technological development. As a result, many companies of all types, major corporations and small and medium-sized enterprises (SMEs) alike, have begun to treat their IT infrastructure as a mission-critical asset.

Unfortunately, along with the increased utility of modern-day IT systems have come more security breaches and more activity focused on obtaining data from such systems illicitly. SMEs can face heightened risks in this regard, as they may not have the budget to spend as much as larger companies on securing their data from theft, which makes them easier targets for hackers and other malicious individuals.

The following security rules are designed to help SMEs construct a robust IT security policy to help minimise their likelihood of suffering a serious data breach:

Identify your most valuable IT assets

When formulating your data security policy, it is important to identify the assets (equipment and data) that are most valuable to your company, then determine which of these assets are most essential to the functioning of your business. One way to do this is to ask yourself which IT assets it would be hardest to run your business without.


For instance, a firm selling goods online is likely to identify its online ordering site as absolutely crucial to doing business, with downtime for this system equating to lost revenue. Additionally, its inventory management software allows it to track the goods it has on hand and ship them out to customers when an order comes in. A company storing financial records for consumers or other companies would likely specify the servers which contain the stored data as essential to conducting its business.

Once you’ve identified your most valuable IT assets, you should analyse them for vulnerabilities and then devise an overall IT security plan.

Analyse your most important IT assets for vulnerabilities

Once you’ve identified the IT assets which are crucial to running your business, run a series of tests to determine how vulnerable they are to being exploited. For instance, if your servers are in a room accessible by staff from other companies, what policies are in place to prevent non-authorised individuals from gaining access to the computers storing your data?

If your website performs a mission-critical function, does it have anti-DoS (denial of service) protection? Do you have business continuity arrangements in place so that if your website does go down, an alternate hosting service can restore functionality until your main web server is once again functional?

Penetration testing can also be performed to test the efficacy of any firewall protection of the computers hosting your most critical data. Any vulnerabilities discovered in the testing phase should be corrected to ensure maximum system security.

Create a documented security policy

The best security plans in the world will come to naught if your employees don’t heed them. Crucial to this process, especially as employee count rises, is to create documentation explaining your security policy to your staff. The documentation should cover all aspects of your security policy so that it is clear to employees what is expected of them.


Items to cover in the policy documentation include:

• Device usage parameters, including company-provided devices and employee-owned devices, if their use is allowed for business purposes

• Password security policy

• Email policies and procedures

Install a firewall and test it regularly

A firewall is designed to prevent outsiders from accessing your private network. Enterprise connections should be shielded from cyber attack by a firewall that performs stateful packet filtering at minimum. Filtering of this type follows the rules of each protocol and admits only packets that represent an appropriate state transition for a connection it already knows about; an unsolicited inbound packet that belongs to no such connection is dropped. To keep costs reasonable, SMEs should consider utilising appliance-based firewalls or consulting with a managed services provider (MSP) about outsourcing their security needs.
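The stateful filtering described above, shown as an added example that is not part of the original article: a minimal connection tracker that admits packets only when they follow the TCP handshake's legal order for their flow. Flow keys, flag encoding and the single outbound-only policy are simplifications assumed for illustration.

```python
# Added example (not from the article): a toy stateful packet filter.
# Packets are admitted only if they are a legal next step for their flow;
# an unsolicited inbound SYN or SYN-ACK, or data with no handshake, is dropped.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str       # "ip:port" of the sender
    dst: str       # "ip:port" of the receiver
    flags: str     # subset of "SAF" (SYN, ACK, FIN), simplified encoding
    inbound: bool  # True when arriving from the Internet side

class StatefulFilter:
    """Track TCP flows keyed by (internal client, external server)."""

    def __init__(self):
        self.flows = {}  # (client, server) -> handshake state

    def _key(self, p):
        # Key every flow from the perspective of the internal client.
        return (p.dst, p.src) if p.inbound else (p.src, p.dst)

    def admit(self, p):
        key = self._key(p)
        state = self.flows.get(key, "NONE")
        if state == "NONE":
            # Only an outbound SYN may open a flow: this policy exposes no
            # inbound services, so an inbound SYN is refused outright.
            if p.flags == "S" and not p.inbound:
                self.flows[key] = "SYN_SENT"
                return True
            return False
        if state == "SYN_SENT" and p.flags == "SA" and p.inbound:
            self.flows[key] = "SYN_RECV"
            return True
        if state == "SYN_RECV" and p.flags == "A" and not p.inbound:
            self.flows[key] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED":
            if "S" in p.flags:       # a SYN inside an open flow is bogus
                return False
            if "F" in p.flags:       # simplified teardown on first FIN
                del self.flows[key]
            return True
        return False                 # any other transition is illegal
```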

Technology changes rapidly, and not all firewalls are able to keep up with the rapidly evolving threats IT users face. In addition, as a company’s IT needs change, adjustments to its firewall policy may be necessary. As a result, a firewall review should be conducted at least once a year (and more often if need be) to review the coverage provided by the incumbent solution to see if any changes should be made. Consultants certified by major firewall vendors are available to perform this task if you prefer to outsource the process. Online tests can also be used to get a basic report on how effective your firewall is: The “Shields Up” test found here is one such test.

Protect your email server system with anti-virus software

The most common source of security breaches involving SMEs is email, typically via links clicked on by unwary employees. Your email server should be protected by a commercial antivirus (AV) solution, either in the form of a hardware appliance or software installed on your equipment. Multifunction appliances can be good for SMEs because of their reasonable cost, solid protection, and the ease with which they can be set up, configured and maintained. However, they aren’t as scalable or easy to adjust when necessary as AV software.

Companies with more complex networks will typically be better served by network AV software or high-end appliances. Although they can take more time and be more difficult to properly set up, they are better able to deal with changing IT infrastructure requirements as your company and its IT system grow and evolve. An IT consulting firm can help you install and provision your AV solution if your company lacks the in-house expertise to do so.


Your AV solution should scan as many types of files as possible. This should be done so that all files are scanned before they are transferred to employees’ computers. The solution should be set up so it requires signature updates when a network or Internet logon occurs.

All executable files should be examined, as well as image files and video and audio files. If the functionality is available, executable attachments should be automatically stripped. The solution you use for anti-virus purposes should be able to scan both inbound and outbound mail. Scanning of compressed file types which are sometimes used to hide viruses should be supported: among these are LZH, ZIP, ARJ, LHA and Microsoft Compressed Format. Your AV solution should be provisioned to reject double-extension attachments (for example: .txt.cds), as they are prime carriers of malicious software.
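The attachment rules just listed, applied in code as an added example that is not from the article: each attachment of a parsed message is classified as reject (double extension), strip (executable), scan (archive) or allow. The extension sets are illustrative, and using "cab" to stand for Microsoft Compressed Format is an assumption.

```python
# Added example (not from the article): attachment policy for an inbound
# message. The sample message and extension lists are constructed here.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXT = {"exe", "com", "bat", "cmd", "scr", "js", "vbs", "ps1"}
ARCHIVE_EXT = {"zip", "lzh", "lha", "arj", "cab"}   # "cab" is an assumption
DOCUMENT_EXT = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}
KNOWN_EXT = EXECUTABLE_EXT | ARCHIVE_EXT | DOCUMENT_EXT

def classify_attachment(filename):
    """Map a filename to reject / strip / scan-archive / allow."""
    exts = filename.lower().split(".")[1:]
    if not exts:
        return "allow"
    # "invoice.txt.cds": a familiar extension hiding before the real one.
    if any(e in KNOWN_EXT for e in exts[:-1]):
        return "reject-double-extension"
    if exts[-1] in EXECUTABLE_EXT:
        return "strip-executable"
    if exts[-1] in ARCHIVE_EXT:
        return "scan-archive"        # hand to the AV engine for unpacking
    return "allow"

def check_message(raw_bytes):
    """Parse an RFC 5322 message and return {attachment name: verdict}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdicts[name] = classify_attachment(name)
    return verdicts

def build_sample():
    """Constructed inbound message with four attachments, as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name in ("invoice.txt.cds", "update.exe", "photos.zip", "notes.pdf"):
        msg.add_attachment(b"\x00data", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```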

Follow security procedures when disposing of old technology

To ensure that any confidential data kept on old computers, servers, or mobile devices is disposed of properly, make sure that destruction of the hard disk takes place rather than simply throwing a device away. This will keep any outsider from gaining possession of the data on the device being discarded.

Use robust password security procedures, especially when allowing remote access to your data

To some degree, your enterprise security is only as good as your password security. Even the most robust of firewalls won’t help if outsiders are able to gain access to your network via compromised passwords. Any remote access you provide should only be enabled via complex, difficult to decipher passwords.

The following password procedures can assist this approach:

• Requiring both alphabetical and numerical characters

• Requiring special characters such as # or & in the password

• Using lengthier passwords

• Requiring capitalization

• Passwords should not mimic usernames

• Avoid dictionary words

• Require regular password changes
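The list above expressed as a checker, added here as an example that is not from the article: it reports every rule a candidate password breaks and whether a scheduled change is due. The minimum length, maximum age and the small dictionary are assumed values.

```python
# Added example (not from the article): password policy check implementing
# the rules listed above. Threshold values and the word list are assumptions.
import re
from datetime import date, timedelta

MIN_LENGTH = 12                                  # assumed policy value
MAX_AGE_DAYS = 90                                # assumed rotation period
COMMON_WORDS = {"password", "welcome", "company", "summer", "letmein"}  # constructed

def password_violations(password, username):
    """Return the names of every policy rule the password breaks."""
    failed = []
    if not re.search(r"[A-Za-z]", password) or not re.search(r"\d", password):
        failed.append("alphabetic-and-numeric")
    if not re.search(r"[^A-Za-z0-9]", password):
        failed.append("special-character")
    if len(password) < MIN_LENGTH:
        failed.append("minimum-length")
    if password == password.lower():
        failed.append("capitalization")
    lowered, user = password.lower(), username.lower()
    if user and (user in lowered or lowered in user):
        failed.append("mimics-username")
    # Drop digits and symbols so "Summer2017!" still matches "summer".
    letters = re.sub(r"[^a-z]", "", lowered)
    if any(word in letters for word in COMMON_WORDS):
        failed.append("dictionary-word")
    return failed

def change_required(last_changed, today):
    """True when the password is older than the rotation period."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)
```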

Account lockout software, which locks a user out if too many unsuccessful attempts to log in are made, can help to enhance password security. Company-provided laptops should have personal firewalls such as those provided by ZoneLabs or Symantec. If remote access to the company’s network is allowed via personal laptops, the use of thin client technology should be considered.

Verify your website uses the latest intrusion detection solutions

Publicly available websites are by nature exposed to a variety of threats, including DoS (denial of service) attacks and unwanted intrusions. Every company website should at the least comply with vendor-provided security provisions to deter intrusion. Your company policy should ensure that security patches are applied as soon as they are released – and no later than one week after they have been issued, if at all possible. If your website is used for e-commerce, the capacity to detect intrusion is a must.

Restrict access as appropriate and monitor employee behavior for potential security risks

Your IT security policy should specify which employees have access to sensitive parts of your network as many data breaches, upon further investigation, are determined to have originated from employees who had access to the network. One way to reduce this risk is to restrict your most vital data only to those insiders you have vetted for security risks.

In addition, modern security software can monitor employee behavior to identify any potential security risks. Such software can provide information such as log-in location, data accessed, data downloaded and so on. For instance, if an employee’s credentials are used to log in from a foreign country and the employee in question is not in that country either on business or vacation, it could indicate that their password has been compromised by a malicious outsider.
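The foreign-login check described above, run over a few constructed access-log lines as an added example that is not part of the article: a login is flagged when its country is neither the employee's home country nor on their approved travel list, and a download is flagged when it exceeds a size threshold. The log format, employee records and threshold are all assumptions.

```python
# Added example (not from the article): behaviour checks over access logs.
# Log format, employee records and the download threshold are assumed.
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"country=(?P<country>[A-Z]{2})(?: bytes=(?P<bytes>\d+))?$")

# Constructed employee records: home country plus approved travel countries.
EMPLOYEES = {
    "alice": {"home": "GB", "travel": {"DE"}},
    "bob":   {"home": "GB", "travel": set()},
}
DOWNLOAD_LIMIT = 500_000_000   # bytes in one download event (assumed)

def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_risks(lines):
    """Return (line_no, reason) for every event worth an analyst's look."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            alerts.append((n, "unparseable"))
            continue
        emp = EMPLOYEES.get(rec["user"])
        if emp is None:
            alerts.append((n, "unknown-user"))
            continue
        expected = {emp["home"], *emp["travel"]}
        if rec["event"] == "login" and rec["country"] not in expected:
            alerts.append((n, f"login-from-unexpected-country:{rec['country']}"))
        if rec["event"] == "download" and int(rec["bytes"] or 0) > DOWNLOAD_LIMIT:
            alerts.append((n, "large-download"))
    return alerts

SAMPLE_LOG = [  # constructed for this example
    "2017-01-26T08:12:03Z user=alice event=login country=GB",
    "2017-01-26T09:40:11Z user=alice event=login country=DE",
    "2017-01-26T22:05:47Z user=bob event=login country=RU",
    "2017-01-26T22:07:02Z user=bob event=download country=RU bytes=734003200",
    "2017-01-26T10:00:00Z user=carol event=login country=GB",
]
```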

Use encryption for laptops/tablets

The use of laptops/tablets presents inherent security risks, requiring a robust security policy to reduce the likelihood of a security breach. One way of accomplishing this is to require employees using such devices for company business to use encryption. Doing so makes it extremely difficult, if not impossible, for outsiders to make use of any data they may acquire via transmission over wireless networks.


Enable remote wipe facilities for mobile phones

If mobile phones or tablets fall into the possession of outsiders, remote wipe facilities are essential to prevent the data on those devices from becoming compromised. Software solutions that enable this will typically allow for a device to be wiped while still retaining any data from that device that has been uploaded to a cloud server for storage.

Establish help desk and anti-phishing security policies

Another source of security breaches comes from “social engineering,” which refers to attempts by attackers to get company personnel to provide valuable data such as password information by pretending to be a customer or employee. Establish identity verification procedures to make it as difficult as possible for this to occur.

Another frequent source of security breaches is phishing emails, where attackers send emails which look legitimate in order to gain access to sensitive company data. Such emails can be quite sophisticated, and are also used to bilk companies out of funds. This is done by impersonating company officials in an email that requests money be sent to an account connected to the scammers. Your security policies should include measures to prevent such email phishing schemes from compromising vital information or costing your firm money.

Conclusion

SMEs can significantly improve their IT security profile by consulting the rules listed above as they design their security policies. The prevalence of costly data breaches and other security incidents in recent years provides clear examples of the danger companies face in this regard. Taking a rigorous approach to security allows your company to make optimum use of today’s powerful computing systems while reducing the risk that a security breach will compromise your firm’s valuable data. The pace of technological change can be rapid, so make sure to review your security plan at least yearly to verify that it has kept pace with any advances in technology that have occurred since the last review.