
SmallBizResource Blog -- Security


10 Security Best Practices To Make Your Business Safer In A Recession

Posted by Benjamin Tomkins Wednesday, Apr 15, 2009, 08:06 AM ET

With the recession, it's tempting to cut corners anywhere you can, but security isn't the place to do it -- you may save some short-term cash, but recovering from a breach will cost you much more. Fortunately, keeping your business secure isn't just about spending more.

David Kelleher, communications and research analyst for GFI Software, cites a Forrester Research study that found SMBs spent almost 10% less on security in 2008 than in 2007, yet asserts that despite the recession, security spending will increase. According to Kelleher, small and midsize businesses struggle to balance spending with security and the human error that ranks foremost as a vulnerability for SMBs. To help business owners and IT managers manage business security, Kelleher recommends the following best practices:

  1. Determine Vulnerability -- Conduct an extensive audit of all security measures in place -- all hardware, software and other devices -- and the privileges and file permissions given to all employees in the organization. Actively test the security of the storage environment and check the logs of the network and storage security controls, such as firewalls, IDSs and access logs, to see if anything was discovered and highlighted as a possible security event. Event logs are an important, but often neglected, source of security information.
  2. Monitor Activity -- Monitor users' activity 24 x 7 x 365. For a single administrator, monitoring event logs and carrying out regular audits is a massive undertaking. However, it might be realistic to monitor the logs within the storage environment rather than the entire network. Logs have proven to be a source of great value if a security breach occurs and an investigation ensues. Log analysis goes beyond this: it is not only a post-event tool, it also helps you better understand how your resources are being used and allows you to manage them better.
  3. Control Access -- Access to data should be given only to those who need it, even if that person happens to be your cousin or the boss's son.
  4. Safeguard Information -- Safeguard all business information. The use of uncontrolled portable storage devices, such as flash drives and DVDs, puts considerable volumes of data at risk. These devices are easy to lose and they can be stolen quite easily if left lying around. In many cases, the data on portable storage devices is not protected using encryption.
  5. "Need-To-Know And Need-To-Use" -- Enact technological barriers that permit device use according to a clear and defined policy. Recent studies show that data leakage by employees increases when people lose their jobs. Portable devices such as USB sticks or PDAs can hold large volumes of data. Monitoring and controlling their use on the network is key to reducing the risk of data leakage or malicious activity by disgruntled employees. Use of devices should be restricted to those who really need to be mobile.
  6. Data Handling Policies -- Implement stringent security policies with regard to how data is accessed, handled and transferred. Technology alone will not protect a company's data. Strong and enforceable security policies, as well as employee and management awareness of security issues, will go a long way towards improving the level of storage security within an organization.
  7. Simple Employee Communication -- Explain the meaning of each policy, and how each one is implemented throughout the organization, in clear and simple language.
  8. Employee Education -- Employees need to be reminded that they should not leave their passwords written on a sticky note on their monitor. They need to understand that sharing passwords is equivalent to sharing the key to their home. They need to be told not to divulge any information to third parties without authenticating the request. They need to have a basic understanding of security and the most common threats, e.g., e-mail phishing and social engineering. Additionally, they should be reminded that their actions are being monitored and that they are accountable to the company.
  9. Back Up Everything -- Back up all communications and data to, from and within the business. Check your backups regularly to ensure that if the company's network is down, you can get everything online in a short time frame. You don't want to be in a position where your backups are corrupt.
  10. People Management -- Storage security is more than protecting the data using technology or placing it under lock and key; it is also an exercise in people management. The people using and creating the data are the greatest threat and weakest security link.
