Minimal Security Standards for the Small Business

Computer Security. Who cares? You didn’t build your business in order to spend all your time defending your network from bad guys; you want to concentrate on your core competencies. Besides, who is interested in hacking my network anyway?

Lots of people. The barbarians are at the gates:

Spam Gangs
Spam gangs are groups of people who make money by sending out massive quantities of spam. Many of them operate out of Russia and Asia. Since the IP address they send the spam from will eventually get blacklisted, they constantly need to switch to a new address. Your computer has one. Your computer also has bandwidth, in the form of your connection to the internet. It is very cost effective for the spam gangs to hack your computer, use it to send out mass amounts of spam email and let you deal with the aftermath, such as being blacklisted.


Russian Organized Crime

Hacking and identity theft have become big business in Russia. Your accounting data is a prime target. Your computer, IP address and your bandwidth are also valuable in launching attacks against other targets. The financial damage to you and your customers could sink most small organizations. Add in legal liability and damage to your reputation.

Worms, Viruses and Spyware
Malicious programs test your security every second of the day. If you have a weak link in your security, you will be compromised. If you use a computer, I’m sure you’ve encountered one of these pests. To call them a pest, however, is to underestimate them. The noisy ones, the ones that attract attention, pop up windows, slow down your PC, delete files and so forth, are not the dangerous ones. The ones that give remote control to an attacker, the ones that search your computer for credit card or social security numbers, are the truly damaging specimens. You won’t even notice they are there.

Alright. As the owner of a small business, what do I do?

Start by recognizing that information security is a process. You need to treat it like your other ongoing business processes such as sales, accounting and marketing. Start by creating a policy. I’m going to give you a basic sample:

  1. All network access will be regulated by a firewall.
  2. All workstations will have antivirus, antispyware and firewall software installed and configured.
  3. All accounts and logins will have a decent password.
  4. Any wireless connections will be encrypted.
  5. All computers will be kept up to date, with patches and security fixes.
  6. Important data is backed up to a secure location.

Sure it’s incomplete, but if you enforce this simple policy then you are no longer a soft target. Remember that security is a process, so each policy item must be audited on a regular basis:

  1. The firewall rules should be tested for effectiveness, and should be monitored for signs of an active determined attack.
  2. The configuration and status of antivirus, antispyware and firewall software needs to be checked.
  3. Passwords should be run against a password cracker, to reveal weak passwords.
  4. Wireless connections should be audited.
  5. Patch status and workstation configuration should be audited. You can use the Microsoft Baseline Security Analyzer to make this task considerably easier.
  6. Test your backup!
Start with the policy, enforce it, audit on a regular basis. That’s the process. Rinse and repeat.
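One way to make the audit step repeatable is to record what each check found for every workstation and run the policy over that record as a set of rules. The script below is an added example, not code from the article; the inventory records are constructed sample data, and the thresholds (a 30-day patch window, 7-day antivirus definition age, 90-day backup-test window, 12-character minimum password, the short weak-password list standing in for a cracker's wordlist) are assumptions chosen for illustration rather than values the article states.

```python
"""Audit a constructed workstation inventory against the six-item policy.

Added example (not from the original article). All thresholds below are
assumptions chosen for illustration, not values stated in the article.
"""
from datetime import date

# Assumed thresholds for the audit rules.
MAX_PATCH_AGE_DAYS = 30          # policy item 5: patches and security fixes
MAX_AV_DEFINITION_AGE_DAYS = 7   # policy item 2: antivirus kept current
MAX_BACKUP_TEST_AGE_DAYS = 90    # policy item 6: "Test your backup!"
MIN_PASSWORD_LENGTH = 12         # policy item 3: a decent password
ACCEPTED_WIRELESS = {"WPA2", "WPA3"}  # policy item 4: encrypted wireless

# Tiny stand-in for the wordlist a password cracker would try first.
WEAK_PASSWORDS = {"password", "password1", "welcome1", "letmein", "123456789012"}

# Date the audit is being run against (fixed so results are reproducible).
AUDIT_DATE = date(2024, 3, 10)

# Constructed sample inventory: what an audit of three workstations might record.
INVENTORY = [
    {"host": "office-pc-01", "firewall_enabled": True, "antivirus_installed": True,
     "av_definitions_updated": date(2024, 3, 9), "last_patched": date(2024, 3, 5),
     "wireless_encryption": "WPA2", "password": "Qv7!mzLp29xr",
     "last_backup_test": date(2024, 1, 20)},
    {"host": "office-pc-02", "firewall_enabled": True, "antivirus_installed": True,
     "av_definitions_updated": date(2024, 2, 1), "last_patched": date(2023, 11, 30),
     "wireless_encryption": "WEP", "password": "Tr4ck3r!!Bluefin",
     "last_backup_test": date(2024, 2, 28)},
    {"host": "front-desk", "firewall_enabled": False, "antivirus_installed": False,
     "av_definitions_updated": None, "last_patched": date(2024, 3, 1),
     "wireless_encryption": "WPA2", "password": "Welcome1",
     "last_backup_test": None},
]


def days_since(when, as_of):
    """Whole days between a recorded date and the audit date; None if never recorded."""
    return None if when is None else (as_of - when).days


def check_password(password):
    """Return a finding for a weak password, or None if it passes the policy."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"password shorter than {MIN_PASSWORD_LENGTH} characters"
    if password.lower() in WEAK_PASSWORDS:
        return "password appears in the weak-password list"
    return None


def audit_host(record, as_of=AUDIT_DATE):
    """Apply every policy rule to one workstation record; return the list of findings."""
    findings = []
    if not record["firewall_enabled"]:
        findings.append("firewall disabled")
    if not record["antivirus_installed"]:
        findings.append("antivirus not installed")
    else:
        av_age = days_since(record["av_definitions_updated"], as_of)
        if av_age is None or av_age > MAX_AV_DEFINITION_AGE_DAYS:
            findings.append("antivirus definitions out of date")
    password_finding = check_password(record["password"])
    if password_finding:
        findings.append(password_finding)
    if record["wireless_encryption"] not in ACCEPTED_WIRELESS:
        findings.append(f"wireless encryption {record['wireless_encryption']} not accepted")
    patch_age = days_since(record["last_patched"], as_of)
    if patch_age is None or patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    backup_age = days_since(record["last_backup_test"], as_of)
    if backup_age is None:
        findings.append("backup never tested")
    elif backup_age > MAX_BACKUP_TEST_AGE_DAYS:
        findings.append("backup test overdue")
    return findings


def audit_inventory(inventory=INVENTORY, as_of=AUDIT_DATE):
    """Map each host name to its findings; an empty list means the host is compliant."""
    return {record["host"]: audit_host(record, as_of) for record in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{host}: {status}")
```

Running it prints one line per workstation; a host with an empty findings list passes every policy item, and anything else is the to-do list for that audit cycle. The password rule here is a simple length and wordlist check, not the cracker the article recommends; it is the minimum you would apply before spending the time on a real cracking run.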
