Company Security Is a Collaborative Effort

By Monte Robertson
Security now comes in two primary flavors—physical security and digital security. The common link between them is people. Security issues range from loose lips to stray clicks, whether intentional or not. That's why it's imperative to develop a security policy covering all aspects of security. Employees need training to be proactive in these areas to help protect the business.

We all run up against personal physical security every time we travel somewhere by plane. Business physical security affects us when we use a key to enter work or have to shred a sensitive document. Digital security kicks in the minute we turn on our computers—from the logon password to the user's behavior, to the anti-malware software that protects your systems online, and finally the backup systems. While homeland security issues are out of our control, we can help control many areas of our business's physical and digital security. Give your business a fighting chance: create and implement a security policy. The tips listed below outline how important policy is when securing your business, some of the new threats you need to be aware of, and steps to take right away.

1. Physical Security—Lock the Doors and Be Insured

Physical security is essential for critical servers and other computers. A motivated person with physical access can get into any Windows machine without knowing the user name or password—something you need to remember when putting a basic security policy together.

2. Computer Security—A Digital Alarm System

You probably already have the basics in place for computer security—anti-virus, anti-spyware, anti-spam, and firewall. But what's going on now on the Web in the world of Web 2.0 brings a whole new range of security risks, threats, and vulnerabilities. The game has changed dramatically—and so have the risks.

So what's the deal with Web 2.0?

As users began to demand more interactivity and participation in Web-based communications, alternative technologies began to appear. E-mail branched out into chat, and chat evolved into Web conferencing and voice over IP. Websites sprouted blogs, which in turn sprouted video blogs (vlogs). A few years ago, social networks began to appear that enabled users to exchange information using all of these collaborative technologies. And thus was born Web 2.0.

Today, the online landscape is rife with applications supporting this new approach: more than 200 social networking sites, all of which are easily accessible to anyone with a browser. Social networks are essentially online communities of people who share interests and activities or who are interested in exploring the interests and activities of others. The main types of social networking services are those which contain directories of some categories (such as former classmates), means to connect with friends (usually with self-description pages), and recommender systems linked to trust.

Almost a quarter (22 percent) of all North American computer users acknowledge using social networking on a regular basis, so it's not surprising that five of the top 10 visited sites on the Web are social networking sites. As the line between technology-for-work and technology-for-fun blurs, so does the line between the company network and the social network. As that line blurs, so does the line between secure and not-sure-if-secure. Today's young generation of workers grew up with instant messaging and are used to the immediacy of communication offered by social networks; they see no reason not to interact with social networks from inside the corporate network. IT people, however, see that interaction very differently. They see software as artifact—something they can corral and control—morphing into software as a service—delivered on-demand directly from developer to user. They see RSS feeds streaming who-knows-what into users' browsers. In November 2007 alone, over 148 million people in North America viewed some form of social network application or "widget".

The dark side of Web 2.0

Your employees are also busy introducing a whole new set of computer-based activities onto your network that make it even easier for security breaches to take place. Today experienced computer users (aka employees) are creating "mashups", which are combinations of different programs that are combined (mashed) to create a new, more "flexible" program. "Flexible" rarely equates to secure, so proceed with caution when you hear these words. Social networking, instant messaging, Skype—all sorts of communications channels are tunneling into and out of your business. If you thought keeping control of spam and stopping users from opening email attachments was tough, welcome to the brave new world of Web 2.0. To understand more about these new types of threat, and just how insidious they can be, check out a series of short (3 minute) videos made by AVG Technologies' Chief Research Officer Roger Thompson (http://www.explabs.com/about/resCenter/video_library.asp).

Web 2.0 is all about sharing and collaboration, but sharing data and keeping that data secure is like mixing oil and water. You can either share or secure data, but not both. And while it would be nice to simply lock everything down and block all these consumer-driven applications, it's simply not realistic to expect your users to live with that level of inflexibility, or they'll be spending half their time trying to get around it.

Computer security is an ever-changing landscape. At minimum you need anti-virus, anti-spyware, anti-exploit, anti-spam, firewall, encryption, and backup—and you need to keep everything up to date at all times. Plus, security measures need to be as transparent to your users as possible. If security gets in the way of working, they'll start trying to find a way around it—and probably succeed. If you're like most small businesses, you simply don't have the bandwidth, the manpower, or the expertise to deal with all of this. So, you need a reseller or consultancy with security expertise to help guide you through this security maze.

3. The Human Factor

Make security part of the new-hire orientation process. When employees understand how their behavior on and offline can open the business up to physical or digital theft (including the employees' own identities) and to consequent financial damages and reputation loss, they are more likely to change those risky behaviors. The big roadblock for businesses putting training and awareness programs in place is time. Security training is crucial to every business. It really isn't optional when you think of what you could lose if an employee handed over your customer list to a competitor, or if all your employees' social security numbers were stolen by a hacker who got into your network through a phishing scam. Web 2.0 threats are incredibly sophisticated and your users need to be kept up to speed. Then find a way to make ongoing security training relevant and fun. Make it worth the employees' while to understand why security is important as the lifeblood of the business.

4. Policies—Pulling Them Together

The section in the policy on physical security needs to cover at a minimum essentials like who has keys to what, the process for issuing new or replacement keys, changing smoke alarm batteries, alarm-setting and maintenance responsibilities, and the factors that determine which documents should be shredded and when. Have backup resources identified in the plan here as well, in case the primary responsible party or parties are not able to perform their function.

The section on digital security should cover at a minimum password management and acceptable-use policy (the types of applications and Web sites that may and may not be used on company computers). Every employee should be provided with a standard set of applications to minimize the number of configurations that need to be managed and maintained; any employee wanting additional applications should be required to make a business justification for that application and must not install that application themselves. In some ways, digital security policy is easier to manage than physical security, because much of it can be enforced from the server. Windows Active Directory lets you apply different usage policies to different users so that, for example, financial records are only accessible to the accounting department and senior management, whereas documents like the employee handbook are accessible to everyone.

5. Help Is on the Way

Resources

Training and security information: NCSA resource
Stay Safe Online: Security Awareness Training Course
Home Network Security
Identity Theft Resources
Policies, Standards and Guidelines
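The access split described in section 4 (financial records readable only by Accounting and senior management, the employee handbook readable by everyone), enforced from the server with Active Directory security groups and NTFS permissions. This is an added example, not the author's; the domain name CORP, the group names, the share paths and the helper Set-AllowList are assumptions for illustration.

```powershell
# Added example (not from the article). Least-privilege file access via
# AD security groups + NTFS ACLs. Domain CORP, group names and share paths
# are assumptions; adjust to your environment.
Import-Module ActiveDirectory

$domain       = 'CORP'                       # assumed NetBIOS domain name
$financeGroup = 'FinanceRecords-Readers'     # assumed group to create
$financePath  = 'D:\Shares\Finance'          # assumed folder with financial records
$handbookPath = 'D:\Shares\Handbook'         # assumed folder with the employee handbook

# One group gates the finance folder; its members are the existing Accounting
# and SeniorManagement groups (assumed names), so membership is managed in AD,
# not by editing folder permissions per person.
if (-not (Get-ADGroup -Filter "Name -eq '$financeGroup'")) {
    New-ADGroup -Name $financeGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $financeGroup -Members 'Accounting', 'SeniorManagement'

# Replace a folder's ACL with an explicit allow-list: stop inheriting from the
# parent, drop every existing rule, then grant only what is listed.
function Set-AllowList {
    param([string]$Path, [hashtable]$Grants)   # Grants = @{ 'identity' = 'rights' }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)            # no inheritance, no copied rules
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in $Grants.Keys) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $Grants[$id], $inherit, $prop, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Finance: only the gate group may read; admins keep control. 'Domain Users'
# is deliberately absent, so everyone else is denied by default.
Set-AllowList -Path $financePath -Grants @{
    "$domain\$financeGroup"   = 'ReadAndExecute'
    'BUILTIN\Administrators'  = 'FullControl'
}

# Handbook: every domain account may read, nobody but admins may change it.
Set-AllowList -Path $handbookPath -Grants @{
    "$domain\Domain Users"    = 'ReadAndExecute'
    'BUILTIN\Administrators'  = 'FullControl'
}

# Verify: who can reach the finance folder after the change?
(Get-Acl -Path $financePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it once from an account that administers both the domain and the file server; afterwards, access changes are made by adding or removing AD group members, never by editing the folder ACL by hand.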