Your small-business network may be protected by firewalls, intrusion detection and other state-of-the-art security technologies. And yet, all it takes is one person's carelessness, and suddenly it's as if you have no network security at all.
Let me give you an example. In March 2006, a major financial services firm with extensive network security disclosed that one of its portable computers was stolen. The laptop contained the Social Security numbers of nearly 200,000 people. How did it happen? An employee of the firm, dining in a restaurant with colleagues, had locked the laptop in the trunk of a SUV. During dinner, one of the employee's colleagues retrieved an item from the vehicle and forgot to re-lock it. As fate would have it, there was a rash of car thefts occurring in that particular area at that particular time, and the rest is history.
The moral of that story is clear: No matter how secure your network may be, it's only as secure as its weakest link. And people--meaning you and your employees--are often the weakest link. It's important to note that poor security puts your business, as well as your partners, at risk. As a result, many enterprises and organizations, such as credit-card companies, now specify and require minimum levels of security you must have in order to do business with them.
So what can you do? Here are nine ways to minimize the risks that people can pose to the security of your company's data:
- Password-protect your computers and mobile devices--particularly laptops. One basic step toward defending data is to require a password to launch Windows on a PC. It's not bullet-proof, but it's a start, and it's a particularly important first defense for portable computers.
Ideally, create a password that contains a mixture of characters and numbers and can't be easily identified with the primary user of a computer. For instance, the password 'Sam' on a computer belonging to an employee named Sam would be easily guessed. Instead, it's better to create a complex password mixing numerals and lower-case and capitalized letters, something that means something to you so you can remember it. Example: '2LgPepPz' would be a better password for Sam, particularly if he loves large pepperoni pizzas.
For the best protection, passwords should be changed every three months. Users shouldn't share the passwords they create with anyone (administrators can still log onto a password-protected PC to perform diagnostics, system administration and other tasks).
Another option is to use two-factor authentication. With a two-factor authentication system, you gain access to a computer using a password or PIN as well as an authenticator, a device (such as a smart card or USB device) that automatically changes your password every 60 seconds or so. Banks and other companies are increasingly moving toward two-factor authentication to prevent ID theft and other security risks.
- Don't store passwords in unprotected areas. The more complex a password is, the easier it is to forget and you may want to record it somewhere. But don't store your passwords in, say, a basic Word or Excel file or on a sticky note on your monitor. Instead, there are inexpensive software programs available that let you manage and secure multiple passwords.
- Consider laptops with biometric security. If you're in the market for a new laptop, consider one that comes equipped with a biometric fingerprint scanner. The scanner reads fingerprints and only allows access to files on the computer to a user with an authorized fingerprint.
- Encrypt confidential files. Another way to protect sensitive data is to encrypt the files containing that data. Encryption scrambles data so that only an authorized user can access it. You can encrypt files using built-in tools in Windows XP Professional (but not XP Home), though some third-party applications offer more--and sometimes stronger--encryption tools.
- Whenever possible, don't carry confidential data on a portable device or removable media. For maximum security, keep sensitive data off laptops, PDAs, BlackBerrys and other portable devices. As illustrated by the financial services firm example, if the device is lost or stolen, so is the sensitive data the device contains. If you must physically transport sensitive data, consider storing it only on an encypted flash-memory USB drive. Store the drive in your pocket and not in the laptop bag, so that you'll still have it if the laptop is stolen or lost.
- Lock your laptop when traveling. Like bicycle locks, laptop security cables (costing $20 and up) allow you to physically secure your portable computer to a post or other stationary object. Most current laptops have a standardized security slot, into which you insert a locking device, which in turn is attached to the cable. For example, if you're leaving a laptop in a hotel room that doesn't have a safe, you could insert the locking device into the portable PC's security slot, then wrap the cable around the narrow base of the bathroom sink. Portable laptop alarms are also available that emit a loud sound when your laptop is moved, which is helpful when waiting for the plane or other crowded area.
- Stay up to date. Keeping apprised of new tools and technologies can help you continue to bolster the security of your business's data. For instance, new software utilities allow you to remotely erase all data on a lost or stolen smartphone just by sending a text message to the phone. And in recent months, new laptop hard drives have become available that automatically encrypt all data.
- Be vigilant. Above all, you and your employees must stay on guard to protect sensitive data. To help keep everyone on their toes, post signs above shared printers and fax machines, reminding users not to leave sensitive documents lying around. Place paper shredders near recycling bins or other common areas and encourage employees to use them.
- Create and enforce a security plan. Last, but not least: Your business should have a detailed, written security plan for employees that includes specific policies and procedures--including many (if not all) of the steps listed above. If security procedures aren't in writing, it's far too easy for employees to use the "I didn't know" defense. And a security plan only works if it's enforced and kept up-to-date.
To devise a security plan, you may want to consult your trusted IT advisor. Also, your network vendor may provide online tools that can help you create a security plan. For example, Cisco Systems offers the Cisco Security Policy Builder, an online tool that can help you create a security policy tailored to your business's specific requirements. Based on your answers to questions posed online, the tool will create a customized security policy template as a Microsoft Word file and e-mail it to you.
The Alternatives? Lost Business, Lawsuits and More
Does all this sounds like a lot of trouble? Of course it does. But imagine what would happen to your business if all your customers' credit-card information was stolen--simply because an employee left a laptop containing that data in an unlocked car? At a minimum, you risk angering and losing customers.
Also, many small businesses, particularly those in financial and health-care services, must comply with regulations that mandate information security. One stolen laptop, and your business could be faced with heavy penalties due to non-compliance.
In short, better safe than sorry. So get on the phone with your trusted IT advisor and start creating your detailed security plan today. You'll sleep better tonight.
Peter Alexander is vice president of worldwide commercial marketing at Cisco Systems Inc., the leading supplier of networking equipment and network management for the internet.