Crafting a Technology Security Plan
Most small-business owners understand that complete, end-to-end network security is something they should have--but it's something they probably don't. And how can they? With security threats coming from a multitude of sources and no end in sight to the new attacks that are frequently launched on both networks and PCs, keeping up with all these threats and figuring out just what to do about them is challenging enough for big companies with dedicated IT staffs. For small businesses, it can be completely overwhelming.
The risks of not adequately securing your business network and PCs are huge, however. Remember: It's not just your data that's at risk of attack by viruses, spyware, hackers and others. Any customer data stored on your computers--including Social Security numbers, bank account information and confidential data, such as key sales and marketing data--is at risk as well.
Here are the facts, according to consumer product research organization Consumer Reports:
- During a recent 24-hour monitoring period, computer security software firm Symantec recorded 59 million attempts by hackers to gain unauthorized entry into business and home computers.
- One out of four computer users said they had experienced a major, costly problem due to a computer virus, according to a fall 2006 survey. The average cost per incident was $109. In addition, one out of every 115 people was the victim of a scam e-mail attack, which cost victims an average of $850 apiece.
- To combat viruses and spyware, American consumers spent at least $7.8 billion for computer repairs, parts, and replacement over the past two years.
Since security threats continue to evolve, business owners must not only continue to protect themselves from existing threats such as viruses, spyware and scam e-mails, but must also keep abreast of new threats and understand how hackers will be targeting computers in the future. So what will the newest threats be in 2007? Here are some trends to watch:
- More narrowly defined threats, or "targeted threats," are becoming common. These attacks tend to focus on sensitive information from a single company or individual rather than indiscriminately letting a worm loose to find victims randomly wherever it can. The "malware" capable of these attacks is being delivered to users in increasingly sophisticated ways, such as in e-mail attachments, embedded in video files or hyperlinks, and even through social engineering tactics that lure, fool or trick the user into taking what seems like a benign action that automatically installs the malware without user help.
- Malicious bots--short for robots, or software applications that run automated tasks over the internet--are expected to increase. Bots are sometimes used to create automated attacks on networks, such as denial-of-service (DoS) attacks.
- Rootkits are increasingly becoming a concern. A rootkit is a set of software tools whose purpose is to conceal processes, files or system data from a computer's operating system. Rootkits can enable hackers to maintain access to a computer system. Because they can burrow deeply, are capable of modifying parts of an operating system, and can go undetected, rootkits can be particularly challenging to remove.
- Zero-day attacks are also on the rise. A zero-day (also called zero hour) attack takes advantage of computer security holes for which no solution is yet available. They're called "zero day" because they attack between the time a security hole becomes known and the time when a patch to plug the hole is available. As a result, zero-day attacks can spread at an alarming rate.
- Identity theft will continue to be a growing concern. The FTC estimates that 10 million Americans are victims of identity fraud each year. Hackers who gain unauthorized access to computers are often in search of personal identity data they can exploit or sell.
Now that you've got some idea what you're up against, is there anything you can really do to protect your business? Absolutely. First, you need to develop a plan that addresses both education and technology. It's critical that you educate your users on what they can do to make sure they're not potentially compromising security (safe user habits for reading and acting upon e-mails can prevent many virus attacks). And make sure unauthorized users (for instance, family or friends) don't use your business's computers.
Next, develop a comprehensive technology plan to address all aspects of security. Talk to your trusted IT adviser. Make a complete list of the security you already have in place, with an eye toward sniffing out vulnerabilities. Develop a plan for complete, end-to-end network protection, and make sure there are steps in place to regularly update your security. Then revisit your plan several times a year to ensure it continues to meet your needs and addresses new security threats that continue to evolve.
Your plan should include the following security essentials:
- Antivirus protection. Every PC on your network should have antivirus protection. There are plenty of inexpensive, effective antivirus programs on the market for small and home offices.
- Antispyware protection. Spyware has become increasingly malicious, difficult to detect and difficult to remove. An antispyware program that frequently downloads updated definitions and monitors activity in the background is important, given the insidious nature of spyware.
- Firewall. A firewall is designed to block unauthorized access to computers and networks. Firewalls are available in hardware (as standalone network security devices or integrated into network routers) or as software. A software firewall is particularly important for laptop users who travel. Firewall software is usually included in internet security suites, which also offer antivirus, antispyware, and other tools. Some software firewalls are even available in free, basic versions.
- Virtual private network (VPN). A VPN creates a secure "tunnel" between a computer and an unsecured, public network, such as the internet. VPN technology offers an important layer of protection for your business's weakest security link--mobile users. VPN security can be integrated into some network devices, such as intelligent routers, and turned on or off as needed.
- Wireless security. If your business uses a wireless network, at a minimum, you should use a password, a WEP key or some other method to block unauthorized users from gaining access.
- Secure network hardware. Ideally, your company's network should be protected by routers with comprehensive, built-in security, including integrated firewall, VPN and an intrusion prevention system.
- Data protection. Implementing regular backup procedures is a simple way to safeguard critical business and customer data. Setting permissions and encryption will also help.
As I mentioned earlier, maintaining proper security throughout your network is a big job. If it feels overwhelming, consider hiring an IT person to handle the job. Or outsource network security to an independent contractor or managed service provider.
The bottom line is, would you like to be in charge of your computers, your network and your data--or would you rather leave that up to a hacker?