In the current network security climate, you should be concerned about the ability of your business to fend off and recover from an attempted hack or security breach.
Most business owners don’t know what steps are necessary to provide even a basic foundation for information security. Fortunately, whether you are a financial institution that is required to be PCI compliant or a small business that just wants to feel that its critical data is more secure, there are some simple principles you can follow to minimize your risk and protect your critical data.
Using the requirements for PCI compliance, there are 12 areas to protect, several of which apply to every business. Taking the following precautions will assist in building a strong frontline defense against attacks and data loss. However, these recommendations are not exhaustive, and you should consult with a certified security expert to assess your overall vulnerability.
A “firewall” separates your internal private network from the outside or public internet. Its job is to keep the bad guys out. Use a firewall device that offers real-time intrusion detection and prevention to identify threats, actively block them, and notify your IT support that the attack occurred. Most “off the shelf” routers or firewalls are not sophisticated enough to offer this service, but there are a number of inexpensive devices that can provide excellent protection.
Most people don’t think of the threats that can exist inside their own network. When a virus or other infection takes hold, it can open a connection from your computer to the outside world, creating a tunnel for malicious hackers to come in. Your firewall device will prevent this from happening. Part of this protection principle is to always have antivirus software installed that provides a software firewall on your computer as an added layer of defense against both inbound and outbound attacks. This antivirus should be updated at least daily and, ideally, should not allow removal without entering a password.
Set up a schedule to scan for wireless access points at least twice per year, looking for access points that broadcast your network name but don’t belong to you. This is a common hacker trick: users are lured into logging in to a fake access point and give away their passwords in the process.
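One way to turn that scan into a repeatable check is to compare every access point broadcasting one of your network names against an inventory of the radios you actually own, and flag any unknown BSSID. The script below is an added example, not part of the original post; the inventory, the CSV scan format and all addresses in it are constructed for illustration.

```python
"""Rogue access point check: flag APs that advertise one of our SSIDs but
whose BSSID (radio MAC address) is not in the inventory of radios we own."""
import csv
import io

# Constructed inventory: SSID -> set of BSSIDs we actually own.
KNOWN_APS = {
    "ExampleCorp": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "ExampleCorp-Guest": {"aa:bb:cc:00:00:03"},
}

# Constructed scan result (as exported from a wireless scan tool into CSV).
SCAN_CSV = """ssid,bssid,channel,signal_dbm
ExampleCorp,AA:BB:CC:00:00:01,6,-45
ExampleCorp,AA:BB:CC:00:00:02,11,-60
ExampleCorp,DE:AD:BE:EF:12:34,6,-38
ExampleCorp-Guest,aa:bb:cc:00:00:03,1,-55
examplecorp,DE:AD:BE:EF:56:78,1,-70
NeighborNet,11:22:33:44:55:66,6,-80
"""

def parse_scan(text):
    """Parse the CSV scan into dicts, normalising the BSSID to lowercase."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ssid": r["ssid"].strip(),
            "bssid": r["bssid"].strip().lower(),
            "channel": int(r["channel"]),
            "signal_dbm": int(r["signal_dbm"]),
        })
    return rows

def find_rogue_aps(scan_rows, known=KNOWN_APS):
    """Return scan entries that use one of our SSIDs (compared
    case-insensitively, since look-alike names often differ only in case)
    but come from a BSSID we do not own. Neighbouring networks are ignored."""
    known_by_lower = {ssid.lower(): bssids for ssid, bssids in known.items()}
    rogues = []
    for row in scan_rows:
        owned = known_by_lower.get(row["ssid"].lower())
        if owned is not None and row["bssid"] not in owned:
            rogues.append(row)
    # Strongest signal first: the closest impostor is the most urgent to find.
    return sorted(rogues, key=lambda r: r["signal_dbm"], reverse=True)

if __name__ == "__main__":
    for ap in find_rogue_aps(parse_scan(SCAN_CSV)):
        print(f"ROGUE {ap['ssid']!r} from {ap['bssid']} "
              f"channel {ap['channel']} at {ap['signal_dbm']} dBm")
```

Run it against each scheduled scan; any line it prints is an access point to physically locate and investigate.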
Keep areas where network equipment is stored behind lock and key.
In our experience, the password is always the weakest link in the security chain. No matter how good your security is, if you use a weak password for your network resources, you will get hacked.
Hackers aren’t the only threat to small businesses. Viruses that destroy data are on the rise, and catastrophic data loss can put businesses under faster than any other business disaster.
To protect against data loss, have at least 3 levels of redundancy for your data.
Level 1 – Critical data should be on a RAID array. This is an array of storage disks that act as one volume, so if a drive goes out, the data stays safe and the bad drive can be replaced.
Level 2 – Local physical backups to an external drive or backup server. Have at least 2 drives and rotate them on a schedule so that 1 drive is always away from your location while the other is used for backups.
Level 3 – Cloud based backups for your most critical data.
If your data is important, you should protect it from theft. What would happen if the computer or drive on which your most sensitive information is stored was physically stolen and used to target your customers?
Encryption prevents that by ensuring that even if the storage drive is removed and placed in another computer, the data cannot be read. A password or encryption key would be required to access the data.
Most operating systems include methods for encrypting critical data, so encryption is usually free and can be done easily.
Follow these principles and you will be well on your way to protecting your business from threats and data loss.