There seems to be a shared sense of confidence by small and mid-sized businesses that their organization won't ever face a critical security breach. If I had a dime for every SMB owner or decision maker who dismissed potential security threats, I'd be able to buy a yacht. The truth is there's no safe haven when it comes to security, and no organization is safe; not the largest retailers, the smallest mom and pop distributors, or any size organization in between.
Verizon Business performed a study in 2010 of the amount and severity of data breaches and found alarming statistics. The Data Breach Report showed that there were 760 intrusions in 2010, compared to just 141 in 2009 (Baker, et al., 2010). Ironically, the amount of data affected or otherwise compromised was lower than in previous years, but at the end of the day, what impact would just one security incident have on your business? It could be something relatively minor such as some hooligan desecrating your website, or it could be a serious incursion into your sales records, customer payment information, and/or intellectual property. What would that type of breach cost your business? Only you know the answer to that.
In general, network security can be categorized as either physical or virtual. One of the best security documents I have ever seen was written by Richard Kissel for the National Institute of Standards and Technology, a division of the US Department of Commerce. In it, Kissel described essential considerations for every small and mid-sized business regardless of industry or specialization. According to Kissel, the main areas to note are “‘absolutely necessary’ steps to take, highly recommended practices to avoid problems before they happen, and other optional planning contingencies in case of an issue.” (Kissel, 2009) Most of these three sections are further divided into the two distinctions previously mentioned, physical and virtual.
Physical security is fairly straightforward to address. Essentially, it encompasses the mitigation of any direct attempt to access facilities and/or assets by a person or group. Measures to consider include the obvious locked doors, security cameras, security guards, etc., but potential areas of compromise also include some that are not so obvious. Not making sure that non-employee personnel are on the up-and-up can be a huge oversight. Maybe someone on the cleaning crew has light fingers, or enough technical know-how to penetrate your network. This is the perfect application for an IP camera. There are some all-purpose units like the APC NetBotz product line that combines environmental and intrusion monitoring with IP cameras to collect data for a defined period of time. Email alerts are available for staff or other designees who can then act on the information provided.
There are instances where physical and virtual elements of network security merge, and a great example of this is a token-based solution. The user has a key “fob” or other physical device that generates a random passcode as needed, which serves as the sign-on for access to the internal network. If lost, the device cannot be accessed without proper credentials, and an IT staffer can wipe it remotely of all information. Some of these solutions, including offerings from RSA, place a software widget on employee endpoints to perform the same function. These token-based solutions can be very expensive, which is often a stopping point for most SMB organizations. However, for those who are extraordinarily sensitive to the potential of a breach, it could be money well spent.
You've locked your doors, trained your personnel, and added purpose-built IP “eyes” to keep watch. So now you can address outside threats, but where do you start? Most networks in the modern world are protected by a firewall. The term “firewall” originates from the firefighting community, and in that world, a firewall is a barrier established to prevent the spread of fire. In a way, this is the basic function of a network firewall, as the goal is to keep out anything that can damage your infrastructure. SearchSecurity.com's broad definition of a firewall is “a set of related programs, located at a network gateway server that protects the resources of a private network from users from other networks.” (SearchSecurity.com, 2000) Did you notice that this definition didn't specify hardware or software? That's because it doesn't have to! Typically an SMB network might include an appliance such as those built by Cisco, SonicWALL, or Barracuda. However, there's no reason a network firewall can't be software, as mentioned in the definition above, located on the network router or the main server. A good example of this is the firewall services built into the operating system of the Cisco router line.
Other applications that function within the firewall sphere include anti-virus/anti-malware, content filtering, and intrusion prevention. The first is a way to mitigate the infiltration of viruses, spyware, and the like through email or other “friendly” traffic. Content filtering prevents employees and other users from surfing websites that are not business-related, that can pose potential risks, or are inappropriate in subject matter. Intrusion prevention is designed to fend off attacks from hackers and automated groups of networks or PCs looking to exploit any network flaw or unprotected opening.
While the firewall is the most common application for security-conscious organizations, it shouldn't be the only measure taken to keep the infrastructure safe. It's important to secure other entry points like wireless networks, user PCs, and laptops. Wireless networks should have an enhanced security protocol for access such as WPA (Wi-Fi Protected Access) or WEP (Wired Equivalent Privacy). In many cases, if the attacker has to work to break in they will likely move on to an easier target. Individual users with laptops can inadvertently bring bad things inside your firewall. Maybe some casual home surfing deposits malware that's not seen because it's outside the network borders. It's imperative that when the machine is reconnected, potential threats are scanned and quarantined before they can propagate through the network.
Some security risks are borne out of user behavior which suggests the need for best-practice policies to be in place regardless of investments in hardware and software. These include, but are not limited to:
• Requiring users to change passwords every 30 to 60 days
• Requiring passwords to contain uppercase letters, lowercase letters, at least one number, and at least one special character
• Limiting access to various areas of the network dependent on user types and job function
Since training is imperative, users should be required to sign off on receipt of these guidelines as well as an agreement to abide by them.
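The password rules listed above are the kind of thing that should be enforced by a script, not a memo. The following is an added example (not from the article) that checks a candidate password against exactly the stated character-class requirements and flags accounts whose password is older than the policy allows; the 60-day limit is an assumption taken from the upper end of the 30 to 60 day range, and the sample dates are constructed.

```python
import re
from datetime import date, timedelta

# Assumption for this example: enforce the upper end of the stated 30-60 day range.
MAX_PASSWORD_AGE_DAYS = 60

# One entry per requirement in the guidelines. A "special character" is taken
# to mean anything that is not a letter or a digit.
COMPLEXITY_RULES = [
    ("at least one uppercase letter", re.compile(r"[A-Z]")),
    ("at least one lowercase letter", re.compile(r"[a-z]")),
    ("at least one number", re.compile(r"[0-9]")),
    ("at least one special character", re.compile(r"[^A-Za-z0-9]")),
]


def complexity_violations(password: str) -> list:
    """Return the description of every requirement the password fails
    (empty list means the password satisfies the policy)."""
    return [desc for desc, pattern in COMPLEXITY_RULES if not pattern.search(password)]


def rotation_overdue(last_changed_iso: str, today_iso: str,
                     max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> bool:
    """True when the password was last changed more than max_age_days ago.
    Dates are ISO strings (YYYY-MM-DD) as an account database might export them."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=max_age_days)


def check_account(password: str, last_changed_iso: str, today_iso: str) -> dict:
    """Combine both checks into one report an admin script could log or act on."""
    violations = complexity_violations(password)
    overdue = rotation_overdue(last_changed_iso, today_iso)
    return {
        "compliant": not violations and not overdue,
        "complexity_violations": violations,
        "rotation_overdue": overdue,
    }


if __name__ == "__main__":
    # Constructed sample: a weak password last changed well over 60 days ago.
    print(check_account("password", "2024-01-01", "2024-03-15"))
```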
Having physical and virtual security isn't enough. Routine maintenance on these devices and software is critical to keeping them safe. The first step is to make sure all patches and firmware are up-to-date on network endpoints and core devices. Secondly, your maintenance program should include verified, usable backups of all critical data, and there are a variety of different methods, from old tape drives, to newer external hard drives, to seamless remote electronic backup solutions.
The choice of backup solution has everything to do with budget and tolerance for downtime. For most, having data automatically encrypted and routed offsite to a secure location gives the best peace of mind and a valid disaster recovery platform to mitigate the loss should a situation occur.
There have been documented instances of information loss due to poor practices in disposing of documents and old hardware. I think back to a scene in the movie Animal House when several members of Delta fraternity were rooting through a dumpster to find a copy of their midterm test. Don't fool yourself into thinking that there aren't individuals or organizations that would take such steps. Law enforcement has cracked open near-dead cases based on evidence obtained from trash receptacles and landfills. Once it's out for collection, trash becomes public property and anyone has access to it. Fully shredding organizational documents, not just financial documents, is vital. This rule doesn't just pertain to paper; it includes hard drives, data collection, or any network device that stores data. Remember, properly destroyed data should always be accompanied by a certificate of destruction. If your organization is required to maintain governmental compliance, such as HIPAA or Sarbanes-Oxley, taking these precautions may not be an option but a requirement.
One other thing, which is somewhat related to training, is the awareness of the impact of “social engineering.” SearchSecurity.com defines this concept as “a personal or electronic attempt to obtain unauthorized information or access to systems/facilities or sensitive areas by manipulating people.” We've all seen phishing scams claiming we've won the lottery in a foreign country, or that our cousin is stranded somewhere and needs money wired immediately. The same kinds of scams can be targeted at a business using a sympathetic ear on the phone to gain access, or a tear-jerking email to get an unsuspecting employee to click a link to help stray animals. Once again, education and training will eliminate such breaches.
The bottom line is there's a world of bad things out there that are looking for a chance to make an impact. Not heeding the warnings could be costly, as nearly 50% of small businesses fail within two years of a total or catastrophic data loss or event. So security should be priority one in making sure your organization is on the right track. Don't let your guard down; stay vigilant, and the resulting peace of mind will be irreplaceable.