GRAND RAPIDS – All businesses have some sort of security in place for their facilities, even if it's just locked doors. But many small businesses leaping onto the Internet's World Wide Web to expand their sales don't have the proper – in some cases any – security in place to keep out hackers, viruses, worms, and other malicious software code.
What can businesses do to keep their computer networks safe? What steps can a business take on a daily, weekly, monthly and even yearly basis to keep its network up-to-date and secure? And, if the worst happens, how can a business recover from a disaster, whether it's an act of God or a hacker attack?
"The No. 1 thing any person can do is make sure their systems are patched," said Adam Schrock, CISSP, Chief Security Officer for Secure Crossing in Ferndale. "Patching is the easiest and fastest way to make sure you're secure."
That's particularly true for any business that uses Microsoft's Internet Explorer to browse the Web. Internet Explorer uses a scripting language that makes it easy to write attacks on IE using software called ActiveX. The dreaded spyware – which can capture all the keystrokes you make and keep track of every web site you visit – capitalizes on this vulnerability.
Microsoft, the world's largest software developer, is also the world's largest hacker target. A competing browser, called Mozilla Firefox, doesn't have the ActiveX flaw, Schrock said. Mozilla uses IEEE standards instead. The downside is some Microsoft sites won't work on Mozilla. So you still may have to keep Internet Explorer on your desktop for emergency situations. Just make sure you stay up to speed on patches, which tend to come weekly from Microsoft.
The next step is to have a firewall in place. A firewall does just what it sounds like – it keeps those high intensity hacker attacks from getting into your computer system. There are a lot of options here as well.
"If someone is running Microsoft XP (the latest generation operating system for Microsoft PCs), make sure the personal firewall in XP is turned on at the desktop." Schrock also recommends buying another firewall product – supplied by security software companies like Symantec, Checkpoint, and Cisco – to protect your gateway to the Internet: your Internet connection.
"What I recommend is layered security," Schrock said.
Establishing a strong perimeter is what Raj Patel, Manager of the Technology Consultants and Solutions Practice at Plante & Moran in Southfield, also recommends.
"You need to have a strong firewall in place to keep the bad out and the good in," Patel said. "Once you build a strong perimeter, the second step is monitoring for unusual activity and who is accessing your systems. The monitoring also could include the availability and performance of your computer systems. Another section is monitoring the new viruses and updates and staying on top of those."
The third step in Patel's security checklist is educating your users on security awareness. That includes strong password policies, not the least of which is to tell your employees not to ever reveal their passwords to other employees.
Patel also recommends that once a year an independent agent perform a penetration audit to see if they can break into your computer system, just like hackers attempt to do.
One of those agents is Pioneer Technology Services in Howell, which uses supercomputers to perform penetration audits, throwing some 10,000 known hacker attack combinations at your firewall to see where the holes are.
Another aspect of your security plan should be a contract with the outsource contractor or security consultant that's implementing your security strategy.
"A good legally binding confidentiality agreement should lay down your expectations on security," Patel said. "The contractor has to build a secure network and can't just walk away from the project when it's done. When they sign the contract, they should have a paragraph on security that says the consultant will not misuse the company's information assets and only access the company's network when requested to do so by the company. They also should turn their access off when not working on your system. The easiest way a company can block access is to change the consultant's password or disable the user ID."
But good security measures also include training your staff so they understand your security controls and processes, said Nan Polious, Director of Walsh College's Information Assurance Center, a federally sanctioned security training program.
"Your employees need to know what's allowed and not allowed on your network," Polious said. "You wouldn't allow downloading of unapproved software. You wouldn't let them download unapproved utilities. You wouldn't let them download an unapproved instant messaging software, AOL or MSN. Also be careful when they're working from home what they're downloading to their home computers. It can infect your office systems."
A simple security measure any business can take is teaching employees to use strong passwords. Those should be six to eight characters. They should include a mix of numbers, letters and special characters, like an ampersand. Administrative passwords should be even more robust, she said.
"If too many people know your administration password, and someone does a naughty on your system, you can't tie that user ID to one person," Polious said. "This is particularly important in a family business, where everyone is trusting of everyone else. If everything is open, you have no protection. You want defense in depth. You want to put up as many hurdles as possible to keep those on the outside away from your critical assets."




