NFIB GUIDE TO NETWORK PROTECTION
Securing Your IT Infrastructure

1. Covering Your Bases
2. Finding the Secret Passageways
3. Be the Person With the Plan
4. How Much Is Enough?
5. Conclusion
Dear NFIB Member:

As a small business owner, you’ve long known the importance of securing your business from physical
risks like inventory theft and vandalism. Now, it’s a necessity that you secure your business both
physically and electronically.

Today, every business owner needs to be smart about network security. Just one data breach can cause
lasting damage to your business; customers and clients who question the security of their information
with your business will go elsewhere. Equally important, when you consider your assets, it’s critical that
you think of the data your business uses every day—including lists, records, accounting, inventory data
and more.

As it becomes increasingly essential for businesses to be “wired,” almost everyone needs to understand
the basics of network security. It’s easy when you know where to start. This guide was written to help
you understand the risks and what you can do to tighten your security.

With the NFIB Guide to Network Protection, you’ll learn the four most important components of any
information security protection plan, how to find your business’ specific vulnerabilities and how to
chart a plan to secure your business.

In the process of securing your network, you might wonder, how much is enough? When do the costs
outweigh the benefits? This guide will help you determine the right answers for your business, and
provide you with simple steps to get you started lowering your risk level today.

You’re committed to keeping your business and data safe, but unfortunately, accidents and breaches
can happen. In the case of network security, it’s smart to take action to protect your business before
there’s a problem.

Helping your business stay secure in an ever-changing business environment…the NFIB Guide to
Network Protection—Securing Your IT Infrastructure is just another way we’re working to help you
own, operate and grow your business.


Todd A. Stottlemyer
NFIB President and CEO
Welcome to another edition of NFIB’s Small Business Guide series. The NFIB Guide to Network Protection—Securing Your IT Infrastructure provides practical solutions to the challenges you and other small business owners face every day.

Prepared by experts to help you develop a plan to secure your business, this guide provides you with steps to begin protecting your data and technology systems today.

The National Federation of Independent Business is the leading small business association representing the consensus views of its members in Washington and all 50 states. NFIB’s mission is to promote and protect the right of our members to own, operate and grow their businesses. NFIB gives members access to many discounted business products and services and provides timely information designed to help small businesses

Dell was founded in 1984 by Michael Dell on a simple concept: By selling computers directly to customers, we could understand their needs and efficiently provide effective computing solutions better than our competition. This is especially true now. Dell has specially trained small business sales reps that can help you determine the best technology solution to meet your business’s needs, whether it is how to manage your point of sale data, to wireless security, to which software you need to design your next big product, to how to set up your first server network. Dell focuses on what you need so you get only what you want.

In 2003, NFIB partnered with Dell to provide computers, printers, servers, monitors and point-of-sale solutions at a discount to NFIB members—that was just the beginning. Five years later, Dell’s commitment to NFIB is stronger than ever, branching out to support members in numerous ways.

Dell is excited to bring you a series of NFIB Small Business Technology Guides, focusing on up-to-date information addressing technology issues and solutions for small business. Whether you need to purchase a new computer, printer, or software, or just need some helpful technological information, look to NFIB and Dell to provide you with the perfect small business solution.

CONTENTS
      Feeling Safe and Secure ............................ 2
one   Covering Your Bases ................................ 3
two   Finding the Secret Passageways ..................... 6
three Be the Person With the Plan ........................ 7
four  How Much Is Enough? ................................ 9
five  Conclusion ........................................ 10

www.NFIB.com | NFIB GUIDE TO NETWORK PROTECTION   1

FEELING SAFE AND SECURE

As a small business owner, you may not realize how important security is to the growth and success of your company. Need convincing? Read on.

WHEN YOU THINK ABOUT BUSINESS SECURITY, what’s the first thing that comes to mind? Someone sneaking into your office in the dark of night making off with your servers? Or is it user and computer security—the need to lock down your electronic data in a way that you know will keep it safe from external sources, such as hackers and opportunists, as well as internal ones—employees, partners, and customers who interact with your network and storage solutions on a daily basis? In reality, business security is a combination of anticipating potential problems—both physical and electronic—and proactively protecting your business against both.

Gary Anderson, the chief financial officer of Go Kahuna LLC, knows this firsthand. Anderson, who is one of the five staffers at the Baton Rouge, La.-based company that helps contractors verify licensing and insurance of construction subcontractors, probably would have lost everything when Hurricane Katrina came through in 2005. However, since the company—knowing how important its data and software are—protected itself via off-site backup and smart security procedures, it had everything back up and running the day after the hurricane hit.

“Your technology and data are your business,” he says. “You lose either, and you’ve lost your business. Sure, you might be able to recover some of what you’ve lost, but it’s going to be a long, hard, painful and expensive process.”

Indeed, data breaches cost businesses an average of $197 per customer record in 2007, a more than eight percent year-over-year increase, according to a study from the Ponemon Institute. This leads to customer dissatisfaction as well as customer churn to the tune of $6.3 million. The scariest part: In more than 40 percent of cases, data breaches were perpetrated by third-party organizations such as outsourcers, contractors, consultants and business partners, according to respondents. In addition, according to an April 2007 study by research firm Datamonitor, more than 33 percent of all companies say that a major security breach could put them out of business permanently. Of those respondents, more than 60 percent reported some type of data breach over the past year.

Physical property loss is another huge issue for business owners, according to a separate Ponemon Institute study, which found that 39 percent of all employees surveyed said they have lost a cellular phone, USB memory stick, zip drive, or laptop computer that contained confidential business information. And according to the FBI, a laptop computer is stolen every 53 seconds. The majority—97 percent—of stolen laptops are never recovered. While the hardware may not be all that expensive to replace, your data and customer information are invaluable.

So how can you protect yourself both in and out of the office? Here’s everything you need to know to make sure your hardware, software, network and data are locked down and will stay that way no matter where you or your employees roam.


one
COVERING YOUR BASES

Protecting all your IT and digital assets can be easy—if you know where to start.

TODAY, WHEN YOU DRIVE DOWN THE ROAD in your car, you’re much safer than you would have been 30 years ago. Back then, you may have worn a simple lap seatbelt to help you stay alive in a crash. Now, there are multiple layers of protection that keep drivers safe, including lap and shoulder belts, front airbags, side curtain airbags, reinforced vehicle frames, and a plethora of ever-expanding electronic and computer systems to help you avoid a crash in the first place. This strategy—implementing multiple layers of proactive and reactive protection—isn’t just good for drivers. In fact, it’s a smart strategy for everyone looking to keep their business on the right track.

There are four key components to any information security protection plan: physical security, end-user security, system security and network security. Each is a building block. Combined, the four elements protect what is the very lifeblood of your livelihood.

“When small businesses think about their assets, they need to think about what’s most critical to them, and what they would be lost without,” explains Lori C. Adamo, president of Code Red Business Continuity Services. “There’s so much data out there that you probably can’t live without—employee lists and records, supplier information, vendor information, accounting and inventory data, prospect lists. You’ve got to put steps into place to protect all of the above and then some.”

The best way to go about doing this is to tackle all four components, making sure you’re doing everything in your power to safeguard each.

COMPONENT 1: Physical Security

Woodard Insurance LLP resides on the top floor of a Fort Worth, Texas, six-story office building. The company has 15 employees. Two of the 15 have been victims of theft. On two separate occasions, thieves walked into the Woodard Insurance offices and picked up valuables. No one saw them do it; the items were never recovered. After the second time, Black Woodard, a partner in the company, installed security cameras in the front lobby that can be viewed from any PC in the office as well as remotely from anywhere in the world.

The physical safety of your infrastructure—including laptops, desktop computers, PDAs, smart phones, portable storage devices or other storage media—is important not just because of what a loss means in terms of replacement costs, but because the data that’s contained on those devices is practically invaluable. A lost customer record could mean thousands of dollars in future sales losses. A breached customer record—one that falls into the hands of the wrong person—could translate into a lawsuit or regulatory fines, not to mention bad press that often accompanies such news reports.

This is why you need to implement a physical protection plan for all of your company’s IT assets, whether they are located in your offices or are mobile. This may consist of products, like security cameras, secure server rooms and cable locks; preventative processes, including maintaining up-to-date employee regulations that educate about the possibilities of theft; and asset tagging.

Setting Up E-mail and Internet Security Practices and Policies

1. Enforce a strong password policy that restricts employees from using easily guessed passwords such as names, spouse’s names, a pet’s name or passwords with less than five characters or all the same letters. Also, ask employees to create passwords that combine longer strings of mixed-case characters with non-alphabetic characters.

2. Establish guidelines for employees on personal use. Are they allowed to use e-mail or company Internet access for personal reasons? Even better: Define what constitutes appropriate business communication.

3. Disclose whether or not you plan to monitor work e-mail, especially if you’ve established a No Personal E-mail policy.
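The password rules in item 1 of the sidebar, turned into a policy checker as an added example (not code from the guide, NFIB or Dell). The five-character floor is the guide's own number; the sample name list and the 12-character recommendation are assumptions made here.

```python
import re

# Rules taken from item 1 of the guide's sidebar; numbers the guide does not give are assumptions.
MIN_LENGTH = 5             # guide: passwords "with less than five characters" are out
RECOMMENDED_LENGTH = 12    # assumption: what "longer strings" means for this policy

# Constructed sample denylist. A real one would hold the employee, spouse and pet names
# the business actually knows about (the guide's "easily guessed" category).
KNOWN_NAMES = ("gary", "anderson", "kahuna", "rex")


def guessable_name(password: str, names=KNOWN_NAMES):
    """Return the first known name that appears inside the password, else None.

    Substring matching deliberately catches 'Rex2008' and 'myRex' too: tacking
    digits onto a pet's name is exactly the habit the policy is meant to stop.
    """
    lowered = password.lower()
    for name in names:
        if len(name) >= 3 and name in lowered:   # skip 2-letter names to limit false hits
            return name
    return None


def evaluate(password: str) -> dict:
    """Apply the guide's password policy.

    'violations' are the hard rules (a password with any of them is rejected);
    'advice' are the "also ask employees to ..." recommendations from the same item.
    """
    violations, advice = [], []

    if len(password) < MIN_LENGTH:
        violations.append(f"fewer than {MIN_LENGTH} characters")
    if password and len(set(password.lower())) == 1:
        violations.append("all the same character")
    name = guessable_name(password)
    if name:
        violations.append(f"contains an easily guessed name: {name}")

    if len(password) < RECOMMENDED_LENGTH:
        advice.append(f"use {RECOMMENDED_LENGTH}+ characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        advice.append("mix upper- and lower-case letters")
    if not re.search(r"[^A-Za-z]", password):
        advice.append("add digits or punctuation")

    return {"accepted": not violations, "violations": violations, "advice": advice}


if __name__ == "__main__":
    # Constructed sample inputs: the choices the guide warns against, plus one that passes.
    for candidate in ("rex", "AAAAA", "Kahuna2008", "fishing", "Tr0ut-Season!Bayou"):
        result = evaluate(candidate)
        verdict = "accepted" if result["accepted"] else "rejected"
        print(f"{candidate!r}: {verdict}; {result['violations'] or result['advice']}")
```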



A physical protection plan can also include software that encrypts all your data, so even if you do have a loss, you’re not at risk. Recovery services such as Computrace® Complete from Absolute Software that are designed to protect your PCs and the data they contain from theft and unauthorized access are another smart option. Products like those offered by Computrace also can help you remotely track PC configurations and usage.

COMPONENT 2: User Security

You wouldn’t hand the keys to your car to just anyone, but more often than not, small business owners put the wrong people in the driver’s seat of their companies by giving too many people access to files and information. Access to company data—especially sensitive information such as customer, financial and employee records—should be given on a need-to-know basis only. Data should be encrypted and password-protected so only authorized users can access such files. Another important step: setting limits as to which files can be copied and which should remain read-only. The best method to ensure all of the above is to implement user authentication, password, and encryption technology.

You can do this by looking for systems that support BIOS-level passwords that require authentication before the operating system loads. BIOS is short for basic input/output system and is built-in computer software that controls vital hardware functions of a PC (such as disk drives, the keyboard, monitor, printer, and other communication ports). BIOS-level passwords, as well as Smart Card technology, restrict and grant access to your systems.

Also remember to enable encryption software and educate employees, partners and customers about why it should be used and what rights they have within your infrastructure. For example, allowing employees to copy sensitive files and e-mail them to a home computer puts your company at risk. Likewise, accepting unencrypted contracts or documents from partners or customers exposes their business information—and yours—to potential hacking.

Basics of Encryption and Authentication

Encryption and authentication work hand in hand. Encryption helps protect the data at rest (when the user is not logged on). Authentication ensures that only authorized users are able to work on a particular notebook or desktop.

TWO TYPES OF ENCRYPTION
Basic file/folder encryption—The user determines who has access to the files/folders. Those without access will not be able to open and/or read the file or folder.
Full Disk and intelligent file/folder encryption—The encryption decision is taken entirely out of the user’s hands. Full Disk is more comprehensive and encrypts the entire disk, including operating systems and files. Intelligent file/folder encryption allows the IT manager to pick the applications and/or file extensions to encrypt.

THREE CATEGORIES OF AUTHENTICATION
Something you have—i.e., a SmartCard or USB key
Something you know—i.e., a password
Something you are—i.e., a fingerprint scan

To learn more about how to protect your sensitive business information, visit Dell Small Business 360 on [link omitted]

COMPONENT 3: System Security

If you have 10 employees, you also have 10 open windows into your business and data—their individual PCs, which are a common entry point for viruses, malware, spyware, and worms. And while it might seem like we’ve always been at risk for these types of infections, the risk today is even greater as businesses encourage and enable remote access, opening up the network and servers to those intruders who take advantage of employees using wireless networks at home or on the go. This is why, now more than ever, installing security software and making sure it’s updated automatically and frequently is imperative.

It’s also why you should make sure that anyone accessing a wireless network—especially those in public spaces such as airports or libraries—is using encryption and a virtual private network when connecting to your office network. Employees who don’t use a VPN are exposing their data, making it hackable and viewable by anyone else on that wireless network. And before you dismiss the threat, consider this: A recent Symantec Corp. report stated that there are more than 1.1 million malware code threats in the world today, with 499,811 of them discovered in the second half of 2007 alone. Meanwhile, of the more than 54,000 unique applications deployed on Windows-based PCs during the first half of 2008, 65 percent were malicious.


COMPONENT 4: Network Security

You couldn’t function without your network, but the mere fact that you have one opens you up to security risks. Once someone breaks into your network, they can see, download or erase any data that touches it. There are precautions you can take to keep your network safe and secure, however. Here are some of the most common, all of which you should consider installing.

• Firewalls: Think of a firewall as an impermeable shield around your company’s network that keeps intruders out by scanning network traffic going in and out, and blocking anything that’s not approved ahead of time. Firewalls, which come in both software and hardware versions, can also set up virtual private networks between two locations to encrypt traffic. Finally, some firewalls can function as unified threat management (UTM) devices, which provide intrusion detection, content filtering and antivirus capabilities.

• VPN Protection: A virtual private network is a cost-effective solution to connect securely to and from a business network from remote locations or to and from business-to-business locations over the Internet. In fact, they are extremely useful when you’re using a shared or public network such as the Internet. Most VPNs today use tunneling protocols to create a private network using special encryption keys that can only be decrypted by the recipient points.

• Encryption: If you’ve ever used a secret decoder ring, you’ve used encryption. Today’s technology encryption works similarly, matching code with a key to unlock it. Network encryption is often built into an operating system or hardware appliance. Your best bet: products that provide hardware support for WPA2, a sophisticated encryption protocol, which is part of the 802.11 industry standard for wireless networks.

• Cisco Compatible Extensions Program: Because the vast majority of wireless networks come in touch with Cisco Systems technologies, small businesses should consider using wireless equipment built under the Cisco Compatible Extensions Program, which is designed to ensure that wireless solutions deliver tested and certified compatibility with the latest Cisco wireless infrastructure hardware and security technology.

SECURITY CHECKLIST

Walk around your business. Look and ask questions. Your security depends on the answers to the following questions.

SECURITY BASICS
Do your employees follow a company e-mail and Internet security policy?
Does your company use strong passwords?
Do you use anti-spam software to reduce the cost and inconvenience of unsolicited e-mail to your business?

PROTECT YOUR HARDWARE
Do you use cable locks to protect your company’s laptop computers against theft or loss?
Do you use chassis locks to prevent tampering or removal of hard drives from desktop computers?
Is McAfee® VirusScan® or Norton AntiVirus™ or other anti-virus software installed on ALL of your computers?
Is your anti-virus software updated regularly with the latest virus definitions?
Do you have a reliable back-up system?
Are ALL of your company’s computers regularly updated with the latest operating system and software security patches?
Does your company use smart cards to protect sensitive data?

PROTECT YOUR NETWORK
Does your company run a client-server network rather than a simple peer-to-peer network?
Do you have a hardware firewall for your company’s network?
Does your company network use secure switches and routers rather than simple hubs?
Do the computers on your company network use high-quality, secure Network Interface Cards (NICs)?
Does your company provide external access to its network? If so, do you use a virtual private network (VPN) for maximum security?
Does your company operate a wireless network or use handheld computing devices? If so, do they use the latest generation of security features to protect your sensitive business data?

If you answered “no” to any of these questions, visit [link omitted] for recommendations on how to make your data more secure.
two
FINDING THE SECRET PASSAGEWAYS

You can’t prevent intrusion unless you know where people can get in. Read more about how you can find your company’s most common vulnerabilities.

MAURICE LE BLANC, PRESIDENT OF YOGI BEAR’S JELLYSTONE PARK, a high-end campground based in Robert, La., has a plan in place that includes backing up all of his servers and data once daily. For business continuity reasons, backups are done remotely to an off-site data center—the company wants to be able to get at its data in the event of a natural disaster such as a fire or flood—but this also helps keep the campground offices secure.

Simply put, data that’s backed up remotely isn’t hanging around the office on tape or disk, which means there’s less of an opportunity for someone to steal or destroy it. Not every business owner thinks this way, though. They don’t look at the big picture and see the unfortunate reality: There are plenty of opportunities and vulnerabilities that must be mitigated. “Focusing on controlling the flow of data, where it resides, and who and what has access to endpoints and backups is absolutely crucial,” agrees Nick Selby, re-

Wireless Alphabet Soup

Experts say that wireless network users should make sure they are also using Wi-Fi Protected Access (WPA) security technology to protect their network. In fact, some experts say WPA—as opposed to Wired Equivalent Privacy (WEP)—is the only way to go. So what does this mean to you? Both security standards use encryption and keys to protect data and network traffic. Your data is encrypted before it’s transmitted, and can’t be decrypted without the correct “key.” (Sort of like the decoder rings you may have used as a child.) However, one of the problems with WEP is that it uses the same encryption key for every packet that’s transmitted over a wireless network. This makes it easy for someone to capture or “sniff” your data packets and figure out the correct key. WPA, on the other hand, constantly changes the keys as it encrypts data, making it much more difficult to crack the code that’s protecting your traffic.

Help for Hire

Computer hardware and software have evolved to the point that—with the help of wizards and interactive tutorials—small business owners may be able to install almost any product on their own. There are exceptions, however, especially when it comes to security products and services. One of the most important considerations should be the size of your current IT support team. If you don’t have anyone on staff
      search director with Boston-based 451 Group’s Enterprise Security Practice.                       or have someone who’s already stretched to
                                                                                                        the limit, it can be worth it to hire a value-
         For example, you already know that your servers and PCs are entryways to your data,
                                                                                                        added reseller (VAR), who can come in,
      but there are plenty of other endpoint devices you need to think about. Handhelds, which          assess your current IT infrastructure, and
      are easily left in a cab, on a plane, or at a restaurant, often hold customer information         make recommendations about what’s lack-
      and e-mails. Backup media such as tapes, discs, or removable drives, as Le Blanc notes,           ing. You can also hire them for 24/7
      are also easy targets. Another often-forgotten data source is office equipment, including         support and feel confident that if some-
                                                                                                        thing happens at 5 p.m. on July 3, they’ll
      printers and copiers. Both often come standard with their own internal storage that em-
                                                                                                        be out to fix your problem immediately.
      ployees or office visitors can access. Digital cameras, iPods, and USB drives fall into another
                                                                                                        Expertise is also an issue. Your current IT
      category that’s overlooked when thinking about security.
                                                                                                        person may be a whiz at handling ERP
         On the network side, you’ve probably got at least one Web server and an e-mail server,         software but know nothing about wireless
      both of which provide direct access in and out of your infrastructure. But even the tech-         networking. Meanwhile, many VARs are
      nology that protects both, along with your method of Internet connectivity—a software             technology specialists; they’ve received
      or hardware firewall—can make you vulnerable to attack if not set up correctly.                   vendor-specific training and know every
                                                                                                        nuance about a particular product. In fact,
         Another point of entry includes wireless routers and the corresponding wireless adapters       this is the reason that your hardware or soft-
      installed to make it easier for employees to move around the office. Your wireless                ware vendor is a great place to start when
      setup—Wired Equivalent Privacy (WEP) or (even better) Wi-Fi Protected Access (WPA)                looking for a VAR of your own. If someone
      security—is the same technology that makes it easier for employees to do their jobs and           holds a certification, you know they have
      makes it easier for people to hack in. And then there are your applications, both what is         been vetted and trained. Still, experts cau-
                                                                                                        tion that you should interview any potential
      installed on your network and servers, and what you and your employees access remotely            VAR as well as ask for references.
      in a software-as-a-service model. Smart hackers are always coming up with ways to ex-
                                                                                                        “When you turn over your network and
      ploit bugs and issues in ways that turn a software productivity tool into a direct entryway       your data to someone, you’re entrusting
      to your business and data.                                                                        them with your livelihood,” says Nick Selby,
         So how do you figure out what needs protecting, and what’s already protected? It’s as          research director, Enterprise Security
      easy as creating a diagram or list of your current IT resources and noting whether they           Practice, with Boston-based 451 Group.
      are secured. If you’re not comfortable going it alone, don’t be afraid to hire someone to         “You want to know you can trust them
                                                                                                        completely before you make yourself
      do it for you, says 451 Group’s Selby. “Hire someone to prioritize your risk so you won’t         vulnerable.”
      let fear and uncertainty be your purchasing guide,” he says.
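The WEP weakness described in the sidebar above comes down to one thing: a stream cipher must never reuse a keystream. The following is an added illustration, not code from the guide or from any vendor it mentions. It implements RC4 (the cipher WEP really uses) and models the guide's description, one static key for every packet, so that two packets share a keystream; the "per-packet key" variant is a deliberately simplified stand-in for WPA's per-packet keying, not WPA's actual TKIP key mixing (and WPA2 uses AES-CCMP instead). The key and the two packets are constructed for the demonstration.

```python
"""Why reusing one keystream across packets breaks a stream cipher.

Added illustration; not code from the NFIB guide. WEP encrypts every packet with
RC4 under one static key, to which it prepends only a 24-bit per-packet value
(the IV), so the same keystream comes back as soon as an IV repeats. The static
key below models the guide's description of that failure. The key, the packets
and the "per-packet key" scheme are constructed for this demo; the latter is a
simplification, not WPA's real key mixing.
"""
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation), the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_static_key(key: bytes, plaintext: bytes) -> bytes:
    """WEP-style: every packet is XORed with the keystream of the same key."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


def encrypt_per_packet_key(key: bytes, counter: int, plaintext: bytes) -> bytes:
    """WPA-style idea (simplified): a fresh per-packet key that never repeats."""
    packet_key = hashlib.sha256(key + counter.to_bytes(6, "big")).digest()
    return xor(plaintext, rc4_keystream(packet_key, len(plaintext)))


# Constructed traffic. The attacker knows ATTACKER_PACKET in full, for example
# because they sent it through the access point themselves (a long ping).
STATIC_KEY = b"office-wep-key"                                  # hypothetical key
ATTACKER_PACKET = b"PING " + b"A" * 40                           # 45 bytes
VICTIM_PACKET = b"POST /login user=stacy&password=Summer2008"   # 42 bytes


def eavesdrop_static_key() -> bytes:
    """Recover the victim's packet when both packets share one keystream."""
    c_att = encrypt_static_key(STATIC_KEY, ATTACKER_PACKET)
    c_vic = encrypt_static_key(STATIC_KEY, VICTIM_PACKET)
    keystream = xor(c_att, ATTACKER_PACKET)   # ciphertext XOR plaintext = keystream
    return xor(c_vic, keystream)              # the same keystream decrypts the victim


def eavesdrop_per_packet_key() -> bytes:
    """The same attack against per-packet keys: the recovered keystream is useless."""
    c_att = encrypt_per_packet_key(STATIC_KEY, 1, ATTACKER_PACKET)
    c_vic = encrypt_per_packet_key(STATIC_KEY, 2, VICTIM_PACKET)
    keystream = xor(c_att, ATTACKER_PACKET)
    return xor(c_vic, keystream)


def keystream_cancels() -> bool:
    """Even with no known plaintext, C1 XOR C2 == P1 XOR P2 under one keystream,
    which is enough to start guessing either packet from the other."""
    c1 = encrypt_static_key(STATIC_KEY, ATTACKER_PACKET)
    c2 = encrypt_static_key(STATIC_KEY, VICTIM_PACKET)
    return xor(c1, c2) == xor(ATTACKER_PACKET, VICTIM_PACKET)


if __name__ == "__main__":
    print("static key :", eavesdrop_static_key())
    print("per-packet :", eavesdrop_per_packet_key()[:16], "...")
    print("C1^C2==P1^P2:", keystream_cancels())
```

The point for a small office is not the arithmetic but the consequence: with a WEP network, anyone in radio range who can inject or guess one packet can read the others, and with enough captured packets the key itself falls out. WPA2 with a long passphrase removes the shared-keystream problem entirely.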
  6    N F I B G U I D E TO N E T W O R K P R OT E C T I O N | w w w. N F I B. c o m

BE THE PERSON WITH THE PLAN

You know what lurks in the dark. Here’s how to develop a plan of action to secure your business.

When you buy a new car, your purchase is based—at least partially—on how you’re going to use it. If you go off-road on weekends, you’ll probably look for a four-wheel drive vehicle. On the other hand, if you drive long distances, comfort and gas mileage are probably the two factors that will influence your decision most.

As a small business owner, it makes sense to employ a similar strategy when buying and implementing any new security products or initiatives. Your biggest consideration: What kind of company do you own and what are its major characteristics? You can use the following four categories and descriptions to see what kind of security consumer you are, and which products and services will serve you best—especially if you only have a limited budget. And keep in mind: Your company, like others out there, may fall into more than one category, necessitating a blended security strategy.

THE HIGH-GROWTH BUSINESS: Maybe your employees don’t stick around for too long, or maybe you’re constantly hiring new people because your company is growing so quickly. You could be a call center, retailer or healthcare services provider. In this case, you’ll want to concentrate not only on the basics—keeping spyware, anti-spam and virus protection up to date—but also on hardware and software tools, such as access-control software or biometric devices, that let you specify who can access what and quickly add and terminate access as people move on and off staff. From a physical security standpoint, you’ll want to use plenty of hardware locks and asset-recovery products so equipment stays put even if employees leave.

THE HEAVY FOOT TRAFFIC BUSINESS: Your office isn’t necessarily an office; it might be a storefront or another location that’s open to the public. Its most prominent feature is that your employees probably share IT resources—when they’re not working with customers, that is.

If this sounds like your business, your directive is clear. You’ll need to keep hardware locked down so would-be thieves disguised as customers can’t carry it away with them. You’ll also want to make sure you use access-control software so employees can share equipment but you have an electronic paper trail showing who used what applications and hardware. Access control, which requires each person to log in with their own password and limits the use of specific resources—employees shouldn’t be surfing public Web sites, for example—is another must-have security resource.
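An electronic paper trail is only useful if someone reads it. The following is an added example, not the guide's own code or any access-control product's, of the review a high-growth or heavy-foot-traffic business would run over that trail: it assumes the product writes one line per login as "timestamp account resource", and the roster, the need-to-know table and the log lines are constructed here. It flags logins by people who have left, use of equipment outside a person's role, logins outside store hours and accounts nobody recognises, and lists what to revoke when someone departs.

```python
"""Reviewing an access-control audit trail for a business with shared equipment
and fast staff turnover.

Added example; not the NFIB guide's code or any access-control product's. It
assumes the product logs one line per login as "timestamp account resource".
The roster, the role-to-resource table and the log lines are constructed here.
"""
from datetime import date, datetime

# Constructed roster: each account's role, and the date access should have
# ended (None means the person is still on staff).
ROSTER = {
    "stacy": {"role": "marketing", "left": None},
    "raj":   {"role": "sales",     "left": date(2008, 7, 15)},  # left the company
    "admin": {"role": "it",        "left": None},               # shared admin login
}

# Need-to-know table: the only resources each role may use.
ROLE_ACCESS = {
    "marketing": {"pos-1", "mktg-pc-3", "fileserver:marketing"},
    "sales":     {"pos-1", "pos-2", "fileserver:sales"},
    "it":        {"pos-1", "pos-2", "mktg-pc-3", "fileserver:marketing",
                  "fileserver:sales", "fileserver:finance"},
}

BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59; the storefront is closed otherwise

# Constructed audit trail: ISO timestamp, account, resource.
AUDIT_LOG = """\
2008-07-14T09:02:11 raj pos-2
2008-07-16T18:40:03 raj fileserver:sales
2008-07-17T10:15:44 stacy fileserver:finance
2008-07-17T10:16:02 stacy mktg-pc-3
2008-07-18T02:12:59 admin fileserver:finance
2008-07-18T09:00:00 nobody pos-1
"""


def parse_log(text: str):
    """Turn log lines into (datetime, account, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, resource = line.split()
        events.append((datetime.fromisoformat(stamp), account, resource))
    return events


def review(events, roster=ROSTER, role_access=ROLE_ACCESS):
    """Return a (reason, timestamp, account, resource) tuple for every suspect event."""
    findings = []
    for stamp, account, resource in events:
        person = roster.get(account)
        if person is None:
            findings.append(("unknown account", stamp, account, resource))
            continue
        if person["left"] is not None and stamp.date() > person["left"]:
            findings.append(("access after departure", stamp, account, resource))
        if resource not in role_access[person["role"]]:
            findings.append(("outside role", stamp, account, resource))
        if stamp.hour not in BUSINESS_HOURS:
            findings.append(("outside business hours", stamp, account, resource))
    return findings


def offboarding_checklist(roster=ROSTER, role_access=ROLE_ACCESS, today=date(2008, 7, 18)):
    """For everyone who has left, the resources their login could still reach if it
    was never disabled, i.e. the list to revoke (or re-key, for shared logins)."""
    revoke = {}
    for account, person in roster.items():
        if person["left"] is not None and person["left"] <= today:
            revoke[account] = sorted(role_access[person["role"]])
    return revoke


if __name__ == "__main__":
    for reason, stamp, account, resource in review(parse_log(AUDIT_LOG)):
        print(f"{stamp:%Y-%m-%d %H:%M}  {account:<8} {resource:<22} {reason}")
    print("revoke:", offboarding_checklist())
```

Run against the constructed log, the review shows raj's file-server login the day after he left, stacy reaching the finance share her role does not cover, the shared admin account active at two in the morning, and a login from an account not on the roster. The shared "admin" login is exactly the case the guide warns about in item 3 of the Conclusion: it cannot be revoked per person, so its password has to change whenever someone who knew it leaves.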

THE MOBILE BUSINESS: Your employees work from airports, home offices, and coffee shops. They access your network with a laptop or ultra-mobile PC via wireless networks or through their own Internet access. They own PDAs, smartphones and removable storage media. If your company fits this description—maybe you’re a reseller, consulting firm or a service provider such as a plumbing or contracting business—then your major concerns should be making sure the connection between your employees and your office is an encrypted one, as well as making sure your employees keep their mobile devices secure at all times. This means investing in an appliance—usually a firewall—or software that enables a virtual private network (VPN). Many firewalls also integrate anti-spam, anti-spyware and anti-virus software, killing two birds with one stone. On the employee side, you can help keep your traffic safe by installing wireless cards that use the highest levels of security—today, WPA2-compatible cards, also called adapters, which use AES encryption—should do the trick. (For more information on encryption, see p. 5.)

THE DATA-DRIVEN BUSINESS: Every company creates and manages data, but there are some companies, such as financial services firms, retailers, medical-related firms and accountants, that use and store the type of data that gets hackers excited: Social Security numbers, credit card information and other critical, confidential data. If your company falls into this category, you’re charged with putting a multi-layered approach in place. You will need stringent intrusion-detection security in place everywhere someone can enter from the outside. This means software that protects your Web site, e-mail servers, file servers and network, as well as hardware and security policies that restrict access to the data by those who work at your company. You’ll want to have a firewall in place to protect your Web site, anti-spam and anti-virus software installed on the network and on client machines, and intrusion protection software to thwart anyone who gets by your firewall.

Rules of the Road (Warrior)

You can install every security measure available, and you may still suffer a breach if your employees disregard your rules or—even worse—uninstall or disengage your security technology. This is why, says Nick Selby, research director, Enterprise Security Practice with Boston-based research firm 451 Group, every security plan needs to address the human component. Your best bet: a written security policy that explains what’s allowed, and how and where employees are protected. Here are some steps you can take to create a security policy, disseminate it and make sure it’s doing its job.

IDENTIFY THE TARGETS

You’ve protected all your end points, hardware and your entire network. Now you’re ready to address potential mistakes and threats that your employees can introduce to the mix. For example:

WEB ACCESS: Are employees allowed to download and install applications? Can they use your Web connection to read personal e-mails on sites such as Gmail, Yahoo! or Hotmail? Can they install widgets or other Web 2.0 elements? Can they post to blogs and message boards? Can they view webinars or Web video?

E-MAIL: Can employees send and receive file attachments? Who can they e-mail? Can they send and receive personal messages? Are they allowed to sign up for e-newsletters using their business e-mail address? Are they allowed to interact with customers?

SERVERS: Can employees log into company file servers from home? Do they have write or simply read-only access to files? Are they using unique passwords to log into your servers and network? Can they save data to removable media such as DVDs, CDs and flash drives?

CREATE A COMMUNICATION

Once you know what you want—and don’t want—employees doing with your data and network, you’ll need to tell them about your decision. Create a document that spells out not only what they are allowed to do, but why. It’s important to explain the risks that such behavior incurs so employees don’t feel like you’re being punitive or treating them unfairly. This is also where you want to disclose any type of monitoring you’ll be doing, such as capturing and tracking e-mail or Web use or logging or recording voice-over-IP telephone calls. You can make sure employees understand your policies by asking them to read and sign off on them.

BECOME AN ENFORCER

You can make all the rules you want, but unless you actually follow through with them, they’re pretty useless. Put some teeth in your policies by providing tangible and real consequences to those who ignore them. This can range from loss of privileges and equipment to job dismissal. However, be fair. Make sure employees understand what you’re asking of them, and why such policies are required.

“Don’t just scare your employees,” agrees Selby. “Get them on your team.”

HOW MUCH IS ENOUGH?

Security costs can bring your balance sheet into the red or black, depending on your risk and potential losses. Here’s how you can decide what’s best for your company.

ANALYST FIRMS SAY THAT SMALL BUSINESS IT SPENDING IS slightly lower for 2008. A Gartner research report—User Survey Analysis: IT Spending Plans in the SMB Market, North America, 2008—says that small business owners plan on boosting IT spending a mere 3.25 percent as compared to 5.34 percent for midsized businesses—and that includes hardware as well as software purchases. Meanwhile, according to a Deloitte Touche Tohmatsu survey of more than 100 organizations—Treading Water: The 2007 Technology, Media & Telecommunications (TMT) Security Survey—more than 46 percent of respondents had no formal information security strategy and 49 percent reported they are either falling behind or still catching up to security threats. Unfortunately, both of these reports come at a time when IT needs—especially the need for IT security—are on the rise.

System hacks are up, as are the number of Trojans, viruses, worms, infected Web pages, and phishing scams. In fact, according to a January 2008 report from the SANS Institute, the top dozen cyber security threats will come from previously innocuous sources, including Web attacks that originate on trusted sites—places you and your employees visit often—as well as voice-over-IP system attacks, and increasingly malicious spyware. Social networking sites and Web 2.0 applications are also a threat.

Even knowing these facts, it can be hard to justify the cost of increased security initiatives since calculating the return on investment for security purchases and installations isn’t an easy task. There are so many variables: how extensive your IT infrastructure and organization are, whether or not you have a Web site or wireless network, whether or not you maintain your own e-mail servers, or even if you have an on-site IT person. There are also intangibles, such as how much you rely on your IT resources on a daily basis. The decision is often obvious: The more you rely on technology, the easier it is to justify an IT security expenditure.

As a business owner, you also need to think about what a security breach would do to your company, and there are many aspects of this calculation. For example, if you have a total system crash and your employees rely on the IT infrastructure, it will affect your overall productivity more than if you are a stand-alone retail establishment. However, if your point-of-sale devices, such as cash registers and credit card-processing tools, are tied to your back-end and inventory management, you may feel an outage even more than a consulting firm or services organization that can make do by working offline.

Still, lost revenue is a huge part of the ROI calculation. If you have an online retail presence, ROI is easier to grasp. You can calculate how much your site is worth by looking at how much revenue it brings in daily. Once you have that number, you know how much income you’ll lose for each day your site is down after a security breach. Then there are the other costs: paying someone to fix and restore your site, the cost of potential customer data loss and the cost of losing new customers, not to mention the damage an outage or breach can cause your company’s reputation. Again, none of these are easy numbers to ascertain, but when you think about it, it’s not difficult to recognize quickly how spending a little money now could pay off big in the long term.

This brings us back to the question at hand: How do you figure out how much “a little money” means for your company? How do you decide what you should spend, and which projects will produce a long-term return on investment?

There is no simple answer; no formula you can plug your expenditures and income into so you can receive an answer. Your best bet may be to evaluate where your biggest vulnerabilities are, make a decision about which resources you absolutely can’t live without, and go from there.

For example, you can look at the past to figure out what’s most important—and how much it will cost you in the future. The first thing you’ll want to explore is what you spent on remedial IT over the past 12 months. If you were hit by a serious virus and your system was down for two days, you know this is probably something you’ll want to avoid in the future by investing in a new virus protection program. You can do a direct comparison, too. What you pay for virus software will probably be dwarfed by whatever you paid a consultant to clean up. Plus, that consultant’s bill is probably only a fraction of your downtime cost in terms of lost employee hours and time that would have been better spent taking care of customers.

You can also prioritize based on overall hardware and software value. If you purchased a new server or installed a new application, you know how much it cost and how much it would cost to replace. And then there’s the idea of business continuity. If you live in an area that faces natural disasters such as tornados or hurricanes often, you may want to invest in business continuity insurance, which will pay to bring your systems back online should you face a natural disaster or complete system loss from an intrusion or virus. Considering that two out of five companies that experience a disaster will go out of business (according to a recent Gartner research study), the higher your risk, the more important such an investment becomes.


CONCLUSION

Just because you can’t commit to a full security audit doesn’t mean there isn’t plenty you can do to mitigate risk today.

YOU’VE PROBABLY GOT A MARKETING BUDGET and a sales budget. And chances are, you also have a hardware and telecommunications budget. That said, unless you take the steps to protect what you’ve got—and what you’re planning to buy—you may just be throwing money out the window.

According to a September 2007 survey from the Computer Security Institute (CSI), average annual losses reported by U.S. companies doubled, spiking to $350,424 from $168,000, with 46 percent of all respondents reporting some type of computer security incident. Security breaches happen, and they happen often, so those who do nothing are taking huge risks with their valuable data and equipment.

While every business owner would like to have a full-time IT person on staff or—at the very least—be able to hire a consulting firm, sometimes neither is possible. Still, that doesn’t mean there aren’t things you can do right now to avoid some of the most common issues. Here are seven strategies that you can implement today without hiring an IT specialist.

1. KEEP IT LOCKED. Where do you keep your servers and storage systems? If you said under your desk or on a table in your office, you’re not alone. A better option: keeping all IT assets—including new or unused equipment—under lock and key in either a well-ventilated closet or a separate room. If you don’t have space to spare, keep devices locked using a physical device or computer-locking cables that secure your server(s), printers, monitors and PCs.

2. LISTEN TO YOUR EMPLOYEES. According to a May 2008 report from Carnegie Mellon University’s Software Engineering Institute’s CERT program, 34 percent of all cyber and electronic crimes were perpetrated by insiders—IT people, mostly—with an ax to grind. The majority of these people had grudges against the company; 84 percent were motivated by revenge. So how can you make sure your company doesn’t fall victim to an inside attack? Keep the lines of communication open and make sure you run background checks before you hire someone. Also, don’t put all your IT eggs in one basket. More than 75 percent of insiders detailed by the CERT report had created access paths into the server or infrastructure that were unknown to anyone else in the company. Don’t entrust a single person with all your technology needs, if possible, and if you absolutely must, make sure your most sensitive data is stored off your network so that even if someone does get in, it can’t be reached.

3. MANAGE YOUR PASSWORDS. While 84 percent of companies surveyed in the 2007 E-Crime Watch Survey—co-sponsored by Carnegie Mellon University’s Software Engineering Institute’s CERT Program, the U.S. Secret Service and Microsoft Corp.—reported they have account and password management policies in place, the use of password sniffers or crackers was up last year. You can help ensure safety within your office by requiring all employees to change their passwords monthly or quarterly, and by requiring that all passwords be long, contain both letters and numbers, and not be reused between systems. Also, remember to change administrator and other shared passwords, and to disable the person’s own accounts, if someone who had access to IT resources leaves or is fired.

4. MOVE BACKUPS OFF YOUR SITE. You should be backing up your data constantly—at minimum, every evening. If you’re backing up to removable media, make sure you’re either locking it up in a fireproof safe or removing it from the office and locking it up elsewhere. And check, now and then, that the copy you are counting on can actually be restored.
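A backup that sits in a safe or at an off-site data center, as in the Le Blanc example earlier in this guide, is only worth what it restores. The following is an added example, not the guide's own code, of a small nightly-backup routine that writes a SHA-256 manifest beside the archive and verifies a copy by restoring it into a scratch directory and comparing every file; it assumes a tar.gz archive and a JSON manifest next to it, and the office directory, its files and all paths in demo() are constructed for the demonstration.

```python
"""Off-site backups you can actually trust: archive plus integrity manifest.

Added example; not the NFIB guide's code. It assumes a nightly job writes a
.tar.gz and a JSON manifest of SHA-256 digests next to it, and that the copy is
verified by restoring into a scratch directory. The office directory and file
contents in demo() are constructed; every path is hypothetical.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path: str) -> str:
    """Digest a file in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(src_dir: str):
    """Yield (absolute path, archive-relative name) for every file under src_dir."""
    for root, _, files in os.walk(src_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            yield full, os.path.relpath(full, src_dir).replace(os.sep, "/")


def write_archive(src_dir: str, archive_path: str) -> None:
    """Pack src_dir into a gzip tar with paths relative to src_dir."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for full, rel in _relative_files(src_dir):
            tar.add(full, arcname=rel)


def write_manifest(src_dir: str, archive_path: str) -> dict:
    """Record a SHA-256 per file, stored beside the archive as <name>.manifest.json."""
    manifest = {rel: sha256_file(full) for full, rel in _relative_files(src_dir)}
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def make_backup(src_dir: str, archive_path: str) -> dict:
    write_archive(src_dir, archive_path)
    return write_manifest(src_dir, archive_path)


def verify_backup(archive_path: str):
    """Restore into a scratch directory and check every file against the manifest.
    Returns (ok, problems); problems is a list of ("missing"|"altered", path)."""
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse absolute or parent-directory names: a tampered archive
                # must not be able to write outside the scratch directory.
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = os.path.join(scratch, *rel.split("/"))
            if not os.path.isfile(restored):
                problems.append(("missing", rel))
            elif sha256_file(restored) != digest:
                problems.append(("altered", rel))
    return (not problems, problems)


def demo():
    """Back up a constructed office directory, verify it, then detect tampering."""
    with tempfile.TemporaryDirectory() as office, tempfile.TemporaryDirectory() as offsite:
        os.makedirs(os.path.join(office, "accounting"))
        with open(os.path.join(office, "accounting", "ledger.csv"), "w") as f:
            f.write("date,amount\n2008-07-21,125.00\n")
        with open(os.path.join(office, "customers.txt"), "w") as f:
            f.write("Stacy, Mktg. #3\n")
        archive = os.path.join(offsite, "office-2008-07-21.tar.gz")
        make_backup(office, archive)
        ok_before, _ = verify_backup(archive)
        # Simulate a damaged or tampered off-site copy: the archive is rewritten
        # with one changed file while the manifest stays as originally recorded.
        with open(os.path.join(office, "customers.txt"), "a") as f:
            f.write("(edited after backup)\n")
        write_archive(office, archive)
        ok_after, problems = verify_backup(archive)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The manifest proves integrity, not confidentiality: a copy that leaves the building on tape or disk, or goes to an off-site data center, should also be encrypted before it goes, and the manifest kept separately from the media so a thief cannot alter both.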


Antivirus, anti-spyware and content-filtering software products are inexpensive and fairly easy to administer. Make sure you’re scanning all incoming and outgoing mail, as well as anything written to the server. Firewalls are also extremely useful, keeping intruders out while at the same time enabling Internet connectivity.

6. OWN YOUR INFRASTRUCTURE. Be extremely careful about who has access to important system and software resources and data. Consider all of the above private and only accessible on a need-to-know basis. Not everyone on the network should have access to everything on the network.

protect what you don’t know you own. That said, keep a log of all your IT resources that details when they were purchased, who is currently using them, and where they are located. Write down serial numbers whenever possible in the case of theft or loss. You can also purchase secure asset tracking services, which can help you recover a computer should it become lost or stolen.

                         Sample Inventory Log

  RESOURCE NAME    SERIAL #    DATE/PLACE PURCHASED       USERS    LOCATION
  Dell Laptop      005892      7/21/08 Joe's Computers    Stacy    Mktg. #3

  (blank rows follow for your own entries)
