NFIB GUIDE TO NETWORK PROTECTION
Securing Your IT Infrastructure
$12.95
DEVELOPED BY

WHAT’S INSIDE
1. Covering Your Bases
2. Finding the Secret Passageways
3. Be the Person With the Plan
4. How Much Is Enough?
5. Conclusion


Dear NFIB Member:

As a small business owner, you’ve long known the importance of securing your business from physical risks like inventory theft and vandalism. Now, it’s a necessity that you secure your business both physically and electronically.

Today, every business owner needs to be smart about network security. Just one data breach can cause lasting damage to your business—customers and clients who question the security of their information with your business will go elsewhere. Equally important, when you consider your assets, it’s critical that you think of the data your business uses every day—including lists, records, accounting, inventory data and more.

As it becomes increasingly essential for businesses to be “wired,” almost everyone needs to understand the basics of network security. It’s easy when you know where to start. This guide was written to help you understand the risks and what you can do to tighten your security.

With the NFIB Guide to Network Protection, you’ll learn the four most important components of any information security protection plan, how to find your business’ specific vulnerabilities and how to chart a plan to secure your business.

In the process of securing your network, you might wonder, how much is enough? When do the costs outweigh the benefits? This guide will help you determine the right answers for your business, and provide you with simple steps to get you started lowering your risk level today.

You’re committed to keeping your business and data safe, but unfortunately, accidents and breaches can happen. In the case of network security, it’s smart to take action to protect your business before there’s a problem.

Helping your business stay secure in an ever-changing business environment…the NFIB Guide to Network Protection—Securing Your IT Infrastructure is just another way we’re working to help you own, operate and grow your business.

Sincerely,

Todd A. Stottlemyer
NFIB President and CEO

www.NFIB.com | NFIB GUIDE TO NETWORK PROTECTION 1

ABOUT NFIB GUIDE TO NETWORK PROTECTION
Welcome to another edition of NFIB’s Small Business Guide series. The NFIB Guide to Network Protection—Securing Your IT Infrastructure provides practical solutions to the challenges you and other small business owners face every day.

Prepared by experts to help you develop a plan to secure your business, this guide provides you with steps to begin protecting your data and technology systems today.

ABOUT NFIB
The National Federation of Independent Business is the leading small business association representing the consensus views of its members in Washington and all 50 states. NFIB’s mission is to promote and protect the right of our members to own, operate and grow their businesses. NFIB gives members access to many discounted business products and services and provides timely information designed to help small businesses succeed.

ABOUT DELL
Dell was founded in 1984 by Michael Dell on a simple concept: By selling computers directly to customers, we could understand their needs and efficiently provide effective computing solutions better than our competition. This is especially true now. Dell has specially trained small business sales reps who can help you determine the best technology solution to meet your business’s needs, whether that is how to manage your point-of-sale data, wireless security, which software you need to design your next big product, or how to set up your first server network. Dell focuses on what you need so you get only what you want.

In 2003, NFIB partnered with Dell to provide computers, printers, servers, monitors and point-of-sale solutions at a discount to NFIB members—that was just the beginning. Five years later, Dell’s commitment to NFIB is stronger than ever, branching out to support members in numerous ways.

Dell is excited to bring you a series of NFIB Small Business Technology Guides, focusing on up-to-date information addressing technology issues and solutions for small business. Whether you need to purchase a new computer, printer, or software, or just need some helpful technological information, look to NFIB and Dell to provide you with the perfect small business solution.

CONTENTS
Introduction: Feeling Safe and Secure .................... 2
one   Covering Your Bases .................................. 3
two   Finding the Secret Passageways ....................... 6
three Be the Person With the Plan .......................... 7
four  How Much Is Enough? .................................. 9
five  Conclusion ........................................... 10


INTRODUCTION: FEELING SAFE & SECURE
As a small business owner, you may not realize how important security is to the growth and success of your company. Need convincing? Read on.

WHEN YOU THINK ABOUT BUSINESS SECURITY, what’s the first thing that comes to mind? Someone sneaking into your office in the dark of night making off with your servers? Or is it user and computer security—the need to lock down your electronic data in a way that you know will keep it safe from external sources, such as hackers and opportunists, as well as internal ones—employees, partners, and customers who interact with your network and storage solutions on a daily basis? In reality, business security is a combination of anticipating potential problems—both physical and electronic—and proactively protecting your business against both.

Gary Anderson, the chief financial officer of Go Kahuna LLC, knows this firsthand. Anderson, who is one of the five staffers at the Baton Rouge, La.-based company that helps contractors verify licensing and insurance of construction subcontractors, probably would have lost everything when Hurricane Katrina came through in 2005. However, since the company—knowing how important its data and software are—protected itself via off-site backup and smart security procedures, it had everything back up and running the day after the hurricane hit.

“Your technology and data are your business,” he says. “You lose either, and you’ve lost your business. Sure, you might be able to recover some of what you’ve lost, but it’s going to be a long, hard, painful and expensive process.”

Indeed, data breaches cost businesses an average of $197 per customer record in 2007, a more than eight percent year-over-year increase, according to a study from the Ponemon Institute. The same study put the average total cost of a single incident at $6.3 million, much of it lost business from customer dissatisfaction and churn. The scariest part: In more than 40 percent of cases, data breaches involved third-party organizations such as outsourcers, contractors, consultants and business partners, according to respondents. In addition, according to an April 2007 study by research firm Datamonitor, more than 33 percent of all companies say that a major security breach could put them out of business permanently. Of those respondents, more than 60 percent reported some type of data breach over the past year.

Physical property loss is another huge issue for business owners, according to a separate Ponemon Institute study, which found that 39 percent of all employees surveyed said they have lost a cellular phone, USB memory stick, zip drive, or laptop computer that contained confidential business information. And according to the FBI, a laptop computer is stolen every 53 seconds. The majority—97 percent—of stolen laptops are never recovered. While the hardware may not be all that expensive to replace, your data and customer information are invaluable.

So how can you protect yourself both in and out of the office? Here’s everything you need to know to make sure your hardware, software, network and data are locked down and will stay that way no matter where you or your employees roam.

ONE: COVERING YOUR BASES
You wouldn’t hand the keys to your car to just anyone, but more often than not, small business owners put the wrong people in the driver’s seat of their companies by giving too many people access to files and information. Protecting all your IT and digital assets can be easy—if you know where to start.

TODAY, WHEN YOU DRIVE DOWN THE ROAD in your car, you’re much safer than you would have been 30 years ago. Back then, you may have worn a simple lap seatbelt to help you stay alive in a crash. Now, there are multiple layers of protection that keep drivers safe, including lap and shoulder belts, front airbags, side curtain airbags, reinforced vehicle frames, and a plethora of ever-expanding electronic and computer systems to help you avoid a crash in the first place. This strategy—implementing multiple layers of proactive and reactive protection—isn’t just good for drivers. In fact, it’s a smart strategy for everyone looking to keep their business on the right track.

There are four key components to any information security protection plan: physical security, end-user security, system security and network security. Each is a building block. Combined, the four elements protect what is the very lifeblood of your livelihood.

“When small businesses think about their assets, they need to think about what’s most critical to them, and what they would be lost without,” explains Lori C. Adamo, president of Code Red Business Continuity Services. “There’s so much data out there that you probably can’t live without—employee lists and records, supplier information, vendor information, accounting and inventory data, prospect lists. You’ve got to put steps into place to protect all of the above and then some.”

The best way to go about doing this is to tackle all four components, making sure you’re doing everything in your power to safeguard each.

COMPONENT 1: Physical Security
Woodard Insurance LLP resides on the top floor of a Fort Worth, Texas, six-story office building. The company has 15 employees. Two of the 15 have been victims of theft. On two separate occasions, thieves walked into the Woodard Insurance offices and picked up valuables. No one saw them do it; the items were never recovered. After the second time, Black Woodard, a partner in the company, installed security cameras in the front lobby that can be viewed from any PC in the office as well as remotely from anywhere in the world.

The physical safety of your infrastructure—including laptops, desktop computers, PDAs, smart phones, portable storage devices or other storage media—is important not just because of what a loss means in terms of replacement costs, but because the data that’s contained on those devices is practically invaluable. A lost customer record could mean thousands of dollars in future sales losses. A breached customer record—one that falls into the hands of the wrong person—could translate into a lawsuit or regulatory fines, not to mention the bad press that often accompanies such news reports.

This is why you need to implement a physical protection plan for all of your company’s IT assets, whether they are located in your offices or are mobile. This may consist of products, like security cameras, secure server rooms and cable locks; preventative processes, including maintaining up-to-date employee regulations that educate about the possibilities of theft; and asset tagging.

A physical protection plan can also include software that encrypts all your data, so even if you do lose a device, the data on it stays unreadable to whoever has it (provided the encryption key is protected by a strong passphrase rather than stored on the device itself). Recovery services such as Computrace® Complete from Absolute Software, which are designed to protect your PCs and the data they contain from theft and unauthorized access, are another smart option. Products like those offered by Computrace also can help you remotely track PC configurations and usage.

Setting Up E-mail and Internet Security Practices and Policies
1. Enforce a strong password policy that prohibits easily guessed passwords such as names, spouses’ names, pets’ names, passwords of fewer than five characters, or passwords made of a single repeated character. Also, ask employees to create passwords that combine longer strings of mixed-case characters with non-alphabetic characters.

2. Establish guidelines for employees on personal use. Are they allowed to use e-mail or company Internet access for personal reasons? Even better: Define what constitutes appropriate business communication.

3. Disclose whether or not you plan to monitor work e-mail, especially if you’ve established a No Personal E-mail policy.
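The password rules in item 1 above are easy to state and easy to enforce inconsistently. The following is an added example, not code from the NFIB guide or from Dell, that turns those rules into a single check a sign-up or password-change form can call. The personal-name list, the short common-password list and the employee in the sample run are constructed for the example; the five-character floor is the guide's figure and is a parameter so it can be raised.

```python
"""Password policy check, as an added example (not from the NFIB guide).

Implements the rules in item 1 above: reject names drawn from the
employee's own record, passwords shorter than the minimum length, and
passwords made of one repeated character; require mixed case plus at
least one non-alphabetic character. The personal-name list, the small
common-password list and the sample employee are assumptions for this
example, not values the guide specifies beyond "five characters".
"""
import re

# Constructed deny list; in practice screen against a large breached-password list.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "123456"}


def check_password(password, personal_names=(), min_length=5):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password and len(set(password)) == 1:
        problems.append("all the same character")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    # Names of the user, spouse, pets: anything three letters or longer that
    # appears inside the password (case-insensitively) is rejected.
    for name in personal_names:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the personal name {name!r}")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("needs at least one digit or symbol")
    return problems


def is_acceptable(password, personal_names=(), min_length=5):
    """Convenience wrapper: True when check_password finds nothing wrong."""
    return not check_password(password, personal_names, min_length)


if __name__ == "__main__":
    # Constructed sample: employee Pat Woodard, spouse Chris, dog Rex.
    names = ("Pat", "Woodard", "Chris", "Rex")
    for candidate in ("rex", "aaaaaaa", "woodard2008", "Blue-Harbor-42"):
        print(f"{candidate!r}: {check_password(candidate, names) or 'OK'}")
```

Call `check_password` both when an account is created and when a password is changed, feeding it the names on the employee's record. Treat the five-character floor as a 2008 minimum: current guidance (NIST SP 800-63B) puts more weight on length and on screening against breached-password lists than on composition rules, so raise `min_length` and grow the deny list rather than adding more character-class requirements.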

COMPONENT 2: User Security
You wouldn’t hand the keys to your car to just anyone, but more often than not, small business owners put the wrong people in the driver’s seat of their companies by giving too many people access to files and information. Access to company data—especially sensitive information such as customer, financial and employee records—should be given on a need-to-know basis only. Data should be encrypted and password-protected so only authorized users can access such files. Another important step: setting limits as to which files can be copied and which should remain read-only. The best method to ensure all of the above is to implement user authentication, password, and encryption technology.

You can do this by looking for systems that support BIOS-level passwords that require authentication before the operating system loads. BIOS is short for basic input/output system, the firmware built into a PC that initializes and controls vital hardware (such as disk drives, the keyboard, monitor, printer, and other communication ports) before the operating system starts. BIOS-level passwords, as well as SmartCard technology, restrict and grant access to your systems. Keep in mind that a BIOS password on its own does not protect the data on the disk: a thief can move the drive into another machine and read it unless the disk is encrypted.

Also remember to enable encryption software and educate employees, partners and customers about why it should be used and what rights they have within your infrastructure. For example, allowing employees to copy sensitive files and e-mail them to a home computer puts your company at risk. Likewise, accepting unencrypted contracts or documents from partners or customers exposes their business information—and yours—to potential interception.

COMPONENT 3: System Security
If you have 10 employees, you also have 10 open windows into your business and data—their individual PCs, which are a common entry point for viruses, malware, spyware, and worms. And while it might seem like we’ve always been at risk for these types of infections, the risk today is even greater as businesses encourage and enable remote access, opening up the network and servers to those intruders who take advantage of employees using wireless networks at home or on the go. This is why, now more than ever, installing security software and making sure it’s updated automatically and frequently is imperative.

It’s also why you should make sure that anyone accessing a wireless network—especially those in public spaces such as airports or libraries—is using encryption and a virtual private network when connecting to your office network. On an open or shared wireless network, anyone within radio range can capture traffic that is not encrypted, so an employee who skips the VPN is exposing whatever passes between the laptop and your office. And before you dismiss the threat, consider this: A recent Symantec Corp. report stated that there are more than 1.1 million malware code threats in the world today, with 499,811 of them discovered in the second half of 2007 alone. Meanwhile, of the more than 54,000 unique applications deployed on Windows-based PCs during the first half of 2008, 65 percent were malicious.


Basics of Encryption and Authentication
Encryption and authentication work hand in hand. Encryption protects data at rest, so that the contents of a disk or file cannot be read while the device is powered off or the user is not logged on. Authentication ensures that only authorized users are able to work on a particular notebook or desktop.

TWO TYPES OF ENCRYPTION
Basic file/folder encryption—The user determines who has access to the files/folders. Those without access will not be able to open and/or read the file or folder.

Full Disk and intelligent file/folder encryption—The encryption decision is taken entirely out of the user’s hands. Full Disk is more comprehensive and encrypts the entire disk, including the operating system and files. Intelligent file/folder encryption allows the IT manager to choose which applications and/or file extensions are encrypted.

THREE CATEGORIES OF AUTHENTICATION
Something you have—i.e., a SmartCard or USB key
Something you know—i.e., a password
Something you are—i.e., a fingerprint scan

Combining two of these categories (for example, a SmartCard plus a PIN) is stronger than any one alone, because a stolen card or a guessed password by itself is then not enough to get in.

To learn more about how to protect your sensitive business information, visit Dell Small Business 360 on dell.com.


COMPONENT 4: Network Security
You couldn’t function without your network, but the mere fact that you have one opens you up to security risks. Once someone breaks into your network, they can see, download or erase any data that touches it. There are precautions you can take to keep your network safe and secure, however. Here are some of the most common, all of which you should consider installing.

• Firewalls: Think of a firewall as a checkpoint at the edge of your company’s network that inspects traffic going in and out and blocks anything that is not explicitly permitted by your rules. It is only as good as those rules, so start from a default of denying inbound connections and allow only the services you actually need. Firewalls, which come in both software and hardware versions, can also set up virtual private networks between two locations to encrypt traffic. Finally, some firewalls can function as unified threat management (UTM) devices, which provide intrusion detection, content filtering and antivirus capabilities.

• VPN Protection: A virtual private network is a cost-effective solution to connect securely to and from a business network from remote locations, or between business-to-business locations, over the Internet. They are especially useful when you’re using a shared or public network such as the Internet. Most VPNs today use tunneling protocols that encrypt traffic with keys negotiated between the two endpoints, so that only those endpoints can decrypt it.

• Encryption: If you’ve ever used a secret decoder ring, you’ve used encryption. Today’s encryption works on the same principle, but with a key that is infeasible to guess: the scrambled data can only be turned back into readable form by someone holding the matching key. Network encryption is often built into an operating system or hardware appliance. Your best bet for wireless: products that provide hardware support for WPA2, the Wi-Fi Alliance certification of the IEEE 802.11i security standard, which uses AES-based encryption.

• Cisco Compatible Extensions Program: If your wireless infrastructure is Cisco-based, consider client adapters certified under the Cisco Compatible Extensions program, which tests wireless solutions for compatibility with the latest Cisco wireless infrastructure hardware and security technology.

SECURITY CHECKLIST
Walk around your business. Look and ask questions. Your security depends on the answers to the following questions.

SECURITY BASICS
Do your employees follow a company e-mail and Internet security policy?
Does your company use strong passwords?
Do you use anti-spam software to reduce the cost and inconvenience of unsolicited e-mail to your business?

PROTECT YOUR HARDWARE
Do you use cable locks to protect your company’s laptop computers against theft or loss?
Do you use chassis locks to prevent tampering with or removal of hard drives from desktop computers?

PROTECT YOUR DATA
Is McAfee VirusScan, Norton AntiVirus or other anti-virus software installed on ALL of your computers?
Is your anti-virus software updated regularly with the latest virus definitions?
Do you have a reliable back-up system, and have you tested restoring from it?
Are ALL of your company’s computers regularly updated with the latest operating system and software security patches?
Does your company use smart cards to protect sensitive data?

PROTECT YOUR NETWORK
Does your company run a client-server network rather than a simple peer-to-peer network?
Do you have a hardware firewall protecting your company’s network?
Does your company network use switches and routers rather than simple hubs? (A hub repeats every frame to every port, so any connected PC can eavesdrop on the others.)
Do the computers on your company network use high-quality Network Interface Cards (NICs)?
Does your company provide external access to its network? If so, do you use a virtual private network (VPN) for maximum security?
Does your company operate a wireless network or use handheld computing devices? If so, do they use the latest generation of security features to protect your sensitive business data?

If you answered “no” to any of these questions, visit www.dell.com/security for recommendations on how to make your data more secure.

TWO: FINDING THE SECRET PASSAGEWAYS
You can’t prevent intrusion unless you know where people can get in. Read more about how you can find your company’s most common vulnerabilities.

MAURICE LE BLANC, PRESIDENT OF YOGI BEAR’S JELLYSTONE PARK, a high-end campground based in Robert, La., has a plan in place that includes backing up all of his servers and data once daily. For business continuity reasons, backups are done remotely to an off-site data center—the company wants to be able to get at its data in the event of a natural disaster such as a fire or flood—but this also helps keep the campground offices secure.

Simply put, data that’s backed up remotely isn’t hanging around the office on tape or disk, which means there’s less of an opportunity for someone to steal or destroy it. (The copy at the data center is still your data, so it should be encrypted in transit and at rest, and you should periodically confirm that it is intact and that you can restore from it.) Not every business owner thinks this way, though. They don’t look at the big picture and see the unfortunate reality: There are plenty of opportunities and vulnerabilities that must be mitigated. “Focusing on controlling the flow of data, where it resides, and who and what has access to endpoints and backups is absolutely crucial,” agrees Nick Selby, research director with Boston-based 451 Group’s Enterprise Security Practice.

For example, you already know that your servers and PCs are entryways to your data, but there are plenty of other endpoint devices you need to think about. Handhelds, which are easily left in a cab, on a plane, or at a restaurant, often hold customer information and e-mails. Backup media such as tapes, discs, or removable drives, as Le Blanc notes, are also easy targets. Another often-forgotten data source is office equipment, including printers and copiers. Both often come standard with their own internal storage that employees or office visitors can access. Digital cameras, iPods, and USB drives fall into another category that’s overlooked when thinking about security.

On the network side, you’ve probably got at least one Web server and an e-mail server, both of which provide direct access in and out of your infrastructure. But even the technology that protects both, along with your method of Internet connectivity—a software or hardware firewall—can make you vulnerable to attack if not set up correctly.

Another point of entry is your wireless routers and the corresponding wireless adapters installed to make it easier for employees to move around the office. The same radio link that makes it easier for employees to do their jobs makes it easier for someone in the parking lot to reach your network. Wired Equivalent Privacy (WEP) can be broken in minutes with freely available tools and should not be relied on; use Wi-Fi Protected Access (WPA) or, better, WPA2. And then there are your applications, both what is installed on your network and servers, and what you and your employees access remotely in a software-as-a-service model. Smart hackers are always coming up with ways to exploit bugs and issues in ways that turn a software productivity tool into a direct entryway to your business and data.

So how do you figure out what needs protecting, and what’s already protected? It’s as easy as creating a diagram or list of your current IT resources and noting whether they are secured. If you’re not comfortable going it alone, don’t be afraid to hire someone to do it for you, says 451 Group’s Selby. “Hire someone to prioritize your risk so you won’t let fear and uncertainty be your purchasing guide,” he says.
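The off-site backups described at the start of this section only pay off if the copy is complete and unaltered when you need it. The following is an added example, not code from the NFIB guide or from any company named in it, that builds a SHA-256 manifest of a backup set, signs the manifest with a key kept away from the backup media so that whoever can alter the files cannot quietly rewrite the manifest too, and later re-checks the copy. The directory layout, file contents and the signing key are all constructed for the demonstration.

```python
"""Backup integrity manifest, as an added example (not from the NFIB guide).

Builds a SHA-256 manifest of a backup set, signs it with an HMAC key that
is assumed to live somewhere other than the backup media, and re-checks
the copy later, reporting files that are missing, changed or unexpected.
Directory layout, file contents and the key are constructed for the demo.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large backups are not read into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, signature, key):
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_backup(root, manifest):
    """Compare the copy on disk with the manifest recorded at backup time."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(name for name in manifest
                          if name in current and current[name] != manifest[name]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo(key=b"example-key-kept-off-site"):  # assumed key, not a real secret
    """Constructed scenario: record a manifest, damage the copy, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "accounting").mkdir()
        (root / "accounting" / "ledger.csv").write_text("date,amount\n2008-07-01,125.00\n")
        (root / "customers.db").write_bytes(b"\x00customer-records\x00")
        (root / "notes.txt").write_text("call vendor Monday\n")

        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)

        # Simulate what the guide warns about: media corrupted, a file taken
        # or deleted, and something planted on the backup media.
        (root / "customers.db").write_bytes(b"\x00customer-recordz\x00")
        (root / "accounting" / "ledger.csv").unlink()
        (root / "autorun.inf").write_text("[autorun]\n")

        report = verify_backup(root, manifest)
        report["manifest_authentic"] = manifest_is_authentic(manifest, signature, key)
        # A manifest rewritten to match the altered file fails the signature check.
        forged = dict(manifest, **{"customers.db": sha256_file(root / "customers.db")})
        report["forged_manifest_authentic"] = manifest_is_authentic(forged, signature, key)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` and `sign_manifest` as the last step of each backup job and store the manifest with the backup, but keep the HMAC key with the restore procedure, not on the media. A periodic `verify_backup` against the off-site copy is the cheapest way to learn about a corrupted tape before the day you need it.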

Wireless Alphabet Soup
Experts say that wireless network users should make sure they are also using Wi-Fi Protected Access (WPA) security technology to protect their network. In fact, some experts say WPA—as opposed to Wired Equivalent Privacy (WEP)—is the only way to go. So what does this mean to you?

Both security standards use encryption and keys to protect data and network traffic. Your data is encrypted before it’s transmitted, and can’t be decrypted without the correct “key.” (Sort of like the decoder rings you may have used as a child.)

The problem with WEP is how it uses its key. Every packet is encrypted with the RC4 stream cipher under the same shared key, combined with a 24-bit initialization vector (IV) that is sent in the clear. With only about 16 million possible IVs, a busy network repeats them within hours, and two packets encrypted under the same IV share the same keystream, so anyone who can capture or “sniff” the traffic and guess part of one packet can read the other. Worse, RC4’s key schedule leaks key bytes for certain IVs, so a passive attacker who collects enough packets can recover the shared key itself with freely available tools.

WPA, on the other hand, derives a fresh key for every packet from a session key and a 48-bit counter, and WPA2 replaces RC4 with AES, making it far more difficult to crack the code that’s protecting your traffic.
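The “decoder ring” picture in the Encryption bullet of Component 4 and the WEP explanation just above come together in one concrete failure: when a stream cipher’s keystream is reused, XOR-ing two ciphertexts cancels the key out entirely. The following is an added example, not code from the NFIB guide or from any vendor it names, that reproduces WEP’s situation on two constructed frames and recovers the second frame’s contents from the first without ever learning the key. The shared key, the IV and the frame payloads are made up for the demonstration; the LLC/SNAP header bytes are the real, predictable start of every WEP data frame carrying IPv4, which is what hands an eavesdropper the known plaintext. It stops short of the key-recovery attack mentioned above, which needs many captured frames rather than two.

```python
"""Why a reused keystream is fatal, as an added example (not from the guide).

WEP encrypts every frame with RC4 keyed by (24-bit IV || shared key) and
sends the IV in the clear, so two frames under the same IV share one
keystream. Two constructed frames reproduce that condition; the second
frame's plaintext is recovered from the first without the key. The shared
key, IV and payloads are made up; the LLC/SNAP header is the real fixed
prefix of a WEP data frame carrying IPv4.
"""


def rc4_keystream(key):
    """Yield RC4 keystream bytes: key scheduling, then the output loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def xor_bytes(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP-style framing: cleartext 3-byte IV, then RC4(IV || key) XOR data."""
    ks = rc4_keystream(iv + shared_key)
    return iv + bytes(p ^ next(ks) for p in plaintext)


def wep_decrypt(shared_key, frame):
    """Legitimate receiver: rebuild the same keystream from the cleartext IV."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key)
    return bytes(c ^ next(ks) for c in body)


# Fixed prefix of every 802.11 data frame carrying IPv4: an eavesdropper
# always knows at least these eight plaintext bytes of any captured frame.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def recover_with_reused_iv(frame_a, known_plaintext_a, frame_b):
    """Given frames A and B under the same IV and A's plaintext, read B.

    keystream = A_plain XOR A_cipher, and B_plain = keystream XOR B_cipher.
    Only as many bytes of B as are known of A can be recovered.
    """
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: keystreams differ, attack does not apply")
    keystream = xor_bytes(known_plaintext_a, frame_a[3:])
    return xor_bytes(keystream, frame_b[3:])


def demo():
    """Constructed traffic: two frames that happen to share IV 00:00:01."""
    shared_key = b"\x01\x02\x03\x04\x05"       # 40-bit WEP key, made up
    iv = b"\x00\x00\x01"
    plain_a = LLC_SNAP_IP + b"\x45\x00\x00\x3c request from PC-1"   # known to attacker
    plain_b = LLC_SNAP_IP + b"\x45\x00\x00\x3c customer SSN 1234"   # the target
    frame_a = wep_encrypt(shared_key, iv, plain_a)
    frame_b = wep_encrypt(shared_key, iv, plain_b)
    recovered = recover_with_reused_iv(frame_a, plain_a, frame_b)
    # Even with no plaintext at all, the key cancels: C_a XOR C_b == P_a XOR P_b.
    key_cancels = xor_bytes(frame_a[3:], frame_b[3:]) == xor_bytes(plain_a, plain_b)
    return {"recovered": recovered, "plain_b": plain_b, "ct_xor_equals_pt_xor": key_cancels}


if __name__ == "__main__":
    result = demo()
    print("Recovered without the key:", result["recovered"])
```

The same arithmetic is why WPA’s per-packet keys matter: with a different keystream for every frame, `xor_bytes(frame_a, frame_b)` tells the attacker nothing, and `recover_with_reused_iv` has no two frames to work with.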

Help for Hire
Computer hardware and software have evolved to the point that—with the help of wizards and interactive tutorials—small business owners may be able to install almost any product on their own. There are exceptions, however, especially when it comes to security products and services.

One of the most important considerations should be the size of your current IT support team. If you don’t have anyone on staff, or have someone who’s already stretched to the limit, it can be worth it to hire a value-added reseller (VAR), who can come in, assess your current IT infrastructure, and make recommendations about what’s lacking. You can also hire them for 24/7 support and feel confident that if something happens at 5 p.m. on July 3, they’ll be out to fix your problem immediately.

Expertise is also an issue. Your current IT person may be a whiz at handling ERP software but know nothing about wireless networking. Meanwhile, many VARs are technology specialists; they’ve received vendor-specific training and know every nuance about a particular product. In fact, this is the reason that your hardware or software vendor is a great place to start when looking for a VAR of your own. If someone holds a vendor certification, you know they have been trained and tested on that product. Still, experts caution that you should interview any potential VAR as well as ask for references.

“When you turn over your network and your data to someone, you’re entrusting them with your livelihood,” says Nick Selby, research director, Enterprise Security Practice, with Boston-based 451 Group. “You want to know you can trust them completely before you make yourself vulnerable.”

THREE: BE THE PERSON WITH THE PLAN
You know what lurks in the dark. Here’s how to develop a plan of action to secure your business.

When you buy a new car, your purchase is based—at least partially—on how you’re going to use it. If you go off-road on weekends, you’ll probably look for a four-wheel drive vehicle. On the other hand, if you drive long distances, comfort and gas mileage are probably the two factors that will influence your decision most.

As a small business owner, it makes sense to employ a similar strategy when buying and implementing any new security products or initiatives. Your biggest consideration: What kind of company do you own and what are its major characteristics? You can use the following four categories and descriptions to see what kind of security consumer you are, and which products and services will serve you best—especially if you only have a limited budget. And keep in mind: Your company, like others out there, may fall into more than one category, necessitating a blended security strategy.

THE HIGH-GROWTH BUSINESS: Maybe your employees don’t stick around for too long, or maybe you’re constantly hiring new people because your company is growing so quickly. You could be a call center, retailer or healthcare services provider. In this case, you’ll want to concentrate on not only the basics—keeping up spyware, anti-spam and virus protection—but also on hardware and software tools, such as access-control software or biometric devices, that let you specify who can access what and quickly add and terminate access as people move on and off staff. Make disabling accounts part of the same checklist as collecting keys and badges on an employee’s last day; a forgotten account is an open door. From a physical security standpoint, you’ll want to use plenty of hardware locks and asset-recovery products so products stay put even if employees leave.

THE HEAVY FOOT TRAFFIC BUSINESS: Your office isn’t necessarily an office; it might be a storefront or another location that’s open to the public. Its most prominent feature is that your employees probably share IT resources—when they’re not working with customers, that is.

If this sounds like your business, your directive is clear. You’ll need to keep hardware locked down so would-be thieves disguised as customers can’t carry it away with them. You’ll also want to make sure you use access-control software so employees can share equipment but you have an electronic paper trail showing who used what applications and hardware. That means each employee signs in with an individual account rather than a shared one. Access control that ties every action to a named user and limits the use of specific resources—employees shouldn’t be surfing public Web sites from the register, for example—is another must-have security resource.

THEMOBILEBUSINESS:Your employeeswork from airports, home offices, andcoffee shops.They access yournetworkwith a laptop or ultra-mobile PC viawirelessnetworksor through their ownInternet access.TheyownPDAs,smart-phones and removable storage media.If your company fits this description—maybe you’re a reseller, consulting firmor a service provider such as a plumb-ingor contractingbusiness—thenyourmajor concerns should bemaking surethe connection between your employ-ees and your office is an impermeableone, as well as making sure your em-ployeeskeep theirmobiledevices secureat all times. This means investing in anappliance—usually a firewall—or soft-ware that enables a virtual privatenetwork. Many firewalls also integrateanti-spam,anti-spyware andanti-virussoftware, killing two birds with onestone. On the employee side, you canhelp keep your hardware safe by in-stalling wireless cards that use thehighest levels of security—today,WPA2-compatible cards, also calledadapters, which use high-level encryp-tion technology—should do the trick.(For more information on encryption,see p. 5.)

THE DATA-DRIVEN BUSINESS: Every company creates and manages data, but there are some companies, such as financial services firms, retailers, medical-related firms and accountants, that use and store the type of data that gets hackers excited: Social Security numbers, credit card information and other critical, confidential data. If your company falls into this category, you're charged with putting a multi-layered approach in place. You will need stringent intrusion-detection security in place everywhere someone can enter from the outside. This means software that protects your Web site, e-mail servers, file servers and network, as well as hardware and security policies that restrict access to the data by those who work at your company. You'll want to have a firewall in place to protect your Web site, anti-spam and anti-virus software installed on the network and on client machines, and intrusion protection software to thwart anyone who gets by your firewall.

Rules of the Road (Warrior)
You can install every security measure available, and you may still suffer a breach if your employees disregard your rules or—even worse—uninstall or disengage your security technology. This is why, says Nick Selby, research director, Enterprise Security Practice with Boston-based research firm 451 Group, every security plan needs to address the human component. Your best bet: a written security policy that explains what's allowed, and how and where employees are protected. Here are some steps you can take to create a security policy, disseminate it and make sure it's doing its job.

IDENTIFY THE TARGETS
You've protected all your end points, hardware and your entire network. Now you're ready to address potential mistakes and threats that your employees can introduce to the mix. For example:

WEB ACCESS: Are employees allowed to download and install applications? Can they use your Web connection to read personal e-mail on sites such as Gmail, Yahoo! or Hotmail? Can they install widgets or other Web 2.0 elements? Can they post to blogs and message boards? Can they view webinars or Web video?

E-MAIL: Can employees send and receive file attachments? Whom can they e-mail? Can they send and receive personal messages? Are they allowed to sign up for e-newsletters using their business e-mail address? Are they allowed to interact with customers?

SERVERS: Can employees log into company file servers from home? Do they have write or simply read-only access to files? Are they using unique passwords to log into your servers and network? Can they save data to removable media such as DVDs, CDs and flash drives?

CREATE A COMMUNICATION
Once you know what you want—and don't want—employees doing with your data and network, you'll need to tell them about your decision. Create a document that spells out not only what they are allowed to do, but why. It's important to explain the risks that such behavior incurs so employees don't feel like you're being punitive or treating them unfairly. This is also where you want to disclose any type of monitoring you'll be doing, such as capturing and tracking e-mail or Web use or logging or recording voice-over-IP telephone calls. You can make sure employees understand your policies by asking them to read and sign off on them.

BECOME AN ENFORCER
You can make all the rules you want, but unless you actually follow through with them, they're pretty useless. Put some teeth in your policies by providing tangible and real consequences to those who ignore them. This can range from loss of privileges and equipment to job dismissal. However, be fair. Make sure employees understand what you're asking of them, and why such policies are required.

“Don’t just scare your employees,” agrees Selby. “Get them on your team.”





ANALYST FIRMS SAY THAT SMALL BUSINESS IT SPENDING is growing more slowly in 2008. A Gartner research report—User Survey Analysis: IT Spending Plans in the SMB Market, North America, 2008—says that small business owners plan on boosting IT spending a mere 3.25 percent as compared to 5.34 percent for midsized businesses—and that includes hardware as well as software purchases. Meanwhile, according to a Deloitte Touche Tohmatsu survey of more than 100 organizations—Treading Water: The 2007 Technology, Media & Telecommunications (TMT) Security Survey—more than 46 percent of respondents had no formal information security strategy and 49 percent reported they are either falling behind or still catching up to security threats. Unfortunately, both of these reports come at a time when IT needs—especially the need for IT security—are on the rise.

System hacks are up, as are the number of Trojans, viruses, worms, infected Web pages and phishing scams. In fact, according to a January 2008 report from the SANS Institute, the top dozen cyber security threats will come from previously innocuous sources, including Web attacks that originate on trusted sites—places you and your employees visit often—as well as voice-over-IP system attacks and increasingly malicious spyware. Social networking sites and Web 2.0 applications are also a threat.

Even knowing these facts, it can be hard to justify the cost of increased security initiatives, since calculating the return on investment for security purchases and installations isn't an easy task. There are so many variables: how extensive your IT infrastructure and organization are, whether or not you have a Web site or wireless network, whether or not you maintain your own e-mail servers, or even if you have an on-site IT person. There are also intangibles, such as how much you rely on your IT resources on a daily basis. The decision is often obvious: The more you rely on technology, the easier it is to justify an IT security expenditure.

As a business owner, you also need to think about what a security breach would do to your company, and there are many aspects of this calculation. For example, if you have a total system crash and your employees rely on the IT infrastructure, it will affect your overall productivity more than if you are a stand-alone retail establishment. However, if your point-of-sale devices, such as cash registers and credit card-processing tools, are tied to your back-end and inventory management, you may feel an outage even more than a consulting firm or services organization that can make do by working offline.

Still, lost revenue is a huge part of ROI calculation. If you have an online retail presence, ROI is easier to grasp. You can calculate how much your site is worth by looking at how much revenue it brings in daily. Once you have that number, you know how much income you'll lose if you have a security breach. Then there are the other costs: paying someone to fix and restore your site, the cost of potential customer data loss and the cost of losing new customers, not to mention the damage an outage or breach can cause your company's reputation. Again, none of these are easy numbers to ascertain, but when you think about it, it's not difficult to recognize quickly how spending a little money now could pay off big in the long term.

This brings us back to the question at hand: How do you figure out how much “a little money” means for your company? How do you decide what you should spend, and which projects will produce a long-term return on investment?

There is no simple answer; there is no formula you can plug your expenditures and income into so you can receive an answer. Your best bet may be to evaluate where your biggest vulnerabilities are, make a decision about which resources you absolutely can't live without, and go from there.

For example, you can look at the past to figure out what's most important—and how much it will cost you in the future. The first thing you'll want to explore is what you spent on remedial IT over the past 12 months. If you were hit by a serious virus and your system was down for two days, you know this is probably something you'll want to avoid in the future by investing in a new virus protection program. You can do a direct comparison, too. What you paid a consultant to clean up after the infection will probably dwarf the price of the antivirus software, and that consultant fee is itself probably only a fraction of your downtime cost in terms of lost employee hours and time that would have been better spent taking care of customers.

You can also prioritize based on overall hardware and software value. If you purchased a new server or installed a new application, you know how much it cost and how much it would cost to replace. And then there's the idea of business continuity. If you live in an area that faces natural disasters such as tornados or hurricanes often, you may want to invest in business continuity insurance, which will pay to bring your systems back online should you face a natural disaster or complete system loss from an intrusion or virus. Considering that two out of five companies that experience a disaster will go out of business (according to a recent Gartner research study), the higher your risk, the more important such an investment becomes.

HOW MUCH IS ENOUGH?
Security costs can bring your balance sheet into the red or black, depending on your risk and potential losses. Here's how you can decide what's best for your company.





YOU’VE PROBABLY GOT A MARKETING BUDGET and a sales budget.And chances are, you also have a hardware and telecommunica-tions budget. That said, unless you take the steps to protect whatyou’ve got—and what you’re planning to buy—you may just bethrowing money out the window.

According to a September 2007 survey from the Computer Security Institute (CSI), average annual losses reported by U.S. companies doubled, spiking to $350,424 from $168,000, with 46 percent of all respondents reporting some type of computer security incident. Security breaches happen, and they happen often, so those who do nothing are taking huge risks with their valuable data and equipment.

While every business owner would like to have a full-time IT person on staff or—at the very least—be able to hire a consulting firm, sometimes neither is possible. Still, that doesn't mean there aren't things you can do right now to avoid some of the most common issues. Here are seven strategies that you can implement today without hiring an IT specialist.

1. KEEP IT LOCKED. Where do you keep your servers and storage systems? If you said under your desk or on a table in your office, you're not alone. A better option: keeping all IT assets—including new or unused equipment—under lock and key in either a well-ventilated closet or a separate room. If you don't have space to spare, keep devices locked using a physical device or computer-locking cables that secure your server(s), printers, monitors and PCs.

2. LISTEN TO YOUR EMPLOYEES. According to a May 2008 report from Carnegie Mellon University's Software Engineering Institute's CERT program, 34 percent of all cyber and electronic crimes were perpetrated by insiders—IT people, mostly—with an ax to grind. The majority of these people had grudges against the company; 84 percent were motivated by revenge. So how can you make sure your company doesn't fall victim to an inside attack? Keep the lines of communication open and make sure you run background checks before you hire someone. Also, don't put all your IT eggs in one basket. More than 75 percent of insiders detailed by the CERT report had created access paths into the server or infrastructure that were unknown to anyone else in the company. Don't entrust a single person with all your technology needs, if possible. If you absolutely must, have a second person or an outside consultant periodically review the accounts, administrator passwords and remote-access settings that person controls, and keep your most sensitive data off the shared network so that someone who gets into the network still can't reach it.
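As an added example that is not part of the NFIB guide, the following Python script shows one concrete way to look for the kind of unknown access path the CERT report describes on a Unix-style server: it parses the system's password and group files and reports every UID-0 account and every admin-group member that is not on an approved list you keep separately from the machine. The file contents, the admin group names and the approved list are all constructed for this example; on a real server you would read /etc/passwd and /etc/group and maintain the approved list yourself.

```python
"""Audit Unix-style account data for privilege nobody approved: extra UID-0
accounts and unexpected members of administrative groups.

All sample data below is constructed for this example. On a real host read
/etc/passwd and /etc/group instead of these strings."""

# Constructed sample: root and alice are the legitimate administrators;
# "toor" (a second UID-0 login) and "svc_backup" (quietly added to sudo)
# are the kind of hidden access paths a departing IT person might leave.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Admin:/home/alice:/bin/bash
bob:x:1001:1001:Bob Sales:/home/bob:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
svc_backup:x:1002:1002:Backup service:/var/backups:/bin/bash
"""

GROUP_SAMPLE = """\
root:x:0:
sudo:x:27:alice,svc_backup
wheel:x:10:alice
staff:x:50:alice,bob
"""

# Assumption: these are the groups that grant administrative rights on the
# host being audited; adjust for your distribution.
ADMIN_GROUPS = {"sudo", "wheel", "root"}

# Assumption: the business owner keeps this list outside the server. The
# check is only meaningful because the list is not derived from the system.
APPROVED_ADMINS = {"root", "alice"}


def parse_passwd(text):
    """Return {username: (uid, login_shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = (int(uid), shell)
    return users


def parse_group(text):
    """Return {groupname: set(member usernames)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_unapproved_privilege(passwd_text, group_text, approved):
    """Return a sorted list of (username, reason) for every privilege grant
    held by an account that is not on the approved list."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    for name, (uid, _shell) in users.items():
        if uid == 0 and name not in approved:
            findings.append((name, "uid 0 account not on approved list"))
    for gname, members in groups.items():
        if gname not in ADMIN_GROUPS:
            continue
        for member in sorted(members - approved):
            findings.append((member, f"member of admin group {gname}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in find_unapproved_privilege(
        PASSWD_SAMPLE, GROUP_SAMPLE, APPROVED_ADMINS
    ):
        print(f"REVIEW {user}: {reason}")
```

Run it on a schedule from a machine the single administrator does not control, and treat an empty report as the expected state; any line it prints is a conversation to have, not necessarily an attack. The same comparison works for Windows by feeding it the members of the local Administrators group instead of the sudo and wheel groups.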

3. MANAGE YOUR PASSWORDS. While 84 percent of companies surveyed in the 2007 E-Crime Watch Survey—co-sponsored by Carnegie Mellon University's Software Engineering Institute's CERT Program, the U.S. Secret Service and Microsoft Corp.—reported they have account and password management policies in place, the use of password sniffers or crackers was up last year. You can help ensure safety within your office by requiring all employees to change their passwords monthly or quarterly, and by requiring that all passwords contain both letters and numbers. Also, remember to change administrator passwords, and to disable the departing person's own accounts, whenever someone who had access to IT resources leaves or is fired; a written policy does nothing if a former employee's credentials still work.

4. MOVE BACKUPS OFF YOUR SITE. You should be backing up your data constantly—at minimum, every evening. If you're backing up to removable media, make sure you're either locking it up in a fireproof safe or removing it from the office and locking it up elsewhere. Periodically test that you can actually restore from those backups; a backup you have never restored is an assumption, not a safeguard.

CONCLUSION
Just because you can't commit to a full security audit doesn't mean there isn't plenty you can do to mitigate risk today.




5. INSTALL AND RUN THE RIGHT SOFTWARE AND HARDWARE. Antivirus, spyware and content-filtering software products are inexpensive and fairly easy to administer. Make sure you're scanning all incoming and outgoing mail, as well as anything written to the server, and keep the software's signatures up to date: an out-of-date scanner misses exactly the new threats you bought it to catch. Firewalls are also extremely useful, keeping intruders out while at the same time enabling Internet connectivity.

6. OWN YOUR INFRASTRUCTURE. Be extremely careful about who has access to important system and software resources and data. Consider all of the above private and only accessible on a need-to-know basis. Everyone on the network shouldn't have access to everything on the network: give each account only the access its job requires, and review those permissions when someone changes roles or leaves.

7. INVENTORY YOUR INFRASTRUCTURE OFTEN. You can't protect what you don't know you own. That said, keep a log of all your IT resources that details when they were purchased, who is currently using them, and where they are located. Write down serial numbers whenever possible in the case of theft or loss. You can also purchase secure asset tracking services, which can help you recover a computer should it become lost or stolen.

Sample Inventory Log

RESOURCE NAME    SERIAL #   DATE/PLACE PURCHASED          USERS    LOCATION
Dell Laptop      005892     7/21/08, Joe's Computers      Stacy    Mktg. #3
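As an added example that is not part of the NFIB guide, the following Python script keeps an inventory in the same columns as the sample log above (as a CSV file rather than on paper) and reports the gaps that make a log useless on the day a device goes missing: entries with no serial number, two entries claiming the same serial, and equipment with no assigned user or location. It also groups the entries by location so you can walk the office and check the log against what is physically there. The inventory rows, column names and location labels are constructed for this example.

```python
"""Audit a small-business IT asset inventory kept as CSV.

The inventory content below is constructed for this example; in practice
you would read it from a file with open(...) and pass the text in."""
import csv
import io
from collections import Counter

# Constructed sample inventory in the layout of the guide's sample log.
# It deliberately contains one duplicated serial, one missing serial and
# one device with no assigned user or location.
INVENTORY_CSV = """\
resource_name,serial,date_purchased,place_purchased,user,location
Dell Laptop,005892,2008-07-21,Joe's Computers,Stacy,Mktg. #3
HP Printer,HPX44021,2008-03-02,Joe's Computers,Shared,Front desk
Dell Laptop,005892,2008-07-21,Joe's Computers,Raj,Sales #1
File Server,,2007-11-15,Online,IT,Closet
USB Drive 8GB,UF-2291,2008-05-09,Office store,,
"""

# Fields that must be filled in for an entry to be useful after a theft.
REQUIRED = ("resource_name", "serial", "user", "location")


def load_inventory(text):
    """Parse CSV text into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_inventory(rows):
    """Return a list of (resource_name, problem) tuples, one per defect.

    A duplicated serial is reported against every row that carries it, so
    the owner can see which two entries need to be reconciled."""
    problems = []
    serial_counts = Counter(r["serial"] for r in rows if r["serial"])
    for r in rows:
        for field in REQUIRED:
            if not r[field].strip():
                problems.append((r["resource_name"], f"missing {field}"))
        if r["serial"] and serial_counts[r["serial"]] > 1:
            problems.append((r["resource_name"], f"duplicate serial {r['serial']}"))
    return problems


def by_location(rows):
    """Group resource names by location for a physical walk-through check."""
    grouped = {}
    for r in rows:
        key = r["location"].strip() or "(unassigned)"
        grouped.setdefault(key, []).append(r["resource_name"])
    return grouped


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for name, problem in audit_inventory(inventory):
        print(f"FIX {name}: {problem}")
    for location, items in sorted(by_location(inventory).items()):
        print(f"{location}: {', '.join(items)}")
```

Run the audit each time the log changes and again before any physical walk-through; an entry that fails the audit is one you could not hand to the police or your insurer after a loss.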
