An SMB Security Blanket — Expert Tips from HP - Page 2

By Lauren Simonds | Posted August 26, 2004
Continued From Page 1

Which is the bigger security threat — human error or faulty technology?

Humans are by far the biggest threat - but not necessarily human ERROR. It's often a lack of knowledge that causes people to expose their company to outside security risks, and that's why it's so important to educate employers and employees on security policies. Hackers, virus creators and social engineers are certainly not "accidentally" causing harm. Their efforts are very deliberate.

Technology is a human invention, and the technology that runs business today is only as safe as we make it. Computers and other IT systems are machines — similar to cars in that they need regular maintenance to keep them running properly.

Maintenance is even more crucial now that cyber criminals constantly hunt for an open door into your business. Business owners and IT managers have a responsibility to keep their technology updated with the latest software and virus patches to keep their business safe.

How do new compliance regulations such as Sarbanes-Oxley and HIPAA impact SMBs?

These new federal regulations such as Health Insurance Portability and Accountability Act of 1996, known as HIPAA, include important new - but limited health protection for employees. HIPAA's group market rules apply to every employer group health plan that has at least two participants who are current employees.

HIPAA is intended to prevent the unauthorized disclosure of a patient's "individually identifiable health information. To meet the HIPAA regulations, small businesses need to ensure computer security features are completely in place so that unauthorized users can not access private patient data.

The Sarbanes-Oxley Act (SOX) was passed by U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations. This law impacts all public and private businesses including SMBs.

For instance smaller companies must ensure the integrity of financial data by safeguarding infrastructure and processes against accounting errors and deceptive procedures.

Ensuring that your PCs are secure from unauthorized access and data interception with technology hardware and software security solutions can help small businesses meet these regulations.

What advice do you have for companies that don't have an IT staff?

It is important for small businesses without an IT staff to rely on experts to proactively protect their business from security threats. Look to local partners with the expertise to help with technology issues.

HP provides its partners with the assets and the capabilities they need to successfully support their SMB accounts. HP also provides SMB customers with solutions designed to integrate existing infrastructures. HP makes sure SMBs have the necessary building blocks to address increasing productivity, lower costs and ease of ownership. In addition, we provide our customers with white papers, Q&As and how-to articles to help them with security implementations.

Does the size of the company change the way it should look at security?

While the threats remain the same for all SMBs, it will obviously be much easier to manage security risks in the smaller businesses, as opposed to the larger, medium-sized businesses. Virus protection software, company security policies for end users and a data backup solution are a must for organizations of all sizes.

For businesses with less than 10 employees, the need for automated upgrade and patch management systems is less critical, due to the small number of systems to maintain. Physical security is also less of an issue, as it's also much easier to keep an eye on 10 employees than 50.

The main focus should be on virus protection, data protection and educating employees on best security practices A simple storage solution such as tape backup, and a network firewall are good fundamental ingredients. For employees that travel with their systems, don't forget to protect the data as discussed above

Any company with more than 10 employees — and without an IT staff — should consider outsourcing their network support to a trusted vendor. For companies with an IT staff, the larger the company, the greater the need for software that automates system management and automatically updates critical security patches and upgrades. A thorough security policy — including basic IT security training for all new employees and strict user access policies — is crucial.

There is also a greater need for user authentication. A network firewall is a must, and hardware-based user authentication is an even more important feature, as greater numbers of users will have access to the network. Depending on how mucharchival data that needs storage, companies should consider a storage array or network attached storage solution.

Are SMBs fully aware of the security risk introduced by Wi-Fi networks?

SMBs are very aware of the security risks they face. In fact, in a recent survey conducted by Penn, Scheon and Berland Associates, 49 percent of small and medium business respondents said the security of their company's computer system been threatened in the past year. Wireless security is not a separate network infrastructure that requires entirely different procedures and protocols, but there a few simple steps SMBs can take to make their wireless networks more secure.

First, change the default network SSID (network name) on your wireless router/access point. If it's possible to turn off broadcasting the name of the SSID, then do so. That way, only users that know your company SSID ahead of time can connect to your network. For smaller networks, you can also restrict access only to "known" network card addresses (low level MAC addresses). Many wireless access points and/or wireless routers let you lock out non-registered network cards from the network, preventing outsiders from accessing your network connection.

You should also turn on some form of encryption on the wireless traffic, such as Wireless Encryption Protocols (WEP). Activating rotating encryption keys for WEP encryption at regular intervals (say monthly), or implementing a "dead" wireless network can keep this type of encryption most secure.

A "dead" wireless network assigns network addresses to individual systems, but does not connect to the internal network infrastructure. Users must then use the company VPN to access the internal network, keeping each user connection into the internal network protected with unique and secure encryption keys.

Finally, develop a security policy that combines both wired and wireless security to leverage management and cost advantages. For example, integrate a single user ID and password requirement for your employees whether they access the network through your wired or wireless infrastructure. The addition of hardware-based security features, such as embedded security, compliments the 802.1x standard by providing extra data encryption and authentication protection.

Lauren Simonds is the managing editor of SmallBusinessComputing.com

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!


Page 2 of 2

Previous Page
1 2
 

Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date