Eight Steps to Improve Business Security in 2008

Keep the customer satisfied – it’s a familiar adage to anyone who runs a business. But in the Internet age, small business owners need to do more than keep customers satisfied, they need to keep them safe, too. That means protecting your critical business data — which includes your customers’ financial information — and your network from viruses, malware and myriad other Internet threats.

According to Kevin Prince, chief security officer at ePerimeter, 2008 won’t be as much about new types of attacks as it will be about more of the same. “This year won’t be about new kinds of digital threats. We’ll see the same problems that we’ve been seeing only to a far greater extent,” he said.

Prince noted that social networking sites are increasingly popular targets for computer criminals. Any site visited by lots of people (Google, YouTube, Salesforce.com and MySpace, to name a few) is a prime target for botnets, which are typically spread by superworms. “These attacks are so much more sophisticated than even two years ago,” said Prince. “You won’t even know your PC is infected.”

If you’re thinking, ‘If you can’t even tell you’re infected, how bad can it be,’ consider this: Without preventative measures, you risk compromising your customers’ financial information, your reputation and even your entire business. “Prevention is the best way to avoid being infected,” said Prince. “Anyone with sensitive- or mission-critical data, customer financial information or regulatory issues needs to take steps to protect themselves or risk financial loss.”

Here are eight ways to make your business more secure in 2008.

  1. Comprehensive Patch Management
    It’s critical to keep all of your hardware and software running with the most current versions and with all the current security updates. You need more than Microsoft patch management, said Prince, because Microsoft doesn’t cover Mac, Linux or Unix systems or applications such as Photoshop, Adobe Acrobat and so on.

    “You need a patch management plan for all your systems and third-party applications. It’s important for the administrator to have a network-wide view to see which computers and software are up to date,” Prince said.

  2. Security Awareness Training
    Training your employees about Internet security and your company’s individual policies is key. “Internal people are the greatest threat to your network — intentional or not — because they have the greatest access,” said Prince.

    He said it’s imperative to train your employees how to handle private data, how to create secure passwords and how to deal with social engineering — that is, when people pose as customers or authority figures and ask probing questions to gain secure information.

  3. Host-based Intrusion Prevention Systems (HIPS)
    Instead of relying solely on network-based intrusion detection (i.e., monitoring your entire network for threats), Prince suggests combining it with host-based intrusion prevention (HIPS), which protects the system where the critical information resides. The HIPS monitors traffic to and from that particular system for unusual behavior, attempts at launching applications or other non-standard events.

    “A combination of both network-based and host-based intrusion protection works best,” said Prince.

  4. Internal Vulnerability Assessment
    A vulnerability assessment scans your operating systems, networked servers, workstations and printers to reveal areas where you lack proper protection. Prince recommends this type of system assessment along with testing at the application level. Such a scan might show, for example, that while Windows XP is protected, Microsoft Word may still be vulnerable.

  5. Content Filtering
    Content filtering prevents people on your network from accessing sites that you determine to be unsafe or inappropriate. Prince said content filtering is more than just a productivity issue, however. “Computer criminals lure people to sites that may look legitimate but aren’t. These sites are designed to infect an unsuspecting visitor’s computer with malicious malware.”

  6. Centralized Desktop Protection
    Most desktop computers come standard with some sort of anti-virus protection. Centralizing the management of those networked desktops, so that they can be viewed from one workstation, makes it easier and more effective to install, manage and maintain consistent virus protection, thus limiting exposure.

  7. Policy Management
    Establishing security policies — and then managing them — ensures that employees comply with those policies. These include changing passwords regularly, limiting admin control/access on computers and making sure patches and updates get installed.

  8. Adopt an Extrusion Management Solution
    Most companies, even small businesses, have sensitive information they want to keep in-house. An extrusion management solution prevents that data from leaving your network, which occurs primarily via e-mail. “It prevents, for example, an employee from e-mailing a client’s financial data outside the network,” said Prince. “It gives you control over how sensitive data passes from person to person,” he said.
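The network-wide patch view that step 1 calls for can be as simple as comparing what each machine reports against a table of current releases. The following is an added example written for this article, not code from ePerimeter or the author: the hosts, products and version numbers are constructed sample values, and the "current release" table stands in for whatever vendor feed an administrator actually uses. The one subtlety it demonstrates is that versions must be compared numerically, component by component, because a plain string comparison ranks "10.9" above "10.10".

```python
"""Added example: a minimal network-wide "who is behind on patches" report.

Inventory rows are what each host reported (constructed sample data).
CURRENT_VERSIONS is a placeholder reference table, not a real advisory feed.
"""
import re
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.0.9' into (7, 0, 9). Non-numeric text such as 'Update' is ignored,
    so only the numeric components take part in the comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(installed: str, current: str) -> bool:
    """True when the installed version is older than the current release.
    Tuple comparison handles different lengths: (2, 2) < (2, 2, 8)."""
    return parse_version(installed) < parse_version(current)


# Constructed inventory: one row per (host, product) as reported by the agent.
INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-01", "os": "windows", "product": "Adobe Reader", "version": "8.1.1"},
    {"host": "ws-01", "os": "windows", "product": "Firefox", "version": "2.0.0.11"},
    {"host": "ws-02", "os": "mac", "product": "Firefox", "version": "2.0.0.12"},
    {"host": "srv-01", "os": "linux", "product": "OpenSSL", "version": "0.9.8"},
    {"host": "srv-01", "os": "linux", "product": "Apache httpd", "version": "2.2.6"},
]

# Constructed "current release" table (placeholder numbers for the example).
CURRENT_VERSIONS: Dict[str, str] = {
    "Adobe Reader": "8.1.2",
    "Firefox": "2.0.0.12",
    "OpenSSL": "0.9.8",
    "Apache httpd": "2.2.8",
}


def outdated_report(inventory=INVENTORY, current=CURRENT_VERSIONS) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, current) for every lagging install.
    Products missing from the reference table are reported with 'UNKNOWN'
    so that an unmanaged application is never silently treated as patched."""
    findings = []
    for item in inventory:
        latest = current.get(item["product"])
        if latest is None:
            findings.append((item["host"], item["product"], item["version"], "UNKNOWN"))
        elif is_outdated(item["version"], latest):
            findings.append((item["host"], item["product"], item["version"], latest))
    return findings


if __name__ == "__main__":
    for host, product, installed, latest in outdated_report():
        print(f"{host:8} {product:14} installed {installed:10} current {latest}")
```

Run as-is it prints the three lagging installs in the sample data; in practice the inventory rows would come from whatever agent or login script collects installed-software lists across Windows, Mac and Linux hosts.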
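Step 8 describes stopping sensitive data at the e-mail boundary. The following is an added example illustrating the kind of check such an extrusion-management gateway performs; it is not ePerimeter's product or any code from the article. It parses a constructed outbound message, decides whether any recipient is outside an assumed company domain (`example.com`), and holds the message if the body carries something that looks like a payment card number or an assumed confidentiality marker. Card detection pairs a digit pattern with the Luhn check, which is what keeps order numbers and phone numbers from being flagged.

```python
"""Added example: an outbound e-mail check in the style of an extrusion
management (data loss prevention) gateway. Domain, markers and messages are
assumptions constructed for this example."""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import List, Tuple

INTERNAL_DOMAIN = "example.com"                              # assumed company domain
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL USE ONLY")  # assumed document labels

# 13 to 19 digits, optionally grouped by spaces or dashes, not part of a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return normalized digit strings that look like cards AND pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def external_recipients(msg) -> List[str]:
    """Addresses in To/Cc/Bcc whose domain is not the company's."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN]


def message_text(msg) -> str:
    """Concatenate the text/plain parts (attachments are out of scope here)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def check_outbound(raw_message: str) -> Tuple[str, List[str]]:
    """Return ('allow' | 'hold', reasons). Only mail leaving the domain is policed."""
    msg = message_from_string(raw_message)
    outside = external_recipients(msg)
    if not outside:
        return "allow", []
    reasons = []
    body = message_text(msg)
    cards = find_card_numbers(body)
    if cards:
        reasons.append(f"{len(cards)} card number(s) addressed to {', '.join(outside)}")
    haystack = (msg.get("Subject", "") + "\n" + body).upper()
    for marker in CONFIDENTIAL_MARKERS:
        if marker in haystack:
            reasons.append(f"marker '{marker}' present")
    return ("hold" if reasons else "allow"), reasons


# Constructed sample messages (addresses and numbers are made up; 4111... is a test card value).
SAMPLE_BLOCKED = """\
From: alice@example.com
To: bob@partner-mail.test
Subject: client details

Card on file for the Acme account: 4111 1111 1111 1111, exp 12/09.
"""
SAMPLE_ALLOWED = """\
From: alice@example.com
To: bob@partner-mail.test
Subject: order status

Your order 1234567890123 shipped; call 555-0100 with questions.
"""
SAMPLE_INTERNAL = """\
From: alice@example.com
To: carol@example.com
Subject: CONFIDENTIAL card update

Card on file: 4111-1111-1111-1111.
"""

if __name__ == "__main__":
    for name, raw in [("blocked", SAMPLE_BLOCKED), ("allowed", SAMPLE_ALLOWED), ("internal", SAMPLE_INTERNAL)]:
        print(name, check_outbound(raw))
```

The 13-digit order number in the second sample matches the digit pattern but fails Luhn, so it is not reported; a gateway that skipped the checksum would hold that message too, and the flood of false positives is what usually gets such controls switched off.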

Lauren Simonds is the managing editor of SmallBusinessComputing.com
