Many small-business owners get overwhelmed by the idea that there are “all these things” they must do to keep their data and PCs safe — especially when IT people get caught up in jargon and use terms like “defense in depth.” In this overwhelmed state, the owners either don’t do anything, or they implement poorly conceived notions of what they think defense in depth means.
What it’s really all about though is taking simple steps to protect small aspects of our computer systems, whether it’s our hardware, software or our sensitive data.
We want to protect ourselves in our e-mail and Web-browsing habits. This means using antivirus software and spyware and adware detection measures, along with pop-up blockers. (Pop-ups aren’t just an inconvenience; they frequently carry Trojans and other types of malware.) We want to protect ourselves from losing data, whether it’s our personal information or sensitive data belonging to our company. Finally, we want to protect our networked computers from being compromised.
We repeatedly tell anyone who will listen to keep virus signatures updated and to scan all incoming e-mail attachments. Never, ever, ever open attachments from strangers. Think before opening e-mail attachments from family or friends.
When in doubt, call and ask if they really sent you the Read-ME.doc.exe file (a double extension like that is a classic way of disguising a program as a document). Filter your spam. Never click on links in e-mail, regardless of who appears to have sent them. (Hand-type the address if you think there might be some slight possibility that the GOAR Bank of West Virginia really wants you to verify your non-existent account.)
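The two checks in the paragraph above, catching a disguised executable attachment and a link whose visible text names one site while it really points at another, are simple enough to automate at a mail gateway or in a mail client. The following is an added example written for this column, not code from the author; the message contents, hostnames (goarbank.example, attacker.test) and the list of executable extensions are constructed for illustration.

```python
"""Flag risky e-mail attachments and look-alike links.

Added example for this column, not the author's code. The filenames and
links below are constructed test data, not captured from real messages.
"""
from urllib.parse import urlparse

# File types Windows runs directly when double-clicked. A harmless-looking
# extension placed in front of one of these ("Read-ME.doc.exe") is the
# classic lure; with "hide extensions for known file types" on, the user
# sees only "Read-ME.doc". (Constructed list, not exhaustive.)
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "lnk",
}


def attachment_risk(filename):
    """Return a short reason the attachment is dangerous, or None if it
    passes this (deliberately simple) name-based check."""
    # Normalise case and strip padding spaces attackers use to push the
    # real extension out of view ("invoice.pdf            .exe").
    parts = [p.strip() for p in filename.lower().split(".") if p.strip()]
    if len(parts) < 2:
        return None
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) > 2:
        return "double extension hiding an executable: .%s.%s" % (parts[-2], real_ext)
    return "executable attachment: .%s" % real_ext


def _host(text):
    """Hostname named by a URL or a bare domain; None if text is not one."""
    if "://" not in text:
        text = "http://" + text
    try:
        host = urlparse(text).hostname
    except ValueError:
        return None
    # Require a dot and no spaces so anchor text like "click here" is not
    # mistaken for a hostname.
    if host and "." in host and " " not in host:
        return host
    return None


def link_mismatch(display_text, href):
    """Flag a link whose visible text names one site but whose real target
    is another. Returns a reason string or None."""
    shown = _host(display_text)
    target = _host(href)
    if shown is None or target is None:
        return None  # nothing to compare against
    # The target may legitimately be the shown host or a subdomain of it.
    # "www.goarbank.example.attacker.test" does not end with
    # ".www.goarbank.example", so the look-alike is caught.
    if target == shown or target.endswith("." + shown):
        return None
    return "text says %s but link goes to %s" % (shown, target)


def scan_message(attachments, links):
    """Run both checks over one message; returns a list of findings."""
    findings = []
    for name in attachments:
        reason = attachment_risk(name)
        if reason:
            findings.append("attachment %r: %s" % (name, reason))
    for text, href in links:
        reason = link_mismatch(text, href)
        if reason:
            findings.append("link %r: %s" % (text, reason))
    return findings


# Constructed sample message in the spirit of the column's examples.
SAMPLE_ATTACHMENTS = ["Read-ME.doc.exe", "quarterly-report.pdf", "photo.jpg"]
SAMPLE_LINKS = [
    ("www.goarbank.example", "http://www.goarbank.example.attacker.test/verify"),
    ("https://www.goarbank.example", "https://www.goarbank.example/login"),
    ("click here", "http://unsubscribe.example/"),
]

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_ATTACHMENTS, SAMPLE_LINKS):
        print(finding)
```

Run on the constructed message it reports exactly two findings: the double-extension attachment and the bank link whose target host merely begins with the bank's name. A name-based check like this is a filter, not a verdict; attachments that pass it still need scanning, and a link whose anchor text is not a hostname cannot be judged this way at all.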
Be aware of the types of information you send in e-mail. Unless you encrypt the body of the message, it travels as plain text, and anyone who can intercept it along the way can read it, and that’s just e-mail. Looking again at the previous litany, we see these are all common-sense steps that require some thought and only a little effort.
When you send e-mail to a colleague, you need to think about the purpose of the message and the attachments. Think about the potential loss of information if that message is compromised while in transit.
Consider the need for using e-mail, and whether a short phone call or face-to-face conversation might prevent the loss of sensitive data. Recognize that once it’s gone, it’s out of your control. That data can be replicated, transferred or disseminated to any number of places without your knowledge. Anyone who has ever dashed off a rash message taunting the boss’ computational skills knows what I’m talking about.
Web Browsing Issues
Know the sites you visit. When completing financial transactions, make sure the site’s URL begins with https://, which means your connection to the site is encrypted. (Encryption alone doesn’t prove who is on the other end, so also check that the domain in the address bar is really the one you expect.) Be aware of the links you click on within sites. Piggybacked applets that hide in innocuous content can install Trojans. And in some cases, sites that promise one thing actually deliver something much different.
If you choose to download something from the Web and install it on your machine, please at least read the license agreement that gives away all your rights to privacy. Look closely at the agreement to see whether the download will also add unwelcome Web-anonymizers, Web-accelerators and file sharing programs.
Good password practices go a long way toward protecting your network access, documents, e-mail and secure Web sites such as banking and human resources sites. Choose passwords appropriate to the level of need. Your network account password should be as complicated as the system allows. If you must write it down, keep it in a secure place, never together with the username, and never anywhere near your system, even if you think it’s well hidden. This is insurance for that rare occasion when you can’t quite come up with the correct order of letters, numbers and special characters.
Work out a scheme that lets you build each new password on the same principles. Just remember that your passwords should be as strong as the system allows.
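To make “as strong as the system allows” concrete, the following added example (written for this column, not the author’s code) estimates a ceiling on password strength from length and character classes, checks a policy, and generates passwords from the operating system’s cryptographic random source. The policy numbers (12 characters, three classes) are assumptions for illustration; use whatever your own systems require.

```python
"""Estimate password strength and generate passwords that meet a policy.

Added example for this column, not the author's code. The policy numbers
(12 characters, three character classes) are assumptions for illustration.
"""
import math
import secrets
import string

SYMBOLS = string.punctuation


def character_classes(password):
    """Which of the four classes (lower, upper, digit, symbol) appear."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SYMBOLS:
            classes.add("symbol")
    return classes


def entropy_ceiling_bits(password):
    """log2(pool) bits per character, where pool is the size of the alphabet
    the password draws from. This is a ceiling, not a measurement: a
    dictionary word, a keyboard walk or a reused password is far weaker
    than the number suggests."""
    pool_sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}
    pool = sum(pool_sizes[c] for c in character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def meets_policy(password, min_length=12, min_classes=3):
    """Assumed policy: minimum length and minimum number of classes."""
    return (len(password) >= min_length
            and len(character_classes(password)) >= min_classes)


def generate_password(length=16, min_classes=3):
    """Random password from the OS CSPRNG (secrets, never random) that
    satisfies the policy; retries until enough classes are present."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, length, min_classes):
            return candidate


if __name__ == "__main__":
    # Length beats complexity: 25 lowercase letters outscore 8 characters
    # drawn from all four classes.
    for pw in ["password", "P@ssw0rd", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print("%-28s %6.1f bits  policy: %s"
              % (pw, entropy_ceiling_bits(pw), meets_policy(pw)))
    print("generated:", generate_password())
```

The demonstration shows why “as complicated as possible” should mean long first and varied second: eight characters from all four classes reach about 52 bits at best, while 25 lowercase letters reach about 117. Treat the estimate as an upper bound; it cannot tell a random string from a famous quotation of the same length.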
Defense in depth includes taking precautions regarding physical access to your computer. Sure, it’s a desktop and you can’t lock it in a cabinet, but do you lock your screen when you step away for coffee or lunch? Have you conveniently left your really-hard-to-remember password written down in an unlocked drawer for the janitor to find? Do you ever look to see whether there is a strange device plugged in between your keyboard and the back of your unit? Corporate espionage often begins at home with a hardware keystroke logger that captures the credentials an attacker later uses for easy remote access.
Having a computer is similar to owning a car. Without thinking about it, we strap in, start the engine and go where we want to go. But with a little more thought, we realize that we also fill the gas, change the oil, check the brakes and keep the tires filled with air. Hopefully, we use fresh wiper blades, and keep the engine tuned for optimum performance. This is our defense in depth from problems happening on the road. Under-inflated tires and bad rubber can lead to blowouts. Poor engine performance can lead to the purchase of a new engine or even a new car.
Keeping our computers tuned by taking care of the simple details gives us that new car smell in the networked world.
Linda LeBlanc, who served as a Gunnery Sergeant in the U.S. Marine Corps, now is a network security analyst at MIT. She also does security consulting for Web-based businesses. LeBlanc’s columns reflect her own opinions, and not necessarily those of her employer.
Adapted from esecurityplanet.com.