Technology Management

Play It Safe

SBOCTeam — Tue, 30 Sep 2008 17:19:00 GMT

How to Protect Your Customers' Confidential Info

By Christopher Freeburn

Customer data may well be your business's most critical asset. Unfortunately, there are plenty of thieves who would like to gain access to it. Identity and credit card theft are burgeoning problems. Customers' names, addresses, and credit information are valuable commodities that thieves not only steal, but actually trade among themselves. Today's profusion of computer technology and online connectivity has proven not only a boon for business, but for thieves as well. Protecting your company's information is as vital as locking your office doors.

The World Wide Web of Hackers
There's almost no way to isolate your business from the Internet these days. Even the smallest businesses usually have web sites and email is now virtually a business requirement. That usually means that the computers you use for business are likely connected, either directly or through your company network, to the Internet. While there is no question that the Internet has been a huge boost to small business, it comes with serious security risks.

The Internet connection that brings the world to your business's front door can also let unscrupulous thieves dive right into your company hard drives and gain access to vital customer and business data. "The best way to prevent that is to make sure that your company network and computers have a robust firewall and use the latest Internet security software available," says Cambridge, Massachusetts-based computer security expert Dan Smith. "This applies even if you outsource your company's online services to a web hosting company." If you don't know how to enable your firewall and security software properly, hire a network or computer expert to do it for you. "Your firewall is the first and best line of defense in keeping unwanted people out of your system," Smith explains. "If you don't pay enough attention to it you can find your network crippled and your data stolen."

A wide variety of Internet Security software packages are available for small businesses. Additionally, personal computers and network servers come with some form of internal firewalls that will work in concert with third-party Internet security software. Most of these programs feature an automatic update feature that allows the software to contact its manufacturer online and check for software updates. Since the battle between hackers and security software is never-ending, keeping the update feature active is crucial to receiving updates meant to combat the latest threats.

Isolate Data
Your company data can be threatened not only from the outside, but also from within your business as well. Last January, news organizations reported the story of a Florida architectural firm whose office manager, erroneously believing she was about to be fired, deleted seven years worth of company records, including millions of dollars worth of blueprints and drawings from the firm's computer. The company was able to recover much of the data, but only at great expense. In order to prevent accidental or deliberate loss or theft of data, it is a good idea to restrict access to the company network-or at least to the most sensitive data-to a few trusted, high-level employees. Most network software packages offer a variety of different password-based levels of access to the network and its assets.

Make sure that employees guard their individual passwords and that the passwords of employees who depart the business are deleted immediately.

Shredding to Security
Keeping your company's critical data secure often means more than simply keeping your computers free from hackers and the office doors securely locked. Too many companies forget that documents tossed out with the trash become instantly vulnerable to thieves or competitors.

There is no privacy in garbage, according to a 1998 Supreme Court ruling, which means anyone can grab a garbage bag from your firm left at the curb and legally sift through it. That means your competitors can legally acquire sensitive information about your business if you aren't careful enough to properly dispose of it. It also means that identify thieves might glean enough personal information regarding your customers to open credit cards accounts in their names, causing them substantial financial harm.

In order to protect your company and your customers, you should consider creating a formal company policy regarding document disposal. And then make certain that all employees understand and follow through with its implementation.

Any paper that contains customer names, account numbers, or billing information should be shredded. The same is true of company documents that provide employee names, social security numbers, payroll, medical insurance, home addresses, or salary information. But you should also be shredding any documents containing information valuable to your competitors. Sales numbers, financial analysis, marketing plans or reports, web site usage figures - all of these could be of potential interest to competing companies. Legal documents as well. In practice it's a good idea to shred any document that sheds light on your company's internal practices or arrangements.

Document shredder machines are available in a wide range of sizes and prices, with small units running under $60, making it easy for a small business to have several such machines where needed. Traditional shredders rend documents into narrow vertical strips. Newer cross-cut shredders slice the documents two ways, rendering them into confetti that is almost impossible to reconstruct.

Wireless Vulnerability
Once upon a time, connecting the computers in a small office meant running wires all over the place. Today, setting up a wireless network for a small or home-based business can take little more than a few hours work. But for all their convenience, wireless networks face a serious downside: security. Your wireless router broadcasts your network's data indiscriminately over a certain area (anywhere from a 100 to 300-feet radius from the router). Any computer equipped with a wireless network card within that area can receive the signals and access your network.

"The number of businesses that forget to install some level of encryption in their wireless networks is astonishing," says Dan Smith. "People who are scrupulous about installing Internet anti-virus programs just blank on wireless access security." But the consequences can be serious. "There are people who set up their laptops outside office buildings and shopping malls looking for vulnerable wireless networks," Smith explains. "Once they find one they can penetrate they'll poke around until they find some useful information." That can include customer data like credit card numbers and billing addresses or employee data like social security numbers. "Once they have anything like that, it can be used for theft or identity fraud, or sold to others for that purpose."

In order to prevent unwanted intrusions, wireless equipment manufacturers have developed a variety of encryption programs. Most wireless network equipment comes with two basic encryption systems: Wired Equivalence Protection (WEP) and (Wired Protected Access) WPA. These encrypt your wireless signal, requiring any wireless-capable computer to have the right encryption key to decode the signal. WPA is the more robust encryption protocol. Keeping firewalls enabled on all networked computers and changing network passwords is also recommended.

Digital Security Spotlight

SBOCTeam — Thu, 06 Dec 2007 16:27:00 GMT

Don't ignore the issue of digital security, a network breach or a loss of data could threaten the survival of your business
By Nate Hardcastle

The digital revolution has given small businesses capabilities that were once the exclusive domain of their big competitors from fast, high quality publishing to instant global communication. But those technologies have also brought new dangers, including hackers, viruses, spyware, adware, and the loss of valuable data to insufficient backup. Luckily, there are numerous lines of defense available to guard your office against these new age threats.

Safeguard Your Network
A recent study by the Small Business Technology Institute (SBTI) in San Jose, California found that most small businesses networks are inadequately protected and the problem is getting worse. "Small businesses are using increasingly sophisticated technology," says Patrick Cook, an analyst with SBTI. "But their digital security systems aren't keeping up, so they are increasingly vulnerable."

The study found that more than half of small businesses had experienced an information security incident in the previous 12 months, and one in ten small businesses had suffered five or more. Security is especially critical for small companies. Small firms have fewer resources than their larger competitors, so they tend to suffer disproportionately when security problems occur: For example, a negligible computer virus at a big corporation might cripple a small business. Many small businesses are strapped for time and cash, however, so they often fail to take sufficient precautions to protect themselves. That's a big mistake. Security investments not only keep your company safe they pay for themselves many times over.

Major security breaches like computer hackers or viruses can result in catastrophic data loss or theft, but the majority of these occurrences have less obvious repercussions. "The biggest problem was lost productivity," says Cook. "Viruses, adware, spyware and other intrusions lead to downtime for networks and employees, and that costs businesses a lot of money."

Mike Faiola, president of Boston area printing company Arlington Lithograph, learned that lesson seven years ago. The 25 employee business upgraded to an entirely digital printing process in 1995 and experienced its first virus in 1998. "Four of our six workstations were disabled," says Faoila. "Everything ground to a halt." Faiola discovered that the company's anti-virus software was six months out of date. A quick upgrade took care of the problem and the experience made Faiola a true believer in the importance of data security. "That was probably the best thing that could have happened to us," he says. "Everything we do depends on our computers. Security takes a small investment of time and money and it pays for itself even if it just prevents one workstation from going down for one day."

The following steps will help you spend your money wisely and keep your data safe.

Put up firewalls. Firewalls prevent hackers from peering inside your network. They come as both hardware and software products your firm should have both. Make sure firewalls are installed both on your computer network and on each computer, including those connecting remotely.

Patch holes automatically. Make sure your operating systems have all the latest security patches. This is a snap: Simply go to the OS maker's Web site and sign up for automatic security updates. The site will upload any new patches to your computers as soon as they become available. Microsoft OneCare, a subscription based security program for Windows Vista and XP, performs these updates automatically.

Use free security tools. For example, Windows Vista contains a high quality built in software firewall and an anti-phishing filter that warns you when you visit a nonsecure site. Symantec, Microsoft and other software companies offer free spyware scans on their Web sites.

Hide your wireless network. Wireless networks are relatively easy for malefactors to exploit. Use Wi-Fi Protected Access (WPA), which encrypts wireless data and prevents intruders. Avoid older systems such as Wired Equivalent Privacy, which have less protection. If possible, restrict your wireless use to portable devices like PDAs and Blackberries, as cellular wireless service which relies on code division multiple access (CDMA) technology, is more secure than traditional WiFi. "A person can't operate cellular wireless service unless they have a license to employ the technology," explains Mark Boggs, manager, data sales for Verizon Wireless. An unlicensed spectrum like WiFi, on the other hand, is not so hard to crack.

Inoculate against viruses. Install up to date antivirus software on every networked computer. Microsoft's OneCare package includes anti-virus software that updates automatically, saving you and your employees the hassle. "We liberate small business owners from having to think about whether their security coverage is good," says Microsoft corporate marketing manager Larry Brennan.

A word about Microsoft OneCare: The package, which contains anti-virus, anti-spyware, anti-phishing, and firewall programs, acts as a network watchdog-detecting security breaches, alerting you of their presence, and correcting them with the click of a button. However the subscription service is only available for three computers at a time. Larger networks will require multiple subscriptions.

Secure Data Storage
While the paperless office never really arrived, any small business owner will tell you that the amount of critical information email correspondence, credit card numbers, business plans, sales and marketing data stored on a company's computers has increased exponentially. Vastly increased, too, would be the cost of losing any or all of that precious data. Many small businesses still rely on traditional backups like external hard drives and basic CD/DVD-burners to secure their company's records. Such methods may be sufficient for storing relatively small amounts of data, but they are labor intensive and capacity is limited. By contrast, Quantum Corp's GoVault Removable Disk Drive Solution, a storage and backup system designed expressly for small businesses, offers up to 20 times the storage space. Its deduplication technology backs up data as users perform updates, eliminating the need to resave an entire file every time you or one of your employees makes a change. The system, which uses a simple, Windows like drag and drop interface, runs on an internal or tabletop dock and includes removable hard disk cartridges for on or offsite data storage.

But GoVault is still built on the traditional hard disk model of storage and backup. The removable disk cartridges, like DVDs and CDs, are easily lost or, worse stolen, resulting not only in the loss of company records, but possibly in a security risk.

There is nothing traditional about Microsoft's Complete PC Backup. Currently available in Vista's Business, Ultimate, and Enterprise editions, the program takes a digital photo of your existing hard drive and saves it to a disk. In the unfortunate event that your hard drive crashes (and wasn't backed up by a server), the disk that houses this image, when inserted into a PC with a blank hard drive, will restore and configure all of your lost data, settings, and preferences on the new drive. And it's user friendly. "The whole process takes thirty to sixty seconds," says Austin Wilson, Product Manager for Windows Vista. A picture worth a thousand gigabytes.

Offsite Data Storage
Once upon a time, only big companies with huge IT budgets could afford the luxury of transmitting their data for backup and storage in secure, remote locations. But the Internet has made this an option for even very small businesses. Online data storage is an exploding field with both established names and newcomers all vying to store your company's data.

There are a number of benefits of storing and backing up your data offsite. Physical security is the most notable. If your offices are damaged or destroyed, your critical business information will still be secure miles away, whereas, any on site data storage device may not survive. Online storage also permits easier access to data, especially for companies with traveling representatives or multiple offices, without clogging up email systems or company servers with large files. Better still, online storage is far more easily expandable. No need to buy new equipment for the office and endure the disruption of installation as more storage capacity is required simply purchase more storage space from the provider. Online storage also eliminates the need to maintain the storage devices or deal with technical issues on your own. Many online storage providers also offer software that automatically backs up all your company's data at set intervals, eliminating the chance of data loss due to forgetfulness.

Iomega (iomega.com), the maker of various hard disk storage media, offers iStorage, which allows small business owners to store data on Iomega's secured servers using highly encrypted data access and transmission. Data stored on iStorage can be shared by any number of authorized users, eliminating the need to send large files by email and freeing up space on users' hard drives. Data in iStorage is protected from viruses and system crashes and can be downloaded to users' laptops or PDA's from any location. One gigabyte of storage space on iStorage's servers will cost $249 per year; larger data capacities are available.

A number of other companies offer online data storage with similar services, including HyperOffice (hyperoffice.com), eVault (evault.com), C I Host (cihost.com), and Spare Backup (sparebackup.com). These companies offer a variety of data access, storage and backup features at widely varying pricing structures. All offer secure, encrypted data storage and transmission and technical support.
Guarding your business against digital intrusion and data loss is essential and can make the difference between the success and failure of your enterprise. The process may not be easy, and certainly will require an investment of time and cash. But those investments will reap generous returns. Protecting your firm from the various threats it faces may increase productivity, decrease losses to theft, and keep you afloat after a calamitous event, but its greatest benefit may be the vast improvement in your peace of mind.

Digital Security Checklist
Everyday practices that will help keep your data safe.

1.) Use powerful passwords. For passwords to do their job, they should contain at least eight characters and some combination of upper and lower case letters, digits and symbols. Make sure everyone at your company changes passwords every few months.
2.) Surf with care. Enable your Web browser's security settings (you usually can find these in the "preferences" menu), and never click on pop up ads. Microsoft's OneCare and Windows Vista can warn you when you're approaching an unsafe site and protect you from malware.
3.) Email intelligently. Never open attachments from unknown senders, or attachments with extensions you don't recognize. Make sure you have antivirus software running when opening attachments.
4.) Audit your security systems. Hire an IT consultant to perform an annual security audit that includes an examination of every machine at the company.

Protect Your Business

SBOCTeam — Sun, 21 Oct 2007 22:49:00 GMT

You and your colleagues have invested untold amounts of time, energy and capital into your business. You want to protect it from potential threats - ranging from burglars to computer viruses to fire.
By Reed Richardson

Security is especially critical for small companies. Small firms have fewer resources than their larger competitors, so they tend to suffer disproportionately when security problems occur: For example, a negligible theft or computer virus at a big corporation might cripple a small business. Many small businesses are strapped for time and cash, however, so they often fail to take sufficient precautions to protect themselves. That's a big mistake. Security investments not only keep your company safe - they pay for themselves many times over. The following sections outline the most important steps you can take to protect your firm's information, assets and employees.

Digital Security

The digital revolution has given small businesses capabilities that were once the exclusive domain of their big competitors - from fast, high-quality publishing to instant global communication. But those technologies also have brought new dangers, including hackers, viruses, worms, Trojan horses, spyware, adware and other digital beasties.

A recent study by the Small Business Technology Institute (SBTI) in San Jose, California, found that most small businesses are inadequately protected - and the problem is getting worse. "Small businesses are using increasingly sophisticated technology," says Patrick Cook, an analyst with SBTI. "But their digital security systems aren't keeping up, so they are increasingly vulnerable."

The study found that more than half of small businesses had experienced an information security incident in the previous 12 months, and one in ten small businesses had suffered five or more. Some of those incidents resulted in catastrophic data loss or theft, but the majority had less obvious repercussions. "The biggest problem was lost productivity," says Cook. "Viruses, adware, spyware and other intrusions lead to downtime for networks and employees, and that costs businesses a lot of money."

Mike Faoila, president of Boston-area printing company Arlington Lithograph, learned that lesson seven years ago. The 25- employee business upgraded to an entirely digital printing process in 1995 - and experienced its first virus in 1998. "Four of our six workstations were disabled," says Faoila. "Everything ground to a halt."

Faoila discovered that the company's antivirus software was six months out of date. A quick upgrade took care of the problem - and the experience made Faoila a true believer in the importance of data security. "That was probably the best thing that could have happened to us," he says. "Everything we do depends on our computers. Security takes a small investment of time and money - and it pays for itself even if it just prevents one workstation from going down for one day."

The moral: Investments in network security can boost your bottom line. Cook recommends increasing your business's digital security expenditures in line with your investments in computers, servers, and networking equipment.

The following steps will help you spend that money wisely:

Put up firewalls.
Firewalls prevent hackers from peering inside your network. They come as both hardware and software products - your firm should have both. Make sure firewalls are installed both on your computer network and on each computer, including those connecting remotely.

Use powerful passwords.
For passwords to do their job, they should contain at least eight characters and some combination of upper-and lower-case letters, digits, and symbols. Make sure everyone at your company changes passwords every few months.

Patch holes automatically.
Make sure your operating systems have all the latest security patches. This is a snap: Simply go to the OS maker's Web site and sign up for automatic security updates. The site will upload any new patches to your computers as soon as they become available.

Use free security tools.
For example, Windows XP contains a high-quality built-in software firewall, and Symantec, Microsoft and other software companies offer free spyware scans on their Web sites.

Inoculate against viruses.
Install up-to-date anti-virus software on every networked computer. Make sure it's set to download updates automatically.

Surf with care.
Enable your Web browser's security settings (you usually can find these in the "preferences" menu), and never click on pop-up ads.

Email intelligently.
Never open attachments from unknown senders, or attachments with extensions you don't recognize.

Back up data files.
Assign one employee daily back-up duty, and test the system regularly to see if information can be restored from the backup copies.

Hide your wireless network.
Wireless networks are relatively easy for malefactors to exploit. Use Wi-Fi Protected Access (WPA), which encrypts wireless data and prevents intruders. Avoid older systems such as Wired Equivalent Privacy, which have less protection.

Audit your security systems.
Hire an IT consultant to perform an annual security audit that includes an examination of every machine at the company.

Vital Records Protection
Chances are, your business would be in big trouble if a fire or natural disaster destroyed documents such as customer lists, contracts, invoices, and insurance documents. In fact, Steve Aronson of the records protection firm Fire King International reports that only half of all businesses that experience total records loss survive the following year.

The good news: It's relatively simple to protect such documents. Store them in file cabinets that are rated by Underwriter Laboratories to withstand one hour of fire as well as heavy impacts. Impact protection is critical, since large fires typically cause roofs or floors to cave in. Such cabinets typically cost two to three times the amount of an ordinary steel filing cabinet - a small investment to protect your firm's most valuable records.

Digital records stored on CDs, hard drives, and other digital media are more sensitive, so they need greater protection. Be sure to keep those records in a data safe rated by Underwriter Laboratories to keep contents below 125 degrees and 80% humidity for at least an hour during a fire.

Physical Location Security

Many small businesses will be well served by hiring a security vendor to monitor their premises and deter robbery, vandalism and other physical threats. Security vendors can tailor a system that keeps a lookout using digital video cameras and a variety of sensors, and then relays important information to key business members and law enforcement. (The cost will vary widely depending on your security needs.) Select a reputable vendor recommended by your chamber of commerce or other small businesspeople and certified by the National Burglar and Fire Alarm Association (NBFAA).

Meanwhile, take the following security precautions:

Make frequent deposits to reduce the amount of cash on hand.

Maintain adequate lighting, both inside and outside your facility.

Eliminate hiding places around the premises by keeping grounds clean and spacing out trees and bushes.

Change locks regularly, particularly if you have high employee turnover.

Use safes that carry Underwriter Laboratories ratings of five or higher.

Contact local police about performing a security audit

Fraud

Fraud is more common - and more costly - than you might think. The Association of Certified Fraud Examiners (ACFE) estimates that the typical business loses 6% of its annual revenue to fraud. Losses are even worse for small businesses: Small businesses that suffered from fraud lost a median of $98,000 - more than all but the very largest organizations. Create a positive work environment. "Employee resentment creates an environment ripe for fraud," says Larry Cook, a fraud examiner in Kansas City. Some essential elements of a positive environment include:

Integrity at the top. If the owner takes cash from the till without recording it, he sends the message that doing so is okay.

Written job descriptions. Job descriptions create clear responsibilities, so employees don't feel put-upon.

Open lines of communication and clear lines of authority. Workers need to know that complaints will be dealt with fairly and expediently.

Separate financial responsibilities. It's best if the people who handle the money are not the same people who record transactions. Limit access to valuable assets and information. Such items include cash, tools, and other pricey equipment, intellectual property, and accounting and human resources records. Create strong fraud policies. Fraud and ethics policies should be written and distributed to all employees - including senior management. The ACFE found that the higher a fraudulent employee's rank, the more expensive the fraud. Conduct thorough background checks. Examine an applicant's criminal record, driving record, and history of civil lawsuits, and verify the information on the resume or application. Look for warning signs such as arrests for violent offenses or lawsuits for fraudulent conduct or collection of funds. Important: The applicant must sign a release allowing you to look into these matters, or you risk running afoul of privacy laws. Build an anonymous reporting system. The majority of fraud that's discovered is reported by whistle-blowing employees.

As a result, companies with confidential reporting mechanisms lose only half as much to fraud as those without them, according to the ACFE. Make sure employees, customers, and vendors know about the system. You can outsource your reporting system to a vendor, or simply maintain a phone line that goes straight to voice mail. Perform regular and irregular audits. You can hire a security firm to gauge your fraud-prevention controls. That's likely to be expensive - typically more than $10,000. Alternatively, fraudinvestigation firm CVA Solutions offers a well-regarded vulnerability assessment at ifvat.com. Use video cameras - but only where necessary. Closed circuit cameras are one of the best ways to deter employee theft, and advances in digital technology have made them far more affordable and easier to use. Employees generally don't mind surveillance cameras, as long as they are clearly used to prevent fraud - not to catch loafing. Investigate incidents promptly. Doing so will discourage future fraud, and encourage whistle blowers.

Guarding your business against digital intrusion, records loss, robbery, and fraud is essential and can make the difference between the success or failure of your enterprise. The process may not be easy, and certainly will require an investment of time and cash - two things in short supply at many small businesses. But those investments will reap generous returns. Protecting your firm from the various threats it faces may increase productivity, decrease losses to theft, and keep you afloat after a calamitous event - and it also will dramatically improve your peace of mind.

Reed Richardson is an associate writer/editor for Business 24/7 magazine.