Technology Management

Play It Safe

SBOCTeam — Tue, 30 Sep 2008 17:19:00 GMT

How to Protect Your Customers' Confidential Info

By Christopher Freeburn

Customer data may well be your business's most critical asset. Unfortunately, there are plenty of thieves who would like to gain access to it. Identity and credit card theft are burgeoning problems. Customers' names, addresses, and credit information are valuable commodities that thieves not only steal, but actually trade among themselves. Today's profusion of computer technology and online connectivity has proven not only a boon for business, but for thieves as well. Protecting your company's information is as vital as locking your office doors.

The World Wide Web of Hackers
There's almost no way to isolate your business from the Internet these days. Even the smallest businesses usually have web sites and email is now virtually a business requirement. That usually means that the computers you use for business are likely connected, either directly or through your company network, to the Internet. While there is no question that the Internet has been a huge boost to small business, it comes with serious security risks.

The Internet connection that brings the world to your business's front door can also let unscrupulous thieves dive right into your company hard drives and gain access to vital customer and business data. "The best way to prevent that is to make sure that your company network and computers have a robust firewall and use the latest Internet security software available," says Cambridge, Massachusetts-based computer security expert Dan Smith. "This applies even if you outsource your company's online services to a web hosting company." If you don't know how to enable your firewall and security software properly, hire a network or computer expert to do it for you. "Your firewall is the first and best line of defense in keeping unwanted people out of your system," Smith explains. "If you don't pay enough attention to it you can find your network crippled and your data stolen."

A wide variety of Internet Security software packages are available for small businesses. Additionally, personal computers and network servers come with some form of internal firewalls that will work in concert with third-party Internet security software. Most of these programs feature an automatic update feature that allows the software to contact its manufacturer online and check for software updates. Since the battle between hackers and security software is never-ending, keeping the update feature active is crucial to receiving updates meant to combat the latest threats.

Isolate Data
Your company data can be threatened not only from the outside, but also from within your business as well. Last January, news organizations reported the story of a Florida architectural firm whose office manager, erroneously believing she was about to be fired, deleted seven years worth of company records, including millions of dollars worth of blueprints and drawings from the firm's computer. The company was able to recover much of the data, but only at great expense. In order to prevent accidental or deliberate loss or theft of data, it is a good idea to restrict access to the company network-or at least to the most sensitive data-to a few trusted, high-level employees. Most network software packages offer a variety of different password-based levels of access to the network and its assets.

Make sure that employees guard their individual passwords and that the passwords of employees who depart the business are deleted immediately.

Shredding to Security
Keeping your company's critical data secure often means more than simply keeping your computers free from hackers and the office doors securely locked. Too many companies forget that documents tossed out with the trash become instantly vulnerable to thieves or competitors.

There is no privacy in garbage, according to a 1998 Supreme Court ruling, which means anyone can grab a garbage bag from your firm left at the curb and legally sift through it. That means your competitors can legally acquire sensitive information about your business if you aren't careful enough to properly dispose of it. It also means that identify thieves might glean enough personal information regarding your customers to open credit cards accounts in their names, causing them substantial financial harm.

In order to protect your company and your customers, you should consider creating a formal company policy regarding document disposal. And then make certain that all employees understand and follow through with its implementation.

Any paper that contains customer names, account numbers, or billing information should be shredded. The same is true of company documents that provide employee names, social security numbers, payroll, medical insurance, home addresses, or salary information. But you should also be shredding any documents containing information valuable to your competitors. Sales numbers, financial analysis, marketing plans or reports, web site usage figures - all of these could be of potential interest to competing companies. Legal documents as well. In practice it's a good idea to shred any document that sheds light on your company's internal practices or arrangements.

Document shredder machines are available in a wide range of sizes and prices, with small units running under $60, making it easy for a small business to have several such machines where needed. Traditional shredders rend documents into narrow vertical strips. Newer cross-cut shredders slice the documents two ways, rendering them into confetti that is almost impossible to reconstruct.

Wireless Vulnerability
Once upon a time, connecting the computers in a small office meant running wires all over the place. Today, setting up a wireless network for a small or home-based business can take little more than a few hours work. But for all their convenience, wireless networks face a serious downside: security. Your wireless router broadcasts your network's data indiscriminately over a certain area (anywhere from a 100 to 300-feet radius from the router). Any computer equipped with a wireless network card within that area can receive the signals and access your network.

"The number of businesses that forget to install some level of encryption in their wireless networks is astonishing," says Dan Smith. "People who are scrupulous about installing Internet anti-virus programs just blank on wireless access security." But the consequences can be serious. "There are people who set up their laptops outside office buildings and shopping malls looking for vulnerable wireless networks," Smith explains. "Once they find one they can penetrate they'll poke around until they find some useful information." That can include customer data like credit card numbers and billing addresses or employee data like social security numbers. "Once they have anything like that, it can be used for theft or identity fraud, or sold to others for that purpose."

In order to prevent unwanted intrusions, wireless equipment manufacturers have developed a variety of encryption programs. Most wireless network equipment comes with two basic encryption systems: Wired Equivalence Protection (WEP) and (Wired Protected Access) WPA. These encrypt your wireless signal, requiring any wireless-capable computer to have the right encryption key to decode the signal. WPA is the more robust encryption protocol. Keeping firewalls enabled on all networked computers and changing network passwords is also recommended.

Protect Your Business

SBOCTeam — Sun, 21 Oct 2007 22:49:00 GMT

You and your colleagues have invested untold amounts of time, energy and capital into your business. You want to protect it from potential threats - ranging from burglars to computer viruses to fire.
By Reed Richardson

Security is especially critical for small companies. Small firms have fewer resources than their larger competitors, so they tend to suffer disproportionately when security problems occur: For example, a negligible theft or computer virus at a big corporation might cripple a small business. Many small businesses are strapped for time and cash, however, so they often fail to take sufficient precautions to protect themselves. That's a big mistake. Security investments not only keep your company safe - they pay for themselves many times over. The following sections outline the most important steps you can take to protect your firm's information, assets and employees.

Digital Security

The digital revolution has given small businesses capabilities that were once the exclusive domain of their big competitors - from fast, high-quality publishing to instant global communication. But those technologies also have brought new dangers, including hackers, viruses, worms, Trojan horses, spyware, adware and other digital beasties.

A recent study by the Small Business Technology Institute (SBTI) in San Jose, California, found that most small businesses are inadequately protected - and the problem is getting worse. "Small businesses are using increasingly sophisticated technology," says Patrick Cook, an analyst with SBTI. "But their digital security systems aren't keeping up, so they are increasingly vulnerable."

The study found that more than half of small businesses had experienced an information security incident in the previous 12 months, and one in ten small businesses had suffered five or more. Some of those incidents resulted in catastrophic data loss or theft, but the majority had less obvious repercussions. "The biggest problem was lost productivity," says Cook. "Viruses, adware, spyware and other intrusions lead to downtime for networks and employees, and that costs businesses a lot of money."

Mike Faoila, president of Boston-area printing company Arlington Lithograph, learned that lesson seven years ago. The 25- employee business upgraded to an entirely digital printing process in 1995 - and experienced its first virus in 1998. "Four of our six workstations were disabled," says Faoila. "Everything ground to a halt."

Faoila discovered that the company's antivirus software was six months out of date. A quick upgrade took care of the problem - and the experience made Faoila a true believer in the importance of data security. "That was probably the best thing that could have happened to us," he says. "Everything we do depends on our computers. Security takes a small investment of time and money - and it pays for itself even if it just prevents one workstation from going down for one day."

The moral: Investments in network security can boost your bottom line. Cook recommends increasing your business's digital security expenditures in line with your investments in computers, servers, and networking equipment.

The following steps will help you spend that money wisely:

Put up firewalls.
Firewalls prevent hackers from peering inside your network. They come as both hardware and software products - your firm should have both. Make sure firewalls are installed both on your computer network and on each computer, including those connecting remotely.

Use powerful passwords.
For passwords to do their job, they should contain at least eight characters and some combination of upper-and lower-case letters, digits, and symbols. Make sure everyone at your company changes passwords every few months.

Patch holes automatically.
Make sure your operating systems have all the latest security patches. This is a snap: Simply go to the OS maker's Web site and sign up for automatic security updates. The site will upload any new patches to your computers as soon as they become available.

Use free security tools.
For example, Windows XP contains a high-quality built-in software firewall, and Symantec, Microsoft and other software companies offer free spyware scans on their Web sites.

Inoculate against viruses.
Install up-to-date anti-virus software on every networked computer. Make sure it's set to download updates automatically.

Surf with care.
Enable your Web browser's security settings (you usually can find these in the "preferences" menu), and never click on pop-up ads.

Email intelligently.
Never open attachments from unknown senders, or attachments with extensions you don't recognize.

Back up data files.
Assign one employee daily back-up duty, and test the system regularly to see if information can be restored from the backup copies.

Hide your wireless network.
Wireless networks are relatively easy for malefactors to exploit. Use Wi-Fi Protected Access (WPA), which encrypts wireless data and prevents intruders. Avoid older systems such as Wired Equivalent Privacy, which have less protection.

Audit your security systems.
Hire an IT consultant to perform an annual security audit that includes an examination of every machine at the company.

Vital Records Protection
Chances are, your business would be in big trouble if a fire or natural disaster destroyed documents such as customer lists, contracts, invoices, and insurance documents. In fact, Steve Aronson of the records protection firm Fire King International reports that only half of all businesses that experience total records loss survive the following year.

The good news: It's relatively simple to protect such documents. Store them in file cabinets that are rated by Underwriter Laboratories to withstand one hour of fire as well as heavy impacts. Impact protection is critical, since large fires typically cause roofs or floors to cave in. Such cabinets typically cost two to three times the amount of an ordinary steel filing cabinet - a small investment to protect your firm's most valuable records.

Digital records stored on CDs, hard drives, and other digital media are more sensitive, so they need greater protection. Be sure to keep those records in a data safe rated by Underwriter Laboratories to keep contents below 125 degrees and 80% humidity for at least an hour during a fire.

Physical Location Security

Many small businesses will be well served by hiring a security vendor to monitor their premises and deter robbery, vandalism and other physical threats. Security vendors can tailor a system that keeps a lookout using digital video cameras and a variety of sensors, and then relays important information to key business members and law enforcement. (The cost will vary widely depending on your security needs.) Select a reputable vendor recommended by your chamber of commerce or other small businesspeople and certified by the National Burglar and Fire Alarm Association (NBFAA).

Meanwhile, take the following security precautions:

Make frequent deposits to reduce the amount of cash on hand.

Maintain adequate lighting, both inside and outside your facility.

Eliminate hiding places around the premises by keeping grounds clean and spacing out trees and bushes.

Change locks regularly, particularly if you have high employee turnover.

Use safes that carry Underwriter Laboratories ratings of five or higher.

Contact local police about performing a security audit

Fraud

Fraud is more common - and more costly - than you might think. The Association of Certified Fraud Examiners (ACFE) estimates that the typical business loses 6% of its annual revenue to fraud. Losses are even worse for small businesses: Small businesses that suffered from fraud lost a median of $98,000 - more than all but the very largest organizations. Create a positive work environment. "Employee resentment creates an environment ripe for fraud," says Larry Cook, a fraud examiner in Kansas City. Some essential elements of a positive environment include:

Integrity at the top. If the owner takes cash from the till without recording it, he sends the message that doing so is okay.

Written job descriptions. Job descriptions create clear responsibilities, so employees don't feel put-upon.

Open lines of communication and clear lines of authority. Workers need to know that complaints will be dealt with fairly and expediently.

Separate financial responsibilities. It's best if the people who handle the money are not the same people who record transactions. Limit access to valuable assets and information. Such items include cash, tools, and other pricey equipment, intellectual property, and accounting and human resources records. Create strong fraud policies. Fraud and ethics policies should be written and distributed to all employees - including senior management. The ACFE found that the higher a fraudulent employee's rank, the more expensive the fraud. Conduct thorough background checks. Examine an applicant's criminal record, driving record, and history of civil lawsuits, and verify the information on the resume or application. Look for warning signs such as arrests for violent offenses or lawsuits for fraudulent conduct or collection of funds. Important: The applicant must sign a release allowing you to look into these matters, or you risk running afoul of privacy laws. Build an anonymous reporting system. The majority of fraud that's discovered is reported by whistle-blowing employees.

As a result, companies with confidential reporting mechanisms lose only half as much to fraud as those without them, according to the ACFE. Make sure employees, customers, and vendors know about the system. You can outsource your reporting system to a vendor, or simply maintain a phone line that goes straight to voice mail. Perform regular and irregular audits. You can hire a security firm to gauge your fraud-prevention controls. That's likely to be expensive - typically more than $10,000. Alternatively, fraudinvestigation firm CVA Solutions offers a well-regarded vulnerability assessment at ifvat.com. Use video cameras - but only where necessary. Closed circuit cameras are one of the best ways to deter employee theft, and advances in digital technology have made them far more affordable and easier to use. Employees generally don't mind surveillance cameras, as long as they are clearly used to prevent fraud - not to catch loafing. Investigate incidents promptly. Doing so will discourage future fraud, and encourage whistle blowers.

Guarding your business against digital intrusion, records loss, robbery, and fraud is essential and can make the difference between the success or failure of your enterprise. The process may not be easy, and certainly will require an investment of time and cash - two things in short supply at many small businesses. But those investments will reap generous returns. Protecting your firm from the various threats it faces may increase productivity, decrease losses to theft, and keep you afloat after a calamitous event - and it also will dramatically improve your peace of mind.

Reed Richardson is an associate writer/editor for Business 24/7 magazine.