BUSINESS COMPUTER SECURITY. aaa BUSINESS SECURITY SECURITY FOR LIFE

Transcription

1 aaa BUSINESS SECURITY SECURITY FOR LIFE

2 CHAPTER 1: WHY COMPUTER SECURITY IS IMPORTANT FOR YOUR BUSINESS No matter how big or small your business is, it s highly likely that you have some information stored on computers that you wouldn t want anyone else to see. From account records to business plans, if you don t want others to see your company information then you need to ensure it s protected. While having someone snooping through your business data is serious enough, if you re holding information about customers then having this data compromised could have very serious consequences for your business both in terms of possible legal repercussions and damage to your reputation which could do irreparable harm. The way in which modern businesses work, with tablets and smartphones accessing company data and a range of services being run through the internet, means that the lengths businesses are having to go to in order to keep data secure are growing all the time and there s no excuse for being left behind. This guide looks at passwords, virus protection and company policies that will help you keep your computer network and its contents secure. 2

3 CHAPTER 2: PASSWORD POLICIES If you want to secure your business computer network, a strong password policy is important. Your passwords control individual access to your network and your company data, so anyone accessing this network should have their own unique username and password. Not only do unique user IDs prevent unauthorised access to your network, they help you identify who is accessing what should you have data compromised, the first thing you will do is check who from within your company has accessed it. If you have a domain or Microsoft small business server, then the group policy here is the best place to define your password policy. However, if you don t have one of these, you ll need to define your own IT policy. Let s look at how that can be achieved. 3

4 Centralise Your Passwords There are two schools of thought regarding passwords: have your IT department set the passwords and do not allow individuals to change them, or allow employees to set their own. Most believe the former is the safer, as employees will just choose or password. However, make a complicated password such as 3hg6ZwK, and your employees will be more inclined to break security protocol and write it down to remember it. Some choose a middle ground, allowing employees to choose their own passwords but setting strict parameters: e.g. they must be a certain length, contain upper and lower-case letters and at least one non alpha-numeric character. Whatever method you choose, you need to make sure you have a centralised record of what all the passwords are, and ensure that an individual s password is required to access anything on the company network. By setting up a unique user ID, you can also set controls on the types of changes users can make to their computers, including preventing amendments to the operating system or the downloading of particular file types. This will help you keep control on the security of your network. Unfortunately, there really is no consensus on which method is the most appropriate yet it is agreed that complex passwords using these kinds of parameters are the safest, so any employee-choice password policy should not involve a completely free selection. 4

5 Change Culture Whatever passwords are set, it s important to put in place a system of regular change to all your account passwords. Experts recommend changing passwords at least every 60 days. Two-factor Authentication Two-factor authentication (2FA) is a form of security whereby any user is required to input two different types of secure information in order to gain access to a network. The username-password combination is augmented by an extra layer of security concerning something that only the individual would have - often taking the form of a physical token. Modern banking groups utilise 2FA when they issue users with hardware that generates a personal identification number for online banking access, and other companies introduce card readers and key fobs to their network access protocols for that extra layer of security, meaning access is only permitted when the user has something in their possession and remembers a piece of information. With the increasing prevalence and capability of smartphones, use of them as physical tokens of 2FA is also likely to increase. 5

6 CHAPTER 3: CLOUD INFRASTRUCTURE Cloud computing services are increasingly being integrated into business IT policies, because there are a number of potential benefits especially for small to medium-sized businesses. Space The first benefit is a practical one: space. If you re storing your own data, you ll need ample hardware to do it, and this all takes up room when you re growing your business, office floorspace could be at a premium. Time and Money The hardware required to store your own data is costly to buy, increases your electricity bills and requires regular maintenance, which also costs both money and time. Cloud computing removes all these costs and replaces it with a standard fee that is likely to be much lower. In addition, smaller businesses will find a regular smaller fee easier to plan for than the unexpected, large one-off costs that are faced when suddenly having to replace broken-down hardware. 6

7 Security The threats posed to your data are always changing, and the introduction of new mobile technologies to the workplace increases the number of access points for potential threats. This makes keeping on top of your network security an ongoing challenge; cloud computing services will provide security as part of the package, and you can be confident that their security measures will be more robust than yours their reputations depend on keeping the data they hold completely secure. Ease of Access Storing your data with a remote cloud service makes it easier to safely access your information from any web connection. Given the developing trend for allowing workers to work remotely, this is another benefit for the business user. Disaster Recovery Should disaster strike, such as a fire or break-in at your office, it can put your working activities out of action for days or weeks even if you ve backed up all your data properly you ll need to wait for your office space to be made available again and replace your hardware. If you are storing in the cloud, however, you can work remotely in the same way as before, significantly reducing downtime. Things to Consider Choosing to use cloud services doesn t have to mean transferring all your data storage to the cloud. You can still host data on your own services while using cloud services as your backup this means you get the benefit of those disaster-recovery services. Deciding how much of the cloud to use may depend on your current infrastructure, your day-to-day needs and how the cost of these services works within your resources. However, even if is not something that is suitable immediately, it s advisable to revisit the possibility of using cloud services in your regular IT performance reviews. 7

8 CHAPTER 4: VIRUS PROTECTION Viruses can have a devastating impact on your business. At best they will slow down your computers and your networks, but they could crash your entire system leading to huge amounts of downtime, or even be maliciously working away and stealing your company and customer data. Virus protection for businesses is about remaining vigilant at all times, because the threat situation is an ever-changing one. Every device that connects to your network should have robust virus protection software installed. If that s only a few computers, the best option financially may be to buy virus protection for each computer individually and install it manually on each one. However, if you ve got a greater number of computers accessing your network, then it s sensible to look into business-specific virus protection. With upwards of ten computers to cover, you may find the price per computer is actually lower. 8

9 Business-specific virus protection has other benefits than simple cost, too. They typically come with a firewall which will be tougher than the one already installed on your computers, and enhanced browsing protection. In addition, you ll be managing your security settings from one central location, which is then applied to any computer accessing the network. This prevents employees from bypassing certain elements of the antivirus software that they find annoying, while also allowing for updates to the security software to take immediate effect, rather than having to update every machine manually while a threat is posed. Staff Education While you can put in place strong virus protection on your company network, it s also important to educate staff about how to minimise the company s exposure to viruses, worms and malware. Restrictions should be placed on downloading certain file types known to be used for viruses, and on downloading programs that are not on an approved list. Advising staff on what these restrictions are and why they are in place, along with other safe-browsing tips, will help to reduce your exposure to risk. 9

10 CHAPTER 5: PROTECTING SENSITIVE DATA Portable Devices Portable storage devices, such as external hard-drives and USB memory sticks, have made working when you are out of the office and on the move easier than ever, but the use of these devices presents a serious risk to your information security as they can easily be lost or stolen. Any information stored on a device which leaves your secure office should be encrypted, meaning that the data will be worthless to anyone who does not have the chosen password or passphrase (the latter is recommended as extra complexity means extra security). As an extra line of defence, access to the device itself should be protected with a separate password/passphrase. Since it s impractical to have to check if every piece of data on a portable storage device is encrypted before it leaves the office, it s worth making data encryption on such devices a clear requirement as part of your staff policy, so that all employees are aware they have a personal responsibility towards encrypting. Shield Your Data It s likely that there will be vast amounts of information stored on your company network, and most of your staff will have no need to see or use it to perform their roles. With password-protected unique user IDs, you can set permissions so that only selected individuals can access particular folders, and encrypt particularly sensitive documents so that only a select few can view their contents. Encrypting sensitive documents which are stored on your network also means that should viruses or malware extract that document and send it to a third party, it will be much more difficult for that information to be compromised. 10