Owning and running a company is hard work, and one of the most difficult aspects of running a business is staying secure without impeding the efficiency and productivity of your company.
Unfortunately, many businesses do not have effective security processes in place. Day-to-day tasks get in the way of researching and procuring effective security solutions, so protective measures get pushed to the back burner, putting your company at risk.
Types of security
When deciding how best to protect your hard-earned assets, you cannot take a short-sighted, one-track approach. There are two types of security to consider: physical and digital. Most companies focus heavily on the physical aspect and far less on the digital. Both are equally important, and a good security plan outlines them both in detail.
Instituting physical protection is fairly easy, but don’t stop with high-end locks and a security company for preventing a break-in. Physical security must also take place inside during working hours.
Isolating certain areas of your business, like your accounting office, may be a no-brainer, but there are many other areas that should also be on lockdown, such as software rooms, networking closets, telecom rooms, and data storage vaults.
Some less obvious items that should be protected are old computers that have been taken offline and may have security credentials stored on them. These units could allow sensitive network access if they are reconnected to the office network. Old hard drives that are easy to take out of the office in small bags are a significant security hole that is often overlooked. These drives can contain passwords, employee information, and even company secrets.
Now on to the scary part: digital security. Or so most business owners think. Too many managers are scared of digital security, so they order cheap antivirus software, a firewall, and a backup system. These quick fixes give them the false impression that they are safe.
Eventually, the day arrives when data has been lost due to a ransomware attack or a poorly configured backup system. Everyone points the finger and says, “I thought we were protected.” The act of buying software does not mean you are safe.
The key to good digital security is layering and understanding what you are protecting.
So let’s break it down into some key areas.
All too often I go into a company and find that employees are using weak passwords or, just as bad, no passwords at all. Every system should have a password. Not every password needs to be extremely strong, but having at least a decent password will protect a system and, more importantly, a company network from unauthorized access. It also provides a mechanism for tracking activity.
Virus and Malware
Keeping your systems clean from viruses and malware starts with training. Teaching employees how they can accidentally cause company-wide infections is key. Learning how to recognize fake emails and fake URLs is extremely valuable for system-wide protection.
Here is a quick bullet list of items to greatly reduce your exposure to a virus outbreak.
- Choose a top-notch email provider like Gmail for business or Office 365
- Fine tune your spam controls
- Deploy good virus endpoint software and keep it up to date
- Install a high-end firewall like a SonicWall with IPS protection
- Keep good backups of all critical and irreplaceable data
It’s amazing how many companies have inadequate backups or no backups at all. When designing a backup process, you should have two or more backups. When the time comes to use your backup system, you don’t want it to be your “last chance”. If it is, and the primary backup has failed, your data is gone.
Having an A set and a B set onsite, as well as an offsite backup, means that when you realize you need your backup, you can feel confident that you have three more chances to retrieve your data.
Also, by setting up an offsite backup you protect from a complete loss in the event of theft or fire.
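The following is an added example, not part of the original article. It is one way to check that each of the A, B and offsite copies is actually usable before you need it. It assumes each backup is a single file, that a SHA-256 checksum was recorded when the backup was written, and that the labels, file names and 24-hour age limit are illustrative choices.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_backup_sets(expected_sha256, copies, max_age_hours=24):
    """Return {label: "ok" | "missing" | "stale" | "corrupt"} for each copy.

    copies maps a label (assumed here: "A", "B", "offsite") to a file path.
    """
    now = time.time()
    status = {}
    for label, path in copies.items():
        path = Path(path)
        if not path.is_file():
            status[label] = "missing"
        elif now - path.stat().st_mtime > max_age_hours * 3600:
            status[label] = "stale"       # the backup job has stopped running
        elif sha256_of(path) != expected_sha256:
            status[label] = "corrupt"     # truncated or altered copy
        else:
            status[label] = "ok"
    return status

def demo():
    """Constructed scenario: A is good, B is truncated, offsite is 3 days old."""
    data = b"constructed accounting export\n" * 100
    expected = hashlib.sha256(data).hexdigest()
    folder = Path(tempfile.mkdtemp())
    copies = {name: folder / f"{name}.bak" for name in ("A", "B", "offsite")}
    copies["A"].write_bytes(data)
    copies["B"].write_bytes(data[:50])
    copies["offsite"].write_bytes(data)
    three_days_ago = time.time() - 72 * 3600
    os.utime(copies["offsite"], (three_days_ago, three_days_ago))
    return check_backup_sets(expected, copies)

if __name__ == "__main__":
    print(demo())
```

In the constructed scenario only one of the three copies can be restored from, which is the situation a regular check is meant to surface early.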
Not all firewalls are the same. What an understatement. When you order internet service from a company like Comcast or Verizon FIOS, they usually provide a modem/router that contains a software firewall. This is by no means a sufficient firewall: it provides extremely basic protection at best. A firewall like a SonicWall or FortiGate provides protection services that go so far beyond this that there is no comparison at all.
These higher-end firewalls are updated on a regular basis and connect to live databases that protect you in near real-time from the latest threats.
Wireless units throughout your business fall into the same category as the firewalls above: the difference between residential-grade WiFi and mid-level or high-end WiFi units is huge.
Installing a plug-n-play WiFi unit is a HUGE mistake for any business. In order to break into your company files, an intruder does not even need to come onto your property.
Things to remember when securing WiFi
- Change WiFi password regularly
- Change WiFi password when employees leave (if they know it)
- Make different WiFi SSIDs for different access levels
- Set the SSID to be hidden
- Use WPA encryption and not the less secure WEP version
- Don’t use guest access for SSIDs
- Set time limits when the WiFi should not be used at all
- Use access logs and check them regularly
- Don’t use weak passwords
Remote Access Security
Finally, working from home is more popular than ever these days, and that means employees have access to company systems 24/7. This can be an enormous security hole because the company is now trusting that the employee is following good security policies in a remote location.
Remote access and VPN access should be implemented very carefully. Users who have access should use the highest level of password security, and the list of those users should be checked on a regular basis. Locking down remote access tools to a single IP address or range can greatly reduce exposure to internet snoopers looking to gain access to remote systems.
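The following is an added example, not part of the original article. It sketches the regular check described above: reviewing remote-login records against the approved user list and the allowed source ranges. The log format, user names and address ranges are constructed for illustration (the addresses come from the reserved documentation ranges).

```python
import ipaddress
import re

# Assumed policy values, constructed for this example.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/28"),
                    ipaddress.ip_network("198.51.100.25/32")]
APPROVED_USERS = {"alice", "bob"}

# Constructed sample records in a hypothetical key=value log format.
SAMPLE_LOG = """\
2024-05-01T08:12:03Z remote-login user=alice src=203.0.113.5 result=success
2024-05-01T09:40:17Z remote-login user=bob src=198.51.100.25 result=success
2024-05-01T23:02:44Z remote-login user=alice src=192.0.2.77 result=success
2024-05-02T02:15:09Z remote-login user=carol src=203.0.113.9 result=success
2024-05-02T02:16:30Z remote-login user=bob src=not-an-ip result=failure
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def audit_remote_logins(log_text, allowed_networks, approved_users):
    """Return (line_number, user, src, reasons) for each record that breaks policy."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = dict(FIELD.findall(line))
        if "user" not in fields or "src" not in fields:
            continue  # not a remote-login record
        reasons = []
        if fields["user"] not in approved_users:
            reasons.append("user not on approved list")
        try:
            address = ipaddress.ip_address(fields["src"])
        except ValueError:
            reasons.append("unparseable source address")
        else:
            if not any(address in network for network in allowed_networks):
                reasons.append("source outside allowed ranges")
        if reasons:
            findings.append((number, fields["user"], fields["src"], reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_remote_logins(SAMPLE_LOG, ALLOWED_NETWORKS, APPROVED_USERS):
        print(finding)
```

A finding for an approved user from an unexpected address usually means either the allowlist is out of date or the account needs a closer look; a finding for an unapproved user means the access list itself has drifted.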
Putting it all together
This article does not cover everything that you should consider in your security approach, but it’s a great start.
There are many more items to consider, like website security, PCI compliance, physical document security, and more. The key is to regularly revisit your security practices to continually improve them.