By Mark MacGregor
1. Find the right kind of supplier for your type of business – Whatever the IT service or solution you are purchasing, you need suppliers who understand SMEs and can provide not just the right product or service but the after-sales support. Similarly, the right Internet connection will vary from company to company, but business-grade ADSL (broadband) will generally suffice. Wherever possible, use service providers who work to a fixed price, so that the risk of cost overruns sits with them rather than with you.
2. Get good anti-virus software – invest in a proper network solution from Symantec, Sophos (Security Suite SBE 2.0), McAfee or another leading vendor. These protect servers and user machines (Mac or PC) against viruses, spam and, in most cases, spyware, and they offer centralised updates and management to keep everything properly protected with little or no intervention required.
3. Ditch your backup tapes. However secure your own network may be, your data and files are only as safe as your weakest link. For most companies, backup tapes are that weak link, either because of the way they are stored or because of the difficulty of recovering vital files when your network goes down. Switching to an online backup service removes most of the human involvement (and therefore the scope for error) from the process and can be more secure, provided the data is encrypted before it leaves your network. If you do move to an online provider, check how easily you can recover data if your own server is unavailable, and test a restore before you rely on it.
4. Check whether your ISP offers anti-virus, anti-spam and anti-spyware protection at source – especially where hosted services are involved. Such services are often available free or at minimal cost, with none of the management overhead of installing and running the software yourself. It is also far better to filter content at this level, before it reaches your network.
5. Ensure you have rigorous security policies in place — and enforce them – The security policy is the formal statement of the rules on how security will be implemented in your company or organisation. It should define the required level of security and the roles and responsibilities of users, administrators and managers. Having the policy is of little use, however, unless you also have a system in place to enforce it. One obvious starting point is to require complex passwords that are changed regularly. Weak passwords can compromise your security, and if passwords are never changed, an ex-employee may still be able to log in with a colleague's password that they learned while they worked there; disabling leavers' accounts and changing any password they knew should be part of the leaving process.
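The two enforcement checks tip 5 calls for, as an added example rather than code from the article or from Connect: a complexity check applied when a new password is set (the only moment the plaintext is available), and an audit of account metadata that flags stale passwords and leavers whose accounts are still enabled. The thresholds, the short common-password list and the account records are constructed for illustration and are assumptions, not figures from the article.

```python
"""Password-policy enforcement checks: an added example, not code from
the original article or from Connect.  The thresholds, the short
common-password list and the account records are constructed for
illustration and are assumptions, not figures from the article."""
import re
from datetime import date

MIN_LENGTH = 12        # assumed policy: minimum password length
MIN_CLASSES = 3        # assumed policy: character classes required (of 4)
MAX_AGE_DAYS = 90      # assumed policy: maximum password age
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "summer2007"}  # constructed

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def complexity_problems(password):
    """Check a *new* password at the moment it is set (the only time the
    plaintext is available).  Returns a list of policy violations; an
    empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(1 for c in CHAR_CLASSES if re.search(c, password))
    if classes < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


# Constructed account records of the kind a directory export would give:
# no plaintext passwords, only the metadata needed to enforce the policy.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True, "left_company": False, "password_set": date(2007, 1, 10)},
    {"user": "bob",   "enabled": True, "left_company": True,  "password_set": date(2007, 5, 1)},
    {"user": "carol", "enabled": True, "left_company": False, "password_set": date(2007, 4, 15)},
]
AUDIT_DATE = date(2007, 6, 1)   # constructed "today" for the sample


def audit(accounts, today):
    """Return {user: [issues]} for accounts that breach the policy:
    passwords older than MAX_AGE_DAYS, and leavers whose accounts are
    still enabled (the ex-employee case the policy is meant to catch)."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["left_company"] and acct["enabled"]:
            issues.append("account of leaver still enabled")
        age = (today - acct["password_set"]).days
        if age > MAX_AGE_DAYS:
            issues.append("password %d days old (max %d)" % (age, MAX_AGE_DAYS))
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for pw in ("Summer2007", "Tr0ub4dor&3xample!"):
        print(pw, "->", complexity_problems(pw) or "OK")
    for user, issues in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "->", "; ".join(issues))
```

Run the audit on a scheduled basis against your directory export: the leaver check is the one that closes the ex-employee gap described above, and it needs no knowledge of anyone's password.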
6. Your internet connection: back to basics – Make sure your router has some kind of built-in firewall, which will provide basic protection, and that it is turned on and set up correctly. You may also find that protection against Denial of Service (DoS) and other common attacks has to be activated separately from the main firewall. It is also worth turning on logging and, where available, setting up email alerts so that you know when the router detects something untoward.
On a small network this approach may be just about adequate. Where larger numbers of users are involved, however, you will need a more rigorous solution. At the very least, consider restricting specific protocols such as FTP, which can be used to copy data in and out of your network, and peer-to-peer (P2P) file sharing and instant messaging (IM) protocols.
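Turning on router logging only helps if someone reads the log, and a raw "something was blocked" alert does not distinguish background noise from a scan or from a user quietly copying data out over FTP. The following triage script is an added example, not code from the article or from Connect: it parses constructed log lines written in the style of iptables LOG output (a DROP or ACCEPT log prefix followed by KEY=VALUE fields) and raises alerts for the two cases tip 6 is concerned with. The WAN interface name (ppp0), the scan threshold and the port-to-protocol table are assumptions for illustration.

```python
"""Triage of router firewall log lines: an added example, not code from
the original article or from Connect.  The log lines are constructed in
the style of iptables LOG output (a log prefix of DROP or ACCEPT, then
KEY=VALUE fields); the WAN interface name, the scan threshold and the
port-to-protocol table are assumptions for illustration."""
import re
from collections import defaultdict

WAN_IF = "ppp0"     # assumed name of the Internet-facing interface
SCAN_PORTS = 5      # assumed: distinct ports probed by one source before alerting

# Well-known ports for the protocols the tip suggests restricting (assumed rule table)
RESTRICTED_PORTS = {21: "FTP", 1863: "MSN Messenger (IM)", 5190: "AIM (IM)"}
RESTRICTED_PORTS.update({p: "BitTorrent (P2P)" for p in range(6881, 6890)})

LOG_RE = re.compile(r"kernel:\s+(?P<action>\w+)\s+(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Return {'ACTION': ..., 'IN': ..., 'OUT': ..., 'SRC': ..., ...} or None
    for lines that are not firewall events."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"ACTION": m.group("action")}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def triage(lines):
    """Produce alert strings for (a) outbound use of restricted protocols
    and (b) one external source probing many ports, which the router's
    own 'something was blocked' alert would not distinguish from noise."""
    alerts = []
    probed = defaultdict(set)        # external SRC -> set of DPT values dropped
    for line in lines:
        rec = parse(line)
        if rec is None or not rec.get("DPT"):
            continue
        dpt = int(rec["DPT"])
        if rec["ACTION"] == "DROP" and rec.get("IN") == WAN_IF:
            probed[rec["SRC"]].add(dpt)
        if rec.get("OUT") == WAN_IF and dpt in RESTRICTED_PORTS:
            alerts.append("outbound %s from %s to %s:%d (%s)"
                          % (RESTRICTED_PORTS[dpt], rec["SRC"], rec["DST"], dpt, rec["ACTION"]))
    for src, ports in probed.items():
        if len(ports) >= SCAN_PORTS:
            alerts.append("possible port scan from %s: %d ports probed" % (src, len(ports)))
    return alerts


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    "Jun  1 10:02:11 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=21",
    "Jun  1 10:02:11 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=22",
    "Jun  1 10:02:12 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=23",
    "Jun  1 10:02:12 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=80",
    "Jun  1 10:02:13 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=443",
    "Jun  1 10:03:40 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22",
    "Jun  1 10:05:00 router kernel: ACCEPT IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=50123 DPT=21",
    "Jun  1 10:05:30 router kernel: ACCEPT IN=eth0 OUT=ppp0 SRC=192.168.1.21 DST=198.51.100.9 PROTO=TCP SPT=50124 DPT=80",
    "Jun  1 10:06:00 router dhcpd: DHCPACK on 192.168.1.21 to 00:11:22:33:44:55 via eth0",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The outbound check is the reporting half of the restriction recommended above: once FTP, P2P and IM ports are blocked at the router, the same logic run over the ACCEPT and DROP lines tells you who is still trying to use them.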
7. Use Unified Threat Management (UTM). Most UTM appliances and service providers let you filter offensive or abusive material from email, websites and instant messaging, as well as check for viruses and spam. This allows you to block suspect content at the point of entry to the network rather than waiting until it arrives at user PCs. Some also offer protection against phishing, where users are tricked into revealing sensitive information such as account names or numbers and passwords. Some even offer intrusion detection and prevention, actively looking for and blocking suspicious activity before any harm is done. Compared with implementing these tools independently, the most obvious benefits of this all-in-one approach are lower cost, simpler deployment and centralised management; bear in mind, though, that the appliance then sits in the path of all your traffic and must itself be kept patched.
8. Ensure all of your operating systems and applications are patched with the latest service packs and hotfixes – Keeping your systems patched closes vulnerabilities that attackers can exploit. Be careful about downloading new games, free software and the like. For Windows networks, Microsoft provides a free server component, Windows Server Update Services (WSUS), which downloads updates once centrally and distributes them to all your PCs and servers so that installation can be enforced by policy; this reduces both the bandwidth and the administration burden for companies with many PCs.
9. Perform your own network security testing – Find the holes before the attackers do! Consider contracting an external company to perform penetration testing; they will also be able to advise on internal security. Agree the scope and timing in writing before any testing begins.
10. Don’t forget your staff. The biggest threat to your data security is your own staff, whether malicious or careless. With nearly everybody owning a USB storage device of some kind, including cameras and MP3 players, it is simple to connect one to a PC and walk out with a copy of the company database. Ensure that staff only have the permissions they need, and implement policies, backed by technical controls on the PCs themselves, to prevent the use of USB storage.
Mark MacGregor is Chief Executive at Connect www.connect.co.uk, the IT support company for small and mid sized companies.