Gauge your vulnerability: Use software or a third-party service to spot the holes in your defences. For instance, Microsoft’s Security Assessment Tool at securityguidance.com can measure your risk level and recommend solutions, while Hewlett-Packard’s Security Vulnerability Assessment Service will play hacker and probe for your weaknesses.
Take the basics to the next level: Add anti-virus protection to your servers, not just individual computers. If you’re on Windows, sign up for Microsoft automatic security updates. Patch your software within 48 hours or outsource the chore. (HP’s Smart Desktop Management Service, for instance, includes automatic patching.) If you use a Web application, get a firewall customized to protect it. And back up your data daily and store it offsite.
Post two sets of guards: Software vendors now offer SME-friendly, all-in-one security services. Howard Schmidt, chief information security officer of eBay Inc., advises using two in tandem. The first is a security gateway device to guard your external connection. Firewall, anti-virus and anti-spyware software, content filtering and so on are automatically updated several times a day for about US$10 per month per user. The second is an Internet security suite to defend individual computers for US$29 to US$49 per year per user. Schmidt says you need the latter because gateway devices don’t protect against infections brought in behind them, such as on a CD, laptop, thumb drive or floppy disk, although future bidirectional devices are expected to do so.
Remove the remote access threat: You’re asking for trouble if remote workers require only the traditional username/password credentials to tap into your network. Consider switching to two-factor authentication, which permits a connection only by users who provide both their assigned password and a time-limited, single-use password generated by a security “token.” Tokens can be “hard,” say, a matchbook-sized device whose only job is to display a new password every 30 seconds, or “soft,” such as a cellphone signed up for the MobiSecure service of Diversinet Corp., a Toronto-based provider of wireless-network security software and services. As well, you should safeguard your wireless data traffic with encryption tools such as the ones included with Microsoft’s Small Business Server platform.
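The two-factor check described above, sketched as an added example that is not from the article or any vendor it names. It assumes the token follows the open TOTP standard (RFC 6238), which the article does not specify; `RemoteLogin`, its fields and the salt are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each token code stays valid, as in the article
DIGITS = 6    # assumed code length (the RFC 6238 default)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second window containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class RemoteLogin:
    """Hypothetical gateway check: password AND a fresh, unused token code."""

    def __init__(self, password: str, token_secret: bytes):
        self._salt = b"constructed-salt"        # constructed sample value
        self._pw_hash = self._hash(password)
        self._secret = token_secret
        self._last_window = -1                  # newest window already accepted

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(self._hash(password), self._pw_hash)
        window = now // STEP
        matched = None
        # Accept the previous window too, so a slightly slow token clock still works.
        for w in (window - 1, window):
            expected = totp(self._secret, w * STEP).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = w
        if not pw_ok or matched is None or matched <= self._last_window:
            return False                        # wrong factor, stale code, or replay
        self._last_window = matched             # burn the code: single use
        return True
```

Tracking the last accepted window is what makes the code single-use: a value captured in transit is rejected even while its 30 seconds are still running.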
Keep one eye on the inside: Be strict in awarding system-administrator privileges, and insist your HR and IT departments work together to terminate an employee’s network access the instant they quit or are fired.
Tell your staff why this matters: A cybercriminal’s best friend is an employee oblivious to the risk. Don’t just announce security policies; explain the consequences to the company if they’re ignored.
Prepare for the worst: Plan how you’ll respond if you do take a hit. One crucial element is what to tell your customers. To restore confidence, you’ll need to spell out in detail how you’re fixing the problem and what you’ll do to prevent a recurrence.