“The trouble with doing something right the first time is that nobody appreciates how difficult it was” Walt West
Welcome to the second post on Information Security for Small and Medium Sized Businesses (SMBs). In my previous post, I wrote about the importance of security for smaller businesses, who often are the main target of online attacks. In this post, I will describe the fundamentals of computer security and how you can quickly and cost-effectively increase your business information security by following a few basic guidelines.
Have you ever heard the saying that things happen in 3’s? It also applies to computer security, where I’ll explore 3 groups of 3 security concepts and strategies. The first group is known as the CIA triangle: Confidentiality, Integrity and Availability.
TRIAD ONE: The CIA Triangle
The CIA Triangle is a security model developed to help people think about the core aspects of IT security.
Security requires that your sensitive data abide by the following:
Confidentiality
Think about how sensitive any given piece of information is, and who should be allowed to access that data. If information is received or intercepted by a non-authorized person, there will be trouble ahead.
Integrity
Data integrity is about protecting information from being modified or deleted through unauthorized means. When information is modified in transit, accidentally or maliciously, it cannot fulfill its original purpose. Here’s a simple example: your spouse calls home and leaves a voice message with flight details for the next day. If that message gets destroyed, overlooked or modified in any way before reaching your ears, there will be trouble ahead.
Availability
Your information must be available to all authorized parties at all times. If an employee loses data or is unable to access any information when required, there will be trouble ahead.
TRIAD TWO: Balancing Security, Functionality and Ease of Use
A second triangle related to security deals with the relationship between security, functionality and ease of use. If you take a look at the figure below, you will see a dot in the middle of the triangle. In order to tailor your business security needs, the dot must maintain balance (near the middle) between the three corners.
Security
If the dot appears completely in the security corner, then we have 100% data security, which means that zero information is accessible. To access information, some security must be sacrificed.
Functionality
This corner is simply about what people are allowed to do. In many offices, employees from each department have access to applications specific to their tasks. In turn, these applications are allowed to execute certain functions on the network. Another example is even simpler: when on a corporate network, employees shouldn’t be able to access certain websites. Restricting functionality reduces access but also reduces the possibility of unwanted external attacks.
Ease of use
This corner highlights the ease with which an authorized person can access information. Is it practical for a company to expect employees to swipe an ID card, enter a password or submit to facial recognition each time they open a simple file? While more secure, this is inconvenient and burdensome for employees.
TRIAD THREE: Cover attack vectors – People, Systems, Networks
The third and most important triad describes the three main attack areas pertaining to corporate security breaches. I suggest you focus your security efforts on the three areas (see below), while keeping in mind the first two triangles above. Do this, and you will achieve a higher level of security before adding additional equipment or services to your infrastructure.
People
Employees are the largest source of security compromise for any company. The importance of training employees to follow security standards at work, in order to minimize disclosure of sensitive information to unauthorized parties, cannot be overstated.
Take into account all forms of communication: spam and phishing e-mails, illegitimate requests for information and false prompts for action either in person, over the phone or on a computer. Today, learning about a company happens with the click of a mouse and an Internet connection. Don’t let your employees make an attacker’s job easy, or there will be trouble ahead.
Systems
Nowadays, computer systems come in many forms: desktops, laptops, smartphones, tablets and virtual systems. Any computer system that can connect to your network can potentially gain access to information, which can be used maliciously. If any trusted computer system becomes compromised due to vulnerabilities, lack of security updates, outdated software, infections, and so forth, your information is at risk. There will be trouble ahead.
Here are some basic guidelines for protecting computer systems:
- Use strong passwords and change them regularly.
- Upgrade your systems and software as often as possible (most upgrades are free).
- Keep the system clean of temporary files (CCleaner is a great free program for that!)
- Restrict physical access to sensitive systems at the office.
- Restrict the functionality of systems, especially mobile systems, where applicable.
Networks
The links between your computer systems, including those coming from and going to the Internet, carry your business data. The network should be protected. This task is more involved and often requires assistance from a computer professional. However, it is useful to be aware of your computer network and add layers of security over time.
Some network security guidelines include:
- Use strong encryption on wireless networks and choose strong passkeys.
- Encrypt confidential files and messages.
- Limit the information displayed on e-mails (usually unencrypted and completely readable if intercepted).
There are free software programs available that can encrypt data and ensure data integrity. Affordable services are available that encrypt all traffic from a computer to the Internet.
Please stay tuned for the final article of the series. I plan to cover service and equipment options for Small and Medium Sized Businesses.