Oct 09 2013

I have written in the past about the importance of a Business Continuity Plan as part of your overall data security plan, and in this article I am going to dig a little deeper into two areas – email and phones.  Obviously these are your two main contact points to your customers, suppliers, employees, etc., so it is important that these two areas are always up and running – even when everything else is down.

Business Continuity Plan

Email

Many businesses today still host their own email server in-house, but even if you have cloud-hosted email set up, email continuity is still a consideration.  There are many ways to ensure your email will always be up and running, from deploying redundant servers in offsite locations to running expensive battery backups (although this still limits your uptime), but the cheapest way to go about it is to tie it in with a third-party spam service.

Many third-party spam services also offer an email continuity product for a small additional monthly cost per employee.  Since you would already be running your email through their servers for spam/virus protection, it makes sense from a cost standpoint to include email continuity.  The product can be as simple as allowing you to log in to send and receive email, or as complete as duplicating your entire email folder structure so you can access all your emails in the event your email server goes down.  You need to evaluate the level of email access you need in the event of an email outage, but generally a send/receive ability is all that is needed.  And remember that security is also a major consideration: as long as you do not have security limitations preventing you from using a third-party service, make sure you audit the vendor on their security measures as well.

Phone

Many businesses are now using VoIP phone servers hosted in-house or remotely, and these setups offer you a very simple way to ensure phone continuity in the event of an outage.  Every employee should have access to an admin management console for their account, so it should be as simple as logging in and forwarding your phone to an alternate number like a cell phone.  Where companies usually fall down in this case is the failure to provide employees with instructions on how to do it.  Generally your VoIP provider should provide you with an instruction manual, but either way make sure the forwarding setup instructions are distributed to all your employees.

Many businesses have suffered through no or limited contact when they have experienced an outage.  With these simple and cost-effective methods, you can easily prevent this from happening to your business.  As always, if you have questions or comments, please feel free to list them below in the comments section.

Jun 20 2011

In my 5 Step Data Security Plan for Small Businesses, I provided you with several tips to strengthen your password protection.  In today’s blog post, I am going to provide you with additional tips for password protection. 

First let’s review.

  • You should require all employees to use password authentication to access their computers, the corporate network, email, remote network connections, etc.
  • You should force employees to change passwords at least every 90 days at a minimum.
  • Use strong passwords – Minimum of 10 characters, combination of at least 3 of the following 4 (letters, numbers, special characters, capitalized or lower-cased characters), do not use common words.

Here are some additional tips for password protection.

  • Employees should be encouraged to not use the same passwords for work as they do for their personal accounts.  For example if an employee’s personal email or social website account was hacked, you would not want the hacker to gain access to your work network because the employee was using the same password. 
  • Prohibit the re-use of passwords.
  • Set up automatic account disabling that disables the network login after a certain number of failed attempts, such as three.  Apply the same if you allow customers to log in to a database such as an e-commerce shopping cart.
  • If you allow customers to log in to a database to access proprietary information (i.e. e-commerce, financial records, etc.), consider using two-factor authentication.  First the user would log in via their normal username/password, and then they would go to a second page requiring them to fill in a passcode, select an image, or complete some other type of second authentication.
  • Do not make your network accessible via the internet, unless your network administrator has followed the correct guidelines for authenticated external access.  Even then I would still recommend against it.
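As an added example that is not the post's own code, the password rules listed above (minimum length, character classes, no common words), the re-use prohibition and the three-strikes lockout implemented in Python. The four character classes are read here as lowercase, uppercase, digits and special characters, the common-word list is a constructed stand-in for a real dictionary, and the salted PBKDF2 hashing is my choice, not something the post specifies.

```python
import hashlib
import os
import string

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}  # constructed list; use a real dictionary or breach list
MIN_LENGTH, MIN_CLASSES, MAX_FAILED = 10, 3, 3


def policy_violations(password: str) -> list:
    """Return the rules a candidate password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # The post's four classes, read here as lowercase, uppercase, digits and special characters.
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < MIN_CLASSES:
        problems.append("too_few_classes")
    if any(word in password.lower() for word in COMMON_WORDS):
        problems.append("common_word")
    return problems


class Account:
    """One user's password history and failed-login counter."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)    # per-account salt for the stored hashes
        self.history = []             # hashes of every password used; re-use is prohibited
        self.failed, self.disabled = 0, False
        self.set_password(password)

    def _hash(self, password: str) -> bytes:
        # PBKDF2 from the standard library: slow on purpose so stolen hashes are costly to crack.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password: str) -> bool:
        digest = self._hash(password)
        if policy_violations(password) or digest in self.history:
            return False
        self.history.append(digest)
        return True

    def login(self, password: str) -> bool:
        if self.disabled:
            return False
        if self._hash(password) == self.history[-1]:
            self.failed = 0
            return True
        self.failed += 1              # three consecutive failures disable the account
        self.disabled = self.failed >= MAX_FAILED
        return False
```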

Follow these additional password tips to protect your company and client data.  In future blog posts, I will cover additional password and access security tips such as database access.

Jun 06 2011

I am linking to two cloud computing articles released today.  Both articles discuss security related issues involved with using cloud data storage services.  I have several blog posts linking to cloud storage articles since many small businesses are either already using the cloud service or considering using a cloud storage or computing service.  There are many pros to using a cloud service such as reduced costs, but security continues to be a huge con.  My advice stays the same.  If you are using a cloud storage service, and you are storing sensitive data, make sure you encrypt the files and folders before uploading them.   Two free encryption alternatives are DiskCryptor and TrueCrypt.

Article 1 – Security Manager’s Journal: Giving cloud storage the ax: No SaaS storage vendors have implemented adequate safeguards that will keep corporate data safe.

Article 2 – Cloud Insecurities: 43 Percent of Enterprises Surveyed Have had Security Issues With Their Cloud Service Providers

May 04 2011

I am linking to an article referencing a survey showing the disparity between cloud vendors and cloud users and how each one thinks the other should be responsible for security.  My advice and recommendation stays the same if you plan to use cloud computing for your small business.  Do not store sensitive data on cloud servers, and if you feel you have no choice, then make sure you encrypt the data before uploading it.

Article snippet and full article link below.

“It looks like cloud computing users and vendors are not on the same page when it comes to data security.

Cloud computing vendors and users each say the other group has the primary responsibility for taking charge of data security in the cloud, according to a recent Ponemon survey of 127 cloud computing providers in the United States and Europe.

For example, 69% of cloud providers think that cloud users are most responsible for security, and only 16% think it’s a shared responsibility. But according to a Ponemon study conducted last year, 33% of users see cloud security as a shared responsibility, and 32% think that the provider alone is most responsible. Only 35% of cloud users, meanwhile, think that users should be most responsible for cloud security.

Cloud providers’ failure to take responsibility for…”

via Cloud Vendors Punt Security To Users — InformationWeek.

Apr 20 2011

The topic of data backup comes up very frequently when I am working with small businesses. In a previous blog post, I covered some methods for backing up your small business data in addition to setting up a data backup schedule. In this post I am going to discuss some guidelines for putting a retention policy in place for your backed up data.

The first thing you must determine is what to backup. It is easy to say you should backup your important data, but you should specifically determine the types of data to backup and where this data resides. Some examples to consider are as follows:

  • Data such as financial/accounting records, customer information (contact, financial, sales records, etc), HR information, email accounts/mailboxes, marketing materials, NDAs, security records, website/blog, etc.
  • Where does the data reside? Is it all backed up to your network server? Or do you keep accounting and HR records off the network for privacy reasons? What about email accounts (hosted in-house on a server, remotely with your web host, or another method)? Do you have any remote employees?

Once you have determined the types of data to backup and where it resides, you need to determine a retention policy for keeping this data and a process for destroying it once it expires.

  • First you need to consider any state or federal rules/laws mandating how long records should be kept for your business sector. This would include client/customer information as well as your own business information such as accounting records.
  • Obviously you will have retention requirements for your accounting records, but if you do not have to adhere to any state or federal guidelines, then you can determine your own retention period. Essentially you do not want to keep data forever. Emails, for example: you may decide to delete all emails, outside of those marked as important, every 6 months.
  • Schedule for information types and data destruction periods – You will have different retention periods depending on the data type, so set up a simple schedule tracking the data type and the applicable retention period.
  • Data destruction – When your data expires you need to determine the method of destruction (hard drives – wiped, backup tapes – degaussed, paper – shredded, etc.), and in some cases you may want to have the media such as a hard drive or tape physically destroyed.
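As an added example that is not part of the original post, a small retention evaluator in Python that ties the steps above together: the schedule, media and backup inventory are constructed for illustration (the accounting period is a placeholder, not a legal figure), emails flagged important are kept past the 6-month rule as the post suggests, and the destruction method follows the medium, with physical destruction added for records flagged sensitive.

```python
from datetime import date, timedelta

# Constructed schedule: retention period in days per data type. Where state or federal
# rules apply, the period must be at least the legal minimum (values here are placeholders).
RETENTION_DAYS = {"accounting": 7 * 365, "customer": 3 * 365, "hr": 5 * 365, "email": 182}

# Destruction method per medium, as the post lists them.
DESTRUCTION = {"hard_drive": "wipe", "tape": "degauss", "paper": "shred"}


def expired_backups(records, today):
    """Return (record id, destruction action) for every backup past its retention period.

    A record is a dict with 'id', 'type', 'media', 'created' (date) and optional flags:
    'important' keeps an email beyond the 6-month rule; 'sensitive' adds physical destruction.
    """
    due = []
    for rec in records:
        if rec["type"] == "email" and rec.get("important"):
            continue
        if today - rec["created"] < timedelta(days=RETENTION_DAYS[rec["type"]]):
            continue
        action = DESTRUCTION[rec["media"]]
        if rec.get("sensitive"):
            action += "+physical_destruction"
        due.append((rec["id"], action))
    return due


# Constructed sample inventory of backup media.
SAMPLE_RECORDS = [
    {"id": "acct-2003", "type": "accounting", "media": "tape", "created": date(2003, 12, 31), "sensitive": True},
    {"id": "acct-2009", "type": "accounting", "media": "tape", "created": date(2009, 12, 31)},
    {"id": "mail-q3", "type": "email", "media": "hard_drive", "created": date(2010, 9, 30)},
    {"id": "mail-board", "type": "email", "media": "hard_drive", "created": date(2010, 9, 30), "important": True},
    {"id": "hr-2008", "type": "hr", "media": "paper", "created": date(2008, 6, 1)},
]


def sample_report(today=date(2011, 4, 20)):
    """Run the policy over the constructed inventory, by default as of the post's date."""
    return expired_backups(SAMPLE_RECORDS, today)
```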

Follow these simple guidelines, and you will ensure your important small business data is backed up and retained for the correct time period.

Apr 19 2011

Well the good news is that data security breaches overall have declined.  The bad news is that data security breaches are increasing for small businesses.  The article touches on a possible reason which is that smaller companies do not have the resources to protect themselves.  But as I have discussed many times, it is not that difficult to protect your small business.  Thieves look for easy targets so if you have even simple barriers in place, they will move on to easier targets.  If you have not already, please take a look at my 5 Step Data Security Plan for Small Businesses, and learn how you can protect your small business.

The article snippet and the full article link are below.

“The report showed a higher proportion of breaches affecting hotels, restaurants and retailers, with the highest number at enterprises employing 100 workers or fewer. A reason may be that many smaller companies don’t have the resources to defend themselves and can often be hit by non-selective, broad attacks, Baker said.”

via Data Theft From Computer Security Breaches Declines, Report Says – Bloomberg.

Apr 18 2011

Here is a good article discussing the top 12 IT mistakes most small businesses make.  I have discussed many of these same data security and backup issues in blog posts and articles.

I will also add the following: As I always recommend, if you are using a cloud service or offsite data storage service for your backups, and you are storing sensitive information, make sure you add further protections such as encryption (discussed in my link above). Also do not discount freeware. I discuss two excellent free software options in my data security article linked above – free encryption software and free network scanning software.

The article snippet and the full article link are below.

“Small business expert Steve Strauss recently posted his Top 12 IT Mistakes Most Small Companies Make on Symantec’s web site.

Once upon a time, small business people did not have to worry about being computer experts or IT savvy – it was just about business. Today, that scenario is merely fairytale. Anyone who owns, runs or works in small business must be as smart about IT as they are about business, says Symantec.

The following tips will help small businesses avoid common IT security and data protection missteps that can put the lifeblood…”

via Top 12 IT Mistakes Most Small Companies Make. Are You Making These?

Apr 05 2011

Below is a link to a security report just released by Symantec detailing the huge rise in internet security threats. There were over 286 million new security threats introduced in 2010 targeting everything from websites, social networks, mobile applications, credit cards, etc. The report lists several threats that small businesses should be aware of, and if you have not already, take a minute to read my 5 Step Data Security Plan for Small Businesses which offers several tips to help you avoid these ever-increasing security threats.

The article snippet and the main article link are below.

“Social network platforms continue to grow in popularity and this popularity has not surprisingly attracted a large volume of malware. One of the primary attack techniques used on social networking sites involved the use of shortened URLs. Under typical, legitimate, circumstances, these abbreviated URLs are used to efficiently share a link in an email or on a web page to an otherwise complicated web address. Last year, attackers posted millions of these shortened links on social networking sites to trick victims into both phishing and malware attacks, dramatically increasing the rate of successful infection.

The report found that attackers overwhelmingly leveraged the…”

via Symantec Report Finds Cyber Threats Skyrocket in Volume and Sophistication.

Apr 01 2011

The link to the article below discusses recent lost or stolen laptops that were not encrypted.  I have written about the need for encryption many times, and not just for laptops.  As easy as it is to lose a laptop, it is also not hard for thieves to break into your office and steal desktops, servers, etc. containing sensitive information.  In fact this type of theft is becoming more prevalent because there is very little in the way of protection for these devices, and it is an easy way to access client personal data such as bank account info.

Encryption is one of the cheapest and best ways to protect your small business.  Take a look at my 5 Step Data Security Plan for Small Businesses for tips on encryption as well as other steps you can take to protect your small business.

Article snippet and full article link below. 

“The continuing failure by most enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP’s disclosure this week of a data compromise involving a lost laptop.

The computer contained unencrypted personal data such as names, Social Security numbers and dates of birth belonging to about 13,000 individuals who had submitted claims with the company over last year’s disastrous oil spill.

According to BP, an employee lost the laptop while on routine business travel.

The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks, and other mobile devices account for a substantial…”

via Failure to encrypt portable devices inexcusable, say analysts – Computerworld.

Mar 30 2011

Here is an article discussing how small businesses should consider encryption options if they are using a cloud storage service. I have posted about the need for encryption if you plan to use a cloud service for storing sensitive data.

Article snippet and full article link below.

“Recent Microsoft research shows that almost two-fifths of companies will start paying for cloud services within three years. Cloud-using firms need to revisit their encryption needs.

According to Phil Lieberman, President and CEO of Lieberman Software, whilst the economic imperative of migrating data to a cloud resource is clear to see, organizations also need to revisit their data encryption resources before making the leap.

“Microsoft’s research notes that 39 per cent of SMBs expect to be paying …”

via The need for data encryption in the cloud – Help Net Security.