What does information security mean? To many people it means "making sure confidential information stays confidential", but in IT we usually also include "making sure your systems keep working in the face of anything that could disrupt the business". So a fault that lets someone (whether by accident or by malice) stop your systems from working, without revealing any confidential information, is still a security issue: availability matters as much as confidentiality.
Some of the ideas here may require a small business to seek outside help. None of them, however, should be particularly expensive to follow.
1. Prioritise the issues you face
While it's natural to worry about viruses and outside hacks (and you should certainly be running anti-virus software), that may not be the biggest issue you face. What about the person you had to sack last month for misconduct? What about the person you know was upset about their pay rise this year? What about the temp who's absolutely great at what s/he does but has a tendency to accidentally delete the wrong file? All these people can cause your business problems, and all of them have a far greater opportunity to do so than an outside attacker, because they already have a login and know where everything is kept.
The best thing you can do here is to look at how your systems are set up and put together simple, easy-to-follow processes to ensure that the access people have - and therefore the damage they can do - is limited. For current members of staff, ensure that they're only given the access they need to do their job, and no more. For people leaving the company, ensure that whatever the circumstances, they return any equipment they have been issued with, all their access to IT systems is revoked on the day they leave, and any shared passwords they knew (the Wi-Fi key, the login for the website, the till) are changed.
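An added example (not from the original article) of what "revoke all their access" looks like on a Windows domain, using the ActiveDirectory PowerShell module from RSAT. The OU name, the log file path and the account name in the usage lines are assumptions for the demo; the second function is the audit you'd run for current staff to see who holds administrator-level group memberships.

```powershell
# Added example, not from the original article. Needs the ActiveDirectory module
# (RSAT) and an account allowed to modify users and groups.
Import-Module ActiveDirectory

function Invoke-LeaverOffboarding {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $LeaversOu = 'OU=Leavers,DC=example,DC=local',   # assumed OU for this demo
        [string] $LogPath   = 'C:\Admin\offboarding.log'          # assumed log path
    )

    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $stamp = (Get-Date).ToString('s')

    # 1. Stop the account being used, whatever the circumstances of leaving.
    Disable-ADAccount -Identity $user

    # 2. Replace the password with a random one so nothing cached or written
    #    down still works, even if the account is re-enabled by mistake.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $random = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $random

    # 3. Remove every group membership (and with it every share, mailbox and
    #    application the groups granted). The primary group, usually Domain
    #    Users, is not listed in MemberOf and cannot be removed this way.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        Add-Content -Path $LogPath -Value "$stamp removed $SamAccountName from $groupDn"
    }

    # 4. Park the object where it is obvious it belongs to a leaver, and log it.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOu
    Add-Content -Path $LogPath -Value "$stamp disabled and moved $SamAccountName"
}

# Companion check for current staff: who actually holds administrator rights?
# Anyone listed here who does not need it for their job is a least-privilege
# problem waiting to happen.
function Get-PrivilegedMembers {
    param([string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
    }
}

# Usage (account name is made up for the demo):
# Invoke-LeaverOffboarding -SamAccountName 'jsmith'
# Get-PrivilegedMembers | Format-Table -AutoSize
```

Run the audit function periodically, not just once: group memberships tend to accumulate as people change roles, and nobody asks for their old access to be taken away.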
2. Thoroughly check PCs before re-using them
Ideally you'd wipe PCs entirely and reinstall everything, but that's not always practical in a small business. In any event, you should at least ensure that you remove any personal information before you hand your old PC over to the new receptionist. Bear in mind that deleting a file or emptying the Recycle Bin only removes the entry for it; the contents stay on the disk until something happens to overwrite them, so use a tool that overwrites free space (or the whole drive) rather than just deleting (on a solid-state drive, use the manufacturer's secure-erase function instead, since overwriting doesn't reliably reach every cell). This is particularly important if you've been using it to store confidential information - you probably don't want last year's pay review spreadsheet being made public, for instance.
This is good advice even if there isn't confidential information on a PC because it gives you an opportunity to wipe any software that doesn't need to be on there any more. This in turn reduces the risk of you accidentally going over your allotted licenses - which can be very expensive.
3. Centrally enforce updates
You know how your PC occasionally prompts you to say "Your PC has been updated, please reboot"? And how it never prompts you at a nice convenient time like 5:30pm on a Friday?
I know it's annoying but those updates are there for a reason. More often than not, they fix security issues which have come to light - and if you don't install them, your system will be absolutely ripe for the next big issue that causes businesses worldwide to watch their IT collapse around their ears. Mercifully such events are pretty rare, but they do happen.
If you've got more than a few PCs, it's worth setting them up so they all get their updates at a convenient time and ensuring that nobody can turn automatic updates off. If you've got a domain, you can do this centrally with Group Policy (and a WSUS server if you want to approve updates before they go out) so you don't need to visit each PC in turn.
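An added example (not from the original article): a PowerShell check of how a PC's automatic updates are set up. It reads the registry values that Group Policy writes (which is how you would enforce this centrally on a domain) and reports the last installed update. The 45-day threshold is an assumption chosen for the demo, roughly one monthly patch cycle plus slack.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
function Get-UpdatePolicyReport {
    # This key only exists when a Windows Update policy has been applied
    # (by Group Policy on a domain, or a local policy on a standalone PC).
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

    # AUOptions values as documented for the 'Configure Automatic Updates' policy
    $optionText = @{ 2 = 'notify before download'; 3 = 'auto download, notify before install';
                     4 = 'auto download and schedule install'; 5 = 'local admin chooses' }
    $days = @('every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday')

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $au) {
        $findings.Add('No Windows Update policy applied: users can change or pause updates locally.')
    } else {
        if ($au.NoAutoUpdate -eq 1) { $findings.Add('Automatic updates are DISABLED by policy.') }
        $opt = [int]$au.AUOptions
        if ($opt -eq 4) {
            # Unset day/time fall back to the documented defaults: every day, 03:00
            $day  = if ($null -ne $au.ScheduledInstallDay)  { $days[[int]$au.ScheduledInstallDay] } else { 'every day' }
            $hour = if ($null -ne $au.ScheduledInstallTime) { [int]$au.ScheduledInstallTime } else { 3 }
            $findings.Add("Installs scheduled: $day at ${hour}:00.")
        } else {
            $label = if ($optionText.ContainsKey($opt)) { $optionText[$opt] } else { 'unset' }
            $findings.Add("AUOptions=$opt ($label): installs are not scheduled, so they wait for a user to click.")
        }
    }

    # Latest installed update, as a rough 'is this machine keeping up?' indicator.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($last) {
        $age = (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days
        $findings.Add("Last update $($last.HotFixID) installed $age days ago.")
        if ($age -gt 45) { $findings.Add('WARNING: more than one patch cycle without an install.') }  # 45 is a demo threshold
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PolicyApplied = [bool]$au
        Findings      = $findings
    }
}

Get-UpdatePolicyReport | Format-List
```

If the report says no policy is applied, fix it in Group Policy rather than by editing the registry on each PC: the whole point is that the setting comes from one place that individual users cannot change.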
4. Don't do anything you don't need to
Virtually every piece of technology you might use has a great big long list of things it can do - and a rather shorter list of things you actually care about.
Here's the rub:
Every extra feature your technology offers is another thing to go wrong.
This doesn't mean you should turn things off indiscriminately - even for an expert, this is a very good way to break systems! - but you should be asking yourself "Do I really need this?". Don't assume you have to explicitly enable this sort of function - frequently systems ship already set up to do everything, and it's down to you to turn off what you don't want.
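An added example (not from the original article) of finding out what a PC is doing that you never asked for: a PowerShell inventory of every TCP port it is listening on, with the process behind it and, where that process is a Windows service, the service name you would look for when deciding whether to disable it.

```powershell
# Added example, not from the original article. Needs Windows 8 / Server 2012 or
# later for Get-NetTCPConnection; run elevated so every process is visible.
function Get-ListeningServiceInventory {
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            # Map the PID to a Windows service name where one exists (svchost.exe
            # can host several, hence the join) so the row matches services.msc.
            $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)" |
                        Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Port    = $conn.LocalPort
                Bind    = $conn.LocalAddress      # 0.0.0.0 or :: means 'every network interface'
                PID     = $conn.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '?' }
                Service = if ($svc) { $svc -join ',' } else { '' }
            }
        }
}

# Anything bound to every interface that you cannot name is a candidate for
# switching off (Stop-Service, then Set-Service -StartupType Disabled) or for a
# firewall rule, once you have checked what, if anything, depends on it.
Get-ListeningServiceInventory | Sort-Object Port | Format-Table -AutoSize
```

Run this on a freshly set-up PC before it goes into use and keep the output: the next time you run it, anything new is either something you installed on purpose or something worth a closer look.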
5. Encrypt your laptops
Just because you need a password to log in to your computer doesn't mean the information on it is automatically secure. It is still very easy to get at anything on there - generally all you need is a screwdriver to take the disk out and plug it into another machine, or a USB stick to boot from. The solution is encryption, which uses mathematics to make the information essentially impossible to read without the password. There are all sorts of options available: free products such as TrueCrypt (since discontinued; current versions of Windows Pro and Enterprise and of macOS ship with their own full-disk encryption, BitLocker and FileVault), and commercial products such as PGP. There's nothing wrong with the free products, but they tend to offer fewer ways of solving the problem of "Oh dear, I've forgotten my password", such as a recovery key held by an administrator. Which is particularly important considering that once the laptop is encrypted, nobody - not me, not you, not Bill Gates, not even MI5 - can get at the information on it without the password or a recovery key. That only holds, mind, if the password is a strong one and the laptop is shut down rather than left asleep in a bag, because a running or sleeping machine still has the key in memory.
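An added example (not from the original article) using BitLocker, the encryption built into Windows Pro and Enterprise, to show both halves of the point above: whether each drive is actually encrypted, and whether a recovery password exists for the "I've forgotten my password" case. The AD backup at the end assumes a domain whose Group Policy permits recovery-key escrow; the -FixMissingRecovery switch name is this demo's own.

```powershell
# Added example, not from the original article. Needs the BitLocker PowerShell
# module (Windows 8 / Server 2012 or later, Pro or Enterprise) and an elevated
# PowerShell.
function Test-LaptopEncryption {
    param([switch] $FixMissingRecovery)   # demo's own switch name

    foreach ($vol in Get-BitLockerVolume) {
        $types       = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasRecovery = $types -contains 'RecoveryPassword'
        $status      = if ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted') {
                           'protected' } else { 'NOT protected' }

        # A drive that is encrypted but has no recovery password is one forgotten
        # PIN away from being a brick; add the 48-digit recovery password that the
        # commercial products sell as their 'forgotten password' feature.
        if (-not $hasRecovery -and $FixMissingRecovery -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $hasRecovery = $true
        }

        [pscustomobject]@{
            Drive       = $vol.MountPoint
            Type        = $vol.VolumeType          # OperatingSystem or Data
            Status      = $status
            Encrypted   = "$($vol.EncryptionPercentage)%"
            Protectors  = $types -join ','
            HasRecovery = $hasRecovery
        }
    }
}

Test-LaptopEncryption -FixMissingRecovery | Format-Table -AutoSize

# On a domain, escrow the operating-system drive's recovery password in Active
# Directory so an administrator can unlock it when the user cannot. Never leave
# the recovery password in a text file on the same laptop: that undoes the
# encryption entirely.
$os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
$rp = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -gt 0) {
    Backup-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $rp[0].KeyProtectorId
}
```

Without a domain, the equivalent is printing or saving the recovery password somewhere that is not the laptop (a password manager, or a sealed envelope in the office safe) before the machine leaves the building.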
source: http://EzineArticles.com/6259356 