Security is at the core of the SMB network

There seems to be a shared sense of confidence on the part of small and medium-sized businesses that their organization will never face a critical security breach. If you had a dime for every SME owner or decision maker who ruled out potential security threats, you could buy a yacht. The truth is that there is no safe haven when it comes to security, and no organization is safe; not the largest retailers, the smallest mom-and-pop distributors, or any size organization in between.

Verizon Business's Data Breach Investigations Report, a study of the number and severity of data breaches, found alarming statistics: 760 confirmed intrusions in 2010, compared to just 141 in 2009 (Baker, et al., 2010). Paradoxically, the number of records compromised was lower than in previous years, but at the end of the day, what impact would a single security incident have on your business? It could be something relatively minor, like someone defacing your website, or it could be a serious incursion into your sales records, customer payment information, and/or intellectual property. How much would that type of breach cost your business? Only you know the answer to that.

In general, network security can be classified as physical or virtual. One of the best security documents I’ve seen was written by Richard Kissel for the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce: NIST Interagency Report 7621, “Small Business Information Security: The Fundamentals.” In it, Kissel outlined essential considerations for all small and medium-sized businesses, regardless of industry or specialization. According to Kissel, the main areas to consider are “‘absolutely necessary’ steps to take, highly recommended practices to prevent problems before they happen, and other optional planning contingencies should a problem arise.” (Kissel, 2009) Most of the items in those three sections fall into one of the two categories mentioned above, physical or virtual.

Physical security is fairly straightforward to address. Essentially, it encompasses the mitigation of any direct attempt by an individual or group to access facilities and/or assets. Measures to consider include the obvious locked doors, security cameras, security guards, etc., but potential areas of compromise also include some that are not so obvious. Failing to vet non-employee staff such as contractors and cleaning crews, and failing to keep their access current, can be a huge oversight. Maybe someone on the cleanup team has light fingers, or enough technical knowledge to plug into an unattended port and get onto your network. This is the perfect application for an IP camera. There are multipurpose units, such as the APC NetBotz product line, that combine environmental and intrusion monitoring with IP cameras to collect data over a defined period of time. Email alerts go to staff or other designated individuals, who can then act on the information provided.

There are cases where the physical and virtual elements of network security merge, and a great example of this is a token-based solution. The user has a key “fob” or other physical device that generates a one-time access code on demand, derived from a secret seed and either a counter or the current time, which is entered along with the normal password to log in to the internal network. If the fob is lost, the code on its display is useless without the user’s other credentials, and an IT staff member can disable the token on the authentication server so that every code it would ever generate is rejected. Some of these solutions, including RSA’s offerings, place a software token on employee workstations or phones to perform the same function. Token-based solutions can be very expensive, which is usually a stopping point for most SMBs. However, for those who are extraordinarily sensitive to the possibility of a leak, it could be money well spent.
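To make the fob’s behaviour concrete, here is an added example (not code from the original article or from any vendor) implementing the two standard one-time-code algorithms such tokens use, RFC 4226 HOTP and RFC 6238 TOTP, together with a hypothetical server-side registry that shows what “disabling a lost token” actually means. The seed is the ASCII test seed from those RFCs, not a real token secret; the TokenRegistry class and its method names are assumptions for illustration.

```python
import hmac
import hashlib
import struct
import time

# Constructed example seed (the one used by the RFC 4226/6238 test vectors).
# Real seeds are random, provisioned per device, and never shared like this.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(seed, now // step, digits)


class TokenRegistry:
    """Hypothetical server-side record of issued tokens. Disabling a lost token is
    what makes it useless; nothing has to be 'wiped' on the fob itself."""

    def __init__(self):
        self._seeds = {}
        self._disabled = set()
        self._last_counter = {}

    def enroll(self, user: str, seed: bytes) -> None:
        self._seeds[user] = seed
        self._last_counter[user] = -1

    def disable(self, user: str) -> None:
        self._disabled.add(user)

    def verify(self, user: str, code: str, now: int, step: int = 30, window: int = 1) -> bool:
        if user in self._disabled or user not in self._seeds:
            return False
        base = now // step
        # Accept codes from adjacent steps to tolerate clock drift, but never a
        # counter at or below the last accepted one: a sniffed code cannot be replayed.
        for counter in range(base - window, base + window + 1):
            if counter <= self._last_counter[user]:
                continue
            expected = hotp(self._seeds[user], counter)
            if hmac.compare_digest(expected, code):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    reg = TokenRegistry()
    reg.enroll("alice", DEMO_SEED)
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("fob shows", code, "-> accepted:", reg.verify("alice", code, now))
    print("same code again -> accepted:", reg.verify("alice", code, now))
    reg.disable("alice")
    print("after disable -> accepted:", reg.verify("alice", totp(DEMO_SEED, now + 30), now + 30))
```

The server only ever needs the seed and a clock, which is why the software-token variant mentioned above can do the same job on a phone or workstation; the replay check and the disable list are the parts that matter when a device goes missing.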

So the doors are locked, the staff are trained, and IP “eyes” are watching the premises. Now you can tackle external threats, but where do you start? Most networks in the modern world are protected by a firewall. The term “firewall” is borrowed from building construction, where a firewall is a barrier built to stop the spread of fire. In a way, this is the basic function of a network firewall, as the goal is to keep out anything that could harm your infrastructure. SearchSecurity.com’s broad definition of a firewall is “a set of related programs, located on a network gateway server, that protects the resources of a private network from users of other networks.” (SearchSecurity.com, 2000) Did you notice that this definition doesn’t specify hardware or software? That’s because it doesn’t have to. Typically, an SMB network will include a dedicated appliance such as those made by Cisco, SonicWALL, or Barracuda. However, there is no reason a network firewall cannot be software, as the definition above allows, running on the network router or on the main server. A good example is the firewall feature set built into the operating system of Cisco’s line of routers.

Other applications that work within the realm of the firewall include antivirus/antimalware, content filtering, and intrusion prevention. The first mitigates the infiltration of viruses, spyware, and the like through email or other “friendly” traffic that the firewall would otherwise let through. Content filtering prevents employees and other users from browsing websites that are unrelated to the business, may present a risk, or are inappropriate in the workplace. Intrusion prevention is designed to defend against attacks by hackers and by botnets of compromised machines that probe for any network flaw or unprotected opening.

While the firewall is the most common control for security-conscious organizations, it shouldn’t be the only measure taken to keep the infrastructure secure. It is important to secure other entry points such as wireless networks, user PCs, and laptops. Wireless networks must use a strong access protocol, which today means WPA2 (Wi-Fi Protected Access 2) with AES encryption and a long passphrase; the older WEP (Wired Equivalent Privacy) is broken and can be cracked in minutes, so it should not be considered protection at all. In many cases, if the attacker has to strain to get in, they are likely to move on to an easier target. Individual users with laptops can inadvertently bring bad things inside your firewall: a machine may pick up malware on a home network that you never see because it happens outside your network boundary. It is imperative that when the machine is brought back onto the network, it is scanned and any threats quarantined before they can spread.

Some security risks arise from user behavior, suggesting the need to implement best practice policies regardless of hardware and software investments. These include, but are not limited to:

• Require users to change passwords every 30 to 60 days (note that current NIST guidance, SP 800-63B, no longer recommends forced periodic rotation unless there is evidence of compromise, favoring longer passphrases and a second factor instead)

• Require passwords to contain uppercase letters, lowercase letters, at least one number, and at least one special character, or, better, require a minimum length and check candidates against lists of known-breached passwords

• Limit access to various areas of the network based on user types and job function

Since training is imperative, users should be required to sign for receipt of these guidelines, along with an agreement to abide by them.

Having physical and virtual security is not enough. Routine maintenance of these devices and software is critical to keeping them secure. The first step is to make sure all patches and firmware are up to date on network endpoints and core devices. Second, your maintenance program should include verified, usable backups of all critical data. There are a variety of methods, from older tape drives to newer external hard drives and remote online backup services, each with its own trade-offs.

The choice of backup solution has a lot to do with budget and downtime tolerance. For most, having data encrypted and automatically routed offsite to a secure location provides the best peace of mind and a valid disaster recovery platform to mitigate loss should a situation occur. Whatever the method, a backup is only “verified” once you have actually restored from it and confirmed the restored data matches what was backed up.
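Since the article stresses verified, usable backups, here is an added example (not from the original page and not any backup vendor’s code) of the minimum verification a backup job should do: record a SHA-256 hash of every file at backup time, then prove the archive is usable by restoring it to a scratch directory and re-hashing. The directory layout, file names, and sample contents are constructed for the demonstration; the archive format (gzipped tar) is a stand-in for whatever your backup tool produces.

```python
import hashlib
import os
import tarfile
import tempfile
import zlib


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: str, archive_path: str) -> dict:
    """Archive source_dir and return a manifest {relative path: sha256} captured at backup time.

    In a real job the manifest is stored separately from the archive (and offsite),
    so that a damaged or tampered archive cannot also carry a matching manifest.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_backup(archive_path: str, manifest: dict) -> bool:
    """Restore the archive into a scratch directory and check every file against the manifest.

    Returns False on any unreadable archive, missing file, or hash mismatch; this is the
    test restore that turns a backup from 'probably fine' into 'verified'.
    """
    # Newer Python versions can refuse archive entries that escape the target
    # directory (path traversal); use that protection where it exists.
    extract_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_args)
            for rel, expected in manifest.items():
                restored = os.path.join(scratch, rel)
                if not os.path.isfile(restored) or sha256_file(restored) != expected:
                    return False
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False
    return True


def demo() -> tuple:
    """Back up constructed sample data, verify it, then show that a changed file is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "sales")
        os.makedirs(src)
        # Constructed sample records; not real customer data.
        with open(os.path.join(src, "customers.csv"), "w") as f:
            f.write("id,name\n1,Example Customer\n")
        with open(os.path.join(src, "orders.csv"), "w") as f:
            f.write("id,total\n1,42.00\n")

        archive = os.path.join(work, "sales.tar.gz")
        manifest = make_backup(src, archive)
        ok_fresh = verify_backup(archive, manifest)

        # A later backup whose contents drifted from what the stored manifest promised.
        with open(os.path.join(src, "orders.csv"), "a") as f:
            f.write("2,9999.00\n")
        make_backup(src, archive)
        ok_after_change = verify_backup(archive, manifest)
    return ok_fresh, ok_after_change


if __name__ == "__main__":
    fresh, changed = demo()
    print("fresh backup verified:", fresh)
    print("changed archive still matches old manifest:", changed)
```

The second result is the important one: a backup that silently differs from its manifest (because of corruption, tampering, or a job that backed up the wrong thing) is exactly the backup you discover is useless on the day you need it, unless a test restore like this runs routinely.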

There have been documented cases of data loss due to poor disposal of documents and old hardware. I think of a scene in the movie Animal House where several members of the Delta fraternity rummage through a dumpster to find a copy of their midterm. Don’t be fooled into thinking there are no individuals or organizations that would do the same to you. Law enforcement has reopened cold cases based on evidence recovered from dumpsters and landfills. Once it goes out to the curb for collection, your garbage is generally no longer considered private, and anyone can go through it. Completely shredding organizational documents, not just financial ones, is vital. This rule doesn’t just apply to paper; it includes hard drives, backup media, and any network device that stores data. When a third party does the destruction, always obtain a certificate of destruction. If your organization must maintain regulatory compliance, such as HIPAA or Sarbanes-Oxley, taking these precautions may not be optional but required.

Another thing, which also comes down to training, is awareness of “social engineering.” SearchSecurity.com defines this concept as “an electronic or personal attempt to obtain unauthorized information or gain access to sensitive systems/facilities or areas by manipulating people.” We’ve all seen phishing scams claiming that we won a foreign lottery, or that a cousin is stranded somewhere and needs money wired immediately. The same kinds of scams can be aimed at a business: a sympathetic-sounding caller talking their way into access, or an emotional email persuading an unsuspecting employee to click a link to help stray animals. Again, education and training, backed by a simple rule that requests for credentials or money are verified through a second channel, will greatly reduce such incidents.

The bottom line is that there is a world of bad actors out there looking for a chance to make an impact. Ignoring the warnings could be costly: it is commonly estimated that nearly 50% of small businesses fail within two years of a total or catastrophic data loss. Security should therefore be a top priority in keeping your organization on the right track. Do not let your guard down, stay alert, and the peace of mind that follows is worth the effort.
