SMB Disaster Preparedness: A Recipe for Disaster
SMBs are not making disaster preparedness a priority until after they experience a disaster or data loss.
In today's continuation of my Eight IT Projects for SMBs series, I would like to explore how SMBs can better position their defenses on the security front. While the challenges of securing a corporate environment might appear to be intimidating at first glance, the steps that businesses need to take to realize it are really not that complex.
Cover the Basics
While it might be tempting for small- and mid-sized businesses to buy into the latest security appliances and tools, I would caution against placing too much emphasis on going with the latest fad. An analogy that comes to my mind would be that of a house owner splurging on the absolute latest burglar alarm system before leaving for a long holiday ... but forgetting to lock the door.
Training Your Users
A recent incident saw computer hackers masquerading as support personnel from Microsoft, successfully convincing a hapless staffer into following a series of instructions over the phone for more than 20 minutes. This included visiting a site that enabled remote access of the employee's computer, though it fortunately appeared to be nothing more than a ruse to sell unneeded security software. While it would be next to impossible to defend against every conceivable social engineering attempt, the above scenario epitomizes why it makes sense to train computer users with a basic level of security knowledge to lower the chances of such scams succeeding against your company.
Blacklisting Versus Whitelisting
When it comes to actually defending against malware, the concept of blacklisting refers to traditional anti-virus software that seeks to weed out malicious software by referring to a virus definition file. On the other hand, whitelisting means that unknown software that cannot be found on an existing whitelist are simply not executed. I've wrote about it last year in "Deploying Whitelisting for Your SMB," and it might be worthwhile to note that some companies have actually opted to deploy both whitelisting and blacklisting solutions. In addition, the new Symantec Endpoint Protection 12, Small Business Edition does incorporate some elements of whitelisting.
The ease of deploying data encryption products has declined over the years even as the performance penalty of implementing it is practically negligible with the use of modern operating systems and hardware. Businesses can acquire either the Enterprise or Ultimate edition of Windows 7 to gain access to robust encryption technologies that offer protection against data loss when laptops are lost or stolen. (BitLocker is a full-disk encryption technology, and I have also written at length how SMBs can protect themselves with BitLocker.) Other affordable and easy-to-use full-disk encryption products exist too, though it remains the onus of SMBs to acquire and deploy them.
Finally, there is another facet of today's topic on how to best protect the increasing number of mobile devices and tablets used on the corporate network, which I will address in another blog.