Recent security incidents and news reports have cast a pall over the state of the security landscape. In the wake of prominent security incidents such as the PlayStation Network break-in and the Epsilon data breach, one cannot help but wonder if SMBs can possibly protect themselves from hackers and digital espionage.
Today, I want to highlight three security strategies that should be within reach of even cash-strapped small- and mid-sized businesses.
Make Use of Data Encryption
Yet protecting against data loss from misplaced or stolen laptops is not rocket science. Indeed, the Enterprise and Ultimate Editions of the Windows 7 (and Vista) operating system already come with BitLocker, a powerful full-disk encryption utility. Many third-party solutions exist, too, and can be purchased at very reasonable prices; more paranoid businesses may do well to pay a little extra for self-encrypting hard-disk drives (HDDs) that transparently encrypt all data as it is written.
Deploy Multiple Layers of Defenses
Conventional wisdom dictates that multiple layers of security have a much better chance of identifying and neutralizing external threats. This is probably best epitomized by the recent suspected database breach at LastPass. As reported at PCWorld, preventive systems within the company detected a "network traffic anomaly" that saw the company scrambling to reset its customers' master passwords. While suffering a security breach is never good news, a breach that is detected and repaired is far better than one that goes unnoticed.
On top of basic anti-malware software, systems that contribute to a multiple-layer-of-defense scheme include network firewalls, IDSes (Intrusion Detection Systems) and proxy servers with URL logging and filtering. Not only can these additional defenses help fend off potential attacks, but they also play an important part in detecting an ongoing attack. Cost-wise, most of the software can be obtained for free and can be deployed on virtual servers, which substantially brings down the cost of implementation. Moreover, anti-malware software such as Microsoft Security Essentials is available for free. And, of course, do remember to practice basic measures such as properly securing Wi-Fi access points with WPA or WPA2 encryption.
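To illustrate the detection role these logging layers play, here is an added example (written for this post, not code from the article or any vendor): a small Python script that sums outbound bytes per client from proxy log lines and flags hosts that send far more than their usual baseline, the kind of "network traffic anomaly" mentioned above. The log format, client addresses and baseline figures are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample proxy log (assumed format: "timestamp client_ip bytes_out url").
# Illustrative data only; not taken from the post or from any real incident.
SAMPLE_LOG = """\
2011-05-10T09:00:01 10.0.0.12 1840 http://intranet.example/home
2011-05-10T09:02:17 10.0.0.15 2200 http://mail.example/inbox
2011-05-10T09:05:43 10.0.0.20 150000 http://paste.example/upload
2011-05-10T09:06:09 10.0.0.12 5200 http://news.example/
2011-05-10T09:11:30 10.0.0.20 230000 http://paste.example/upload
2011-05-10T09:15:02 10.0.0.15 3400 http://mail.example/inbox
2011-05-10T09:20:55 10.0.0.20 410000 http://paste.example/upload
2011-05-10T09:25:40 10.0.0.33 90000 http://cdn.example/update.bin
2011-05-10T09:30:12 10.0.0.12 3100 http://intranet.example/wiki
"""

# Constructed per-host baseline: typical bytes sent out per morning, learned from earlier days.
BASELINE = {"10.0.0.12": 20000, "10.0.0.15": 25000, "10.0.0.20": 18000}


def bytes_out_per_host(log_text):
    """Sum bytes_out per client over all well-formed lines; blank or malformed lines are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        totals[parts[1]] += int(parts[2])
    return dict(totals)


def flag_anomalies(totals, baseline, factor=10):
    """Return {host: reason} for hosts sending more than factor x their baseline,
    or for hosts that have no baseline at all (a new or unknown client)."""
    flagged = {}
    for host, sent in totals.items():
        expected = baseline.get(host)
        if expected is None:
            flagged[host] = f"no baseline ({sent} bytes out)"
        elif sent > factor * expected:
            flagged[host] = f"{sent} bytes out vs baseline {expected}"
    return flagged


if __name__ == "__main__":
    for host, reason in flag_anomalies(bytes_out_per_host(SAMPLE_LOG), BASELINE).items():
        print(f"ALERT {host}: {reason}")
```

In this sample, the host repeatedly uploading to the paste site and the unknown client are flagged, while the normal browsing hosts are not.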
Few would disagree about the importance of proper employee training, which can be particularly effective against social engineering attempts. When it comes to recognizing new security threats, it must be pointed out that computer literacy alone is insufficient. An executive summary of a recent study titled "Why Do People Get Phished?" says:
The study also showed that a person's competency with computing did not protect them from phishing scams, but their awareness about phishing in conjunction with healthy email habits, helped them avoid online deception.
While the study focused on phishing and not security in general, I strongly feel that this finding relates to security awareness as well. As such, it is important to make employees aware of the latest security threats and techniques used by hackers, which should go a long way towards ensuring that staffers stay alert on the security front.
Feel free to leave a comment below.