SMBs Engaging in Risky Security Practices


A new survey by Lenovo and AMD has discovered that a notable portion of SMBs engage in risky security practices. As reported by SmallBusinessComputing, this includes piggybacking off non-company Wi-Fi networks in the course of doing business (25 percent), and backing up important information onto USB flash drives and optical media such as CDs/DVDs (50 percent). The Lenovo-AMD Small Business Tech Survey polled a total of 722 small business professionals between Oct. 14 and Nov. 9 of this year, and the poor security practices appear related to the pressures to keep IT budgets at a bare minimum.


Let's take a closer look at the security ramifications of these two practices today, as well as possible solutions to set matters right, if applicable.


Piggybacking on Wi-Fi


Piggybacking, in this context, refers to using the unsecured Wi-Fi network of a nearby business, often without their permission or knowledge. Personally, I know of friends who have, at one time or another, tapped into their neighbor's open wireless access point (AP), not a particularly challenging feat for those living in apartments, to connect to the Internet in order to conduct their work or business affairs.


As I explained last month in "Free Wi-Fi at the Cafe? Read this Before You Connect," the use of an unsecured Wi-Fi network means that the connection between the laptop and wireless AP is not encrypted. Users on such a network end up wirelessly transmitting all their Internet activities "in the clear," which could range from instant messaging sessions and visited websites to possibly even e-mails downloaded by e-mail clients. This represents extremely risky behavior in my book, with these users also putting themselves at risk of attacks from the likes of session hijacking tools such as Firesheep or other more sophisticated attacks.


Given the security and possibly legal issues at stake here (it is a crime to piggyback without permission in some countries), my advice is that companies should pony up for a dedicated Internet connection and set it up to be accessed via a properly secured Wi-Fi AP.


Use of USB Flash Drive


To be clear, the use of a USB flash drive to store important business files doesn't necessarily mean that your data is unsecure. However, the risk of data breaches resulting from these portable (and usually small) devices is greatly heightened due to the fact that they can be easily misplaced, dropped or stolen. Indeed, I wrote about the threat posed by USB storage devices as far back as two years ago when the U.S. Army imposed a ban on USB flash drives.


Fortunately, alternatives exist that can be implemented by small and mid-sized businesses relatively easily and cheaply. On that front, I've reviewed the IronKey Secure Flash Drive and the LOK-IT Secure Flash Drive on this blog. Both of these USB flash drives incorporate hardware-based encryption technology that promises to keep your confidential or business data safe from prying eyes. To help maintain the confidentiality of your data, the encryption key required to decrypt the stored data is deleted should authentication fail for a pre-determined number of times. If you are planning on implementing the use of secure flash drives, do beware that unsecure versions exist.
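The key-deletion behavior described above can be modeled in a few lines. This is an added example, not code from this blog or from any drive vendor: the class name `SecureDriveModel`, the default threshold of 10 attempts, and the XOR key wrap (standing in for a real key-wrap algorithm) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class DriveWiped(Exception):
    """Raised once the wrapped key has been destroyed."""


class SecureDriveModel:
    """Hypothetical model of a drive controller, not any vendor's firmware."""

    def __init__(self, password: str, max_attempts: int = 10):
        # max_attempts is an assumed value; the article says only "pre-determined".
        self.salt = os.urandom(16)
        self.max_attempts = max_attempts
        self.failures = 0  # real hardware would keep this in non-volatile storage
        data_key = os.urandom(32)  # the key that encrypts the user's data
        wrap, auth = self._derive(password)
        # Only the wrapped key and a verifier are stored, never the password.
        # XOR stands in for a real key-wrap algorithm (assumption for brevity).
        self.wrapped_key = bytes(a ^ b for a, b in zip(data_key, wrap))
        self.verifier = hmac.new(auth, b"unlock", "sha256").digest()

    def _derive(self, password: str):
        out = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                  100_000, dklen=64)
        return out[:32], out[32:]  # (key-wrapping key, verifier key)

    def unlock(self, password: str):
        """Return the data key, or None on a failed attempt."""
        if self.wrapped_key is None:
            raise DriveWiped("encryption key destroyed; data is unrecoverable")
        # Count the attempt before checking it, so an interrupted check
        # still costs the guesser one try.
        self.failures += 1
        wrap, auth = self._derive(password)
        tag = hmac.new(auth, b"unlock", "sha256").digest()
        if hmac.compare_digest(tag, self.verifier):
            self.failures = 0
            return bytes(a ^ b for a, b in zip(self.wrapped_key, wrap))
        if self.failures >= self.max_attempts:
            # Cryptographic erase: the ciphertext may remain on the flash
            # chips, but without the key it can no longer be decrypted.
            self.wrapped_key = self.verifier = None
        return None
```

Note that once the threshold is reached even the correct password no longer helps, so a drive like this protects confidentiality at the cost of availability and needs a separate backup.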


Ultimately, security entails more than keeping one's anti-virus software up-to-date, or diligently applying Patch Tuesday updates from Microsoft. A proper approach requires the implementation of good security practices, as well as their diligent application.