
Business Security

by Lee LeClair
01/20/2006
As seen in Inside Tucson Business

Recently I was asked to advise some small to medium sized businesses on what they should do to cost-effectively protect their IT assets. While every business is different, many small and medium sized businesses share the same history: their IT infrastructure grew over time, with little organization and few resources, and it is now critical to the business.

By now, most businesses (even small and medium sized ones) have a firewall and some form of anti-virus protection, but that is about the extent of their security measures. What more can and should a business with limited resources do to keep its systems safe and still useful? I recommend combining technical knowledge with common sense.

First, do a basic risk analysis. To do this without too much formality, consider the worst-case scenarios: how bad would it be if your most valuable data were lost (corrupted, erased, or copied by a competitor)? What is your most valuable data, and where does it live? Is there any employee who is singularly critical because of his or her knowledge or access? Write this down. Armed with that knowledge, take a hard look at your IT assets and processes: how old are your servers? Is your critical data all on one old hard disk? Do you back up your data regularly? When was the last time you tested RESTORING backed-up data? Is your critical server visible and accessible, physically and on the network, to everyone in your business?

Based on the answers to the first set of questions and the second, you should have a rough feel for how much risk your business is taking every day it runs. Write down what you believe are the highest risks and try to prioritize them. Take your past experience into account: if you have lost several days to virus outbreaks on your computers, note the risk of infection and rank it; if power outages during monsoon season have caused problems, note that and rank it too. There are judgment calls in the rankings, so if you are unfamiliar with how risky certain things are, seek advice from a consultant or a knowledgeable friend. At this stage you should have a roughly ordered list of things to upgrade, fix, organize, or just plain deal with. As a business owner, you will naturally factor in the cost of each adjustment and then prioritize again.

Here are some basics for a reasonable degree of network and data security. Make sure you have a firewall if you have Internet access (and who doesn't), and use private IP address space for your internal network. Configure the firewall to allow very little in from the Internet (for example, only email and web traffic), and only into a special network area (the de-militarized zone, or DMZ) that holds the systems meant to be reached from outside; nothing from the Internet should reach your internal network directly. Separate your servers from your PCs even on the internal network, using a firewall, so you control exactly what can reach the servers. Set up a backup system for your critical servers; tape or disk both work, but do it, because hard disks WILL fail. Then check that the backups are actually occurring, and TEST restoring lost data. A backup job that reports success proves only that it ran; you will not know the backups are good until you restore the data and actually use it. Plug servers into uninterruptible power supplies. Keep your servers in a locked room that only trusted people can enter, and use strong passwords. Servers are typically where your important data sits; protect them! Run anti-virus updates and file scans daily in addition to live scanning of incoming email. If your PCs support automatic operating system updates, as Windows XP does, turn them on.
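The column's advice to test restores rather than trust a "backup completed" message is easy to automate. The script below is an added example, not code from the column or from Ephibian: it backs up a directory to a compressed tar archive, records a SHA-256 manifest of every file at backup time, and then proves the archive is usable by restoring it to a scratch directory and checking each restored file against the manifest. The file names, directory layout and "business data" are constructed for illustration; the script assumes a POSIX shell, tar with gzip support, and either sha256sum (GNU coreutils) or shasum (Perl, BSD/macOS).

```shell
#!/bin/sh
# Added example (not from the column): back up a directory, then prove the
# backup is usable by restoring it elsewhere and comparing every file's
# SHA-256 against a manifest written at backup time. A backup that only
# "completed" has proved nothing; one that restores and matches has.
# Assumes a POSIX shell, tar with gzip support, and sha256sum or shasum.
# All paths and file contents below are illustrative assumptions.
set -eu

# Pick whichever SHA-256 tool this system has.
checksum_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo sha256sum
    else
        echo "shasum -a 256"
    fi
}

# make_backup SRC_DIR ARCHIVE
# Writes ARCHIVE (a .tgz of SRC_DIR) and ARCHIVE.sha256, a manifest of every
# file under SRC_DIR. The manifest is what makes a later restore checkable.
make_backup() {
    src=$1
    archive=$2
    tool=$(checksum_tool)
    tar -C "$src" -czf "$archive" .
    ( cd "$src" && find . -type f -exec $tool {} + ) | sort > "$archive.sha256"
}

# verify_restore ARCHIVE
# Restores ARCHIVE into a scratch directory and checks it against the manifest.
# Returns 0 only if the archive unpacks AND every listed file matches byte for
# byte; a truncated archive, a changed file, or a missing file all return 1.
verify_restore() {
    archive=$1
    tool=$(checksum_tool)
    manifest=$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256
    scratch=$(mktemp -d)
    status=1
    if tar -C "$scratch" -xzf "$archive" 2>/dev/null \
       && ( cd "$scratch" && $tool -c "$manifest" ) >/dev/null 2>&1; then
        status=0
    fi
    rm -rf "$scratch"
    return $status
}

# make_sample_data DIR
# Constructed sample "business data" so the example runs offline.
make_sample_data() {
    mkdir -p "$1/invoices" "$1/customers"
    printf 'inv-1001,ACME,1250.00\ninv-1002,Globex,310.50\n' > "$1/invoices/2006-01.csv"
    printf 'ACME,Tucson\nGlobex,Phoenix\n' > "$1/customers/list.csv"
}

# Walk through a backup, a restore test that should pass, and one that should
# fail because the archive no longer matches what was recorded.
demo() {
    work=$(mktemp -d)
    make_sample_data "$work/data"
    make_backup "$work/data" "$work/backup.tgz"
    if verify_restore "$work/backup.tgz"; then
        echo "backup.tgz: restore test PASSED"
    else
        echo "backup.tgz: restore test FAILED"
    fi
    # Simulate a bad backup: the archive holds a changed file, but the
    # manifest is the one recorded at backup time.
    echo 'inv-9999,???,0.00' >> "$work/data/invoices/2006-01.csv"
    tar -C "$work/data" -czf "$work/bad.tgz" .
    cp "$work/backup.tgz.sha256" "$work/bad.tgz.sha256"
    if verify_restore "$work/bad.tgz"; then
        echo "bad.tgz: restore test PASSED (should not happen)"
    else
        echo "bad.tgz: restore test FAILED, as it should"
    fi
    rm -rf "$work"
}

demo
```

Run from cron alongside the real backup job and treat a non-zero exit from verify_restore as an alarm, not a log line. The manifest is stored next to the archive here for simplicity; keeping a copy of it somewhere the backup media cannot be written to (or at least off the server being backed up) makes it harder for a failed disk or a careless operator to take both the data and the evidence.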

There are lots of other things you can add to these basics; use the results of your risk analysis to decide which ones, and you can run your business safely and effectively.

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business