Small Business Network Security
How safe is your small business network? What are the threats to your network? What are its vulnerabilities? Moreover, what can be done to protect your (and your clients’) information? Overall, how safe is your business computer network?
Before diving into this subject, I’ll explain the difference between a threat and a vulnerability. In my IT courses, I’ve used Hurricane Katrina and New Orleans as an example to demonstrate the difference. For decades, the threat to New Orleans was evident: a major hurricane could come ashore, cause major damage, and ultimately flood the city. With New Orleans below sea level, this was an even greater threat.
Vulnerability, on the other hand, actually caused New Orleans to fall into chaos. Remember, it was the levee, not Katrina, that ultimately led to the dire situation in the city. In summary, the threat was the hurricane and the vulnerabilities were the broken levees.
Another great example is the Gold Bullion Depository located in Fort Knox, Kentucky. It is a heavily guarded facility with no public access. Armed guards with live ammunition are located on top of the building and on the grounds. Moreover, a heavily armored fence with barbed wire, electricity, and other deterrents encompasses the building to keep threats away. All that protection, however, can be rendered null and void by one vulnerability in that security system. That vulnerability could be an ill-trained security agent or a weak area of the fence surrounding the compound.
The same is true in small business. Threats are always present, yet vulnerabilities of small business networks are the real dangers. A small business owner may have the proper security on a computer network with firewalls, virus protection, and strict password requirements, yet vulnerabilities still exist.
Do you have strict password requirements? Moreover, can employees use similar passwords by changing just one character? I’ve visited several businesses where password requirements are very loose. Employees will openly say things such as “I just change the last digit to a different number”. When passwords are set with workers’ first or last names, pet names, children’s names, and so forth, it’s much easier for unauthorized users to gain access.
Strict password requirements, although more troublesome for employees, will remove some vulnerability from your computer network. With regard to the various universities for which I teach, I quickly see the differences between those institutions that have secure password requirements and those that do not. For example, some mandate changes every 45 days and individuals are not allowed to use one of their previous 7 passwords. Others where I have taught have not prompted a password change in 6 months.
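The password rules discussed above (no reuse of the previous 7 passwords, no "change the last digit" variants, no names) can be checked when a password is changed. The following is an added example, not part of the original article; the function names, the similarity threshold, the PBKDF2 work factor and the sample data are assumptions.

```python
import hashlib, hmac, os

HISTORY_DEPTH = 7             # "previous 7 passwords" policy quoted in the article
MAX_SIMILARITY_EDITS = 2      # assumed threshold: reject if <= 2 edits from current
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the example; tune for your hardware

def hash_password(password, salt=None):
    """Return (salt, digest); history stores only these, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def in_history(candidate, history):
    recent = history[-HISTORY_DEPTH:]
    return any(hmac.compare_digest(hash_password(candidate, s)[1], d) for s, d in recent)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def last_digit_variants(password):
    """The 'I just change the last digit' habit: same string, other final digit."""
    if password and password[-1].isdigit():
        return [password[:-1] + d for d in "0123456789" if d != password[-1]]
    return []

def check_new_password(new, current, history, personal_terms):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if in_history(new, history):
        problems.append("reused")
    # The current password is available in plaintext only during the change
    # request, so the similarity check has to happen here.
    if edit_distance(new.lower(), current.lower()) <= MAX_SIMILARITY_EDITS:
        problems.append("too similar to current")
    # Older passwords exist only as hashes: hash each variant of the NEW one.
    if any(in_history(v, history) for v in last_digit_variants(new)):
        problems.append("last-digit variant of earlier password")
    if any(len(t) >= 3 and t.lower() in new.lower() for t in personal_terms):
        problems.append("contains personal name")
    return problems

# Constructed sample data (not from the article): oldest password first.
SAMPLE_HISTORY = [hash_password(p) for p in ("Lamp-Harbor-42!", "Copper-Tide-7", "Winter#Field3")]
SAMPLE_PERSONAL = ["Dana", "Reyes", "Biscuit"]
```

Because the history holds only salted hashes, similarity to older passwords cannot be measured directly; the check instead hashes likely variants of the new password and compares those.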
Another simple way to protect your network and information is to password protect any wireless networks. I test this frequently when making business visits. With my laptop, I attempt to locate and connect to open wireless networks in the area. More than 50% of those networks are not password protected and allow any user to gain access. An unauthorized user within range of an open wireless network can piggyback and obtain a free internet connection. Even worse, unauthorized users can gain access for malicious intent.
How can the small business owner protect a computer network and information? First, a risk assessment must be completed. Analyze the current network setup and how it is structured. What are the threats? What are the vulnerabilities? If you don’t think your network is at risk, think again. According to an FBI Computer Crime and Security Survey from 2005, 56% of all computer networks had unauthorized users. Read more about that story at: http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf.
Still don’t think your network is in danger? According to Small Business Network Security 101, “Perhaps the greatest threat to small business networks is the owner’s false sense of security and their lack of proficiency in protecting their networks. Very often, small business owners push network security issues down the priority list in favor of more pressing matters, and in many cases, network security is not a concern at all.”
Remember the different types of unauthorized users:
- Hacker – user with un-granted access on a network simply for the curiosity or challenge, with no intent to harm.
- Cracker – user with un-granted access on a network with malicious intent to steal, damage, or cause harm to the network.
As you can see, many people define hacker incorrectly. Hackers are normally just after the thrill of accessing a network. Conversely, it’s actually a “cracker” who is out to do harm. In class I normally get a few laughs when discussing the difference between the two. Even though most hackers do not intend to do harm or want to steal your data, it’s still a good policy to prevent ALL unauthorized access to a network you pay to maintain and operate.
Once a risk assessment is complete, the small business owner can develop a strategy to protect its network and information. If an unauthorized user accesses your network and uses client data for identity theft, that’s an entirely different situation. In this case not only has the network been breached, but the lifeblood of your business (your customers) has also been jeopardized.
Due to the associated negative publicity in the past, many businesses have not prosecuted individuals who have gained access to or stolen data. After all, who wants their business to be associated with an unsecure network concerning client data? Moreover, if you outsource your network operation and security, verify with your vendor that steps have been taken to appropriately secure your network and to protect the data it contains.
An entire class could be taught just on securing a network; however, for a concise way to do this, read and verify that your small business network is secure by visiting www.computerworld.com.













