Quick Contact

News and Updates

Cyber-Security for Small Businesses

Cyber-Security for Small Businesses –

Serious Enough for the U.S. Government to be Concerned

Recent media stories about the Flame and Stuxnet computer viruses serve to underscore the very real need for businesses to take seriously the security of their computers and data network.  The U.S. Government is concerned; with over 27 million small business representing 95% of all U.S. businesses, unaddressed vulnerabilities represent a serious threat to the entire economy.

NIST (the National Institute of Standards and Technology, part of the U.S. Department of Commerce), the FBI, the Small Business Administration, and otheragencies have all come together to provide information and workshops around the country to help small businesses take the steps necessary to reduce their exposure to these threats.

There are multiple areas of which the small business owner needs to be aware and address.  Below are the recommendations
of NIST with regard to Network Security:

1. Secure internal network and cloud services

Your company’s network should be separated from the public Internet by strong user authentication mechanisms and policy enforcement systems such as firewalls and web filtering proxies. Additional monitoring and security solutions, such as
anti-virus software and intrusion detection systems, should also be employed to identify and stop malicious code or unauthorized access attempts.

 Internal network

After identifying the boundary points on your company’s network, each boundary should be evaluated to determine what types of security controls are necessary and how they can be best deployed. Border routers should be configured to only route traffic to and from your company’s public IP addresses, firewalls should be deployed to restrict traffic only to and from the minimum set of necessary services, and intrusion prevention systems should be configured to monitor for suspicious activity
crossing your network perimeter. In order to prevent bottlenecks, all security systems you deploy to your company’s network perimeter should be capable of handling the bandwidth that your carrier provides.

 Cloud based services

Carefully consult your terms of service with all cloud service providers to ensure that your company’s information and activities are protected with the same degree of security you would intend to provide on your own. Request security and auditing from your cloud service providers as applicable to your company’s needs and concerns. Review and understand service level agreements, or SLAs, for system restoration and reconstitution time. You should also inquire about additional services a cloud service can provide. These services may include backup and-restore services and encryption services, which may be very attractive to small businesses.

 2. Develop strong password policies

Generally speaking, two-factor authentication methods, which require two types of evidence that you are who you claim to be, are safer than using just static passwords for authentication. One common example is a personal security token that displays changing passcodes to be used in conjunction with an established password. However, two-factor systems may not always be possible or practical for your company.

Password policies should encourage your employees to employ the strongest passwords possible without creating the need or temptation to reuse passwords or write them down. That means passwords that are random, complex and long (at least 10
characters), that are changed regularly, and that are closely guarded by those who know them.

3. Secure and encrypt your company’s Wi-Fi 

Wireless access control
Your company may choose to operate a Wireless Local Area Network (WLAN) for the use of customers, guests and visitors. If so, it is important that such a WLAN be kept separate from the main company network so that traffic from the public network cannot traverse the company’s internal systems at any point.

Internal, non-public WLAN access should be restricted to specific devices and specific users to the greatest extent possible while meeting your company’s business needs. Where the internal WLAN has less stringent access controls than your company’s wired network, dual connections — where a device is able to connect to both the wireless and wired networks simultaneously — should be prohibited by technical controls on each such capable device (e.g., BIOS-level LAN/WLAN switch settings). All users should be given unique credentials with preset expiration dates to use when accessing the internal WLAN.

Wireless encryption
Due to demonstrable security flaws known to exist in older forms of wireless encryption, your company’s internal WLAN should only employ Wi-Fi Protected Access 2 (WPA2) encryption.

4. Encrypt sensitive company data

Encryption should be employed to protect any data that your company considers sensitive, in addition to meeting applicable regulatory requirements on information safeguarding. Different encryption schemes are appropriate under different circumstances. However, applications that comply with the OpenPGP standard, such as PGP and GnuPG, provide a wide range of options for securing data on disk as well as in transit. If you choose to offer secure transactions via your company’s website, consult with your service provider about available options for an SSL certificate for your site.

5. Regularly update all applications

All systems and software, including networking equipment, should be updated in a timely fashion as patches and firmware upgrades become available. Use automatic updating services whenever possible, especially for security systems such as
anti-malware applications, web filtering tools and intrusion prevention systems.

6. Set safe web browsing rules

Your company’s internal network should only be able to access those services and resources on the Internet that are essential to the business and the needs of your employees. Use the safe browsing features included with modern web browsing software and a web proxy to ensure that malicious or unauthorized sites cannot be accessed from your internal network.

7. If remote access is enabled, make sure it is secure

If your company needs to provide remote access to your company’s internal network over the Internet, one popular and secure option is to employ a secure Virtual Private Network (VPN) system accompanied by strong two-factor authentication, using either hardware or software tokens.

We can help you understand the implications for your business and help you implement solutions that will help eliminate some of these security concerns and keep your business safe and running.

Leave a Reply

You must be logged in to post a comment

Sound Technology Services sign up form

Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur excepteur sint occaecat cupidatat non

Sound Technology Serviceslogin form