By Susan Bradley
If you’re looking for a data-protection silver bullet, you won’t find it here — it doesn’t exist. Protecting your business information is a multilayered process that combines technology, human awareness, and regular reviews of your policies and practices.
Many years ago, I got an unexpected call on an early Sunday morning. “We’ve had a break-in at the office.” So off I went to see what the damage was. The burglars broke the front door and grabbed a monitor and a desktop computer. Fortunately, no significant data was on the personal computer, but it made us take a closer look at the physical security of our office.
The event also prompted me to take another look at how we protected our data. Too often, we confine our worry about data to its transit of the Internet, the threat to it from outside hackers and cyber thieves, and its removal by criminals who target machines they can sell quickly for a little easy cash.
I want you to think about protecting your key business data from end to end: from local physical security to remote attacks to loss through accident and “acts of God.”
Protecting your business data from the inside
Before getting to the basics of protecting company data, you need to answer some important questions. What specific information do you need to secure? Where is it located? Is it data you currently use, or is it archived?
What constitutes sensitive data can be quite broad; it’s not limited to what government agencies require. It’s the key information needed to keep a business functioning. It could be an online catalog of your inventory, accounting records, customer lists, or even that secret formula for Coca-Cola.
Laws and regulations: Anyone who runs a business has to keep track of a daunting number of regulations — including those that apply to data security. The specific rules for protecting sensitive information vary with the type of business; they also set the tone for the level and form of security needed. The top priority goes to any information that can be used for identity theft, such as customer names, credit-card information, and, in the U.S., social security numbers (or other key data that can be used to spoof a person’s financial identity). The Internal Revenue Service offers some guidance in its “Safeguarding taxpayer data” (
PDF document).
Because every industry has its own unique requirements, you won’t find a blanket security law or rule to follow. In the U.S., health-care firms typically comply with
HIPAA regulations; for financial firms, it’s the
Gramm-Leach-Bliley Act and various Federal Trade Commission rules. Located in California? You’d better be up on
SB1386 and
AB1950 — two state laws that cover the protection of sensitive information.
Many of these regulations are somewhat vague and ambiguous — purposely so. Lawmakers make them that way so they’re not immediately outdated nor so restrictive that businesses can’t function. But that ambiguity can also make them hard to interpret.
Security regulators want businesses to take
reasonable precautions to protect sensitive information. I call this the
Golden Rule of data protection: Protect customers’ personal data as you’d want other businesses to protect yours. Follow that, and usually you can’t go wrong.
Physical security: If you are a firm with computers and servers located in the office, review the equipment’s physical security. Do you have an adequate alarm system and security cameras? Are servers behind a locked door, and are workstations secured by cable locks? (That’s especially important for notebooks used in the office — it’s not unheard of for a thief to simply walk into an office and walk out with a notebook in hand.) The second time we had a burglary, we had already cable-locked (
example) all computers. The burglar dragged one out a window but could not make off with it (see Figure 1). We cleaned up the slightly battered machine, and it’s still in use to this day.
Figure 1. An attempted computer theft thwarted by a cable lock Remember: If the bad guys have your systems, they can use well-known Linux boot disks, such as “Offline NT Password & Registry Editor” (
download site) to reset passwords and gain complete access to your company data stored on the hard drives (even with security products such as
LoJack for Laptops installed).
Data encryption: Identify the most sensitive information and encrypt it. You can encrypt an entire server using tools such as Microsoft’s
BitLocker or the open-source
TrueCrypt, but you don’t have to. Products such as Symantec’s PGP Whole Disk Encryption (
info page) let you encrypt just the folders containing your most sensitive data. (Microsoft’s encryption program, BitLocker, is offered only on server operating systems and on the Ultimate and Enterprise versions of Windows 7, which is why many IT managers use TrueCrypt instead.)
I choose not to use full-server encryption because it can make server remote maintenance troublesome — you might need someone at the server console to enter the BitLocker passcode when the server reboots. Furthermore, not all servers have a TPM chip (
more info) that helps BitLocker work. (Devices lacking a TPM chip need to have a USB key inserted at boot time.)
Encrypting an entire server can also make backup and recovery more difficult. And if you do encrypt your entire server, store that all-important encryption password in multiple locations — including, possibly, a lock box at the bank. I know folks who lost their one backup copy of their encrypted laptop and consequently lost all their data when they had to rebuild Windows.
Updating an encrypted system can also lead to problems. Whether you have workstations or servers, I recommend decrypting systems before applying any service pack. Once you know the update works, re-encrypt. Bottom line: Plan and test encryption carefully before securing an entire server — you might lock out not only bad guys but yourself as well.
Limit access: In addition to limiting physical access, consider limiting access rights within the operating system. You don’t have to give everyone in your business access to all company data. Windows lets you easily set file- and folder-sharing permissions. At a minimum, require that every computer in the office have a unique password. Microsoft has a handy Fix it in MS Support article
308226 that will set it up for you. (It enables — or disables — the standard CTRL+ALT+Delete sign-in sequence. If you’re in a domain or peer-to-peer network, you probably already have this setting in place.)
With all systems using a username and password, review what access you want to give staff. If Jane needs access to a folder but John doesn’t, right-click the folder, select Properties, and go to the Security tab. You’ll see a list of usernames and a Permissions box, as shown in Figure 2. Simply highlight a user and click the Edit button.
In a domain network, a folder may be set to give access to all users in the network. If you want to have more restrictive access, you can remove users from the list. But the better method is to set up security groups and assign the rights to folders by group.
Figure 2. Right-clicking a folder name and selecting Properties/Security lets you restrict employee access to sensitive folders. Another way to set permissions is with Microsoft’s recently released Small Business Server Essentials, which combines an on-premise server with a cloud-based e-mail service. Using this system, you can create a folder called something like “Sensitive Data” and use the user-account wizard to change folder access rights.
You can also choose whether to give users remote-access rights. In my office, I’ve increased remote-access security by adding a two-factor authentication system; it combines a PIN code with an eight-digit code that I obtain using an application on my iPhone. (See more on this in my
Top Story, “Keep your data safe while on the road.”)
Protecting data from outside threats
Growing threats to sensitive business information from outside sources are becoming more sophisticated.
E-mail and virus protection: I use an e-mail hygiene product from
ExchangeDefender that scans and filters mail
before it enters the office. It’s similar to the process that
Postini and Gmail use. It also ensures that attackers can’t connect directly to the mail server at my office. E-mail typically travels over port 25, so give only your mail-hygiene service access to it — don’t leave it open to the Internet universe. Your service provider can tell you how to set it up with the mail server you use. If you use online e-mail such as Gmail or BPOS (Microsoft’s Hosted e-mail provider), you already get this service.
Next, make sure that each workstation has antivirus and anti-malware installed. For firms with fewer than 10 machines, you can use Microsoft’s free
Security Essentials. Larger companies need paid products from their preferred security company. (However, in my experience they all lack excellent protection from rogue-antivirus attacks. I use a two-fold process: users don’t have administrator rights for day-to-day work, and all systems are scanned at least once a month — or after I’ve had a scare — using Malwarebytes’
Anti-Malware scanner.)
If you run XP, chances are high you’re usually running as an administrator. That means a cyber criminal who downloads malware can gain all the same rights you have — including access to all of your company data. Although you need to be an administrator to install software, you typically do not need to be an admin to run your day-to-day computing needs. Operating without admin rights reduces the risk of downloading malware if you visit a malicious site.
Windows 7 makes it easier to work without running under admin rights at all times. A Microsoft
document, “Configuring Windows 7 for a limited user account” tells you how.
Choosing your boundary: For most people, that small box with the blinking lights (the router) is merely the gateway to Internet. But it’s really a boundary line for your network, and its firewall is there to protect you.
Most consumer-grade routers/firewalls used by small businesses do not offer any kind of effective logging and review of what users are doing on the network. Is Sally on Facebook all day long? Is John sending instant messages to his friends? To give you some information on who’s doing what on the network and for how long, consider purchasing a business-class firewall or an enhanced firewall app such as
Untangle. (You can use a leftover XP machine to build your firewall appliance.)
Also make sure that only the firewall ports you absolutely need are open. If you host your own mail server, that means port 25; otherwise, make sure it’s closed. You can easily test your port configuration by going to the ShieldsUP
site. Click on Common Ports to begin the scan. That said, if you’re running Windows Small Business Server, it’s perfectly okay to have SSL port 443 open to allow remote access.
Figure 3. A typical ShieldsUP report of your firewall-port status Backing up your data: Backing up your business data is arguably the most important step in securing it. And right after that is testing your ability to restore files. If you’ve never tested whether you can restore a single file from that backup you’re diligently doing each evening, how do you know it’s working? Third-party software such as
DriveImage XML,
Acronis, or even the new
Windows Storage Server 2008 R2 Essentials makes it easy to back up and recover data on up to 25 workstations.
If you’ve never tested a restore, temporarily rename any nonessential document on your computer, launch the backup software, go to the recovery wizard, drill down until you find the archived file (with the original name), and restore it. If this doesn’t work, find out why — before you need to restore something important. For extremely important files, I keep multiple backups — on the premises and in the cloud. (Because of limited Internet speed, I can’t put everything in the cloud; nor do I really want to.)
Planning for the worst: I live in California — home of earthquakes, forest fires, mudslides, and power blackouts. Although my neighborhood is relatively safe from these threats, I still plan for contingencies should something disastrous happen. Designing my processes and technology for
worst-case scenarios requires balancing my budget against estimated risk. For example, having a duplicate server in my office is not feasible, given the cost of hardware and licensing.
But I have built processes that let me quickly move data to another hardware platform. My main servers are running on virtualization software, so they’re not tied to any specific hardware configuration. I have, in fact, made exact duplicates of the virtual-machine images and moved them to different hardware just to test this capability. I’ve even used Microsoft’s Sysinternals tool
Disk2vhd to take an exact image of a physical server and move a copy into a virtual setting.
(If you’re using Windows-based apps, moving from a physical to a virtual setting works, but it’s not always within the rules of your license agreements. Preinstalled server software, for example, is typically licensed for the hardware it came on. You should review software licensing when designing your disaster-recovery plans.)
Getting advice: If this all sounds too complicated, remember that the big firms with lots of internal resources have not done a great job of data security, either. That doesn’t mean you should give up, however. It’s easier for a small firm to protect itself precisely because of its small size and greater agility. For help, you can find Microsoft Small Business Specialist consultants at its
Pinpoint site, and Apple offers
Joint Venture. Both services can help you wade through this difficult process, providing plans and techniques for protecting your vital business data.
What I’ve given you here just scratches the surface. But it does give you the starting point you need.
Feedback welcome: Have a question or comment about this story? Post your thoughts, praises, or constructive criticisms in the WS Columns forum.
|
Keep your data safe while on the road
By Tracey Capen 
By Susan Bradley 
