As companies grow, it’s easy to miss technology changes that can expose your business to vulnerabilities. No one is immune, and protecting your business against breaches is not a “set it and forget it” situation.
According to a 2014 Forbes article, small and midsize businesses were the target of 61 percent of all targeted attacks in 2013, up from 50 percent in 2012, with medium-sized (2,500-plus employees) businesses seeing the largest surge.
This problem is only getting more serious and widespread, but there are key steps a business can take to help protect not just their data, but also their entire network.
Smart Business spoke with Stephan J. Cico, managing director of All Covered Pittsburgh, about building a security plan. All Covered will follow up with three more articles on keys to protecting your business.
Why is it critical to build a security plan?
Building a security plan is the first, and arguably the most important, step in protecting a business network. It should be a methodical process that includes the IT team and key business stakeholders. Businesses need to understand not only current security trends, but also the current state of security within their own data center. Building a plan identifies current security lapses so the team can create a comprehensive approach.
How can companies get started?
Start with fact-finding to get answers about:
Current policies — Assess all IT and security policies. Policies should be reviewed regularly to make sure they are current with the business’s plans and goals.
Device and software inventory — Every device should be part of an inventory, in order to clarify the scope of the environment and the devices, software and systems in a security plan. You also want to include hardware configuration, installed business software and current security patch levels. If it’s not possible to inventory and check each mobile phone, at least check the devices of C-suite members, the IT team and those most likely to use their devices for business.
Regulations — If your business is in a regulated industry, there may be additional requirements for keeping data secure and available for industry audits. You’ll want to speak with an industry expert.
Physical structure — Nothing should be overlooked. Do the server room doors have security card access or programmable keypad door locks? Is there an independent air conditioning system, power protection with battery backup or a backup generator, and proper fire suppression? Look at the physical space with a critical eye. Everything from building key cards to authorized access to server rooms to power is important.
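The inventory step above is where most plans first discover unmanaged devices and forgotten patch gaps. The script below, an added example that is not from the article or from All Covered, reconciles a device inventory against what is actually on the network and ages each device's last patch date. The inventory CSV, the DHCP lease export and their column layouts are constructed for illustration, as are the 45-day patch threshold and the set of priority roles (the C-suite, IT and server devices the article says to check first).

```python
"""Reconcile a device inventory with what is actually on the network and flag
devices whose patch level is stale.

Added example, not from the article or from All Covered. The inventory CSV and
the DHCP lease export below are constructed; their column layouts are assumed.
"""
import csv
import io
from datetime import date

# Constructed inventory export: one row per managed device.
INVENTORY_CSV = """\
hostname,mac,owner,role,os,last_patched
fin-lt-01,aa:bb:cc:00:00:01,cfo,c-suite,Windows 10,2024-03-10
it-ws-04,aa:bb:cc:00:00:02,it,it,Ubuntu 22.04,2024-05-02
sales-lt-07,aa:bb:cc:00:00:03,sales,staff,Windows 10,2023-11-15
srv-db-01,aa:bb:cc:00:00:04,it,server,Windows Server 2019,2024-04-20
"""

# Constructed DHCP lease export: "mac ip hostname", one lease per line.
DHCP_LEASES = """\
aa:bb:cc:00:00:01 10.0.1.21 fin-lt-01
aa:bb:cc:00:00:02 10.0.1.22 it-ws-04
aa:bb:cc:00:00:05 10.0.1.60 android-9f2e
aa:bb:cc:00:00:04 10.0.2.10 srv-db-01
"""

MAX_PATCH_AGE_DAYS = 45                         # assumed policy threshold
PRIORITY_ROLES = {"c-suite", "it", "server"}    # devices to check first


def load_inventory(text: str) -> dict:
    """Key the inventory by MAC address, lower-cased so exports from different tools agree."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["mac"].lower(): row for row in rows}


def load_leases(text: str) -> dict:
    """Parse 'mac ip hostname' lines into {mac: (ip, hostname)}."""
    leases = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, ip, hostname = line.split()
        leases[mac.lower()] = (ip, hostname)
    return leases


def reconcile(inventory: dict, leases: dict, today: date) -> dict:
    """Compare the two views and return the gaps the security plan has to close."""
    # Seen on the network but not in the inventory: unmanaged, out of scope of every control.
    unknown = sorted(
        f"{mac} {ip} {hostname}"
        for mac, (ip, hostname) in leases.items()
        if mac not in inventory
    )
    # In the inventory but not seen: possibly lost, stolen, or simply off the network.
    absent = sorted(row["hostname"] for mac, row in inventory.items() if mac not in leases)
    stale, priority_stale = [], []
    for row in inventory.values():
        age_days = (today - date.fromisoformat(row["last_patched"])).days
        if age_days > MAX_PATCH_AGE_DAYS:
            stale.append(row["hostname"])
            if row["role"] in PRIORITY_ROLES:
                priority_stale.append(row["hostname"])
    return {
        "unknown_on_network": unknown,
        "inventoried_not_seen": absent,
        "stale_patches": sorted(stale),
        "priority_stale": sorted(priority_stale),
    }


def report(today: date = date(2024, 5, 15)) -> dict:
    """Run the reconciliation over the constructed data for a fixed 'today'."""
    return reconcile(load_inventory(INVENTORY_CSV), load_leases(DHCP_LEASES), today)


if __name__ == "__main__":
    for key, items in report().items():
        print(f"{key}: {items}")
```

Keying on MAC address rather than hostname matters because a personal phone or a rogue device will usually carry a hostname nobody recognises; the lease export is what tells you it exists at all. In practice the lease file would come from the DHCP server and the inventory from the management tool, and the thresholds would come from the written policy.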
How should the team build the actual plan?
Just like the initial research, the process must be comprehensive. Don’t forget to consider:
Physical servers — Develop a written backup and recovery plan. It should include the ability to restore from an image with confirmed and tested recovery points. Copies of the backup should be kept off-site to protect against a catastrophic failure.
Virtual servers — Virtualization provides wonderful benefits, but, just like physical servers, virtual servers require a thoughtful plan for management and security. This should include monitoring and reporting on backup and replication, fault tolerant design and carefully planned capacity implementation.
End-user computers — Every time a computer is added, it needs to include local endpoint protection software (anti-virus, anti-malware) set to auto-update. Implement policies regarding internet and email usage, installing software, downloading attachments, etc. If possible, consider desktop virtualization or thin client computing, which provide a flexible and more secure solution for end user access.
Bring your own device (BYOD) — The top concerns for BYOD deployment are related to security. Approximately 22 percent of mobile devices will be lost or stolen during their lifetime, and more than 50 percent of these will never be recovered. Will that device contain your business data? It’s important to consider application risks, password strength, possible encryption and remote wiping for lost or stolen hardware.
Employee security training — Employees should be trained on company policies and procedures as well as best practices for email and Internet usage, handling corporate data and compliance-related requirements.
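A "confirmed and tested recovery point" means more than a backup job that reported success: the archive has to be restored somewhere and compared with what was backed up. The script below is an added example, not code from the article or from All Covered. It records a SHA-256 manifest when the backup is taken, restores the archive into a scratch directory, re-hashes every file and reports anything missing, changed or unexpected. The file-server contents, archive name and the choice of tar.gz as the image format are all constructed for the demonstration; the path check before extraction is there because an archive from an untrusted or compromised host can contain entries that write outside the restore directory.

```python
"""Verify that a backup restores intact by comparing a restore against a manifest.

Added example, not from the article or from All Covered. The sample files are
constructed inside a temporary directory so the script runs offline.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` as tar.gz, write a manifest beside it and return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def safe_members(tar: tarfile.TarFile) -> list:
    """Refuse entries that could escape the restore directory or plant links."""
    members = []
    for member in tar.getmembers():
        if member.name.startswith("/") or ".." in Path(member.name).parts:
            raise ValueError(f"unsafe path in archive: {member.name}")
        if member.issym() or member.islnk():
            raise ValueError(f"link entry not allowed: {member.name}")
        members.append(member)
    return members


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare every file with `manifest`.

    Returns a sorted list of problems; an empty list means the recovery point
    restores exactly what the manifest recorded.
    """
    # Newer Pythons ship tarfile.data_filter; use it where available, keep our own check anyway.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, members=safe_members(tar), **extract_kwargs)
        restored = build_manifest(dest)
    problems = []
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            problems.append(f"missing after restore: {rel}")
        elif actual != expected:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored.keys() - manifest.keys():
        problems.append(f"unexpected file after restore: {rel}")
    return sorted(problems)


def demo() -> tuple:
    """Constructed scenario: a clean restore, then the same archive checked against
    the source after it changed, which is how a stale recovery point shows up."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "fileserver"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("2024-05-01,invoice,1200\n")
        (source / "readme.txt").write_text("quarterly export\n")
        backups = Path(tmp) / "backups"
        backups.mkdir()
        archive = backups / "fileserver-2024-05-15.tar.gz"
        manifest = create_backup(source, archive)
        good = verify_restore(archive, manifest)           # expected: []

        # Data changed after the backup ran: the archive no longer matches the live system.
        (source / "finance" / "ledger.csv").write_text("2024-05-01,invoice,1200\n2024-05-16,refund,-300\n")
        (source / "finance" / "payroll.csv").write_text("2024-05-16,salaries,48000\n")
        stale = verify_restore(archive, build_manifest(source))
        return good, stale


if __name__ == "__main__":
    good, stale = demo()
    print("fresh recovery point problems:", good)
    print("stale recovery point problems:", stale)
```

The first comparison proves the archive restores what was captured; the second shows why recovery points have to be re-tested on a schedule, since the archive is still intact but no longer represents the system. Off-site copies should be verified the same way, from the off-site copy itself, so a silently corrupted transfer is caught before it is needed.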
Insights Technology is brought to you by All Covered Pittsburgh