In this day and age, only a small number of businesses can function without a network of computers. Unfortunately, there are inherent risks to computer usage — hackers, viruses, worms, spyware, malware, unethical use of stolen passwords and credentials, unauthorized data removal by employees with USB flash drives, or servers crashing and bringing productivity to a halt. Owners of small to midsize businesses have to be cautious of cyberattackers, and depending on your industry, your business may be an easier target than larger businesses.
With cyberattacks on the rise, Smart Business spoke with Jalal Nazeri, a certified information systems auditor at Sensiba San Filippo LLP, to discuss what business owners can do to protect themselves.
What is the first step toward protection?
The first task in creating a secure network is to draft a security policy, which, if carefully managed, can lower the risk of these threats.
When drafting a policy, consider every perceived threat, no matter how unlikely it may seem. Communicating and monitoring these policies regularly will lay the groundwork for compliance in defense of your network.
There are a number of core ideas to consider in implementing a policy. First, you will need to do a risk assessment to identify risks and determine the best methods to prepare for them. Then you will need to classify data by sensitivity level and develop access restrictions. Consider what the security requirements are of an authorized user and assess the possible risk, both logical and physical. In addition, create a plan to back up each user’s data. Finally, ongoing monitoring and maintenance of your risk assessment and the underlying policies and procedures is a must.
How do you manage employees’ usage of company computers?
An acceptable use policy is a common element to include in your security policy. The acceptable use policy restricts users by giving them guidelines on what they can and cannot do on your company’s network. Adding these restrictions can place an inconvenience on the end user, but it’s imperative to have them in place for the protection of your organization. The end user can be an organization’s weakest point.
Once a user reviews the policy and accepts the restrictions in place, it’s important that he or she sign the policy. Users should be made to re-sign the policy whenever it changes, and at regular intervals even when unchanged. Some companies set a six-month timeline, others vary. The value of the policy depends on the communication and monitoring of compliance. Without enforcement, its value is greatly reduced.
What are other tools businesses can use?
A few other key items a business can use are firewalls, content filters, encryption, virus protection, and accounts and passwords. Business owners need to maintain these tools, not just put them in place and forget about them.
Firewalls act as a barrier to the internal network, blocking unwanted traffic, while content filters restrict material delivered on the network and control what content is available to users on the Internet. Encryption is becoming more vital for transferring and storing data, whether it is for regulatory compliance or customer protection from theft.
Anti-virus software is a must on all your servers and workstations. A scheduled virus scan should never be missed, and always have automatic updates turned on.
Never use generic passwords or account names, and restrict users to using only their own login. Passwords should follow a complexity requirement, like the use of a mix of letters, punctuation, symbols and numbers, and should also have a limited lifetime and a rotation.
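The account and password rules above (no generic account names or passwords, a complexity mix of letters, numbers and symbols, a limited lifetime, and rotation without reuse) can be turned into a check that runs before a password change is accepted. The following is an added example, not code from the interview or from Sensiba San Filippo LLP; the thresholds (12-character minimum, 90-day lifetime, five remembered passwords) and the lists of generic names are assumed values, since the interview gives no numbers.

```python
"""Password-policy checks in the spirit of the interview's advice.

Assumed policy values: the interview does not specify any of them.
"""
from datetime import date, timedelta
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12                          # assumed minimum length
MAX_PASSWORD_AGE = timedelta(days=90)    # assumed "limited lifetime"
HISTORY_DEPTH = 5                        # assumed number of old passwords remembered
# Constructed lists of generic names the interview says to avoid.
GENERIC_ACCOUNT_NAMES = {"admin", "administrator", "guest", "user", "test", "root"}
GENERIC_PASSWORDS = {"password", "welcome1", "changeme", "letmein", "qwerty"}


def is_generic_account(account_name: str) -> bool:
    """A shared or generic login defeats 'restrict users to their own login'."""
    return account_name.strip().lower() in GENERIC_ACCOUNT_NAMES


def complexity_problems(password: str) -> list[str]:
    """Return every complexity rule the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no punctuation or symbols")
    if password.lower() in GENERIC_PASSWORDS:
        problems.append("is a generic password")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the history never stores passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_history_entry(password: str) -> tuple[bytes, bytes]:
    """Build a (salt, digest) pair to append to a user's password history."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def reuses_recent_password(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Rotation only helps if the 'new' password is not one of the last few."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def rotation_due(last_changed: date, today: date) -> bool:
    """True once the password has outlived its allowed lifetime."""
    return today - last_changed > MAX_PASSWORD_AGE


def evaluate_change(account_name: str, new_password: str,
                    history: list[tuple[bytes, bytes]]) -> list[str]:
    """Collect every reason a proposed password change should be rejected."""
    problems = []
    if is_generic_account(account_name):
        problems.append(f"account name '{account_name}' is generic")
    problems.extend(complexity_problems(new_password))
    if reuses_recent_password(new_password, history):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: one prior password in history, changed 100 days ago.
    history = [new_history_entry("Summer2023!Budget")]
    last_changed = date.today() - timedelta(days=100)
    print("rotation due:", rotation_due(last_changed, date.today()))
    for account, candidate in [("admin", "password"),
                               ("jdoe", "Summer2023!Budget"),
                               ("jdoe", "Ledger&Forecast#2024")]:
        print(account, candidate, "->", evaluate_change(account, candidate, history) or "accepted")
```

The history check compares against stored salted hashes rather than the old passwords themselves, so enforcing "no reuse" never requires keeping previous passwords in clear text.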
What is the value of taking these steps?
With small to midsize businesses, budget is always a major consideration in what is plausible in obtaining the most secure environment. With a good policy in place, identification of priority spending can be determined and can reduce the need for excess software and hardware.
Cyberattackers look to gain access to networks that have the least amount of resistance. A good security policy protects data against potential threats. Without one, the company may incur significant remediation costs, lose productivity and even lose clients.
Jalal Nazeri is a certified information systems auditor at Sensiba San Filippo LLP. Reach him at (925) 271-8700 or [email protected]
Insights Accounting is brought to you by Sensiba San Filippo LLP