Thanks to the numerous security breaches in the news, the C-suite of your business should be thinking about regular security audits. Size does matter: the more employees you have and the more data you generate, the more critical regular audits become to the long-term stability of your business. And remember, no one is immune to a data breach.
Wondering where to start? Check physical security first, then work your way in. The simplest way to steal data is to steal the device it is stored on. You would be surprised by the number of businesses that don’t do the easy things: they forget to lock their windows or doors, they forget to set alarms, and if they have cameras, they never check whether the cameras are actually working and recording. These are all easy fixes.
Train your staff to challenge any stranger who walks around your offices unescorted. Back that up with a plan, which might include an email to all employees announcing new additions, with the location of the new employee’s desk, cubicle or office, so that new colleagues don’t get hassled.
Most employees assume, often incorrectly, that someone else will take action. I’ve heard stories of employees noticing strangers walking around, doing nothing, and laptops going missing. This could have been stopped.
Now let’s move to the inside – into COMPUTER NETWORKS:
For those of you who do not know what Active Directory is, according to Wikipedia it is “a directory service that Microsoft developed for Windows domain networks and is included in most Windows Server operating systems as a set of processes and services. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network – assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.”
Active Directory is a powerful tool that a business of any size can run in a client/server environment to control who has access to what, and to keep employees from reaching files, folders and other network objects they have no business need for. Granting each account only the access its job actually requires is referred to as “least privilege.”
Auditing Active Directory takes a team effort between HR and IT. The collaboration exists so that the IT department learns who has been hired, fired, demoted or promoted and can use Active Directory to adjust file access or disable accounts accordingly. One of the biggest problems businesses encounter is when people leave: too often IT is never told of the status change, the accounts remain active, and former employees can still reach files or the business intranet after their departure. Disable the account on the day of departure and delete it only after a retention period, once its mailbox and files have been handed over; a periodic comparison of HR’s roster against the enabled accounts in Active Directory catches the ones that slipped through.
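The roster comparison just described, as an added example (this is not code from the original post or from IBM): it reads HR’s list of current employees, pulls every enabled user account from Active Directory, and reports accounts that are either missing from the roster (likely leavers) or unused for 90 days. It assumes the RSAT ActiveDirectory module is installed, that you run it as an account allowed to read (and, with -Disable, modify) user objects, and that HR exports a CSV with a SamAccountName column; the file path and OU are hypothetical.

```powershell
# Added example, not from the original post: reconcile HR's active-employee
# roster against enabled Active Directory accounts and flag leavers whose
# accounts are still enabled, plus accounts nobody has logged on with lately.
# Assumptions: RSAT ActiveDirectory module; HR CSV has a SamAccountName column
# (column name is an assumption); path and OU below are hypothetical.
param(
    [string]$HrRosterCsv = 'C:\audit\hr_active_employees.csv',
    [string]$SearchBase  = 'OU=Staff,DC=example,DC=com',
    [int]$StaleDays      = 90,
    [switch]$Disable     # default is report-only; pass -Disable to act
)
Import-Module ActiveDirectory

# People who should have an account, keyed by lower-cased logon name.
$roster = @{}
Import-Csv -Path $HrRosterCsv |
    Where-Object { $_.SamAccountName } |
    ForEach-Object { $roster[$_.SamAccountName.ToLower()] = $true }

# Every enabled user account in scope, with the attributes the audit needs.
# LastLogonDate comes from the replicated lastLogonTimestamp, which can lag
# the true last logon by up to 14 days; that is fine for a 90-day threshold.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties LastLogonDate, PasswordLastSet, Description

$cutoff = (Get-Date).AddDays(-$StaleDays)
$findings = foreach ($u in $users) {
    $reason = $null
    if (-not $roster.ContainsKey($u.SamAccountName.ToLower())) {
        $reason = 'Not on HR roster (possible leaver)'
    } elseif ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
        $reason = "No logon in $StaleDays days"
    }
    if ($reason) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Name           = $u.Name
            LastLogonDate  = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Reason         = $reason
        }
    }
}

$findings | Sort-Object Reason, SamAccountName | Format-Table -AutoSize

if ($Disable) {
    # Only accounts absent from HR's roster are disabled automatically; stale
    # but rostered accounts go back to HR and the line manager for a decision.
    $findings | Where-Object Reason -like 'Not on HR roster*' | ForEach-Object {
        Disable-ADAccount -Identity $_.SamAccountName -Confirm:$false
        Set-ADUser -Identity $_.SamAccountName `
                   -Description "Disabled by leaver audit $(Get-Date -Format yyyy-MM-dd)"
    }
}
```

Run it without -Disable first and review the list: service accounts and shared mailboxes will show up as “not on HR roster” unless they live in a separate OU or are added to an exclusion list, and you do not want an automated script disabling the backup service account at 2 a.m.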
Now let’s look at something that requires ongoing attention: PASSWORD POLICIES:
Do you have a policy that forces employees to change their passwords on a regular basis? Depending on your business, your industry, your compliance requirements and the type of data your employees access, you might require a change every thirty, sixty or ninety days. This, too, can be enforced through Active Directory: maximum password age, minimum length, complexity and lockout settings live in the Default Domain Policy, and a fine-grained password policy can apply stricter settings to specific groups such as administrators. Be aware that current guidance (NIST SP 800-63B) no longer recommends forced periodic rotation on its own; it favours longer passwords, screening new passwords against lists of known-breached ones, multi-factor authentication, and an immediate change whenever there is evidence of compromise. Whatever schedule you choose, apply it to vendor and shared accounts as well, and check that nobody has quietly been exempted with the “password never expires” flag.
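A check for the settings and exemptions just mentioned, as an added example (not code from the original post or from IBM): it compares the domain’s default password policy against a target baseline, lists any fine-grained policies that override it, and reports the enabled accounts that bypass expiry altogether. It assumes the RSAT ActiveDirectory module and read access to the domain; the baseline numbers are a hypothetical target for this audit, not a quoted standard, so set them to whatever your compliance requirements say.

```powershell
# Added example, not from the original post: audit the domain password policy
# against a target baseline and list enabled accounts exempt from it.
# Assumptions: RSAT ActiveDirectory module, read access to the domain. The
# baseline values are a hypothetical target, not a quoted standard.
Import-Module ActiveDirectory

$baseline = @{
    MaxPasswordAge       = [timespan]::FromDays(90)
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    LockoutThreshold     = 10     # failed attempts before lockout; 0 = never lock out
}

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    # A MaxPasswordAge of zero (or the TimeSpan maximum) means "never expires".
    $ageOk = ($p.MaxPasswordAge -gt [timespan]::Zero) -and
             ($p.MaxPasswordAge -le $baseline.MaxPasswordAge)
    @(
        [pscustomobject]@{ Setting = 'MaxPasswordAge';       Actual = $p.MaxPasswordAge;       Pass = $ageOk }
        [pscustomobject]@{ Setting = 'MinPasswordLength';    Actual = $p.MinPasswordLength;    Pass = ($p.MinPasswordLength -ge $baseline.MinPasswordLength) }
        [pscustomobject]@{ Setting = 'ComplexityEnabled';    Actual = $p.ComplexityEnabled;    Pass = [bool]$p.ComplexityEnabled }
        [pscustomobject]@{ Setting = 'PasswordHistoryCount'; Actual = $p.PasswordHistoryCount; Pass = ($p.PasswordHistoryCount -ge $baseline.PasswordHistoryCount) }
        [pscustomobject]@{ Setting = 'LockoutThreshold';     Actual = $p.LockoutThreshold;     Pass = ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $baseline.LockoutThreshold) }
        # Reversible encryption stores passwords recoverable in clear text; it should be off.
        [pscustomobject]@{ Setting = 'ReversibleEncryptionEnabled'; Actual = $p.ReversibleEncryptionEnabled; Pass = (-not $p.ReversibleEncryptionEnabled) }
    )
}

function Get-PasswordExemptAccounts {
    # "Password never expires" and "password not required" bypass the policy
    # entirely; vendor and service accounts are the usual culprits.
    Get-ADUser -Filter 'Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true)' `
               -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet, Description |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet, Description
}

'== Default Domain Password Policy =='
Test-DomainPasswordPolicy | Format-Table -AutoSize

'== Fine-grained policies (override the default for the groups they apply to) =='
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize

'== Enabled accounts exempt from password expiry (oldest passwords first) =='
Get-PasswordExemptAccounts | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Every account in the last table is a decision to make, not necessarily a finding to fix: a service account with a long random password and no interactive logon rights may legitimately be exempt, but a vendor’s account whose password was last set years ago is exactly what the section above is warning about.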
Another thing that’s easy to do and often overlooked is changing the default credentials that ship with many (if not all) hardware devices: routers, switches, firewalls, printers, cameras and the management interfaces of servers. In all my years of working in the security industry, you’d be surprised by the number of times I’ve encountered devices that still have their default passwords active. Manufacturers do this for ease of use: they would rather you be able to set up your new device quickly than force you to devise a strong password before you install it. Because default credentials are published in manuals and collected in freely available lists, an attacker who finds the device’s login page needs no skill at all. Change them during deployment, and include every network-connected device in the audit, not just the servers.
Don’t overlook PENETRATION TESTING:
Lastly, something that’s overlooked but should be done is to close every unused port on your firewalls (and on the hosts behind them). Every open port is a service an attacker can talk to, and attackers find them through port scanning: probing each address for open ports, identifying the service behind each one, and then looking for vulnerabilities in those services. Port scanning is the reconnaissance step of a broader exercise called penetration testing, in which attackers (hopefully your own business and its tech experts first) try to penetrate the defenses of your business the way a real adversary would. Of course, there are many more complex ways to develop a pen-testing program, and some businesses specialize in pen-testing, but as a midsized business you can tackle these areas either by yourself or with professional help, so that you’re better prepared for a possible data breach. One basic check you can run yourself is to scan your own public addresses from outside and confirm that only the ports you intend to expose are actually reachable.
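That exposure check, as an added example (not code from the original post or from IBM): it probes a list of your own hosts for commonly attacked TCP ports and reports anything that answers but is not on the allowlist of ports you meant to expose, as well as intended ports that are unexpectedly closed. Only run it against systems you own or are authorised to test, and run it from outside your perimeter to see what an attacker sees. The host names, the allowlist and the probe list are hypothetical.

```powershell
# Added example, not from the original post: compare the TCP ports that
# actually answer on your own hosts against the ports you intend to expose.
# Only scan systems you own or are authorised to test. Host names, allowlist
# and probe list are hypothetical; run from outside the firewall.
$targets = @{
    # host => ports that SHOULD be reachable from where you are scanning
    'www.example.com'  = @(80, 443)
    'mail.example.com' = @(25, 443, 587)
}
# Ports worth probing: common admin, database and file-sharing services that
# should never face the internet, plus whatever is in the allowlist.
$probe = @(21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 587, 993, 995,
           1433, 1521, 3306, 3389, 5900, 5985, 5986, 8080, 8443)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 1000)
    # Raw TcpClient with a timeout is much faster than Test-NetConnection when
    # most probed ports are filtered (dropped silently by the firewall).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Filtered ports never answer: treat a timeout as closed.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws SocketException if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ExposureReport {
    foreach ($target in $targets.Keys) {
        $allowed = $targets[$target]
        foreach ($port in (($probe + $allowed) | Sort-Object -Unique)) {
            $open = Test-TcpPort -ComputerName $target -Port $port
            if ($open -and ($port -notin $allowed)) {
                $status = 'UNEXPECTED: close it or add it to the allowlist'
            } elseif ((-not $open) -and ($port -in $allowed)) {
                $status = 'Expected open but closed'
            } elseif ($open) {
                $status = 'Expected'
            } else {
                $status = 'Closed'
            }
            [pscustomobject]@{ Host = $target; Port = $port; Open = $open; Status = $status }
        }
    }
}

Get-ExposureReport |
    Where-Object { $_.Status -ne 'Closed' } |
    Sort-Object Host, Port |
    Format-Table -AutoSize
```

Treat every “UNEXPECTED” line as a firewall rule to remove or a decision to document; an RDP (3389) or SMB (445) port answering from the internet is the kind of finding that turns into a breach. The probe list is deliberately short so the script finishes in seconds; a full 65,535-port sweep is what a professional scanner such as Nmap is for.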
Image Credit: Ambro via FreeDigitalPhotos.net
This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.