
In information security there is a big difference between having appropriate trust in an employee to view confidential information and that employee actually having a need to view that information. File-level and share-level security offer a cost-effective (built into the operating system) way to control who has access to what information. While each operating system has its own methods for setting file- and share-level security, you can find helpful information for the major ones here:
Learn more about file permissions on Microsoft, Linux, and Apple systems
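File-level security only works if the permissions actually stay restrictive over time, so a periodic audit of the directories that hold confidential data is worth automating. The script below is an added example and is not code from the original page: it walks a directory tree, reports every entry whose POSIX mode bits grant any access to "other" (world) or write access to the group, and can strip those bits. It assumes a POSIX filesystem; the sample tree it builds is constructed for illustration.

```python
"""Audit (and optionally tighten) file permissions under a confidential-data directory.

Added example, not from the original page. Assumes POSIX mode bits; the
directory layout built by make_sample_tree() is constructed sample data.
"""
import os
import stat
import tempfile

# Bits treated as excessive for confidential data: any access for "other"
# (world) and write access for the group. Adjust to your own baseline.
EXCESSIVE_BITS = stat.S_IRWXO | stat.S_IWGRP


def excessive_bits(mode):
    """Return the subset of an entry's mode bits that exceed the baseline."""
    return stat.S_IMODE(mode) & EXCESSIVE_BITS


def audit_tree(root):
    """Walk root and return {path: offending_bits} for every entry that is too open."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to report on it
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink itself are not meaningful
            bad = excessive_bits(st.st_mode)
            if bad:
                findings[path] = bad
    return findings


def remediate(findings):
    """Clear the offending bits in place and return the paths that were changed."""
    changed = []
    for path, bad in findings.items():
        current = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, current & ~bad)
        changed.append(path)
    return changed


def make_sample_tree():
    """Constructed sample: a mix of properly and improperly protected entries."""
    root = tempfile.mkdtemp(prefix="perm-audit-")  # created with mode 0o700
    os.makedirs(os.path.join(root, "payroll"))
    samples = {
        "payroll/salaries.csv": 0o660,  # group-writable: too open
        "payroll/notes.txt": 0o640,     # owner rw, group r: acceptable
        "customers.db": 0o644,          # world-readable: too open
        "readme.txt": 0o600,            # owner only: acceptable
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "payroll"), 0o750)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for path, bits in sorted(audit_tree(root).items()):
        print(f"{oct(bits)} {path}")
    fixed = remediate(audit_tree(root))
    print(f"remediated {len(fixed)} entries; remaining findings: {len(audit_tree(root))}")
```

Run the audit in report-only mode first and review the findings before remediating: a file that is intentionally group-writable (a shared drop folder, for instance) should be excluded from the baseline rather than silently tightened.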
Deliver Training: Your response to a security event, and your employees' responses to a security event, will only be as good as their training. Establishing and publicizing policy within your organization, while an excellent starting point, does not inherently mean that everyone will understand it. The weakest link in any security program is the human component. People must know how to react when the worst (virus, theft, system failure) happens, and it is the responsibility of the business to make sure that they do.
The only thing worse than the news reporting "ABC Company Employee Found Negligent in Data Loss" is the news reporting "ABC Company Found Negligent in Data Loss: Failed to Properly Train Employees".
Virus scanners do a great job of seeking out, locating, isolating and deleting known viruses. At the risk of quoting Rumsfeld, that is not all there is to it; we also have known-unknowns and unknown-unknowns. There are flaws in major operating systems that have not been exploited yet: some people know they exist, and viruses may be developed for them, but we haven't seen those viruses yet (the known-unknowns). There are also security holes that are as yet undiscovered and could be exploited today to steal information from your computer, take control of your operating system, and generally make the world a miserable place; these are the unknown-unknowns. Virus scanners do a good job of finding things we know about, like the famous Code Red virus, but a rather poor job (or rather no job) of protecting against unknown exploits.
A reasonable person would not arm the security system on their home and then leave the property with the doors and windows unlocked. Likewise, you should not view your virus scanner as the only avenue of protection for your systems. View electronic threats in zones of influence and control: think about what avenues of attack are available to your systems and what deterrents and detection methods you can put in place to identify and eliminate threats that may occur.
Physical Threats: In matters of information security, the loss of a physical device containing confidential data is an end-game situation for many organizations. It's difficult to do business without storing any customer data on your laptops, desktops, servers and mobile devices. Encryption is key to ensuring that when a device is lost or stolen the information contained within is protected. This won't help you get your lost device back, but it may prevent you from needing to disclose the loss of data to your customers. Actual "physical" protection includes locking devices such as laptop locks, screen filters to minimize the risk of "over the shoulder" spectators taking a peek at your private data, and strong physical security devices such as locks for offices and deadbolts for entrances. Also keep in mind that your data in printed form needs to be protected as well. Take a walk through your office, look for each item of paper that contains confidential data, and ensure that processes and procedures are in place so that these items remain stored appropriately to deter thieves.
The key word in physical security is deterrent. The fact of the matter is that if someone has enough drive and ambition to take something from your office there isn't much that can be done to stop it, but you can deter it, and for your electronic devices you can encrypt your data so that when a device is physically compromised its data will remain safe.
Electronic Threats: Viruses are but one specific kind of malicious software. In addition to viruses, which spread when triggered by human interaction, there are worms, which spread from system to system on their own, and Trojan horses, which imitate a useful program, leading a user to believe they're safe, but secretly perform some other malicious action such as recording your keystrokes, capturing and uploading your files, or allowing an attacker to take control of your system. Web threats are also a popular means of attack, particularly when web software such as an internet browser contains security flaws that can be exploited by visiting a malicious web page.
Begin by ensuring that your operating system and software are up to date, and ensure processes are in place to keep them that way. Consider using a spam blocker, which will help to eliminate email that may contain a virus and thus prevent a user from executing it. A firewall (a device or software which monitors traffic flowing across your network and takes action based upon a set of "rules") is also useful in identifying some threats that may be as yet undiscovered, such as when the latest application your users downloaded begins to communicate over the network. Speaking of the latter, restrict access to "least privilege" for users of your systems. If you're a sole proprietor, this may entail setting up a separate user account for yourself on your operating system that does not have administrative privileges for your day-to-day use, and only using administrator rights when you need to perform system administration tasks. If your business consists of more than one person, consider standardizing how your systems are configured and restricting access to system files and administrative rights for those whose duties shouldn't include installing (or disabling) software.
Insider Threats: Insider threat isn't just about limiting intentionally malicious conduct; it's also about limiting non-malicious, accidental or inadvertent conduct that may introduce risks to your organization. Humans make mistakes, and wherever and whenever possible you should ensure that your organization reduces the human potential to act maliciously and to make mistakes. Counterintuitively, reducing insider threat does not begin with the insider; it begins with the data. Data within your organization must be classified based upon its ability to harm your organization if it is disclosed, altered, or your organization is denied access to it (lost, deleted). Once your information is classified, you can then classify the roles (not people) that need to interact with the data and what level of control those roles must have over that data in order to perform effectively. Lastly, assign roles to the individuals who will perform those duties, and assign individual user rights to systems and information based upon their roles. The core concept in preventing insider threat is "least privilege", which essentially states that users should have the least amount of privilege needed to create, share, alter or delete files.
For a detailed account of things to consider, Gideon Rasmussen has written an excellent guide on Insider Risk Management, available here.
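The data-first procedure above (classify the data, grant rights to roles, then map individuals to roles) can be expressed as a small access-control model, which makes the least-privilege rule checkable rather than aspirational. The following is an added example and is not code from the original page or from Rasmussen's guide; the classification levels, roles, assets and users in it are constructed for illustration.

```python
"""Least-privilege access model: classify data, grant rights to roles, map people to roles.

Added example, not from the original page or Rasmussen's guide. The
classification levels, roles, assets and users below are constructed samples.
"""
from dataclasses import dataclass

# Ordered classification levels: a higher rank means greater harm if the data
# is disclosed, altered, or lost.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ACTIONS = {"read", "create", "alter", "share", "delete"}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str


@dataclass
class Role:
    name: str
    # For each action the role may perform, the highest classification it may
    # perform it on. Actions absent from the map are denied outright.
    ceilings: dict


class AccessPolicy:
    def __init__(self):
        self.roles = {}
        self.assignments = {}  # user -> set of role names
        self.audit_log = []    # (user, action, asset, decision) tuples

    def define_role(self, role):
        """Reject rights that name an unknown action or classification level."""
        for action, level in role.ceilings.items():
            if action not in ACTIONS or level not in CLASSIFICATION_RANK:
                raise ValueError(f"bad right {action}:{level} in role {role.name}")
        self.roles[role.name] = role

    def assign(self, user, role_name):
        """People get roles, never direct rights; roles must already exist."""
        if role_name not in self.roles:
            raise KeyError(role_name)
        self.assignments.setdefault(user, set()).add(role_name)

    def is_allowed(self, user, action, asset):
        """Allow only if some role held by the user has a ceiling for this action
        at or above the asset's classification. Unknown users and actions with
        no ceiling are denied (deny by default)."""
        needed = CLASSIFICATION_RANK[asset.classification]
        allowed = False
        for role_name in self.assignments.get(user, ()):
            ceiling = self.roles[role_name].ceilings.get(action)
            if ceiling is not None and CLASSIFICATION_RANK[ceiling] >= needed:
                allowed = True
                break
        self.audit_log.append((user, action, asset.name, "allow" if allowed else "deny"))
        return allowed

    def denials(self):
        """Denied requests are the ones worth reviewing: a mistake, a misconfigured
        role, or someone reaching beyond their duties."""
        return [entry for entry in self.audit_log if entry[3] == "deny"]


def build_sample_policy():
    """Constructed sample organisation with two roles and two people."""
    policy = AccessPolicy()
    policy.define_role(Role("sales_rep",
                            {"read": "confidential", "alter": "internal", "share": "public"}))
    policy.define_role(Role("records_admin",
                            {"read": "restricted", "alter": "restricted", "delete": "restricted"}))
    policy.assign("alice", "sales_rep")
    policy.assign("bob", "records_admin")
    return policy


# Constructed sample assets, each tagged with its classification first.
SAMPLE_ASSETS = {
    "customer_list": Asset("customer_list", "confidential"),
    "price_sheet": Asset("price_sheet", "internal"),
    "brochure": Asset("brochure", "public"),
}


if __name__ == "__main__":
    policy = build_sample_policy()
    for user, action, key in [("alice", "read", "customer_list"),
                              ("alice", "share", "customer_list"),
                              ("bob", "delete", "customer_list")]:
        print(user, action, key, policy.is_allowed(user, action, SAMPLE_ASSETS[key]))
    print("denials:", policy.denials())
```

Two design choices carry the page's point: rights attach to roles, so a person's access changes by reassigning a role rather than editing individual permissions, and the decision defaults to deny, so a new asset or a new hire has no access until someone deliberately classifies or assigns it.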
In the Internet age, doing a background check is as easy as typing a name into a search bar on a website like http://www.beenverified.com. I don't consider myself to be paranoid, but I am cautious when it comes to things that mean a lot to me and my family, and the protection of customer data, i.e., my livelihood, is one of those things. When you are approached by a new vendor, contractor or potential hire, a background check is perfectly rational. Know who you do business with, especially if that business entails coming into close contact with any system or removable media device. Doing background checks on new or potential hires is prudent, but make sure that you don't violate the law in your area by using any information you find to discriminate against them.

Each physical item your organization produces that contains confidential information must have an origin point, a management process, and an assured destruction mechanism. It doesn't take an accountant to know that the more opportunities you create for loss, the greater the likelihood that a loss will occur. Where manageable, eliminate the use of paper in your organization in favor of more secure digital communications.