The small business security guide

The small business security guide
How to avoid being a date in a hackers diary

Keeping your business secure largely depends on all business employees exercising good, common sense and being aware of security risks, both digital and otherwise. But there are also a number of effective security technologies and techniques that can help to secure valuable business information and office computers.

Creating and setting strong passwords

It starts with getting each user to set a secure password for when they log onto their systems. Rather than using the word 'password' or the name of a spouse, child or pet, which a criminal could work out without much difficulty, a strong password should be difficult to guess.

Strong passwords should incorporate a combination of numbers and upper and lowercase letters, and even punctuation. Longer passwords are more secure, and some businesses use random password generating programs to create them. This means they are not likely to be linked to the personal lives of the computer user, and will therefore be impossible to guess.

It's also important to use strong passwords for logging into websites that the organisation uses for business, for example Gmail, Salesforce, Dropbox or LinkedIn, because web-based cyber criminals are always active in trying to break into peoples' accounts. Encourage staff to set a different password for each different website account that they use, and remind them to change these frequently.

You can also use passwords to encrypt individual files, such as spreadsheets or text documents. Encryption basically scrambles a document's contents, making it unreadable if you don't have the right password. This facility is incorporated into the 'save' function in Microsoft Office, which will ask you to use a password to encrypt or open a document.

Operating a clean desk policy

Passwords should be changed regularly, particularly login passwords, and, naturally, they shouldn't be written up on post-it notes near the computer. It may be worth operating a 'clean desk' policy, where important or confidential information is removed at the end of the working day, and not left lying around.

It is a good idea to disable or delete unused 'guest' accounts, which are used to allow people to temporarily access a computer, or the company's network. Guest accounts that either don't have any login passwords, or lack strong password protection, can be a security risk. By allowing entry into one account on the system, it makes it easier for a hacker or malicious user to gain entry into more secure accounts. It's not unknown for hackers to use social engineering methods eg "sorry having to use the guest account, can you remind me, what's the password for..?" to gain access in this way.

Security software

From a software perspective, businesses can use multiple levels of security in their systems to limit access to particular machines on the network, shared folders, or even ensure that individuals are limited in the data or servers they can access. These access rights and prohibitions can be set for individual files and folders, but there is also software available that can enforce security across the network. This is useful where the business uses lots of temporary or contract workers.

You can even restrict what can be copied from the system, and stored on pen drives or memory sticks. Again, software is available that can do this, and helps give the business peace of mind that important electronic documents can't be carried out of the building.

E-mail and web security is a huge area of concern, but again, businesses can restrict the sorts of attachments that their employees can receive or open, with e-mail spam being a common way for malicious users to send out viruses or Trojan horse programs.

This is where it is a good idea to have a clear policy for office workers, reminding them not to open e-mail attachments from unfamiliar senders, or to click on links in e-mails whose integrity they do not fully trust. Similarly, the policy can remind employees not to download suspicious files from the Internet, or from websites that they do not have confidence in.

Intrusion detection software

Security software can help to detect and remove computer viruses and other malware, whilst a firewall can block hackers from gaining access to your network. A third software tool, intrusion detection, can spot potential security breaches and raise the alarm. These security tools are available as individual software applications or suites, or as hardware appliances, which are computing devices that attach to the network and carry out their security activities automatically.

If your business uses a wireless network, which is increasingly the case, it is essential to turn on the security settings for the wireless equipment, which will use encryption to secure any data that is being transmitted. It means that visitors to the office, or people passing by outside, will not be able to get onto the network and attempt to access your information.

Physical security

It's also worth thinking about the physical security of your office computers. Like bicycles, these can be asset-labelled for anti-theft and identification purposes. You can also get hold of inexpensive, but highly effective, locking kits that use strong metal cables and Kensington locks, for example, to prevent computers and peripherals from being carried off.

Expensive, or high-value computer equipment, such as mobile computers, hard drives with sensitive information, and so on, could be locked in a safe overnight, as this will lower the businesses risk exposure and hopefully reduce insurance premiums.

The most successful security strategy for any business will use a combination of good software and physical security, coupled with clear policies and guidelines that are put into action by all employees. After all, security is only as good as the weakest link.