Protect your business from computer intrusion
What are the keys to your security policy?
Every small business needs to have a security plan, a policy that spells out what to do if you suspect your network has been compromised and, even more importantly, how to prevent such problems from occurring in the first place.
It's Monday morning, and you have big problems. One of your employees clicked an e-mail attachment, and his computer is now rebooting spontaneously. Looks like there's a virus romping through your computer network. There's a good chance it could destroy data, mess up your hardware, and even mail itself to your entire client list, perhaps attaching information you'd rather not send to everyone. So what do you do?
Do you shut off all the computers immediately, or will that cause more damage? Can a virus e-mail itself out to everyone on your contact list even if everyone quits their e-mail programs? Do you shut down computers the usual way or yank their power cords? Should people save their work first, or will that make things worse? Do you also pull the plug on your network connection or is it better to leave machines connected so that you can get an antivirus update and get rid of this thing?
So many questions, and the time to answer them is before you have the problem--not when all hell breaks loose.
That's why every small business needs to have a security plan, a policy that spells out what to do if you suspect your network has been compromised and, even more importantly, how to prevent such problems from occurring in the first place.
Small companies typically don't have a full-time IT staff or expensive software solutions that protect the enterprise networks of larger businesses. A security policy provides step-by-step instructions on what to do if you suspect your computer or network has been compromised, how and when to take the network offline, when to back up data, and where to store the copies. It also explains what to do about restoring systems after the virus is purged from your network.
"A security policy should help prevent damage-causing panic by clearly explaining what to do in case of emergencies," said Ejovi Nuwere, chief technical officer at SecurityLab Technologies, based in New York. "Think of it as a sort of fire drill for your network. The time to locate the nearest exit is not when the smoke starts creeping under the door."
With the exception of worms, which are self-replicating computer programs similar to computer viruses, most other technological threats require help from unwitting human accomplices on the receiving end in order to do their damage. A security policy explains how employees and other users can prevent security breaches and scams such as phishing and spyware.
Albert Lantini, who owns an air conditioning installation and repair business in Chicago, created a security policy for his company a few years ago after his computer-savvy son convinced him to do it. "We normally have a staff of seven, but we hire a dozen or so temporary workers in the busy season," he said. "Handing the policy to every new hire and discussing our rules helps keep people from making mistakes like opening attachments when they are reading e-mail."
Lantini said that having such rules in place has helped his company stay virus-free and saved him money by avoiding costly work stoppages and computer repairs. "Almost every small business I know of has been hit with viruses, and usually more than once, so we're doing something right," he added. "We've never had a chance to try out our emergency virus attack instructions, and that's fine with me."
You can write one yourself or hire an expert to do it for you. A good security consultant will ensure that your policy covers all the bases, educate you about computer security, and develop guidelines based on your needs. Expect to pay $500 to $1,000.
If you decide to write your own policy, start by familiarizing yourself with technology threats. Microsoft offers a good security primer for small businesses. The SANS Institute also has a Web page dedicated to security policy issues, as well as sample security policies that can be used as a basis for developing a custom policy for your business.
Next, make a list of everything you think needs to be in your policy. Here are five must-have items:
- Rules for safe e-mail and Web browsing
- Rules against installing software downloaded from unknown Internet sites
- Password guidelines
- Data backup procedures
- Phone numbers for your antivirus vendor and/or computer security expert
Don't just parrot the standard rules found online in sample policies. It makes no sense, for example, to have a rule that says, "We never open attachments" if employees have to open attachments to get their jobs done.
Security consultant Mike Sweeney of PacketAttack advocates common sense guidelines, such as telling employees that e-mail with a generic message such as "See attached" should be treated with caution, whereas those referring to a recent conversation (assuming it actually took place) are likely safe.
A security policy should be succinct and easy to understand. Avoid highly technical language or convoluted business-speak; if people don't understand the rules, they won't follow them.
Every new employee and partner firm that accesses your network should read and sign a copy of your security policy. Keep a copy on file as proof that you have a data security plan in place.
In case your network goes down, make sure the policy is printed out and posted, as well as stored online.
Daily coverage of important security threats, and how to safeguard against them.
Read more- Popular topics
- Apple iPhone
- Apple iPod
- Cell phones
- Dell
- GPS
- LCD TV
- CNET sites
- CNET Site map
- CNET TV
- Downloads
- News
- Reviews
- Shopper.com
- More information
- Newsletters
- CNET Mobile
- Customer Help Center
- RSS
- CNET Widgets
- About CNET
-
TOP PRODUCTS FROM TOP BRANDS
