Securing your business means having a plan


Securing your midsize business today means managing two sometimes-conflicting priorities: vigorous protection of your corporate network and data, yet reasonably easy access for authorized employees and others. It also means spending the right amount on security, so that you have adequate safeguards but avoid jeopardizing funds earmarked for more strategic technology investments.

In Summary:

Determine which of your data is most critical, and focus on its protection.

Keep critical data on separate servers.

Grant access to appropriate data solely based on job responsibility, and ensure that access is changed when employees either leave or are promoted.

To begin, your business needs a framework around which to discuss and implement security technologies and policies. By developing a comprehensive information security plan, you will have a logical and strategic approach to managing security in your business.

We won’t make an attempt here to cover everything your security plan should include, but here are some basic steps to help.

1. Start by assessing your hardware and software assets

If you were forced to protect only one device in your company, would you choose the accounting server, the e-mail server, or the e-commerce server? It all depends on what is most important to your company. If your company does most of its business over the Internet, the e-commerce server is probably the critical machine to safeguard.

When creating your security plan, pay attention to securing the IT assets that impact your business the most, and work your way down the prioritization list from there. But don’t just think about devices, warns Tim Keanini, CTO of San Francisco-based security vendor nCircle. He recommends thinking about business processes as well — that is, the flow of information, as opposed to just the location of information.

This means you have to get your trading partners involved in the security discussion. For instance, if your shipments rely on getting inventory updates from your suppliers, you need to think about two things: the reliability of the network connection, and how your suppliers are addressing information security themselves.

Need additional help in assessing your company’s IT security risks? Check out the Microsoft Security Assessment Tool, designed for businesses with fewer than 1,000 employees. See also this 12-question security checklist.

2. Develop enforceable policies

To keep security costs down, focus on the probable more than the possible. It is a lot more probable that an employee will keep a password on a piece of note paper than a malcontent is going to launch an attack on your networks. (That is one advantage of being a midsize company — you’re probably less likely to be a target than a larger company with a household name.)

Therefore, you need rational policies, and a management team willing to spend the time explaining clearly to employees the reasons for those policies. A few guidelines for developing a policy include:

Ensure that your employees keep their Windows and Office systems and business applications up to date, with the latest downloads, security bulletins, and tools from Microsoft. See this article for a checklist of security tips for employees, as well as the Microsoft Security page for software updates.

Require strong passwords (those that contain numbers, letters, and special characters), but don’t require that employees change them every two weeks: 45 to 90 days is a standard range.

Make sure your policies employ the concept of role-based security by allowing access based on job responsibilities.

Be clear in your policy document about the ramifications of noncompliance, and follow through if and when that happens.

Review policies on a regular basis, and inform employees of changes.

When employees change jobs, review and change their access privileges accordingly.

When employees leave the company, erase their passwords from the system.

Know that employees can be your biggest security risks, and often because of lack of proper training rather than malfeasance. (For more on this topic, see this article.)

Include a mobile security policy, for employees traveling or working off-site. See more on this in Step No. 5 below.

Finally, make sure the policy lays out a plan of action if a security problem arises, and designate responsibility for certain decisions, advises Mark Mattis, a principal at Bellevue, Wash.-based Ascentium, a Microsoft Gold Certified Partner.
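Several of the policy points above (password rotation in the 45-to-90-day range, role-based access that changes with the job, and revoking access when someone leaves) can be enforced directly in Active Directory rather than left to memory. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory module is available on a domain controller or management workstation, and the group names, account name and 12-character minimum length are hypothetical placeholders.

```powershell
# Added example (not from the article): enforcing Step 2 policy points with the
# ActiveDirectory module. Group names, "jdoe" and the 12-character minimum are
# hypothetical placeholders chosen for illustration.
Import-Module ActiveDirectory

# 1. Password policy: complexity required, maximum age inside the 45-90 day range
#    the article recommends. Only rewrite the policy if it is out of range.
$policy = Get-ADDefaultDomainPasswordPolicy
$ageDays = $policy.MaxPasswordAge.Days
if (-not $policy.ComplexityEnabled -or $ageDays -lt 45 -or $ageDays -gt 90) {
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
        -ComplexityEnabled $true `
        -MinPasswordLength 12 `
        -MaxPasswordAge (New-TimeSpan -Days 60)
}

# 2. Role-based access: a job change removes the old role's group before the new
#    one is granted, so privileges do not accumulate across promotions.
function Move-EmployeeRole {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$OldRoleGroup,
        [Parameter(Mandatory)][string]$NewRoleGroup
    )
    Remove-ADGroupMember -Identity $OldRoleGroup -Members $SamAccountName -Confirm:$false
    Add-ADGroupMember    -Identity $NewRoleGroup -Members $SamAccountName
}

# 3. Departure: disable the account, replace the password with a random one the
#    leaver never knew, and strip every group except Domain Users, so neither the
#    old password nor the old role memberships can be reused.
function Disable-Leaver {
    param([Parameter(Mandatory)][string]$SamAccountName)

    Disable-ADAccount -Identity $SamAccountName

    $chars = [char[]](33..126)                       # printable ASCII
    $newPw = -join (1..24 | ForEach-Object { Get-Random -InputObject $chars })
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (ConvertTo-SecureString $newPw -AsPlainText -Force)

    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $_.Name -ne 'Domain Users' } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $SamAccountName -Confirm:$false }

    Set-ADUser -Identity $SamAccountName `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): left the company"
}

# Example usage (hypothetical names):
# Move-EmployeeRole -SamAccountName jdoe -OldRoleGroup 'Sales-Staff' -NewRoleGroup 'Sales-Managers'
# Disable-Leaver    -SamAccountName jdoe
```

Disabling the account rather than deleting it keeps the object's SID and audit history available for any later investigation, while the password reset and group removal make sure the account is useless even if it were re-enabled by mistake.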

3. Invest in multiple servers to help protect data

Once you have determined your priorities and policies, then think about protection. One way to protect important information is simply to segment this data on separate servers, with each server separated by an internal firewall. In addition, be sure to segment your public Web server from your internal network.

If you began as a small business, you probably didn’t think about the ramifications of giving employees access to multiple servers, but now that you are larger, it’s time to do so. "There's no reason your salespeople and support staff need access to the accounting servers," explains Jeff Jones, director of Microsoft's security and technology unit.
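The segmentation described in this step can be backed up on the server itself, so that even if the network firewall is misconfigured the accounting server only answers the hosts that need it. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes a Windows Server with the NetSecurity module (Windows Server 2012 or later), and the finance subnet 10.20.30.0/24 and the ports listed are constructed placeholders for the accounting application's real requirements.

```powershell
# Added example (not from the article): host-based segmentation of an accounting
# server with Windows Firewall. The subnet 10.20.30.0/24 and the SMB/SQL ports
# are constructed placeholders; substitute the finance VLAN and the ports the
# accounting application actually uses.
$financeSubnet = '10.20.30.0/24'
$appPorts      = @('445', '1433')     # SMB file shares and SQL Server, as an example

# Default-deny inbound on the domain profile. Windows Firewall lets block rules
# win over allow rules, so the restriction must come from the profile default,
# not from a broad block rule that would also swallow the finance allow rule.
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultInboundAction Block

# Allow the accounting application only from the finance subnet.
New-NetFirewallRule -DisplayName 'Accounting app - finance subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort $appPorts `
    -RemoteAddress $financeSubnet -Action Allow -Profile Domain

# Keep remote administration reachable, but again only from where admins sit
# (hypothetical management subnet).
New-NetFirewallRule -DisplayName 'RDP - management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress '10.20.99.0/24' -Action Allow -Profile Domain

# Verification: list every enabled inbound allow rule on the domain profile and the
# addresses it accepts, so an "Any" scope on a sensitive port stands out in review.
function Get-OpenInboundRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -Profile Domain |
        ForEach-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
            $addrs = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            [pscustomobject]@{ Rule = $_.DisplayName; LocalPort = $ports; RemoteAddress = $addrs }
        }
}

Get-OpenInboundRules | Where-Object { $_.RemoteAddress -eq 'Any' } | Format-Table -AutoSize
```

Salespeople and support staff on other subnets then get no response from the accounting ports at all, which matches the access model in the quotation above, and the review function gives the administrator a quick way to confirm that no rule quietly widened the scope back to "Any".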

4. Choose the appropriate systems for securing different devices

While Microsoft has increased the level of safeguards built into its products, it has also developed a line of business security products to protect all of your network and systems. Microsoft Forefront is a family of products that protects client machines, server applications, and the network edge, and can be centrally managed and scaled to reach thousands of users. (Download this datasheet for detailed information about Microsoft Forefront.)

At a time when there are more and more choices and niche products within the security technology market, experts say that an integrated security system such as Microsoft Forefront is often the easiest to manage.

When selecting your security technology suite, consider that certain devices require certain tools:

Desktops and laptops require antivirus, spyware, and firewall protection (see Microsoft Forefront Client Security).

E-mail servers require antivirus protection, such as Microsoft Antigen, within the Forefront family.

Servers and networks require firewalls and intrusion detection systems (Microsoft's ISA Server, also within Forefront, incorporates these capabilities).

5. Develop a mobile security strategy

With more and more employees telecommuting and working from the road, it becomes increasingly important to have a mobile security strategy that guards against simple human error as well as viruses, vandals, and malicious hackers. Gary Chen, an analyst who focuses on midsize business issues at Boston-based Yankee Group, recommends using virtual private network (VPN) technology for remote access, because it provides both encryption of the traffic and secure authentication of the user.

Make it a point to invest in mobile devices that have what is known as a "kill" capability, Chen recommends. If the devices are lost, the server they are designed to connect to can send a signal that renders the mobile operating system useless. That way, data can’t be taken off the device, and the device cannot access the host.

For more on developing a mobile security policy, see this article; for more on mobile-device security, see these articles from the Microsoft.com Windows Mobile site.

These are some basics to get you started. See our Security section for more resources. Then make sure your business has a plan.

Howard Baldwin is a Sunnyvale, Calif.-based contributing writer to the Microsoft Midsize Business Center Web site. His work has appeared in CIO, Optimize, and InfoWorld.