Computer security

computer security

1. Start by assessing your hardware and software assets

If you were forced to protect only one device in your company, would you choose the accounting server, e-mail server, or the e-commerce server? It all depends on what is most important to your company. If your business mostly does business over the Internet, the latter is probably the critical machine to safeguard.

When creating your security plan, pay attention to securing the IT assets that impact your business the most, and work your way down the prioritization list from there. But don’t just think about devices, warns Tim Keanini, CTO of San Francisco-based security vendor nCircle. He recommends thinking about business processes as well — that is, the flow of information, as opposed to just the location of information.

This means you have to get your trading partners involved in the security discussion. For instance, if your shipments rely on getting inventory updates from your suppliers, you need to think about two things: the reliability of the network connection, and how your suppliers are addressing information security themselves.

Need additional help in assessing your company’s IT security risks? Check out the Microsoft Security Assessment Tool, designed for businesses with fewer than 1,000 employees.
Top of pageTop of page
2. Develop enforceable policies

To keep security costs down, focus on the probable more than the possible. It is a lot more probable that an employee will keep a password on a piece of note paper than a malcontent is going to launch an attack on your networks. (That is one advantage of being a midsize company — you’re probably less likely to be a target than a larger company with a household name.)

Therefore, you need rational policies, and a management team willing to spend the time explaining clearly to employees the reasons for those policies. A few guidelines for developing a policy include:
•

Ensure that your employees keep their Windows and Office systems and business applications up to date, with the latest downloads, security bulletins, and tools from Microsoft. See this article for a checklist of security tips for employees, as well as the Microsoft Security page for software updates.

•

Require strong passwords (those that contain numbers, letters, and characters), but don’t require that employees change them every two weeks: 45 to 90 days is a standard range.
•

Make sure your policies employ the concept of role-based security by allowing access based on job responsibilities.
•

Be clear in your policy document about the ramifications of noncompliance, and follow through if and when that happens.
•

Review policies on a regular basis, and inform employees of changes.
•

When employees change jobs, review and change their access privileges accordingly.
•

When employees leave the company, erase their passwords from the system.
•

Know that employees can be your biggest security risks, and often because of lack of proper training rather than malfeasance. (For more on this topic, see this article.)
•

Include a mobile security policy, for employees traveling or working off-site. See more on this in Step No. 5 below.

Finally, make sure the policy lays out a plan of action if a security problem arises, and designate responsibility for certain decisions, advises Mark Mattis, a principal at Bellevue, Wash.-based Ascentium, a Microsoft Gold Certified Partner.
Top of pageTop of page
3. Invest in multiple servers to help protect data

Once you have determined your priorities and policies, then think about protection. One way to protect important information is simply to segment this data on separate servers, with each server separated by an internal firewall. In addition, be sure to segment your public Web server from your internal network.

If you began as a small business, you probably didn’t think about the ramifications of giving employees access to multiple servers but now that you are larger, it’s time to do so. "There's no reason your salespeople and support staff need access to the accounting servers," explains Jeff Jones, director of Microsoft's security and technology unit.
Top of pageTop of page
4. Choose the appropriate systems for securing different devices

While Microsoft has increased the level of safeguards built into its products, it has also developed a line of business security products to protect all of your network and systems. Microsoft Forefront is a family of products that protects client machines, server applications, and the network edge, and can be centrally managed and scaled to reach thousands of users. (Download this datasheet for detailed information about Microsoft Forefront.)

At a time when there are more and more choices and niche products within the security technology market, experts say that an integrated security system such as Microsoft Forefront is often the easiest to manage.

When selecting your security technology suite, consider that certain devices require certain tools:
•

Desktops and laptops require antivirus, spyware, and firewall protection (see Microsoft Forefront Client Security).
•

E-mail servers require antivirus protection, such as Microsoft Antigen, within the Forefront family.
•

Servers and networks require firewalls and intrusion detection systems (Microsoft's ISA Server, also within Forefront, incorporates these capabilities).
Top of pageTop of page
5. Develop a mobile security strategy

With more and more employees telecommuting and working from the road, it becomes increasingly important to have a mobile security policy strategy that guards against simple human error as well as viruses, vandals, and malicious hackers. Gary Chen, an analyst who focuses on midsize business issues at Boston-based Yankee Group, recommends using virtual private network (VPN) technology for remote access, as it includes encrypted and secure authentication.

Make it a point to invest in mobile devices that have what is known as a "kill" capability, Chen recommends. If the devices are lost, the server they are designed to connect to can send a signal that renders the mobile operating system useless. That way, data can’t be taken off the device, and the device cannot access the host.

For more on mobile-device security, see these articles from the Microsoft.com Windows Mobile site.

These are some basics to get you started. See our Security section for more resources. Then make sure your business has a plan.