business builder data security
Offline security steps
have big impact
for minimal cost
by Robert Newman
While small and medium-sized businesses spend considerable time and energy securing their computer systems, several offline security measures are just as essential to ensure customer, inventory and employee data safety.
As computer manufacturers make set-up processes easier, both office personnel and visitors can be problematic. Lock-down keys on laptop docking stations, for example, are now essential. Spyware antidotes are needed to prevent your computers from being used as “zombies” to generate spam without the user’s knowledge.
All computer systems need to be wiped down as employees come and go. And business owners need to realize that whoever has the keys to your office also has access to your databases.
An ill-intentioned hacker, for example, can sit down and use a Universal Serial Bus (USB) connector to plug into a computer and create more damage in just a few minutes than a thief who gets in through the Internet. Other risks can come from the inside, from someone who might have access but uses it maliciously. Damage could be caused by other mishaps, such as inadvertently spilling coffee on equipment, or fire or flood.
Protecting your data from threats both online and offline is critical because losing your data can be catastrophic. In fact, one-third of small and mid-sized businesses that lose data find themselves out of business within one year. And over two-thirds who experience a sizable data loss go out of business within two years. So caution is the byword of the day. Fortunately, most threats can be avoided with some smart physical security measures.
There are a number of things you can do inside and around your office as an extension of your IT security. Some of these security measures are more obvious than others: setting up back-ups in a fireproof box, frequently changing passwords, using data mirror sites, and recording inventory and computer serial numbers in a safe location.
There are also further steps you might not have considered.
•Identify what needs protecting and from whom. Measures should be taken to physically protect anything that has data on it. Take time to mark computers and components with identifying information, including your company name and location.
A portable electric engraver sells for about $25 and is available at most hardware stores. As you do this, you should also create an inventory of the serial numbers of the computers and components so they can be identified and recovered if stolen.
• Consider the risk vs. reward ratio. Security is similar to personal health and disability insurance. You don’t buy the policy to make money; you buy it so you can continue to make money if injured. Similarly, protecting data is unlikely to add to your company’s bottom line, but it will give you peace of mind if you experience a data loss.
• Place IT systems in the safest location. I am surprised by how often I find file servers residing in reception areas, coat closets, even hallways or other publicly accessible spaces. In one case someone walked in and quickly stole a $1,500 server.
Another danger is data theft. Data can be copied from an unprotected PC very quickly by plugging in a portable disk drive (such as a Thumb drive or Pen drive) to the USB port and copying data from the hard drive. Then the thief just pockets the drive and walks away.
• Who has the keys? Keep track of who has keys — employees, cleaning service, building maintenance — and what keys they have. Do they all need the keys in order to do their job? Keys to the storage closet and building may be reasonable for some, but do they really need access to the server room or the mailroom? Most importantly, make sure to get keys back from employees and maintenance crews who are no longer going to be on the job.
• Remember to lock your personal computers. Every computer user should get in the habit of locking their computer when away from it, even if it's just for a few minutes. In Windows NT, Windows 2000, and Windows XP, all you need to do is Ctrl+Alt+Delete, then "k" (the shortcut for the Lock button).
Of course, all the IT security measures to protect data are irrelevant if a thief's goal is to steal a whole machine or open it up and steal sensitive parts such as the hard drive or other storage media. That kind of thief doesn't even care about the potential value of the data in the machine. For that reason, you should always lock the CPU case.
Most desktop and tower cases have locking lugs that you can use to keep an intruder from opening the case. And if you have a laptop computer, you need to use a cable-type security lock. There may be additional anti-theft techniques built into your computer, so consult the documentation that came with your computer to find out more.
• Be aware of data harvesting. People do this by breaking into offices and stealing computers, hard drives and any other storage media. Many companies routinely dispose of or donate their computers when they upgrade their hardware. It takes little technical skill to view the files on a hard drive.
With a little more skill, passwords and other sensitive data can be extracted. Institute a policy of securely wiping all data from hard drives before they leave the building and storing all sensitive (or even better, all) data on one or more central servers.
Most of these measures cost nothing, but they will give you peace of mind knowing you have taken positive steps toward increasing the physical security of your business data.
[contact] Robert Newman is president of CMIT Solutions in Maple Grove, which works with small and medium-sized businesses in managing their computer, networking and technology needs: 763.416.7744; rnewman@cmitsolutions.com; www.cmitsolutions.com
