11 Practices to Tighten Up Basic Information Security

It’s amazing to see what the average employee does during their daily work routine that unintentionally lets anyone see information nobody should have access to. Many companies try their best to protect their information from unauthorized access or disclosure, but still fail to do so.

Keeping your company’s information safe is critical to your business. The disclosure of confidential or proprietary information to the wrong people can have bad consequences: breach of privacy, regulatory non-compliance, and revenue loss.

You can keep your data and system secure by carefully looking at what you have, who uses it and how they share it. Once you know that, you can put simple measures in place to “stop the leaks” and employee training to minimize the chances of leaks happening again.

Not sure where to start to make your important information more secure? Take these basic steps to know who really has access to your system, documents and files:

The Practices (Learn more about each below):

  1. Know your users – get a list of system accounts.
  2. Find out what they can see – review all system accounts to see what they can access.
  3. Give them only what they need – restrict access to the applications & folders they need.
  4. Know what you have – take an inventory of everything to see what’s new (you’d be surprised) and turn off what’s not used anymore.
  5. Use Strong Passwords – don’t make life easy for hackers or nosy people.
  6. Back up your data – enough said – do you really want to type that document again?
  7. Have an E-mail use policy / Virus Scanning Software – let your employees know what they can and cannot do with your E-mail system.
  8. Have an Internet use policy / Firewall/Router/Content Filter – to keep away the viruses, spam, spyware and unwanted people that get onto your network when employees visit unauthorized sites.
  9. Keep a clean desktop & PCs secured – have a PC Use policy, password-protected screensavers, etc.
  10. Keep your systems and software up to date – with the latest software patches.
  11. Use encryption for all types of communication – for E-mail, individual files and phone and facsimile lines.

Call SOHO Solutions today to find out how to implement these steps to make your corporate information systems and data more secure by calling Tom Witt at (718) 261-1353 or E-mail tomw@sohosolutionsinc.com. Visit our website at www.sohosolutionsinc.com.

Learn More:

1. Know Your Users

Knowing who has login rights to your system and what they can access is important to minimize the risks associated with unauthorized access. A periodic user account review can help tighten up your systems and information security:

  1. Get a list of your current employees (check with HR or start with your company’s directory)
  2. Get a list of all user names/accounts that have access to your network
  3. Compare the lists to see if there are network accounts that are old, or shouldn’t be active anymore:
    1. Circle the user names/accounts that are no longer used
    2. Note any employees that are missing or no longer with the company
    3. Circle any account that looks unfamiliar or you don’t know who uses it
    4. Work with your IT staff to disable or delete old or unused accounts
    5. Delete any temporary or “Guest” accounts
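The comparison in steps 1–3 above can be scripted once the HR roster and the account export are in hand. The following is an added example, not code from the original post or from SOHO Solutions: the employee names, account names, login ages and the “temp/guest” naming convention are constructed sample data, and a real run would read the roster from HR and the account list from your directory or server.

```python
"""Account reconciliation: compare the HR roster with a system account export.

Added example (not from the original post). Employee names, account
names and login ages below are constructed sample data; in practice the
roster comes from HR and the account list from your directory or server.
"""
from dataclasses import dataclass, field

# Constructed sample HR roster: user names of people currently employed.
HR_ROSTER = {"jsmith", "mlee", "rpatel", "agarcia", "dkim"}

# Constructed sample account export:
# (user name, enabled, days since last login, description).
SYSTEM_ACCOUNTS = [
    ("jsmith", True, 2, "Jane Smith - Accounting"),
    ("mlee", True, 1, "Mike Lee - Sales"),
    ("rpatel", True, 45, "Raj Patel - IT"),
    ("agarcia", True, 3, "Ana Garcia - HR"),
    ("bwong", True, 210, "Bob Wong - Sales"),        # left the company, never disabled
    ("temp_intern", True, 95, "Summer intern"),       # temporary account
    ("Guest", True, 400, "Built-in guest account"),
    ("svc_backup", True, 0, "Backup service"),        # no employee behind it: who owns this?
]

# Name fragments that mark temporary or guest accounts (assumed naming convention).
TEMP_MARKERS = ("guest", "temp", "intern", "contractor", "vendor")


@dataclass
class ReviewResult:
    orphaned: list = field(default_factory=list)       # no matching employee: disable or find the owner
    temp_or_guest: list = field(default_factory=list)  # temporary / guest accounts: delete
    stale: list = field(default_factory=list)          # enabled but unused for longer than stale_days
    missing: list = field(default_factory=list)        # employees on the roster with no account


def review_accounts(roster, accounts, stale_days=90):
    """Sort accounts into the review buckets; one account may land in several."""
    result = ReviewResult()
    seen = set()
    for name, enabled, days_since_login, _description in accounts:
        seen.add(name)
        lowered = name.lower()
        if any(marker in lowered for marker in TEMP_MARKERS):
            result.temp_or_guest.append(name)
        elif name not in roster:
            result.orphaned.append(name)
        if enabled and days_since_login > stale_days:
            result.stale.append(name)
    result.missing = sorted(set(roster) - seen)
    for bucket in (result.orphaned, result.temp_or_guest, result.stale):
        bucket.sort()
    return result


def accounts_to_disable(result):
    """Everything the review says should be turned off, in one de-duplicated list."""
    return sorted(set(result.orphaned) | set(result.temp_or_guest) | set(result.stale))


if __name__ == "__main__":
    r = review_accounts(HR_ROSTER, SYSTEM_ACCOUNTS)
    print("Orphaned (no employee):   ", r.orphaned)
    print("Temporary / guest:        ", r.temp_or_guest)
    print("Stale (no recent login):  ", r.stale)
    print("Employees with no account:", r.missing)
    print("Disable next:             ", accounts_to_disable(r))
```

The “missing” bucket is worth keeping even though the post focuses on accounts to remove: an employee with no account of their own is often sharing someone else’s, which is the next thing to fix.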

2. Find Out What They Can See

Over time, more employees are added to the system, and employees change positions within the company and need access to different information. Vendors and contractors are given temporary access. Some employees keep access to data from their old position while also being given access to data for the new position. Sometimes these access rights are forgotten and never turned off. Do the following to make sure that each employee / network account has access only to what they need:

  1. For each account:
    1. Check what file directories, applications and type of data each account has access to
    2. See what directories / data / programs they actually need for their responsibilities

3. Give Them Only What They Need

  1. Remove access to any directory, applications or data they don’t need
  2. Add access for data or directories that they need

The end result should be a list of users with limited rights restricted to the systems and data that they need to do their work. It also follows up on former employee accounts and other accounts that are no longer used or used on a temporary basis. Contact SOHO Solutions for assistance if you need help.
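Sections 2 and 3 together describe an access review: list what each account has, list what its job needs, and produce a remove list and an add list. The following is an added example, not code from the original post or from SOHO Solutions. The roles, resource names (“share:” for a network folder, “app:” for an application) and the current-access table are constructed; in practice the current access comes from folder permissions and application user lists.

```python
"""Access review: compare what each account can reach with what its role needs.

Added example (not from the original post). Roles, resources and the
current access table are constructed sample data; in practice current
access comes from share permissions and application user lists.
"""

# Constructed: resources each role needs to do its work.
ROLE_NEEDS = {
    "accounting": {"share:Finance", "share:Shared", "app:QuickBooks"},
    "sales": {"share:Sales", "share:Shared", "app:CRM"},
    "hr": {"share:HR", "share:Shared", "app:Payroll"},
}

# Constructed: roles each account currently holds. An account may hold two
# roles during a hand-over; drop the old role when the hand-over ends.
ACCOUNT_ROLES = {
    "jsmith": ["accounting"],
    "mlee": ["sales"],
    "agarcia": ["hr"],
    "rpatel": ["sales", "accounting"],   # moving from sales to accounting
}

# Constructed: what each account can actually reach today.
CURRENT_ACCESS = {
    "jsmith": {"share:Finance", "share:Shared", "app:QuickBooks", "share:HR"},  # HR share left over from an old job
    "mlee": {"share:Sales", "app:CRM"},                                          # never given the Shared folder
    "agarcia": {"share:HR", "share:Shared", "app:Payroll", "share:Finance", "app:QuickBooks"},
    "rpatel": {"share:Sales", "share:Shared", "app:CRM", "share:Finance", "app:QuickBooks"},
    "bwong": {"share:Sales", "app:CRM"},                                         # no role on file at all
}


def needed_for(roles, role_needs):
    """Union of everything the account's roles require."""
    needed = set()
    for role in roles:
        needed |= role_needs[role]
    return needed


def review_access(account_roles, role_needs, current_access):
    """Per account: what to remove (has but does not need) and add (needs but lacks).

    Accounts that hold access but have no role on file go under "no_role":
    nothing justifies their access, so they belong in the user review (section 1).
    """
    report = {"accounts": {}, "no_role": []}
    for account in sorted(set(account_roles) | set(current_access)):
        roles = account_roles.get(account, [])
        has = current_access.get(account, set())
        if not roles:
            report["no_role"].append(account)
            continue
        needed = needed_for(roles, role_needs)
        report["accounts"][account] = {
            "remove": sorted(has - needed),
            "add": sorted(needed - has),
        }
    return report


if __name__ == "__main__":
    rep = review_access(ACCOUNT_ROLES, ROLE_NEEDS, CURRENT_ACCESS)
    for account, changes in rep["accounts"].items():
        print(f"{account:10} remove={changes['remove']} add={changes['add']}")
    print("Access with no role on file:", rep["no_role"])
```

Expressing needs per role rather than per person is what makes the review repeatable: when someone changes jobs you change one line in the role table, rerun it, and the leftover access from the old position shows up in the remove list by itself.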

4. Know What You Have

Take a quick inventory of what you have – servers, desktops, notebooks, BlackBerrys etc. You’d be surprised how much more you have than you thought. Taking inventory can give you a pretty good idea of what you are really using and what you don’t need. Over time, your system may build up a collection of unused programs, old documents and software maintenance contracts for items you don’t use anymore. All of these unused items take up space, time and money.

  1. Take an inventory of your PCs, notebooks and peripherals such as printers, scanners, tape drives etc.
  2. Make a note of items no longer used
  3. Have your IT staff provide the following:
    1. a listing of the software and services installed on your server
    2. a directory listing of all the folders set up on the server
    3. all hardware and software maintenance agreements and their coverage dates & vendor
    4. a listing of all data communication lines used for Internet access and the network
  4. Make a list of the software applications loaded on each PC; make a note of software or hardware not authorized by the company
  5. Go through your lists and mark items that are
    1. Used frequently and critical to the department / company
    2. Rarely used
    3. Not used at all
  6. Turn off what you don’t use and carefully review the applications/services you do use to see if the right people have access to them.

You may discover items that you never realized you had or shouldn’t have. Conducting an inventory will help you “Trim the Fat” and give you an opportunity to check on how your equipment is used, who uses it, and what can be accessed from it.

5. Use Strong Passwords

The best defense in protecting your corporate data is to train your employees how to keep it safe. What should they be trained in? The basics:

  1. Use strong passwords – no names, birthdates or pet names. Mix symbols in with letters and numbers.
  2. Don’t share passwords with anyone, and don’t store them where anyone can see them or easily figure out where they are (e.g. the top desk drawer, Post-it notes on the desk, etc.)
  3. Passwords must have an expiration date. Passwords should be reset frequently if they give you access to highly sensitive or critical information (e.g. 30 days). They can be set to expire less frequently for non-sensitive, public or non-critical information.
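The three rules above can be turned into a check that runs when a password is set. The following is an added example, not code from the original post or from SOHO Solutions: the forbidden-word list, the sample birthdate, the 12-character minimum and the 90-day limit for non-sensitive accounts are assumptions of the example; the 30-day limit for sensitive access is the post’s own figure.

```python
"""Password policy checks: strength rules and expiration.

Added example (not from the original post). The forbidden-word list,
minimum length and the 90-day limit for non-sensitive accounts are
assumptions; the 30-day limit for sensitive access is the post's figure.
"""
import re
from datetime import date

# Constructed: names and common words that must not appear in a password
# (the employee's own name, pet names, the company name). Build it from your directory.
FORBIDDEN_WORDS = {"jane", "smith", "fluffy", "soho"}

# Layouts a birthdate is commonly typed in (assumed; extend as needed).
BIRTHDATE_FORMATS = ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y")


def check_password(password, forbidden_words=FORBIDDEN_WORDS, birthdate=None, min_length=12):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for word in sorted(forbidden_words):
        if word in lowered:
            problems.append(f"contains name or common word '{word}'")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper-case and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    if birthdate is not None and any(birthdate.strftime(f) in password for f in BIRTHDATE_FORMATS):
        problems.append("contains the user's birthdate")
    return problems


def password_expired(last_changed, today, sensitive):
    """True when the password is older than policy allows.

    30 days for accounts that reach sensitive or critical data (the post's figure);
    90 days for everything else (assumed value).
    """
    max_age_days = 30 if sensitive else 90
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    # Constructed sample user: Jane Smith, born 15 March 1999, pet named Fluffy.
    for candidate in ("Fluffy1999", "jane.smith2024!", "Tr0ub4dor&3-xyz"):
        verdict = check_password(candidate, birthdate=date(1999, 3, 15))
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
    print("Sensitive account, 45 days old, expired:", password_expired(date(2024, 5, 1), date(2024, 6, 15), True))
```

Returning the whole list of broken rules, rather than failing on the first one, lets the user fix everything in one attempt; the forbidden-word list should be built per user from the directory (own name, spouse, pets) rather than kept as one global list.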

6. Backup Your Data

Backing up your data is the simplest way to keep it safe in the event files are accidentally deleted or there is a hardware failure.

  1. Make sure all applications autosave your documents while being edited
  2. Networked PCs should have all user files stored on the network; there shouldn’t be any stored on the C:\ (unless you have a separate backup for the PC).
  3. Check your server backups every day
  4. Have a secondary backup (e.g. backup to another drive or have an online backup).
  5. Keep multiple versions of a backup that covers at least a six-month period.
  6. Back up laptops and portable devices to the network or to an external hard drive
  7. Keep backup media (tapes, thumb drives, CDs etc.) in a safe place where they can be accessed only by authorized individuals

Industry studies show that it takes up to four times longer to re-create lost data compared to the first time it was created. Restoring lost data from a tape to disk generally takes a few minutes once the files are found on the backup.
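Steps 3, 4 and 5 above (check the backups every day, keep a secondary copy, keep six months of versions) are the ones that silently stop working, so they are worth checking against the backup software’s job history rather than trusting the schedule. The following is an added example, not code from the original post or from SOHO Solutions: the job history, the fixed “today” date and the 30-days-per-month approximation are constructed for the example, and a real run would export the history from your backup software.

```python
"""Backup checks: daily success, a second copy, and six months of retention.

Added example (not from the original post). The job history below is
constructed; a real one would be exported from your backup software.
"""
from datetime import date, timedelta

TODAY = date(2024, 7, 1)   # constructed "today" so the example is repeatable
DAYS_PER_MONTH = 30        # assumed approximation for the six-month rule


def build_sample_log():
    """Constructed job history: one dict per backup run."""
    log = []
    for n in range(1, 8):                                   # the past seven nights to tape
        d = TODAY - timedelta(days=n)
        log.append({"job": "server-daily", "date": d,
                    "ok": d != date(2024, 6, 27),           # one night failed
                    "location": "tape"})
    # second copy of last night's data to an online service
    log.append({"job": "server-daily", "date": TODAY - timedelta(days=1), "ok": True, "location": "online"})
    # older monthly full kept off site
    log.append({"job": "server-monthly", "date": date(2023, 12, 15), "ok": True, "location": "offsite-tape"})
    return log


def missing_daily_backups(log, today, lookback_days=7):
    """Dates in the look-back window with no successful backup at all."""
    good_days = {entry["date"] for entry in log if entry["ok"]}
    window = [today - timedelta(days=n) for n in range(1, lookback_days + 1)]
    return [d for d in window if d not in good_days]


def secondary_copy_exists(log, today, within_days=1):
    """True when recent successful backups sit in at least two different locations."""
    cutoff = today - timedelta(days=within_days)
    locations = {entry["location"] for entry in log if entry["ok"] and entry["date"] >= cutoff}
    return len(locations) >= 2


def retention_days(log, today):
    """Days of history covered by the oldest successful backup still on hand."""
    good = [entry["date"] for entry in log if entry["ok"]]
    return (today - min(good)).days if good else 0


def retention_ok(log, today, months=6):
    """True when the oldest usable backup reaches back at least `months` months."""
    return retention_days(log, today) >= months * DAYS_PER_MONTH


if __name__ == "__main__":
    log = build_sample_log()
    print("Nights with no good backup:", missing_daily_backups(log, TODAY))
    print("Second copy of last night: ", secondary_copy_exists(log, TODAY))
    print("History on hand (days):    ", retention_days(log, TODAY))
    print("Six-month retention met:   ", retention_ok(log, TODAY))
```

A failed night shows up as a gap rather than an error line, which is why the check asks “is there a good backup for each date” instead of “did any job report an error”: a job that never ran reports nothing.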

7. Have an E-mail Use Policy and use Virus / Spam Scanning Software

Have an E-mail use policy outlining what can and cannot be done with your company’s E-mail system (e.g. personal use). Make sure your employees understand what they can or cannot do with their (and your company’s) E-mail:

  1. Be careful with E-mail attachments – use encryption software if they are sent outside the company, and be careful who the E-mail is addressed and cc:’d to.
  2. Use E-mail scanning software for viruses and spam, and let your employees know who to call if they get a scan warning so the problem gets resolved.
  3. Do not send login names / passwords or other sensitive information (SS#, date of birth etc.) over E-mail.
  4. Report any suspicious E-mail to your supervisor (e.g. one asking for names, passwords, bank account numbers etc.).
  5. Spell out the consequences if an employee disregards your corporate policies.
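Rules 1 and 3 above (watch where mail is addressed; never send passwords, SS numbers or dates of birth) can be enforced at the mail server with a simple outbound check. The following is an added example, not code from the original post or from SOHO Solutions: the three patterns are a minimal starting point, the sample messages are constructed, and “example.com” is the assumed internal domain.

```python
"""Outbound e-mail check for credentials and personal data.

Added example (not from the original post). The patterns are a minimal
starting point, the messages are constructed, and "example.com" is the
assumed internal domain.
"""
import re

# What the post says must not go by e-mail: logins/passwords, SS numbers, dates of birth.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd|login)\s*[:=]\s*\S+"),
    "date_of_birth": re.compile(r"(?i)\b(?:dob|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}"),
}


def scan_message(subject, body, recipients, internal_domain="example.com"):
    """Return the findings and a decision: allow, warn (stays internal) or block (leaves the company)."""
    text = subject + "\n" + body
    findings = [name for name, pattern in PATTERNS.items() if pattern.search(text)]
    external = sorted(r for r in recipients if not r.lower().endswith("@" + internal_domain))
    if findings and external:
        action = "block"      # sensitive content addressed outside the company
    elif findings:
        action = "warn"       # internal only, but still against policy rule 3
    else:
        action = "allow"
    return {"findings": findings, "external_recipients": external, "action": action}


# Constructed sample messages: (subject, body, recipients).
SAMPLE_MESSAGES = [
    ("New hire paperwork", "Jane's SSN is 123-45-6789, DOB: 3/15/1999", ["payroll@vendor.net"]),
    ("VPN access", "Your login: jsmith password: hunter2", ["mlee@example.com"]),
    ("Lunch", "Noon at the deli?", ["mlee@example.com", "friend@gmail.com"]),
]

if __name__ == "__main__":
    for subject, body, recipients in SAMPLE_MESSAGES:
        result = scan_message(subject, body, recipients)
        print(f"{subject!r}: {result['action']} findings={result['findings']} external={result['external_recipients']}")
```

The distinction between “warn” and “block” matches the two rules: an internal message with a password in it is a training moment for the sender, while the same content addressed to an outside domain is the leak the policy exists to stop. Patterns like these produce false positives (any nnn-nn-nnnn number looks like an SSN), so route blocked mail to a person who can release it rather than dropping it silently.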

8. Have an Internet Use Policy and use a Firewall/Router /Content filter

An Internet Use policy spells out when employees may use the Internet and what they may use it for. Your policy should, at a minimum, specifically state:

  1. Visiting gambling, pornography and unapproved sites is prohibited;
  2. Times and durations that the Internet can be used for private use;
  3. Who to contact when filter warnings appear or approved sites cannot be accessed;
  4. Report any suspicious webpage / pop-up to your supervisor (e.g. one asking for names, passwords, bank account numbers etc.);
  5. The consequences if an employee disregards your corporate policies;
  6. Use wireless encryption for your laptop and other devices using wireless networking;
  7. Check the firewall options on your PCs and network.

Implementing this policy reduces the risk of viruses, spam and tracking software being installed across your network. Content filters can be used to restrict or provide access to specific sites and to monitor the Internet traffic to and from your company.

9. Keep a clean Desktop & Keep your PCs Secured

Have a “PC Use Policy” that strictly prohibits employees/users from installing unauthorized software or hardware on their PC. Also, keeping a clean desktop minimizes the chance of information being accidentally shown to others.

  1. Set your screen saver to activate when you are away from your desk or not using the PC. Make sure it is password protected.
  2. Minimize applications that are not in use so that document contents are not displayed on the screen where unauthorized individuals can see them
  3. Only keep frequently used icons on the desktop
  4. Do not store login names / passwords in icons or links
  5. Do not auto-save names and passwords

10. Keep your Systems and Software up to Date

Keep your servers, desktops, notebooks, BlackBerrys and software up to date with the most recent security patches and software fixes/updates. Have a routine maintenance schedule to check for updates for all of your equipment to keep everything safe and running at peak performance.

11. Use Encryption for all types of communication

Use data encryption for files, E-mail and for your phone and fax lines whenever possible. Use hard disk encryption software for laptop and desktop hard disk drives so the data stays protected if the machine is lost or stolen. Operating systems and PC manufacturers offer disk encryption options that may already be available on your current system(s).
