This story bears repeating. The more things change, the more they stay the same.
Many small business owners treat their business computers like their home computers: they run minimal security and engage in unsafe computing practices. This isn't just my opinion, mind you; it is based on my years of field experience servicing small business clients. My most recent call to one such client was to restore a PC that had become infected by malware. It was my first visit to their office, and during the course of that visit I got familiar with how lax they had been in setting things up.
The office runs on a Windows Server 2003 domain controller. Four PCs running Windows XP Service Pack 2 are domain members, and all business data is stored on the server. They back up daily to tape. That is about as far as their security goes before it gets ugly; suffice it to say that even a mediocre attempt to compromise their network would probably succeed. This got me thinking about what level of security constitutes a baseline for a small business network. Here is what I came up with; see if you agree:
- Physical access to servers, backup, and network equipment is restricted and controlled.
- Backup power (a UPS) sufficient to allow a graceful shutdown of the servers is in place.
- The local network is isolated from the Internet by a hardware UTM device or firewall, or at minimum a NAT router. Note that a plain NAT router only hides internal addresses; it does not inspect traffic the way a firewall does.
- If wireless access is in use, it is secured, preferably with WPA2 and AES (CCMP) encryption. WEP is not adequate, and WPA with TKIP should be treated as a stopgap only.
- File servers are protected by appropriate anti-malware applications.
- Mail servers are protected by anti-spam and anti-malware filtering, either on the server itself or at the gateway.
- Password policy requires strong passwords and periodic changes, and it is enforced technically (on a Windows domain, through the domain's password policy rather than by memo).
- Desktops run a password-protected screen saver that locks the session after a short idle period.
- Unless they are required to be left on for security scanning or backup purposes, desktops are powered down at night.
- Desktops have appropriate anti-malware applications installed.
- Company policy regarding appropriate use of the Internet is in place and enforced.
- Data is backed up, the media is stored securely off-site, and restores are tested periodically; an untested backup is not a backup.
- Encryption is implemented and in use for sensitive information at rest, including on backup media that leaves the premises.
- A procedure is in place for disabling accounts and revoking physical access promptly when an employee's employment is terminated.