Today’s modern business is about data. This information is the lifeblood of any business. It is your company’s finances, customer information and history, inventory, payroll, invoices and documents. You have data that your clients have entrusted you with as well: payment information, account numbers and PII (personally identifiable information). Your business has a responsibility to protect this data if it wishes to remain in business.
At TS Conard, we feel there is no greater responsibility for any IT provider than to protect the integrity of the client’s data. In order to achieve that goal, we educate our clients on what we call our four main pillars of data protection:
- Network Security – Firewall/Security Appliance
Your network firewall is the frontline defense against cyber-criminals, so you need a really good one. This is the edge security of your network that separates your internal network from the global internet. It needs regular monitoring and maintenance. We are not talking about a Linksys “Wal-Mart special” here, but rather a commercial-grade Next Generation Firewall.
- Endpoint Security – Device Protection
Speaking of commercial-grade, your Antivirus solution needs to be business-class as well. Don’t use AVG Free edition or a hodge-podge of different AV programs across your network. Invest in a quality Antivirus program (like McAfee, Symantec or ESET), buy the correct number of licenses, and keep them up to date. This will protect your users from threats that are initiated on the workstations inside your network.
- Employee Education
Educate your employees on how to recognize the “bad stuff”. We do this by using real instances as examples for recognizing the scams from both email and phone calls. Review your company security and computer use policies. Make sure staff members understand the real risks in not following them. Establish password discipline guidelines and ensure they are followed.
Every business has that one employee who will click on anything. Fraudulent emails are being received daily. These phishing attempts are getting VERY GOOD at simulating legitimate email notifications. Our best solution has been to have employee-wide meetings and show them snapshots of these fraud emails, and illustrate how these attempts work (by collecting personal or sensitive business info).
Hopefully, in doing these things, you will establish a company culture that can recognize bad security behavior. Bring instances up for review in order that you may develop a methodology to handle that threat.
- Backup & Disaster Recovery
This is your last line of defense against malicious activity or hardware failure. Consider a good BCDR (Business Continuity & Disaster Recovery) solution as an insurance policy for your company’s data. And in my experience, you are far more likely to use this insurance than ANY OTHER insurance you’re paying for.
- Insist on regular, remote and redundant processes. A good rule of thumb is 3-2-1. That means three copies of your data stored in two off-site locations, backed up a minimum of one time per day.
- Guard against human error. Make sure people performing backups and restores know exactly what to do – and what not to do. Or better yet, take people out of the loop and automate wherever possible.
- Could some files be getting left out? As resources are added and priorities shift, files and folders can get misplaced or accidentally left off the backup list. Insist on a quarterly or annual meeting with your backup management team to make sure all mission-critical files are included in your organization’s data recovery systems.
- Trust but verify. Test your backups to make sure your data is recoverable. Take it a step further: shut down your server and ask yourself, how do I get back to operational? Basically, simulate the worst-case scenario, and then plan how to get back into business.
Of course, even with all these measures in place, there is no silver bullet for protecting your business from malicious activity or hardware failure. However, I can promise you, an organization that has these safeguards in place is at FAR LESS risk of damage than an organization that doesn’t.
If you are unsure about the status of your organization’s network or security health, there are a number of technology solutions providers in the area that will perform an assessment of your security posture at no cost.