While network attacks are expected to rise in 2008, security experts say small Canadian businesses can protect themselves by implementing seven practical steps.
“Protection is not always an expensive proposition,” said Marc Fossi, manager of the Canadian security response team at Symantec Corp.
When it comes to network attacks, he said, small and mid-sized businesses (SMBs) are favourite hacker targets, as they have lots of confidential client information, but often lack adequate means to protect these assets. “Attackers are opportunistic; they’ll get at anything that provides an opening.”
North American companies lost an estimated US$30 million in 2007 due to network attacks, according to Infonetics Research of Campbell, Calif.The costs – associated with lost sales and labour due to downtime – eroded as much as 2.2 per cent of the revenue of large enterprises, and as much as half the annual revenue of some SMBs.
To avoid falling prey to such attacks, Canadian experts have the following tips:
1. Adopt a “defense-in-depth” approach
“No one system will adequately protect your organization from all the attackers out there,” says Robert Beggs, CEO of DigitalDefense Inc. a Toronto-based provider of information security services.
He said defense-in-depth employs multiple defense systems, such as firewalls, anti-virus software, anti-spyware software and security best practices. “Each defense system might have its own set of vulnerabilities, but if you have many systems in place you reduce the chance of your defenses falling apart.”
2. Always keep patch levels up-to-date
Operating systems and applications must always contain the latest security patches, says Adam Cole, director of specialty technology for McKesson Canada and national director for the Toronto chapter of the Canadian Information Processing Society (CIPS).
“A lot of times attacks get through simply because companies fail to download the latest patches,” Cole said.Cole advices organization to designate a person or team to manage patch updates.
3. Consider network compliance solutions for mobile users
Security issues in businesses rose last year because of employees using mobile devices to access the company network, according to Computing Technology Industry Association (CompTIA), a Chicago-based worldwide group of IT professionals and companies.
Some organization reported security issues increasing by as much as 60 per cent, said Steven Ostrowski, director of corporate communication for CompTIA.He said it is often more difficult to manage security for laptops and mobile devices such as BlackBerry handhelds. Fossi recommends that businesses set up strict policies about laptop and mobile device use and beef this up with security tools.
4. Enforce effective password policies
This is a no-brainer but a large number of users forget to periodically change passwords, often give them away or post them in the open, said Fossi.
5. Configure mail server to filter e-mail
A lot of spyware and viruses can be avoided by setting mail servers to block unauthorized or unwanted file attachments. Fossi said file attachments commonly used to spread viruses include: VBS, BAT, EXE, PIF and SCT files.
6. Train employees to be vigilant
Fostering a culture of security is often the best and cheapest defense, said Fossi. The basics include: not opening attachments unless they are expected or come from a trusted source, and avoiding downloading software from the Internet unless it’s authorized and scanned to be virus free.
7. Ensure emergency procedures are in place
Employees should be trained to recognize threats and coached on how to respond to them. It is also very important to have a back-up and restore system and procedure, said Fossi. “This gives you the ability to recover data and get your network up and running in case an attack does get through.”