Articles by James Wiley

Zero-Cost Information Security Tips for the New Year

Monday, January 16th, 2012

There are two facts which are nearly always true about information security resources: almost all experts price their services for big corporate clients (with big corporate budgets), and almost all tools are far too complicated for a small business to implement, and reliably maintain, on a do-it-yourself basis.

This leaves us in a bit of a sticky situation. Our small businesses don't have the budgets to engage a $300-an-hour information security expert. But our small businesses rely more and more every year on digital records and electronic transactions.

The Wall Street Journal published a front-page article last year (July 21, 2011) reporting on the increasing risks and rising costs of information security breaches at small businesses. The article focused on several small businesses that had been bankrupted by the liabilities that follow a breach of customer information.

The Wall Street Journal article emphasized that the bad guys are getting tired of wasting their time on the big companies who can afford premium information security programs. They want the easy pickings. And, as our small businesses grow increasingly dependent on digital records – the easy pickings are us.

It is simply no longer viable for a small business owner to cross their fingers and hope that business information is secure.

What are our options?

Here are three tips that any small business owner can implement – with zero cost – to improve their information security in the new year.

1) Get serious about your passwords

When I started my business services and security practice this summer, I decided it was time to get some real information on what the bad guys are doing. So I went to a weeklong hackers' convention and tried to blend in.

There were about 300 hackers in attendance. During one of the sessions, the hacker who was speaking said that he was getting bored with breaking into businesses. “I never get to do anything fun”, he lamented, “because 90% of the time, all I have to do is guess the password.”

The room erupted with laughter and shouts of agreement.

The days are long past when we can safely use passwords like “123456” or “admin” or the ever-popular “password”.

There are software tools, available for free download on the Internet, that can recover any short, common or dictionary-based password in seconds.

Stop thinking password, and start thinking passphrase. Put together several unrelated words, with a few numbers and special characters (such as @, $, &, %, etc.) included. Length is what matters most: a single dictionary word with predictable substitutions (P@ssw0rd, Password1) is tried by every cracking tool within its first few guesses, while a long passphrase takes vastly longer to crack and makes your business systems a much less attractive target.
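To see the difference the tip describes, here is an added example (written for this page, not code from the article or from any real cracking tool). It runs a miniature dictionary attack with the same cheap word-mangling rules real crackers use, over unsalted SHA-256 hashes, and sets it beside a naive character-class strength estimate. The wordlist, the rule set, the sample passwords and the 1e10 guesses-per-second rate are all constructed assumptions:

```python
import hashlib
import math

# Constructed mini wordlist: a real cracking wordlist (e.g. rockyou.txt) holds millions of entries.
COMMON_WORDS = ["123456", "password", "admin", "letmein", "welcome", "qwerty", "monkey", "dragon"]

# The cheap "leet" substitutions and suffixes every cracker's rule set tries first.
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})
SUFFIXES = ["1", "123", "!", "2012", "!1"]


def mangle(word):
    """Yield the variants a rule-based cracker derives from one dictionary word."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    for base in dict.fromkeys(bases):  # dedupe while keeping order, so attempt counts are stable
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(secret):
    # Unsalted SHA-256 stands in for whatever a leaked password store holds; the attack is the same.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=COMMON_WORDS):
    """Return (recovered_password, attempts), or (None, attempts) if the wordlist is exhausted."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def estimate_bits(secret):
    """Naive strength estimate: length * log2(size of the character classes used)."""
    charset = 0
    if any(c.islower() for c in secret):
        charset += 26
    if any(c.isupper() for c in secret):
        charset += 26
    if any(c.isdigit() for c in secret):
        charset += 10
    if any(not c.isalnum() for c in secret):
        charset += 33  # printable ASCII punctuation and space
    return len(secret) * math.log2(charset) if charset else 0.0


def brute_force_seconds(bits, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace; 1e10/s is an assumed rate for a few GPUs on a fast hash."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for secret in ["password", "Password1", "Welcome123", "purple tractor ate my invoice & 7"]:
        found, tries = dictionary_attack(sha256_hex(secret))
        bits = estimate_bits(secret)
        verdict = f"cracked in {tries} guesses" if found else "not in wordlist"
        print(f"{secret!r:38} est. {bits:5.1f} bits, brute force {brute_force_seconds(bits):.3g} s, {verdict}")
```

The point the output makes: "Password1" scores over 50 bits on the character-class estimate (weeks of brute force at the assumed rate), yet the dictionary attack recovers it in fewer than twenty guesses, because it is a common word plus a rule. The multi-word passphrase is never produced by the rules at all, and its length puts exhaustive search out of reach.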

2) Evaluate the access which your employees have to systems & resources

The Computer Emergency Response Team (CERT) at Carnegie Mellon University conducted a study several years ago in cooperation with the US Secret Service. The report they published provided significant insights into the characteristics of actual information security breaches.

Their research emphasized the risks that are posed by “insiders”, meaning employees and others who have been granted authorization to use business systems for otherwise legitimate purposes. The study found that:

In 87% of the cases, the information security breach was performed by an insider using simple, legitimate system commands.
In 77% of the cases, the insider who performed the breach was not a technical expert.
In 83% of the cases, the breach took place within the business’s premises.
In 70% of the cases, the breach took place during normal business hours.

What’s the upshot of this?
