Five essential security measures to protect your business--no matter its size

Take these basic steps to safeguard your business's invaluable information assets.

Paranoia--in small doses--is an excellent preventive medicine. If you think your business is too small to be a target for hackers, identity thieves, and similarly unsavory characters, you're dangerously underestimating the value of your business.

IT security might seem to be a daunting prospect for a small business without an expert staff, a large budget, or expensive consultants, but you can take a number of easily implemented measures to lock down the personal computers your business relies on. Here are five simple security tips you should implement today.

Encrypt your hard drives

The first step is to implement full-disk encryption on each one of your company's PCs. This step is crucial because system passwords alone offer no defense against hackers' accessing the hard drive from another computer, or against someone's attempts to clone its entire contents for off-site examination. In addition, recovering previously deleted files from an unencrypted storage device or disk image is a relatively trivial matter for an attacker or snoop.

Selectively encrypting sensitive folders or files works, too, but full-disk encryption is the best means of ensuring that every file is protected. Microsoft's BitLocker is the gold standard for this task, thanks to its ease of use and the fact that it comes standard with the Ultimate and Enterprise versions of Windows 7, and with the Ultimate and Professional versions of Windows 8.

Although you can upgrade to one of these versions of Windows to obtain BitLocker, such a move can be cost-prohibitive if you have more than a few computers in the office. You can also find no-cost encryption software in the form of DiskCryptor and TrueCrypt (although the latter is not compatible with Windows 8). You must take care, however, to ensure that these programs are properly configured.

"One needs to consider every particular case," says ReclaiMe spokesperson Elena Pakhomova, "since encryption is sometimes implemented incorrectly and you still have a chance to extract data." ReclaiMe develops software for recovering data from hard drives and RAID configuration parameters, among other programs. For details on how to encrypt files the right way, read our hands-on guide.

Limit access

Enabling disk encryption automatically mandates the use of passwords, but it does nothing to stop users from choosing passwords that are easily cracked. Given that the strongest encryption is of little use if the passphrase is quickly guessed, it makes sense to choose a robust password that is not too short and that contains sufficient complexity.

Once disk encryption and strong passwords are in place, you can further harden your security by configuring Windows to prompt for the password upon waking from sleep mode. Be sure to set a reasonably short inactivity timeout of no more than 10 to 15 minutes for the PC to enter sleep mode.

Better yet, develop the habit of using the Windows-L keyboard shortcut to lock your PC when you step away from it--even if you'll be gone for just a few minutes. This step not only prevents data from being siphoned out during your absence but also serves as an effective way to prevent unscrupulous insiders with physical access to your computer from installing malware on it surreptitiously.

Use secure portable storage 

Conceived by Microsoft as a way to protect data stored on portable storage devices, the excellent BitLocker to Go technology can prevent lost or stolen storage devices from becoming liabilities. Although you can enable BitLocker to Go on an external drive only through one of the aforementioned BitLocker-equipped versions of Windows, a BitLocker to Go-enabled device can be subsequently used on all supported Windows operating systems, meaning that a small business can implement it companywide without having to upgrade everyone to a Windows edition that includes BitLocker.

You should be aware, however, that computers running Windows XP or Windows Vista won't recognize USB drives encrypted with BitLocker to Go unless you install the BitLocker to Go app. Mac OS X computers won't recognize such drives, either. You can read more about using BitLocker to Go with Windows 8 in our complete guide.

A hardware alternative would be to make use of specialized hardware-encrypted storage devices, such as the Lok-It flash drive or the Apricorn Aegis Bio portable hard drive. Be particularly careful with unbranded devices or those from vendors with no track record, as not all devices offering hardware encryption implement it correctly.

Use a password manager

No one disputes the value of using a different password for each website, but surprisingly few people actually follow the practice. Most users opt for the convenience of using the same password across multiple Web services, even though it leaves them open to severe consequences--including identity theft and financial loss--should hackers snag their password.

Instead of trying to memorize a dozen different passwords, set up the right tool to better manage your passwords. Numerous apps are capable of this, including Sticky Password Pro, LastPass, and Roboform. As a bonus, many of these tools can generate strong passwords on demand and can even fill out login pages with the correct password automatically.

Don't ignore security updates

Finally, it is of paramount importance to ensure that your computer has the latest software updates and security patches. Confirm that Windows Update is correctly configured to download updates automatically, and then periodically check for errors or failed updates. The same advice goes for common attack vectors such as Oracle's Java runtime environment (JRE) and popular software such as Adobe Reader and Apple QuickTime. A software tool that is of invaluable help here is Secunia Personal Software Inspector (PSI), a free patch-management program that tracks and installs updates to a large number of third-party applications.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitypasswordsencryptionbusiness security

More about Adobe SystemsAppleApricornEnablingMicrosoftOraclePSISecunia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Paul Mah

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place