the winxnet blog

Information Security on a Budget: 5 Ways to Help Save Money

Posted on 8/26/2014 8:00:00 AM by Dr. Eugene Slobodzian
Category: Security & Compliance




In part one of my Security on a Budget post, I listed three ways that you can begin to create your own Information Security Program without breaking your technology budget. In light of recent news of major security breaches in the retail and healthcare sectors, I feel it is necessary to reiterate the two main points of that first post:

a) Security breaches do happen to all types of businesses, frequently with dire consequences.

b) There are things that you can do, inexpensively, that will dramatically improve the security of your sensitive information.

If you are a leader in a small or medium sized business, it is time to take Information Security seriously. The financial cost of breach remediation will be steep, but the loss of trust of your customers may be your most expensive repair.

In the last post we talked a lot about APT (Advanced Persistent Threat). This is the constant barrage of attacks your systems endure each day. There are a number of affordable things you can do to protect yourself from these APTs; here are five more.

  1. Ensure timely updates to your operating systems and third-party software. While Microsoft is getting progressively better at handling these security patches automatically (if you are vigilant about approving updates), applications frequently require a little more work. Also, don’t forget to keep your other devices (mobile, printers, routers, firewalls, switches, etc.) up to date.
  2. Virus-protect all systems you can. While modern malware warfare is proving to be an uphill battle for most anti-virus companies, the newer tools contain an arsenal of controls to prevent infestations. These anti-virus tools are now available on mobile devices. There are plenty of free resources and reasonably priced solutions from those in the industry with the time, focus and resources to implement them.
  3. Enforce traffic filtering where possible. In simple terms, there is traffic that has no business in your environment. Stopping this traffic will protect you from a number of potential threats. This filtering can be enforced at the company firewall, personal firewalls (part of AV protection above) or through security plug-ins for modern web browsers (AdBlock, NoScript, WOT-Safe, BetterPrivacy). There are also service providers to help you stay secure, ranging from simpler, inexpensive solutions like OpenDNS to fully-managed firewall packages. Ask your IT provider what would be the best fit for your environment and budget.
  4. Set good passwords on all accounts and promote good password practices. Take care to set, or change from the default, all passwords on your supporting equipment, such as printers, mobile devices, voicemail, switches and routers. Use reasonably strong passwords, but don’t go overboard. A password that is too complex will have to be written down, and this is exactly what we want to avoid. As a rule, pronounceable passwords are easier to remember. There is also a multitude of password vaulting solutions for PCs and mobile devices that can be helpful.
  5. Encrypt all mobile devices and sensitive files. Modern mobile devices come with built-in encryption, so use it. Research and use whole disk or volume encryption tools such as BitLocker. Where possible, set up mobile devices with remote wipe capabilities and enforce local wipe after a set number of unsuccessful unlock attempts.

These are just a few basic controls that are available to you at little or no cost to protect your information.  Please know that these suggestions are not exhaustive and that there are many other controls. Becoming and staying more secure does not have to cost a fortune. It does require some vigilance and some elbow grease.  If you feel as though you do not have the resources or the time to create or manage an Information Security Program, perhaps it’s time you contacted your trusted IT advisor to inquire about their Managed Security Services.