Identity theft is one of the fastest growing risks that your company and employees could be facing. Misuse of electronically stored information is easily identifiable, and small or midsize companies can be at greater risk if the proper precautions aren't in place. We asked Kevin Beaver, founder and information security advisor with Atlanta-based Principle Logic, LLC, to answer some frequently asked questions on identity theft at SMBs.
Given how pervasive the ID theft problem is, especially with insider jobs, can you really prevent the problem completely?
Absolutely not. Just as with anything related to information security and privacy, there's no guarantee. But you can do a lot to prevent ID theft from occurring as well as minimize its impact when it does occur. It's all about risk management. There's always going to be some risk leftover, and if a breach does slip through at least you can back it up by showing your clients, board of directors, a judge and a jury that you have taken reasonable precautions. That's what keeps business executives out of hot water.
I have a small network of three servers and about 20 workstations. How often should I test my network for these ID theft vulnerabilities?
It depends on several factors, including whether or not your servers are publicly accessible and what type of information you are storing or processing on them.
A general rule of thumb is to test no more than once a quarter and definitely no less than every six months to a year. You'll also want to test your systems if you make any major system changes like adding new servers, deploying a new application or rewriting a new one, or upgrading your operating systems. Don't forget to test from both the outside and the inside. Most people only test from the outside from an external hacker's point of view. However, most problems I see are usually accessible only from inside the network.
What's the best way to create an audit trail to trace unauthorized people accessing sensitive personal information on my network?
This is easy and free. The most practical thing you can do is to enable audit logging on your operating systems and applications: Windows, NetWare, Linux – basically all the operating systems allow you to do this pretty easily. Your databases and Web and client/server applications may or may not have audit logging, but this is certainly something you should look for or build in if possible. And remember that logs are only effective if they're being monitored. I'm not a big advocate of monitoring individual log files, as it's not very effective. Look for some log management programs to help with this. One low-cost tool is GFI.
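As an added example that is not from the interview or from Principle Logic: one way to act on the advice that logs only help when someone monitors them is a small review script that joins Linux auditd records for a watched directory of client records and flags every access, granted or denied, by an account outside an approved list. The log lines, the /srv/clientdata path, the account ids and the approval list are all constructed for the example.

```python
import re
# Constructed auditd-style records (not real logs), assuming a watch on /srv/clientdata
# tagged "clientdata" (e.g. auditctl -w /srv/clientdata -p rwa -k clientdata). Each access
# yields a SYSCALL record (who) and a PATH record (what) sharing one event id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="clientdata"
type=PATH msg=audit(1700000000.101:501): item=0 name="/srv/clientdata/accounts.csv" mode=0100640
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=257 success=yes exit=3 auid=1042 uid=1042 comm="cp" exe="/usr/bin/cp" key="clientdata"
type=PATH msg=audit(1700000000.205:502): item=0 name="/srv/clientdata/ssn_export.csv" mode=0100640
type=SYSCALL msg=audit(1700000000.310:503): arch=c000003e syscall=257 success=no exit=-13 auid=1042 uid=1042 comm="cat" exe="/usr/bin/cat" key="clientdata"
type=PATH msg=audit(1700000000.310:503): item=0 name="/srv/clientdata/payroll.csv" mode=0100600
"""

# Accounts approved to handle client records, keyed by login uid (constructed).
APPROVED_AUIDS = {1001}
USER_NAMES = {1001: "billing", 1042: "contractor"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')

def parse_record(line):
    """Turn one auditd line into a dict of its key=value fields plus timestamp and event id."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ts, event_id = EVENT_RE.search(line).groups()
    fields.update(ts=ts, event_id=event_id)
    return fields

def correlate(log_text):
    """Join SYSCALL and PATH records that belong to the same audit event."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        ev = events.setdefault(rec["event_id"], {"ts": rec["ts"]})
        if rec["type"] == "SYSCALL":
            # auid is the login account, so it survives su/sudo; uid would not.
            ev.update(auid=int(rec["auid"]), granted=rec["success"] == "yes",
                      via=rec["comm"], key=rec.get("key"))
        elif rec["type"] == "PATH":
            ev["path"] = rec["name"]
    return events

def find_unauthorized(log_text, approved=APPROVED_AUIDS):
    """Return accesses to the watched data by accounts outside the approved set;
    denied attempts are reported too, since a failed read is still someone probing."""
    hits = []
    for ev in correlate(log_text).values():
        if ev.get("key") == "clientdata" and ev["auid"] not in approved:
            hits.append({"user": USER_NAMES.get(ev["auid"], str(ev["auid"])),
                         "path": ev.get("path"), "granted": ev["granted"], "via": ev["via"]})
    return hits
```

On a real host the same logic would read /var/log/audit/audit.log (or the output of ausearch -k clientdata) instead of the embedded sample, and the approved set would come from whoever owns the data.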
If I've locked down my wireless network using all the common best practices such as enabling WEP, changing default settings and not broadcasting my SSID, is my information relatively safe?
The thing with wireless is that there's no physical boundary keeping your signals and airwaves safe as with wired networks. So you're never going to be 100% safe. You shouldn't let that stop you from using wireless networks though. A couple of other things you can do that will really help lock down your airwaves are to toss those omni-directional antennas and replace them with directional ones that send the signals inside your building where they belong rather than broadcasting them 360 degrees. Also turn down the power setting on your APs. And by all means, enable Wi-Fi Protected Access or WPA.
How much are the tools you mentioned going to cost me?
Most are just a few hundred dollars and well worth it. Keep in mind that usually the more you pay the more you get. And of course, the higher end products can be much more beneficial. But don't overlook the free ones. Check out my list of favorites in my tip on SearchSMB.com, Essential security testing tools for SMBs.
Even with all the new laws and regulations, I still can't convince my boss that we need to protect the personal information of our clients. How can I get buy-in?
I recommend three things:
1. Get involved with the business -- show management that you care about what's going on
2. Establish your credibility and gain their trust
3. Show that what you're doing is valuable to the organization -- prove to them that what you're doing and what they're investing is working.
Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC. He has over 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.