Securing Small Businesses by Securing Email

Share with friends

by Rick Caccia
According to The Radicati Group’s Q1 2006 market update, the total worldwide daily e-mail traffic grew to roughly 171 billion messages worldwide. Moreover, the volume of e-mail message sent and received continues to increase each year as businesses increase their dependence on this form of communication. It’s also been estimated that 75 percent of corporate intelligence is contained in e-mail traffic. This is especially true with small and mid-sized businesses (SMBs).

However despite being the communication of choice for most companies, e-mail presents a security and availability threat to their intellectual property, especially for SMBs.

A number of these threats manifest themselves in the form of malicious code, including spam, viruses and worms, phishing scams, and Trojan horses. Each of these presents the potential for confidential information and intellectual property to be stolen, destroyed, or secretly distributed. In addition, misuse of email can introduce potential legal issues for SMBs, particularly when employees send offensive or inappropriate content via company e-mail or as a hacker takes control of the e-mail server to send forged messages.

All too frequently SMBs believe they are not vulnerable to malicious attacks, thinking they are too small to be noticed by attackers. They discount statistics that report the small business market is among the most frequently attacked business segment. Additionally, SMBs often lack the resources – both budgetary and staffing – to effectively address information security, which leaves them open to these risks. And those with criminal intent recognize this and use it to their advantage.

To ensure confidential information stays within the organization, most SMBs need to retool their e-mail protection and management strategies. Employing industry best practices and educating employees, along with staying up-to-date with security solutions can enable SMBs to quickly and easily implement an effective e-mail security policy.
Understand What Assets Need Protection As SMBs address their security strategy, the first task is to create an in-depth sketch of their information assets and all access rights to that information. Doing so helps identify what items each business needs to protect. Without this understanding, assets that should be protected may be left vulnerable to attacks.

Understanding what they need to protect, SMBs can then identify and assess the threat risks posed to their information assets and the legal implications for not complying with regulatory procedures. Evaluating the current threat landscape can also help SMBs understand how they need to spend their time and budget, ensuring they’re taking the right protection measures to address their individual needs. For example, risks that may be of concern for a small bank or credit union may not be the same as risks posed to a small construction firm. As a result, the security measures they may need to protect their businesses and assets differ in order.
Once risks have been identified and evaluated, the next step is to develop a security policy. A team of managers, including the head of IT, finance and HR, should be assembled and involved in developing the policy.

With responsibilities assigned, businesses should create the security policy, while also keeping in mind their information assets and identified risks.
Educate Employees
Intentional or not, user error is often behind many of the security problems SMBs face. Therefore, along with technical setup, policy execution should also include employee education and training.
The two most important things to keep in mind with employee education and training are to ensure every employee, from top to bottom, is included in the training and to refresh the training regularly. When new employees are hired, require the training to be included in their new-employee orientation.
This training should include discussion points such as how to create strong passwords. Passwords are the most common method of authenticating users to provide system entry for hackers. Hackers can gain unauthorized access to the network by cracking passwords. Therefore, strong passwords are another layer of protection SMBs businesses can use to secure their network.
For example, a strong password should be at least eight characters and include a combination of lowercase and uppercase letters, digits, and symbols. Require users to employ a different password for each service or system they access, and to create new passwords every 45-60 days.

In addition, emphasize the importance of not writing down passwords or doing other things that would possibly make them public. A recent study by global research firms Nucleus Research and Knowledge Storm found that one in three employees are still writing down passwords and leaving them either on a piece of paper or in a text file on a PC or mobile device. This compromises the security of their computer as much as having no password at all.

Because e-mail is the path of least resistance, part of the training program should also include training on how to be smart e-mail users. One way to do this is to introduce employees to the following guidelines:


    Do not use the preview pane function in the e-mail program.
    Refuse e-mail attachments from unknown senders and scrutinize all attachments before opening them—if it ends in an unusual extension, delete it immediately.
    Discard spam. Do not reply to unsolicited e-mails as it alerts spammers that the address is accurate.
    Never perpetuate spam by forwarding e-mail chain letters.
    Be alert to phishing scams. All they want is employees to divulge personal information.

Employees play a highly critical function in ensuring that e-mail is secure and safe. Therefore, after the policy has been introduced to employees, perform an audit of both the policy and employees to ensure proper security practices after the training.
Implement Multiple Layers of Defense
No small business can afford to put itself at risk to Internet threats. To stay secure in today’s highly connected world, SMBs need layered security. Multiple layers of security around computers and valuable data help keep the compromise of one level from causing a general compromise of the entire network. This layered defense is necessitated by the advent of blended threats and the blurred network perimeter.
The most important layers that should be part of any effective security program are:

    Antispam software
    Antivirus software
    Firewalls
    Intrusion detection/prevention software
    Virtual Private Networks
    Disk imaging applications

By doing all of the above, SMBs can help protect themselves from growing security and availability risks, and feel much more secure in leveraging the use of e-mail in their business.

Integrate Best Practices

Some best practices SMBs can employ to ensure they are covering their bases in terms of preventing and addressing potential security issues are:

    Harden the operating system by configuring it for maximum security, removing unnecessary tools and utilities, and updating patches as fixes to newly discovered security vulnerabilities are offered.
    Install only approved applications.
    Turn off and remove unneeded services that may be backdoors allowing access to attackers.
    Restrict access to only select users who must log in with a username and password by setting up authentication, monitoring server access, and restricting file access privileges to select users.
    Configure e-mail servers to block or remove e-mail containing file attachments commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR.
    Isolate infected computers immediately to prevent further network comprise. Disable or block access to services that have been exploited by a threat until a patch is available and applied.
    Have a backup and restore solution ready in case of an attack.
    Put an incident response plan in place, which will help recover the business quickly and easily, by anticipating the various possibilities that could affect the business.
    Keep server equipment in a secure location and only allow designated persons access.
    Test the IT security policy and make necessary changes.

Once the policy is in place, make sure to monitor it. The security landscape is never static and an SMB’s security plan shouldn’t be either. Revisit it every six months for potential updates. Conducting a semi-annual review of the security policy is a great way to ensure that it is up-to-date and being followed.

Conclusion


While most SMBs don’t have the resources that many large enterprises possess, they can still protect themselves from malicious threats by understanding and following these simple steps. These guidelines can help each SMB establish a secure e-mail infrastructure and internal network.

About the Author:

Rick Caccia is senior director of product management for Messaging and Web Security at Symantec, where he leverages more than 14 years of experience in building and managing enterprise infrastructure software. In this role, he is responsible for overseeing the direction and delivery of Symantec's e-mail, instant messaging and web security solutions, which includes software, appliances, and hosted services.

B2B EGypt

We provide you with a group of services that guarantee best added value to your corporate,website,company classification,system.Through proffessional experienced team members.

© 2009 Articles. All rights resevered. Designed by B2B Egypt