Small Company Security Resources 

by Roman H. Kepczyk, CPA.CITP 

Today, companies rely on technology to manage and operate virtually every aspect of their business, with a critical focus being protecting sensitive financial information and client, vendor and employee data. Unfortunately, in the news nearly every week, there are security breach reports ranging from hacked databases to stolen information, both resulting in significant company losses.

The majority of large- and medium-sized companies have personnel and external resources dedicated to securing their IT environment. However, smaller businesses often have minimal resources focused specifically on protecting their infrastructure. What can these companies do to protect themselves?

Although “one-shot” implementations that appear not to affect other areas of technology – such as servers, firewalls and Internet connectivity – should still always be installed by an experienced integrator, there are best practices and resources a company can use to evaluate its current exposure while minimizing the day-to-day risk of becoming another headline.

One of the first steps to minimizing the risk of loss is to understand what causes the most damage. According to the 2006 CSI/FBI Computer Crime and Security Survey, most damage is caused by computer virus contamination. As a remedy, companies should have an anti-virus application that is automatically updated and rolled out to users to minimize this risk.

The top three products available, from Symantec, McAfee and Trend Micro, are each capable of detecting and removing infections, and whichever is chosen should be set to check for updates on an hourly basis. Spyware and malware also create security risks, so companies should additionally have at least two anti-spyware applications at their disposal. These could include, for example, Windows Defender, Webroot Spy Sweeper, Lavasoft Ad-Aware SE Enterprise or Spybot Search & Destroy.

An even stronger layer of protection against viruses and spyware is outsourcing e-mail filtering to a remailer service that scans for and identifies spam. Companies such as Postini, AppRiver and MX Logic handle enterprise-class spam and anti-virus filtering. These services filter the mail stream, deliver the legitimate (if sometimes questionable) messages to the company, and further reduce the number of e-mail-borne viruses that reach it. Some of these services also provide an added layer of disaster recovery for the company’s e-mail: if the company’s server becomes inaccessible for any reason, the service stores and forwards the messages while still providing access to them.

Next on the CSI/FBI list of security losses is unauthorized access to data. This occurs through both physical and virtual breaches. Physical security begins with controlling access to the building and having an up-to-date security alarm system whose codes can be changed when an employee is terminated. Physical security also means locking down resources such as the server room, and using cable locks on workstations – particularly laptops – whether they are in the office or being used remotely. Kensington and Targus sell locks for under $50, which is particularly important for laptop users; the CSI/FBI survey listed “laptop theft” as the third greatest loss.

From a virtual perspective, it is imperative that companies change passwords at least four times each year. It is best to use “hardened” passwords that are at least eight characters long and include upper- and lowercase letters, numbers and punctuation characters. Another precaution is configuring workstations with password-protected screensavers that lock the screen after 15-30 minutes of inactivity, while reminding users to “lock” their screens whenever they leave their workspace. The CSI/FBI study also pointed to Internet-originated breaches that occur when companies lack the most current patches on their network operating system. To minimize this risk, companies running Microsoft networks should first load and run the Microsoft Security Assessment Tool (MSAT); individuals should also run the Microsoft Baseline Security Analyzer on their workstations.

For companies running other operating systems, the Center for Internet Security has online CIS Benchmarks and Scoring Tools available to test for the latest versions and patches. Other critical components of network security include verifying that the firewall is working properly and keeping the company aware of which ports are open to the Internet. Gibson Research Corporation has a Shields Up! online tool that tests the first 1,056 ports to see which are open, closed or in stealth mode. Running this test on a regular basis will help companies stay abreast of any changes.
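The article recommends re-running the port test regularly so that changes are noticed. As an added example (not from the article or from Gibson Research), the script below keeps last quarter’s results as a baseline and reports every port whose open/closed/stealth status has changed since; the one-line-per-port report format and both sample reports are constructed for the example, not the tool’s actual output.

```python
from typing import Dict, Iterable, List, Tuple

VALID_STATES = {"open", "closed", "stealth"}

def parse_report(lines: Iterable[str]) -> Dict[int, str]:
    """Parse constructed 'port state' lines into {port: state}.
    Blank lines and '#' comments are ignored; anything else must be valid."""
    result: Dict[int, str] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        port_text, state = line.split()
        port, state = int(port_text), state.lower()
        if not 0 < port <= 65535 or state not in VALID_STATES:
            raise ValueError(f"bad report line: {raw!r}")
        result[port] = state
    return result

def diff_exposure(baseline: Dict[int, str], current: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Return (port, old_state, new_state) for each port whose state changed.
    A port missing from one report is treated as 'untested' so it still shows up."""
    changes = []
    for port in sorted(set(baseline) | set(current)):
        old, new = baseline.get(port, "untested"), current.get(port, "untested")
        if old != new:
            changes.append((port, old, new))
    return changes

def newly_exposed(changes: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """The subset that became 'open': the changes to investigate first."""
    return [c for c in changes if c[2] == "open"]

# Constructed sample reports: last quarter's baseline versus today's run.
BASELINE = """
21 stealth
22 stealth
25 closed   # inbound mail goes to the outsourced filtering service
80 stealth
443 stealth
3389 stealth
""".splitlines()

CURRENT = """
21 stealth
22 open     # remote administration was enabled on the firewall
25 closed
80 stealth
443 stealth
3389 closed # now answers (closed) instead of staying stealth
""".splitlines()

if __name__ == "__main__":
    for port, old, new in diff_exposure(parse_report(BASELINE), parse_report(CURRENT)):
        print(f"port {port}: {old} -> {new}")
```

Run it after each test and keep the previous report as the new baseline; an empty change list means nothing on the perimeter moved.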

Finally, one of the weakest potential links in maintaining a secure computing environment is the company’s personnel, who may be creating security risks without even realizing it. Companies should update their computer and Internet usage policies annually, and include the impact of any new technologies the company has adopted. Social engineering and phishing attacks, as well as unsecured wireless access from remote computers connecting to the company network, can create security issues that company personnel may be unaware of. By educating employees about these types of attacks and providing annual reminder training, this risk can be minimized.

Computer technology has driven today’s accounting professionals to manage more and more of their information in a digital format. It is our duty to secure this information. By implementing today’s security best practices and working with outside resources, smaller companies can go a long way toward keeping their own information and their clients’ information protected.


Copyright © 2006-2016 American Institute of CPAs.