Digitally securing small firms
From ATI Chennai IT and ITES Wiki
Hardly a day passes now without us hearing of cyber attacks.
- How best can a small firm best ensure protecting their data and it's integrity?
- What are some of the most efficient ways to have secure backups?
Some points that need to be considered are:
- Burgeoning costs of critical manpower
- All encompassing need for protecting business critical data from falling into the wrong hands
- Legal risks as fallout after such cyber attack incidents
- Lack of sufficient knowledge and myths concerning cyber security
Best Practices for Small Firms
- Make sure, to the extent possible, every employee owns their device - desktop / laptop - that way you do not have to bear any liability for software piracy / upkeep / insurance / replacement.
- Start some sort of an audit supervised Cyber Security / Vulnerability Assessment / Technology Preservation insurance department where you can subsidise the cost by retailing it out to your clients. ATI Chennai conducts courses to assist in this matter.
- Critical data should be stored in (Linux based) headless NAS (Network Access Storage) server)s) that run their host Operating System entirely in RAM. Anything wrong, then just switch off and switch on like the old radio or TV. Have one such entity completely offline and non networked when not in use. Avoid shared disks and folders and where not possible, secure them with restricted access credentials as acceptable.
- Block TCP Port 465 on all devices in the local network to ensure the containment of any virus to the affected device alone.
- Freeze Operating System version across the office if possible - it makes for less diversity in addressing support issues.
- Work towards a scenario of having zero technical personnel in your payroll whilst ensuring that your employee induction program provides for an acceptable level of baseline self-sufficiency in technical matters that pertain to operation and best practices as far as devices in the local environment are concerned.
- Use as few local software as possible for routing tasks of an admin nature where no critical business data are concerned. Having such software in a local cloud ensures that all users see the same data even when authorised persons change them without notification to others. Audit trail of all changes must be visible to all users with clear highlighting of incremental differences. A local Wikipedia engine is the easiest to implement.
- Extract, document and preserve all information pertaining to the documents of the firm and the software used to generate them.
- All firm owned devices must have system images created in the NAS server and offline in read only media (DVDROM) for quick (< 10 mins) restoration of the base operating system with all software installed and activated with preferences set for the user and LAN. Drivers and license activation details should be documented as well. No third parties should be involved in recovery from such media.
- When employees leave, all data they have been exposed to must be listed and assessed for damage on leakage. Access credentials must be revoked but the interaction while in service should be preserved as readonly for future reference.
- All critical data files when archived should be passed through a hashing algorithm (MD5+SHA1) and the hashes stored alongside them and elsewere as well. Before trusting any archive file in future, it's hash must be verified for document integrity.
- Multiple versions of critical client data where each one has a different subset of updates will cause confusion. A relational database of such information that generates the required documents dynamically will always spew the latest version with all updates if the change management system is followed diligently.
- Evaluate the cost of data loss for each set of data and the time it would take to re-enter the critical part of such data if possible at all and the integrity / verification process that it would entail before it can be business as usual.
- Assess the impact of death / staff leaving service on the availability of information stored in such person's head alone and the impact of "tuned" information thru the mouth of another person of unknown integrity.
- Use local cloud servers for all servers (including firewalls) in the firm to save on hardware, power, networking components, etc whilst being independant of device drivers and repetitive activations. This will also endure the availability hot and cold spares for rapid swapping on failure. The caveat of putting all eggs in one basket applies, mitigated with sufficient cross locational redundancy and professional support.
The easiest way currently is to see if anyone will do all this locally and/or with remote assistance for you in a trusted manner to the best of their ability and pray for the best. This dictum applies here as for all types of insurance - live first to claim insurance - and don't die of the costs thereafter.
Every professional organisation will charge thru the nose the moment they see monopoly opportunity and fear / paranoia / ignorance in a client's eyes. Everyone with the money will shortchange those with skillsets and straddle them with expenses to keep doing their bidding. That is the business of "negotiation" after all.