Small Business Monthly
June 2008: Protect Your Business From Digital Intrusion
Protect Your Business from Digital Intrusion
Take precautions now so you can avoid accusations of negligent handling.

By John Benson

In 2007, TJX Companies Inc., the parent company of retailer TJ Maxx, began settling lawsuits resulting from a security breach that led to the disclosure of an estimated 94 million customer credit and debit card records. With the increased focus on identity theft, consumers want organizations to be held responsible when their identities are stolen. Currently, the legal requirements of businesses to protect consumer information are unclear. What is clear, however, is that to avoid a claim of negligence in the handling of sensitive information, businesses must take steps to protect consumer data.

Preventing Intrusions and Data Loss
Retention of sensitive consumer and employee information, such as birth dates, Social Security numbers and account numbers, should be kept to a minimum and the retained data closely guarded. Encrypt hard drives containing this information and consider keeping this information on desktop PCs, which are less likely to be stolen than laptops. Any backups of these drives should also be encrypted and stored in a secure location.

Map the location where information is stored so any vulnerable data can be identified and secured. Also, include the location of removable storage such as burnable discs, flash drives and external hard drives. This is also useful in the case of an electronic discovery request as part of litigation. Once the data is mapped, you can take steps to protect your most valuable information.
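
A starting point for the data map described above, as an added example that is not part of the original article: it walks a folder and reports which files contain text shaped like Social Security or payment card numbers, recording only counts so the map itself holds no sensitive values. The function names, patterns and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# SSN shape with the never-issued ranges excluded (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Count candidate SSNs and card numbers; matched values are never stored."""
    cards = sum(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))
    return {"ssn": len(SSN_RE.findall(text)), "card": cards}

def map_sensitive_files(root):
    """Return {relative_path: counts} for every file under root with a hit."""
    found = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        try:
            text = path.read_bytes().decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip it, keep the inventory going
        counts = scan_text(text)
        if counts["ssn"] or counts["card"]:
            found[path.relative_to(root).as_posix()] = counts
    return found

def demo():
    samples = {  # constructed sample tree; every value here is fake
        "hr/staff.csv": "name,ssn\nA. Example,219-09-9999\nB. Example,000-12-3456\n",
        "sales/orders.txt": "card 4111 1111 1111 1111 ok\nref 1234567890123456\n",
        "notes/readme.txt": "Office phone 816-555-0100\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return map_sensitive_files(root)

if __name__ == "__main__":
    print(demo())
```

Pointing `map_sensitive_files` at a mounted flash drive or external disk extends the same inventory to removable storage; binary formats such as spreadsheets or PDFs need a text extraction step first, which this example does not include.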

Make sure employees are aware of the responsibility that comes with the convenience of mobile computing. They should take steps to avoid theft of laptop computers by not leaving computers visible inside automobiles and by using storage cases that don't show the laptop manufacturer's logo, a clear indication of what's inside. Require user logins for computers to prevent thieves from accessing your data and encrypt the data on the hard drive to thwart more skilled attacks.

Wi-Fi Precautions
Public Wi-Fi is insecure and should be treated as a hostile environment where network activity is easily monitored. On a shared Internet connection, a skilled individual can monitor network traffic, capture passwords or attempt to directly break into a system. Wi-Fi can be accessed from a few miles away with proper equipment, so an attacker may not be immediately visible. If employees use public Wi-Fi, make sure to use a strong firewall, work with service providers to secure e-mail communications and consider setting up a VPN (Virtual Private Network) to secure all communications when away from the office.

If you currently use Wi-Fi at your office, seriously consider whether the access is necessary. If you must have wireless networking, take steps to secure the network. Use strong encryption, such as WPA2, which is easier to use and more effective than WEP, which can be broken in less than five minutes. Always change router passwords from their default values.

Protect your office network by placing a firewall between your broadband modem and the rest of your network. Firewalls with advanced features such as a built-in VPN, stateful packet inspection (SPI) and a wireless access point can be purchased for less than $150. Each computer should have a fully patched operating system running up-to-date anti-malware applications, including anti-virus and anti-spyware components.

Incident Response
Using a cleaning tool or recovering data from a backup can resolve malware infections. More serious intrusions may require additional action, such as involving law enforcement. Signs of intrusion may be obvious, such as the all-too-familiar wave of advertisements or your anti-virus software alerting you to an infection. More serious intrusions may reveal themselves through an increased number of identity theft reports from employees, or through customers alerting you that they have received spam from your company.

If you believe that you have suffered a serious breach of security, contact a certified information security professional to assess the situation. If sensitive information has been compromised, contact those who may be affected so they can protect themselves by closely monitoring their accounts and credit reports.

The next few years will bring clarity to the laws surrounding information security breaches. In the meantime, small businesses should make sure they take reasonable steps to protect their data. By limiting the amount of sensitive personal information your business retains, encrypting the information and limiting access to it, the risk of loss through theft can be minimized.

Be aware of the dangers posed by Wi-Fi. Secure office networks and make sure that you have updated anti-malware tools installed. If you are confronted with a situation where you believe that sensitive data may have been compromised, always look to a professional with sufficient credentials, and document the response in the event that law enforcement needs to become involved.

John Benson is a frequent lecturer on topics of technology, security and the law, and currently works as an electronic discovery consultant within the practice support division of Stinson Morrison Hecker LLP. He holds a law degree from the University of Missouri - Kansas City. You can reach him at


® 2006 Kansas City Small Business Monthly, Inc. All rights reserved.