Editor’s note: One-third of all data breaches occur in small businesses: the following piece provides excellent tips for protecting your small business. It was written by freelancer Jason Turbow for BizWise, the monthly Cisco newsletter for business owners.
In January, a credit card payment-processing company found malicious software on its network. It had compromised the private customer information held by more than 200 financial institutions. A month before that, a U.S. payment processor suffered cyber attacks on its ATM records that affected 1.1 million people and resulted in $9 million in customer losses. A cyber-crime battle has broken out across business networks nationwide, and it’s not just enterprises in the line of fire. A study by Verizon Communications released in April found that one third of all 2008 data breaches came at the expense of businesses with 100 employees or fewer. The scale of these breaches might not compare with those at their enterprise counterparts, but for small businesses, the sting of malware, botnets and Trojan horses can be just as sharp.
“A small business’ attention to customers has to remain paramount,” says John N. Stewart, vice president and chief security officer at Cisco. “Security aimed at protecting your customers’ information – as well as your own – must be an integral part of how you operate.”
Even as threats grow more exotic, small business owners can take some basic steps to reduce the risk of falling victim.
Step 1: Treat Your Business Like a Business
For many small businesses without dedicated IT personnel, the answer to technological needs is often a trip to the local retail store for an easily deployed piece of hardware. This saves on installation hassles, but it can also open up sensitive information to outside intruders. As a whole, built-in security features on devices designed for home use don’t come close to those made for even the smallest businesses.
“You can still walk into many small businesses and see an entry-level device that’s fine for a home, but totally insufficient for a business entity,” says Ryan Halper, president of Cynnex Networks, a technology-support company in Seattle. “You need to go one step beyond that if you have any type of business-critical, sensitive information to protect.”
Even business-class hardware that doesn’t provide security as a primary function – routers, for example – can provide important layers of protection when it comes to securing a network.
Step 2: Protect the Perimeter
An effective firewall essentially serves as a virtual barrier between your network and the outside world. “Firewall protection should be obvious, but with many of our small business customers we see less than what we consider to be minimum perimeter security,” says Cynnex’s Halper.
Even entry-level business-class firewalls provide essential security features such as packet inspection (to verify every piece of data that passes through them) and intrusion protection. Firewalls can also function on a “white-list” basis, allowing nothing but data from approved domains to enter the network. This is especially important when it comes to the subset of malware-infected sites and e-mail attempting to pass itself off as having come from a legitimate organization. “It doesn’t matter what it looks like, it matters what it is,” says Stewart, the Cisco chief security officer.
Step 3: Stay Updated
The people who create malware are both smart and relentless. Should new security technology effectively block their efforts, they simply adjust their tactics until they’re able to avoid the existing traps. For an example, look no farther than spam. Just a couple of years ago, junk e-mail was among the top security issues facing business networks, until a spate of anti-spam vendors stepped in and eradicated much of the risk. Problem solved? Not quite. Spammers got more creative, and soon the anti-spam contingent was once again scrambling to keep up.
“I just need to look at my in-box for confirmation of this,” says Charles Kolodgy, research director of security products for market research and analysis firm IDC. “I’ll get a lot of items that should have been filtered, then three to five days later, my e-mail will go back to normal as the anti-spam programs figure out what this spam is doing and either block or quarantine it.”
“If the company whose security measure you’re using says there is a new version, you have to get it, evaluate it, and ideally, deploy it,” says Stewart. “You absolutely have to keep your security posture current.”
Step 4: Pay Attention
Botnets – collections of malware-infected machines that can be unwittingly controlled by a third party for nefarious activities such as mass spamming – are especially dangerous because there’s often little tactile evidence they’re even present. The best botnets work in the background, offering slightly slower processor speed as the primary clue to their activity.
“You really have to look at your logs, which is something small businesses aren’t usually doing,” says Kolodgy. “See what communications are going on. Look at network traffic going to strange IP addresses at various times during the day – places that a business might have no reason to contact, like Russia or China.”
Numerous security companies have placed defense against botnets among their priorities, making updated anti-virus subscriptions and software patches all the more vital.
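The log review described in Step 4, as an added example that is not part of the original article: a short Python script that reads outbound firewall log lines, skips approved destinations, and reports which internal machines contact unfamiliar addresses and how often outside business hours. The log format, address ranges, business hours and threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; the format is an assumption, not a vendor's.
SAMPLE_LOG = """\
2009-05-12T09:15:02 ALLOW OUT src=192.168.1.10 dst=198.51.100.25 dport=443
2009-05-12T10:02:41 ALLOW OUT src=192.168.1.23 dst=198.51.100.80 dport=25
2009-05-12T02:14:07 ALLOW OUT src=192.168.1.23 dst=203.0.113.45 dport=6667
2009-05-12T02:44:09 ALLOW OUT src=192.168.1.23 dst=203.0.113.45 dport=6667
2009-05-12T03:14:11 ALLOW OUT src=192.168.1.23 dst=203.0.113.45 dport=6667
2009-05-12T14:30:00 ALLOW OUT src=192.168.1.10 dst=192.0.2.7 dport=80
"""

# Assumed: networks the business knowingly talks to (mail host, bank, vendors).
APPROVED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 local time
LINE_RE = re.compile(r"^(\S+) ALLOW OUT src=(\S+) dst=(\S+) dport=(\d+)$")

def review_outbound(log_text, min_hits=3):
    """Group outbound flows to unapproved destinations and rank them."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not allowed outbound connections
        ts, src, dst, port = m.groups()
        try:
            addr = ipaddress.ip_address(dst)
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # malformed address or timestamp
        if any(addr in net for net in APPROVED_NETS):
            continue
        flows[(src, dst, int(port))].append(when)
    findings = []
    for (src, dst, port), times in sorted(flows.items()):
        off = sum(1 for t in times if t.hour not in BUSINESS_HOURS)
        findings.append({"src": src, "dst": dst, "port": port,
                         "hits": len(times), "off_hours": off,
                         # repeated contact while the office is closed
                         "review_first": off >= min_hits})
    return findings

if __name__ == "__main__":
    for f in review_outbound(SAMPLE_LOG):
        print(f)
```

A machine marked `review_first` has contacted the same unfamiliar address repeatedly while nobody was at work, which is the pattern worth checking before one-off daytime connections.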
Step 5: Protect Yourself from the Inside
In January, a study from Purdue’s Krannert School of Management quoted 46 percent of the American companies it surveyed saying that “laid-off employees are the biggest threat caused by the economic downturn.” A prime example of this happened last year when Terry Childs, a disgruntled network administrator for the city of San Francisco, sat in jail for five days while refusing to divulge the passwords he used to effectively lock the government out of its own municipal data. Most small businesses don’t have an employee with the same combination of know-how and ill intentions, but that hardly grants them immunity from the problem. Cynnex’s Halper recommends that companies employ a containment strategy, allowing employees to access only the portions of the network necessary to their duties. Similarly, network privileges can limit the types of tasks that can be executed from a given workstation, eliminating many options for those who seek to do something outside the scope of their regular job duties.
But it isn’t just disgruntled employees who may create security breaches; employees who don’t know how to properly protect assets can also pose a risk.
“The blending of work vs. home and public vs. private means that data can be accessed, transmitted, stored and stolen from anywhere at any time,” said Stewart. “As a result, the approach to data protection must change.”
That means businesses must foster a security-aware culture in which protecting data is a normal and natural part of every employee’s job, providing the tools and education that employees need to keep their businesses secure.
“Everyone in the company has to understand why they’re protecting what they’re protecting,” says Stewart. “It’s one thing to tell everyone to lock the door on the way out, but they really have to understand why they’re locking the door. They need to know that if we lose this data, it’s business-impacting and possibly business-threatening. We must understand that we’re not just protecting our customers – we’re protecting ourselves.”
About the Author: Jess Wells, Editorial Director of Cisco’s Innovators Forum, and her team of guest bloggers interview experts, entrepreneurs and authors on how to run a small business better. To learn more about small business best practices and the technologies behind them, visit www.CiscoInnovators.com.