What to do with your secret sauce?
Hide it! Yes, not all data was created equal, and certain data was meant for certain eyes: from making sure employees cannot read each other's e-mail to hiding the grandma's recipe that your empire is built upon.
The 12 Secrets of SMB Security
Secret #10: Limit Access to Sensitive and Confidential Data
Cost: Moderate to High depending on the options selected
Technology skill level: Moderate to High
Participants: Technical support
If everyone could be trusted there would be no need for security measures anywhere. It is from this lack of trust that the need for security and control mechanisms arises. E-mails should only be viewed by those to whom they are sent. Data files should only be accessed by individuals who have permission to view them. If the data is stored in files, folders, and databases within your network, you can control who can see and use the contents with an access control list, or ACL. An ACL is a list of entries stating which users or groups may perform which actions on a file or folder, such as reading, writing, or deleting; anyone not named on the list is denied. When access to information cannot be tightly controlled, such as e-mail or a credit card transaction over the Internet, the information can be concealed through a mathematical process called encryption. Encryption transforms information from one form (readable text) to another (encrypted or scrambled text) using a key, and without the decryption key the encrypted text cannot be understood. The method itself (the algorithm) is public and well studied; what must stay secret is the key, and the key must be long enough that an attacker with modern computing power cannot simply try every possibility. A scheme whose safety depends on keeping the algorithm secret should not be trusted.
There is a wide range of people who work in an organization: full-time and part-time employees, temporary staff, contractors, and vendors. All of them will have legitimate access to your network but should not have unrestricted access to every piece of information on it. Once a person is on your network, he may be able to intercept communication passing among its devices and to view, modify or destroy the contents, especially where that traffic is not encrypted. Some employees may harbor a grudge against the company, and they too have legitimate access. They can run programs that search your network communications for credit card numbers, social security numbers, and financial information for criminal purposes, or search for passwords to databases, applications and other networks to expand their access. These are the dangers you need to safeguard against.
A few steps can be taken to achieve this objective. Some important ones are:
- Educate employees to use care in sharing sensitive and confidential information electronically.
- Do not use real customer or financial data when testing new processes or systems; use made-up test data instead.
- Do not use public computers or Internet café computers to access online financial services accounts. Do not make any financial transactions from these places. Use a secure computer to do that.
- Do not disclose personal, financial, or credit card information to any website you do not know enough about or have reason to distrust.
Additional Steps
Ensure that your browser supports strong encryption (at least 128-bit keys; 256-bit where available) and that it verifies the certificate of every site it connects to. Get technical assistance to turn encryption on automatically. Where possible, encrypt all electronic communication that leaves your network, and notify the sender when information cannot be sent encrypted.
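The page speaks of the browser, but the same floor (TLS 1.2 or newer, certificates verified, suites of at least 128 bits with forward secrecy) applies to any client program your staff or systems run. The following is an added example written for this page, not CopiaTECH's code: it builds a hardened client configuration with Python's standard `ssl` module and audits any context against that floor. The lax context is constructed only to show what the audit catches; the suite string and the 128-bit threshold are this example's choices.

```python
import ssl


def hardened_client_context():
    """Client TLS settings matching the page's advice: TLS 1.2+, server certificate
    and hostname verified, and only AEAD suites with ephemeral (ECDHE) key exchange."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Suite string chosen for this example; TLS 1.3 suites are governed separately
    # by OpenSSL and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def lax_client_context():
    """The 'before' configuration: certificate checks switched off. Built here only so
    the audit has something to flag; never deploy it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weak_suites(ctx, min_bits=128):
    """Names of enabled suites below the key-size floor or using static RSA key
    exchange (no forward secrecy, so a stolen server key decrypts old captures)."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < min_bits or c["kea"] == "kx-rsa"]


def audit(ctx, min_bits=128):
    """Return a list of findings; an empty list means the context meets the floor."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS older than 1.2")
    findings.extend("weak suite: " + name for name in weak_suites(ctx, min_bits))
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()) or "OK")
    print("lax:", audit(lax_client_context()))
```

`get_ciphers()` reports the suites the context would actually offer, so the audit reflects the installed OpenSSL, not just the string you asked for; run it on every build you ship, since the available suites differ between platforms.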
Get technical assistance to establish ways to encrypt sensitive and confidential information that is stored on and shared over the network.
Turn off the browser's caching feature so sensitive and confidential information is not stored in unprotected temporary locations.
Establish ACLs for all shared files, folders, and databases so that access is available only to those who have permission. These lists have to be reviewed and updated over time as staff join, change roles, and leave. Further, restrict who can update and delete data and files to a smaller group than those who can read them; this limits the damage any one account can do.
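To make the ACL rules described above concrete (entries naming users or groups, separate read and update/delete rights, deny beating allow, default deny for anyone not listed, and clean-up when staff leave), here is an added example written for this page rather than taken from it or from CopiaTECH. It is a small in-memory model of how file-system ACLs are commonly evaluated, not a wrapper for any real operating system; the share, users, groups and file names are constructed sample data.

```python
from dataclasses import dataclass, field

# The rights the page distinguishes: reading versus the more sensitive update/delete.
READ, WRITE, DELETE = "read", "write", "delete"


@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal (user or group) allowed or denied some rights."""
    principal: str
    rights: frozenset
    allow: bool = True


@dataclass
class Acl:
    """The entries protecting one file or folder."""
    entries: list = field(default_factory=list)

    def allow(self, principal, *rights):
        self.entries.append(Ace(principal, frozenset(rights), True))

    def deny(self, principal, *rights):
        self.entries.append(Ace(principal, frozenset(rights), False))

    def is_allowed(self, principals, right):
        """Default deny; an explicit deny for any of the caller's principals beats any allow."""
        for ace in self.entries:
            if ace.principal in principals and right in ace.rights and not ace.allow:
                return False
        return any(ace.principal in principals and right in ace.rights and ace.allow
                   for ace in self.entries)

    def remove_principal(self, principal):
        self.entries = [ace for ace in self.entries if ace.principal != principal]


class Share:
    """A network share: one ACL per path plus group membership, so that a staff
    change is a single operation instead of a hunt through every folder."""

    def __init__(self):
        self.acls = {}     # path -> Acl
        self.groups = {}   # group name -> set of user names

    def acl(self, path):
        return self.acls.setdefault(path, Acl())

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def principals_of(self, user):
        """A user acts as themselves plus every group they belong to."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def can(self, user, right, path):
        acl = self.acls.get(path)
        return acl is not None and acl.is_allowed(self.principals_of(user), right)

    def offboard(self, user):
        """Staff leaves: drop them from every group and strip their user-specific entries."""
        for members in self.groups.values():
            members.discard(user)
        for acl in self.acls.values():
            acl.remove_principal(user)


def build_sample_share():
    """Constructed sample data, not a real company: a finance folder on a small share."""
    share = Share()
    share.add_member("finance", "alice")
    share.add_member("finance", "bob")
    share.add_member("contractors", "bob")        # bob is a contractor seconded to finance

    payroll = share.acl("finance/payroll.xlsx")
    payroll.allow("finance", READ)                  # the team may read
    payroll.allow("alice", READ, WRITE, DELETE)     # only the owner may change or delete
    payroll.deny("contractors", READ, WRITE, DELETE)  # contractors never see payroll,
    return share                                    # even when they sit in finance


if __name__ == "__main__":
    s = build_sample_share()
    for user in ("alice", "bob", "carol"):
        print(user, [r for r in (READ, WRITE, DELETE) if s.can(user, r, "finance/payroll.xlsx")])
    s.offboard("alice")
    print("alice after offboarding:", s.can("alice", READ, "finance/payroll.xlsx"))
```

Two points carry over to real systems: grant rights to groups and put people in groups, so that leavers are handled by membership rather than by editing every folder, and keep write and delete on a strictly smaller set of principals than read.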
Here is an example of how your employees can use information shared on your network for their personal gain.
Credit Union Employee Gets Private Customer Information and Uses It for Personal Gain
The US Justice Department prosecuted a woman who worked at a Sacramento, California credit union. She used her firm's computer to obtain customer account information, including names, social security and driver's license numbers, and addresses, and used it to open accounts in the names of others and incur unauthorized charges. Some of the credit card accounts were opened over the Internet. After the phony accounts were established, the defendant made numerous purchases totaling well over $50,000.
Thanks so much for taking the time to read Part 12 of 15 in the “The 12 Secrets of SMB Security” series. Please feel free to contact CopiaTECH with any questions about anything you read, or about your small or medium-sized business and cyber security.
Please continue on to Part 13 in the series, “Fail to plan and plan to fail”.