Who Has the Keys to Your Small Business?


Your business is only as good as your employees, and it turns out your data may be unsafe in the hands of disgruntled ones.

In light of the recent data breaches at major companies, the Federal Bureau of Investigation recently issued an alert, warning businesses that hostile current and former employees are using cloud services and other Internet tools to wreak havoc on company networks. The Feds are investigating “several” situations where people used their access to destroy data, steal proprietary software, secure customer information, make unauthorized purchases and use it for professional gain.

You may think your business is too small for this to happen to you, but no company is immune. The difference is that when it happens to a small business, the harm will be far greater than it would be for a deep-pocketed company.

“It’s a very serious problem,” says Jason Glassberg, co-founder of Casaba, a security company. “In a lot of cases the data theft, destruction and mayhem is an inside job.”

Blame it on an ineptitude for technology, or a lack of interest in that piece of the business, but either way many small business owners are leaving their networks wide open for employees to access. Not only does that increase the likelihood of getting infected with malware or spyware, it makes it way too easy for current or former employees to cause trouble.

The first step in preventing anything from going awry is limiting employee access to the network based on job function.

“There’s no reason why a guy in sales should have access to anything that has to do with HR. Just like a guy in engineering doesn’t need to have access to anything that has to do with tax and planning or accounts payable,” says Glassberg.

Monitoring your employees’ Internet usage is the last thing you want to do, which is another reason why limiting access to the network is important. Without it, employees have free rein to install potentially malicious apps. You also want to know which cloud-based applications employees have access to and keep a close eye on them. Glassberg says, for instance, you can allow connection to an online storage service, but only under very specific conditions.

“You need to understand that the people you entrust with your systems, both users and administrators, really do hold the keys to the kingdom in terms of data and connectivity,” he says.

A layoff or termination can turn a good employee into a bitter one. That is why having a termination policy on the books is just as important as limiting access to the network. Not taking immediate steps to disable access puts you and your business in a very vulnerable position.

“When someone is terminated you want to remove access to the server, you want to make sure email is closed down and the account is deactivated,” says Glassberg. “All of those things should happen as part of the terminations process.”

Marc Malizia, chief technology officer at RKON Technologies, says an easy way to quickly disable a fired worker’s access is to use a provisioning system. The system lets IT or HR terminate all system and network access in one click, he says. The defense doesn’t stop there. If possible, IT should pay attention to server error logs following a termination. The idea is to look out for any malicious activity.

“This could show up as a large number of incorrect password attempts for an account, or attempted login to remote access systems using the terminated user’s account,” says Malizia. Having employees change their passwords can also be an effective defense. By changing them every 90 to 180 days you’ll shorten the window former employees have to access the network.
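The two log signals described above can be checked with a short script. This is an added example, not part of the original article; the log format, account names, service names and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: account names, log format and thresholds are assumptions.
TERMINATED = {"jdoe": datetime(2024, 5, 1, 17, 0)}  # account -> time access was disabled
REMOTE_SERVICES = {"vpn", "rdp", "webmail"}         # remote access systems to watch
FAIL_THRESHOLD = 5                                  # this many failures ...
FAIL_WINDOW = timedelta(minutes=10)                 # ... inside this window is a burst

SAMPLE_LOG = """\
2024-05-01T09:02:11 vpn LOGIN_OK user=jdoe src=198.51.100.7
2024-05-01T21:40:03 vpn LOGIN_FAIL user=jdoe src=203.0.113.5
2024-05-02T08:15:00 fileserver LOGIN_OK user=asmith src=10.0.0.12
2024-05-02T23:00:01 webmail LOGIN_FAIL user=asmith src=203.0.113.9
2024-05-02T23:00:30 webmail LOGIN_FAIL user=asmith src=203.0.113.9
2024-05-02T23:01:02 webmail LOGIN_FAIL user=asmith src=203.0.113.9
2024-05-02T23:01:40 webmail LOGIN_FAIL user=asmith src=203.0.113.9
2024-05-02T23:02:15 webmail LOGIN_FAIL user=asmith src=203.0.113.9
2024-05-03T02:11:45 rdp LOGIN_FAIL user=jdoe src=203.0.113.5
"""

def parse(line):
    """Split one constructed-format line into (time, service, event, user, source)."""
    ts, service, event, user, src = line.split()
    return (datetime.fromisoformat(ts), service, event,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect(log_text):
    """Return alerts for terminated-account logins and failed-password bursts."""
    alerts, fails, reported = [], defaultdict(list), set()
    for line in log_text.splitlines():
        try:
            ts, service, event, user, src = parse(line)
        except (ValueError, IndexError):
            continue  # skip blank or malformed lines
        cutoff = TERMINATED.get(user)
        # Any attempt, successful or not, on a disabled account is worth a look.
        if cutoff and ts >= cutoff and service in REMOTE_SERVICES:
            alerts.append(("terminated_account_login", user, service, src, ts))
        if event == "LOGIN_FAIL":
            # Keep only failures still inside the sliding window.
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) >= FAIL_THRESHOLD and user not in reported:
                reported.add(user)  # one burst alert per account
                alerts.append(("failed_password_burst", user, service, src, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The termination list would normally come from the HR or provisioning system rather than a hard-coded dictionary, and a successful login on a disabled account means the deactivation itself did not take effect.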

Your IT staff aren’t the only ones who can cause damage on your network, but because of their importance to the business you want to make sure you are hiring top-notch professionals. Joe Loomis, chief executive of security company CyberSponse, says running background checks and actually checking references are key. Potential employees’ social media and Internet presence should also be considered.

“Don’t just believe what people write on their resume,” says Loomis.