No one likes to be hated, but if you're running a small business, sometimes you've got to take security measures that will make your employees really angry. You might even have to (gasp) pull some PCs off the Internet, and treat some employees like, well, children.
No matter how hard you work, no matter how many security programs you install, the biggest threat doesn't come from outside the firewall. And it isn't from unpatched software and it doesn't come from buffer overflows, etc. Your own users are your biggest, albeit unwitting, enemy.
"If all software had 0 exploits, it wouldn't drastically change the amount of successful hacking," says security Roger Grimes, a security pro and columnist. It's because the bad guys have elevated social engineering, the hack that takes advantage of a user's greed, lust or simply naivety, to open the gates to malware.
[Antivirus software and a firewall alone can't guarantee your safety. Here's how to foil the latest crop of sneaky attacks and nefarious attempts to steal your data.]
Grimes may be overstating the case a bit. Software exploits are serious and ever present.
But the modern hacker who wants to gain access to data that can be sold, knows that users can be tricked onto sites that are seeded with malware, says David Perry, global director of education for Trend Micro, whose global array of sensors (and information exchanges with other security vendors and customers) now detects an astonishing 100,000 samples of new malware a day.
And don't think that all sites infected with malware are XXX rated. By the beginning of 2009, the majority of poisoned sites were mainstream. In a typical attack, users of FoxNews.com were told they needed to install a new codec to watch clips on the site. Once installed, the "codec" was a malicious piece of code undetected by most defenses, Grimes recounts.
What you can do to secure your network
Perry suggests some distinctly unpleasant remedies for the small business.
The most draconian applies to computers that hold customer data, particularly credit card information. "If possible, take them off the Web," he says. Files don't have to be e-mailed internally. Assuming you've got a network, simply drag files from one directory to another without a browser.
Without being patronizing, employees need to be treated with some of the same concerns you might have for your children. You know the drill; tell them going to porn and gambling sites and so on will get them in serious trouble. Since they are adults, you might set up a PC in the break room that has Web access but is not on your network. They may waste time on it, but it won't endanger your firm's security.
You've got to be in control of your network. Trend Micro's Internet Security Package, for example, let's you set security policies for every computer on your network with a simple stratagem: Install the product on PCs that need to be protected and when the program asks for a password, give each PC the same one. (To be clear, we don't mean a network password, but a password to the security program.)
When that's accomplished, one person can block sites and set security policies for all PCs running the program. And if your employees don't know the password -- and they shouldn't -- they can't change the policies.
Your employees may get angry, but your business will be a lot safer. And that's a worthwhile tradeoff.
San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at firstname.lastname@example.org.