Below are my personal recommendations that I feel all Small Businesses and Non-Profit organizations should use to help maximize their company security.
There are news stories that come out almost everyday in the tech news world about small businesses or non-profit organizations like Churches or fundraising foundations being hacked or taken advantage of my malicious software entering their internal networking system. Many of these intrusions could have been easily prevented by utilizing the methods explained below.
I will start by showing a generic small business network diagram that I will explain and refer to throughout this discussion. If you are a small business owner or a non-profit organization leader you should know the basic layout of you network. If you don’t, you should ask your IT professional/representative to answer any questions or give you a network diagram similar to the one I have made below.
As always post your questions or comments here. I would like to hear from you and what you would like me to write about next.
(Click to see the full image)
The first thing to note is the type of internet connection your company is using. Depending on the size it may be just a cable modem or router like you have at home, or it could be fractional or full T1. If you have T1 at your company you will see a big box with tons of wires everywhere. In some cases you may have built-in firewall features with T1 (not confirmed).
Next up is your firewall. Every network whether it’s at home, a business, or a restaurant it should have a firewall in place. If you are not able to have a firewall installed for some reason then at the very least you should have a router with the built-in firewall setting enabled. These days there is never a reason not to have a router or firewall in place and as always, you should consult your IT professional to make sure that you are properly protected.
Customer Wireless Access
To the right is a wireless access point (wireless router). If your company offers free wireless access to your customers like many coffee shops etc. then the placement and connection configuration of this is very important. The wireless router should have an Ethernet (CAT5) cable to the input (uplink) port only and never have any work computers plugged in to other ports or connected to the public wireless access point. The input cable to the router should also be straight from your firewall as in the diagram. This is crucial because in this setup, nothing can intrude your work network from a wireless connection. If your router was placed on a switch with the back-end server for example then your entire system is vulnerable. Another thing to consider when offering you customers wireless access is to use a web authentication form since there are no authentication procedures in place. If you have used the internet at a coffee shop such as Panera Bread for example you will have noticed that you have to accept an agreement in you web browser before you are connected to the internet. This can help reduce the amount of rogue devices trying to connect you the public wi-fi. This type of service is available in most firewalls, especially for businesses. If you cannot setup a web authentication method and you have work related computers that you want to be able to connect via wi-fi you can tackle both of these at the same time. Almost every wireless router now allows you to set up two wireless connections with the same router. This means that you can set up an open network for your customers and setup a WPA2 secured connection for your work computers. With this configuration you can securely connect your computer to the internet while being completely isolated from any customer computer or rogue devices that they may bring in.
Next is the Backend Server and the Network Attached Storage. I will cover the NAS when I cover my personal file backup recommendations. The backend server is what your company’s Point of Sale software runs on and speaks to for transactions. There are many different types of Point of Sale software but they are all pretty similar. I am going to use FuturePOS for this example since that is what I am most familiar with. FPOS requires that you install the software on a computer that will act as the “Server” for the whole company. The “Server” is what I would consider a pseudo server because its sole function is not dedicated to FPOS. You can also use the computer as normal but I highly recommend that you do not. The FPOS should ideally never be used for anything other than FPOS functions. There are two reasons for this. First, if your main server is running any kind of Point of Sale functions, then it is logging sensitive financial information. This means that if you are checking some business emails or surfing the web for client information, etc. then you are directly threatening your main server and all of its financial information. This exact scenario happens to companies all the time and it is easily prevented by having a dedicated computer for administrative office work only. Second reason is that if you are using your server to surf the web or other daily business activities, it will inherently slow you whole network down. Every time an employee makes a sale at the register, their terminal needs to communicate with the server to compete the transaction. So if you have multiple front end stations you can have a lot of data traveling through the server. Then if you add email clients, web surfing, word processing and so on you have a serious bottleneck o your hands which leads to system instability and finally crashes. You should also consult with your IT professional about the best antivirus and firewall solutions for the server.
Dedicated Administrative Workstation
Next up is the dedicated administrative computer. Many restaurants and non-profit organizations have only a single office for administrators to conduct their work. Since this is the case you can often get away with a single workstation. This is where the temptation comes in to save some money and use the server as your workstation. If you have a separate workstation then you can get your work done much faster since you are not trying to do tedious tasks on a busy server.
Video Surveillance System
Next up is the Video Surveillance System. In my opinion, anywhere that has any sort of financial transactions regardless of the amounts should have a video surveillance system in place. In many cases this is your sole means of making a case for the police and can protect (or harm) you in a legal suite against you or your company. If you are a non-profit organization or a company with a small budget you can set up a video surveillance system on your own with an old computer. The only requirements are that it runs and has a USB port available to a cheap web cam. For more sophisticated systems with multiple cameras you have more options. For example if your company is running POS then you can have your VSS linked with the POS server so that text is displayed at each transaction. You can have it give the time and the amount the transaction should be. This is obviously split into sectors matching a camera with a cash register. This makes it easier to fast forward through old data to find the time in question. Another thing to consider is how much surveillance data to keep. Most people recommend at least a week’s worth before the data is overwritten. I however recommend at least a month if possible. This gives you ample time for any incidences to be reported to you or your staff.
Next up is front-end cash registers or employee workstations. These stations should never be used for anything other than specific work duties. You should have a policy in place that restricts the use of any electronic devices from being connect to these stations. If this is permitted then it is just a disaster waiting to happen. People unknowingly carry malware on their mp3 players all the time and if an employee plugs one in to charge then your whole network can be in danger.This policy is crucial because the front end stations have direct access to the server and are configured to bypass any firewall rules in place.
Network Attached Storage (NAS) and Backing up Data
Lastly I’m going back to the network attached storage. Network attached storage can be configured to automatically backup selected data on a predefined interval over your network in place. In my opinion, any place of business or anyone that has important data that they cannot afford to have lost should follow these backup rules. First is to store a local copy of the data on the device that uses it most often. Then use a network attached storage device or an external hard drive to back up the data. This backup is useful for when a hard drive fails or you are forced to restore the system to a previous state in which you may lose valuable data. This method will not help you if your business catches on fire or floods for example. This is why a third copy of the data should be stored off site and in a secure location. Options for this are online backup storage like Dropbox, or Carbonite. Another option is to use an external hard drive and store it in a safe deposit box at a local bank. If the drives are stored in a close location then it makes it easier to do frequent backups. In some cases the quickest solution is online storage, but you have to be careful of what you are backing up. If the data is sensitive then it should be encrypted with a powerful encryption program such as Truecrypt before it is uploaded. The last thing about file storage is about the server setup. Yous may ask, well why not just use online backup instead of both NAS and online? Well, the unfortunate truth is that online backup servers can go down at any time and usually happens when you need the data most. If possible you should have your server setup with the hard drive in a RAID 1 formation. This is a data redundancy feature which means that you will have your server running on two hard drive instead of one and all of the data is mirrored. This way if you have a hard drive failure (which can happen often in servers) all you have to do is put a new drive in of the same type and the system will automatically restore itself.
Hope you learned something new. As always post your questions or comments here. I would like to hear from you and what you would like me to write about next.