By Harry McCracken | Thursday, August 27, 2009 at 11:36 am
I had a great time conducting a Webinar on small-business security over at Verizon’s Small Business Center last week. If you wanted to attend but missed it, you can check out the one-hour archived version here.
Folks who attended the event asked some smart questions, but time constraints prevented us from responding to all of them. Here are quick answers to a few more of the questions that attendees submitted.
What are your thoughts on Web-based servers such as https: sites vs traditional servers in terms of security? I’d worry less about the fundamental safety of the two approaches and more about the specifics of particular implementations–a Web service provider who does a great job of protecting your data will keep it safer than it would be on a not-very-well-protected traditional server in your company. Of course, there are plenty of horror stories involving companies doing a crummy job of protecting data on the Web. Bottom line: Don’t trust vital data to a Web service provider without asking tough questions about what it does to safeguard data. Also, remember that the fact a service uses https: to log you in doesn’t mean that it’s doing anything to protect your documents once you’re logged in. (Here’s a Google blog post on that issue.)
Is a single firewall sufficient? i.e. Windows, router, virus provider etc? First of all, you definitely shouldn’t run more than one software firewall at a time on a PC; multiple firewalls can conflict with each other. If your router’s the sole source of Internet connectivity for the machines on your network, and it has a solid built-in firewall, and you’ve configured it well, it should be your primary source of protection. It’s a good idea to make sure it’s monitoring outbound communications as well as inbound ones, to defend against malware which sends data from PCs on your network back out over the Internet. And you still might want to run firewalls on local PCs just in case (I do, including on Macs).
Securitywise, what do you think of remote access solutions such as GoToMyPC or LogMeIn? I’ve certainly known IT managers who wince at the very idea of remote control, since it opens up the possibility of users on a network putting their computers on the Internet without permission. Both of the services you mention offer plentiful security features (here’s info on GoToMyPC’s and here are details on LogMeIn’s); I’d fret less about hackers penetrating them and more about staffers getting sloppy with their passwords. And I’d fret less about that than I would about malware that lets hackers install their own pernicious remote-access software on your PCs.
What can we do if we have already blocked Facebook, Twitter, MySpace etc. and employees use backdoor sites that allow them to get through? You can block access to social networks. You can block the anonymous proxies that lets people get to social networks even if you’ve blocked them. But if you’ve got a smart enough geek on your staff, I’m not sure if it’s possible to use technology to absolutely, positively prevent that person from doing stuff on the Web which you don’t want him or her to do. Which is why a significant component of small-business security ultimately boils down to setting policies, making clear what will happen if they’re violated, and finding employees who you can trust.