Quest CEO Blog

Thoughts on Technology, Business and the Management of Both.

 

Quest’s 10 ways to boost business IT security in 2012: #9 and #10

by TimBurke
Tuesday, January 31, 2012

For quite some time, small and midsized businesses dared to feel safe from most malicious attacks — thanks to their relative smallness. Over the last couple of years, that’s been changing, because larger firms are tightening defenses and, as I’ve said before, the bad guys exploit opportunity.

 

Which is why shoddy IT security is a wide open opportunity for hackers to rip you off. 

 

So I’m finishing our list with two elements easily overlooked as you face the hassles of keeping up with criminal creativity.

 

#9 Educate your employees about security

 


#7 and #8 of Quest’s 10 ways to boost business IT security in 2012

by TimBurke
Thursday, January 26, 2012

Did I mention that when it comes to IT security and defense in depth, the more layers the better?

 

One of the weakest points in many organizations is #7 on our list:

 

#7 Authenticate

You need to think in terms of both user authentication and information authentication. When it comes to user authentication, before allowing users access to your data, apps, systems, or networks, authenticate them with at least two factors (something they know, something they are, something they have). Also …

  • Make sure passwords are unique. The same password should not be shared among users nor used on different systems.
  • CHANGE DEFAULT CREDENTIALS! When your system/network admins deploy a new system or service, change the password.
  • Consider using an identity/access management system with single sign-on capability to reduce the complexity, risk, and cost of managing employee authentication and access.

 


Quest’s 10 ways to boost business IT security in 2012: #5 and #6

by TimBurke
Tuesday, January 24, 2012

It’s appropriate, I suppose, to think of Quest’s list of 10 ways to boost security as layers: Strategy and guiding principles first, then infrastructure basics you may not have considered much. And now a couple of layers that address some of what are sure to rank among 2012’s imminent threats …

 

#5 Deploy computer security incident response capabilities to better address advanced persistent threats. 

 

Too often, attacks and breaches take weeks, months, and even years to be uncovered.  According to Verizon’s 2011 Data Breach Investigations Report (which includes information from the U.S. Secret Service and the Dutch National High Tech Crime Unit as well as Verizon’s information), 38% of data breaches aren’t discovered for weeks, and 36% aren’t discovered for months.

 


Quest’s 10 ways to boost business IT security in 2012: Here’s #1 and #2

by TimBurke
Tuesday, January 17, 2012

Anyone who visits here to check out my ramblings knows I tend to talk lists. This time I’m beginning a list of 10 ways a business can boost its IT security.

 

#1 Never forget: Your security is only as good as its weakest link, so build your defenses in-depth and ensure someone is watching your security devices and processes.

 

Given enough time and resources, an attacker can breach any defense. But attackers’ time and resources are limited — hence they choose easy targets over tough ones.

 

Your goal is to always be a tough target. Since any single defense has its limits, you want to layer your security and never forget the first rule of defense-in-depth: There is no such thing as total, complete security against threats. Layered security serves to hinder a threat’s progress until either it ceases to threaten or additional resources can be brought to bear. 

 


Where’s your business on the path of least security resistance?

by TimBurke
Thursday, January 12, 2012

Cyber-attacks tend to take the path of least resistance. So what are some of those paths? What vulnerabilities do hackers look for first?

 

According to a survey conducted at the Def Con 18 hackers’ convention, poorly configured networks top hackers’ lists. They like to exploit inadequate security audits and IT staffers who don’t know what to look for when they’re monitoring and testing networks.

 

Hackers also prefer threats that change too fast to be properly addressed. And they look for insiders who can be persuaded — or forced — to aid their attack.

 


Making effective IT security your New Year’s resolution

by TimBurke
Thursday, January 05, 2012

It’s a new year, that moment for both reflection on the year gone by and anticipation of the year just begun. I’m guessing the last thing you want to think about is IT security — but after last year, referred to by some as The Year of the Hack, by others as The Year of the Data Breach, IT security is something you simply can’t afford to ignore.

 



Categories: Cloud Computing | Malware | Managed Services | Security | Vulnerability



2 tricks that can deliver the right service provider treats

by TimBurke
Tuesday, October 25, 2011

It’s a 21st-century truth that even small businesses need complex information technology infrastructures to thrive. Which is why so many enterprises, both large and small, depend on the expertise of independent providers of managed and cloud services.

 

But using managed and cloud services can be risky, too. How reliable is the service? Where’s your data? And what about security?


Dangerously vulnerable: 3 quick (and scary) anecdotes

by TimBurke
Thursday, October 20, 2011

How secure are the data, applications, systems, and networks your business depends on? If you’re like too many of the executives I talk to, you may believe all is well — but only because you haven’t asked the right questions.

 

One executive told me recently, “We’re cool; we haven’t had to touch our firewalls in three years.”

 

Another ticked off all the security products his IT guys have installed — but, it turns out, without ever changing the manufacturers’ default passwords.
