If the phrase computer security was mentioned to you, what would come to mind?

Viruses?

Hackers?

Physical Security?

Users?

Backup?

It may be surprising, but most (if not all) breaches in security arise as a result of user actions.

In my role as an independent computer consultant, I frequently require user names and passwords to access systems. I have lost count of the number of times, I have telephoned a client and asked whichever user for a user name/password combination and been given just that without even basic security (such as a telephone call-back to my published number).

In addition, many passwords are referred to as 'weak', consisting of the name of significant others/children or even as basic as 'password'. For password security, users should be forced to change their passwords at least once per month and each password should be unique. In addition, it is recommended that passwords are at least 5 characters long and contain numbers as well as alphabetic characters. An easy way to prevent 'dictionary' attacks (one of the most common password cracking schemes) is to substitute numbers for letters e.g. 1 for i, 3 for e, 5 for s, 7 for l and 0 for o and adding 3-4 numbers at the end.

Viruses are fairly easy to deal with, assuming fairly simple common-sense rules are applied;

Ensure you have anti-virus software installed, both on servers and workstations (AVG make an excellent package that is free for single machine use).

Do not open unsolicited emails, or emails that contain attachments that are unexpected.

If an email requires you to run a program – ensure you scan this for viruses before executing it.

Educate users to the steps above.

Hackers pose a constant threat to security, but realistically, a small business is unlikely to be targeted for commercial gain. Install a firewall (such as ZoneAlarm), switch off internet routers when not in use, however, again user education is the best step – most hacker attacks succeed due to 'social engineering', where a hacker pretends to be from a support company and elicits passwords from users. Having said this, most hacking attempts arise from within organisations, so ensure that you have robust policies in place with regards to computer usage.

Physical security is another consideration. If your server is located in your main office, what is to stop the cleaner from un-plugging it to plug in the vacuum cleaner? In addition, if you have technically aware users, or visitors ensure that there is no monitor/keyboard attached. I have seen numerous clients where the server is in the main office and administrator password is on a 'post it' note attached to the monitor. At the very least, your server should be in a locked cupboard/closet that provides sufficient ventilation for cooling.

Users have already been partially covered above, but to re-iterate;

Ensure you have a password policy.

Ensure you have an acceptable use policy.

Keep your users happy (most successful attacks on computers originate within the organisation).

Backup is another issue altogether, but you should aim to ensure that you can recover from complete failure/loss of your server/computer system with minimal downtime. There are various options available from on-line storage, through to re-writable DVDs/Tape.