Controlling access to your IT

While unauthorized users must be prevented from using your equipment and gaining access to your information, controlling which data authorized users can access is also advised. According to the 2014 information security breaches survey, commissioned by the Department for Business, Innovation and Skills, most small-business security breaches were caused by failure to control access.

For example, an employee who is thinking of leaving your business may seek out commercially sensitive information about your customers and suppliers to take with them to a role with another employer. Or a dishonest employee may alter computer records to assist in fraud (or just for purely malicious reasons).

Identity and authentication

Before being able to use your business systems, legitimate users should be required to identify themselves (identification) and provide confirmation of that identity (authentication).

You also need to physically secure your equipment, of course, not only to guard against theft, but also more sophisticated threats such as the installation of ‘keyboard loggers’ and ‘screen scrapers’.

The traditional method of identification and authentication is by using a log on process that verifies a password against a username. The username selects which user account the user will connect to. The password should be known only to that person, which provides access control by verifying something that only that individual user should know (ie the password).

Stay secure

Passwords need to be changed regularly. Make sure that they are not easily guessable or so short they can be found by exhaustive search. Make sure that administrative accounts are not left with their initial default passwords set by the manufacturer. Whenever possible, remove or disable unnecessary accounts. Likewise unnecessary software. Do not give ordinary users unnecessary access to privileged system functions and other powerful programs.

Strong authentication

Stronger authentication tests are now common and you might be familiar with the passcode generators banks issue for internet banking. Businesses can now buy similar devices. Double-checking, such as verifying something you have as well as something you know, is called two-factor authentication.

Protecting your servers

Many small and medium-sized enterprises use data servers. They make sharing information easier, but they also increase the risk of paying a high price for a single failure of access control, whether accidental or deliberate. Information held on servers needs to be duplicated and stored elsewhere as part of a business’s backup and restore strategy.