I am researching the internet but I wanted to pose my questions here as well.
I work for a very small company (4 of us). All of our computers are networked. I need to secure the network.
1. Is there a better way to secure individual computers and the hard drives so if they are stolen, the information could not be accessed? Right now we only use the Windows log-on password that activates when the screen saver activates.
2. I want to protect our network from being hacked by outside persons through the internet. Is ZoneAlarm good enough for this?
3. I have a network attached storage that I use to back up our working data every night. How can I secure those hard drives if the network attached storage is stolen? Would it be better to pay for on-line storage to back up our files?
4. Do you have any suggestions for email security? We send medical records and such by email.
It's not like we have data that people actually want to steal. It's more that we don't want our data out there for all to see if the computers are stolen.
Thanks.
If you're handling medical records, HIPAA compliance needs to be part of your considerations and that's going to include a lot of security requirements. Talk to people in your line of work, or a trade organization if you have one, and know your exposure to HIPAA. If something bad happens with records in your possession, you don't want it to be because you were out of compliance.
A security evaluation isn't one-dimensional. It isn't just about stopping someone from hacking into your network or breaking in and stealing your computers. What you do to protect against that is going to have an effect on recovering from something like a drive failure and how easy it is for your staff to do its work. Everything is a trade-off and you have to find the best balance for your needs.
That's why I'm inclined to not recommend encrypting everything. As protection against physical theft, encryption is only as strong as your user password policy. Encryption is great for protecting data being sent across a public network or files that are stored on a server that multiple users can access. But it comes with some big drawbacks. Backing up encrypted files takes a lot longer than regular files, and the encryption process increases the chance of a file being corrupted as it's being backed up. It also creates an exposure to internal sabotage. If a user changes the password for an encrypted file and quits, you're probably going to lose that data. There are ways to reset the password in Windows, or if you have an administrator account set up you can get to any file on the system. You can't do that with encryption programs.
With four users I'm guessing that you're on a workgroup and not a domain. I'd recommend setting up the administrator account on all of the workstations if you haven't done that already, and enforcing a strong password policy. No words that are in the dictionary, require at least one capital letter and number or character, and do not allow anyone to keep their password written down. Explain that it doesn't have to be random, something like "S@ints123" will work fine. If you are on a domain you can enforce it through the user account and security settings, but make sure the passwords for the local machine meet the same requirements. (On XP, you'll want to turn off simple file sharing, too: http://support.microsoft.com/default.aspx?scid=kb;EN-US;307874)
About your NAS, the ones I've worked with offer password protection for the admin and users to access files. If you want to use encryption at this level, make sure you test the backups regularly. Off-site backups are a great idea, but if you have a lot of files, online services can get expensive in a hurry. A lot of our clients have two NAS drives that they swap out every day, and the drive not in use that day is kept out of the building.
On network security, I think you're looking at it through the wrong end of the telescope. Zone Alarm is fine for stopping external threats. But the much bigger threats are malware and viruses that users unknowingly install on their machines, and these programs then send information out in a way that's likely to go unnoticed by any firewall program. You have to address this threat from a number of angles. Workstations have to have good antivirus/antimalware programs and they need to be kept up to date, and users have to be educated about the potential damage they can cause by installing software on their computer.
About email, most POP3 and Exchange providers encrypt all messages. If yours doesn't, go to someone who does. We use AppRiver for our clients and have been very happy with their service.
HTH
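Editor's added example (not code from either poster): a checker for the password rules the answer spells out, so you can see exactly which candidates it accepts and why. The rules as stated are: no dictionary words, at least one capital letter, and at least one digit or special character. The minimum length of 8 and the tiny word list are assumptions for the demo; a real deployment would load a full dictionary file and pick the length that fits your policy.

```python
"""Check a password against the workgroup policy described in the answer.

Rules implemented (from the answer): no dictionary words, at least one
capital letter, and at least one digit or special character.
Assumed for this example: a minimum length of 8 and a small built-in
word list instead of a real dictionary file.
"""
from __future__ import annotations

import re

# Constructed mini word list for the demo; load a real dictionary in practice.
DICTIONARY = {"saints", "password", "summer", "welcome", "medical", "office"}

MIN_LENGTH = 8  # assumed; the answer does not state a minimum length


def violations(password: str, dictionary=DICTIONARY, min_length: int = MIN_LENGTH) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: list[str] = []

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")

    has_digit = re.search(r"[0-9]", password) is not None
    has_symbol = re.search(r"[^A-Za-z0-9]", password) is not None
    if not (has_digit or has_symbol):
        problems.append("no digit or special character")

    # Dictionary check is case-insensitive and looks for the word anywhere in
    # the password, so "Saints123" is rejected while "S@ints123" is not
    # (the "@" breaks up the word, which is exactly the answer's example).
    lowered = password.lower()
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    return problems


def is_acceptable(password: str) -> bool:
    """True if the password meets every rule above."""
    return not violations(password)


if __name__ == "__main__":
    for candidate in ["S@ints123", "Saints123", "password1", "Abc123", "Summer2024"]:
        print(f"{candidate!r}: {violations(candidate) or 'OK'}")
```

The substring check is deliberately simple: it is the rule the answer describes, nothing more. If you later decide to also catch letter-for-symbol substitutions, that goes in the dictionary normalisation step, not in the regexes.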
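Editor's added example (not code from either poster) for the "test the backups regularly" advice about the NAS: a script that hashes every file under the working directory and compares it with the copy on the backup, reporting files that are missing, changed in transit, or present only on the backup. The directory layout and file contents below are constructed for the demo. If the NAS holds the files encrypted, run this against a restored, decrypted copy, since that restore is the thing you actually need to work.

```python
"""Verify that a backup matches its source, file by file.

Added example. Hashes every regular file under the source tree and the
backup tree with SHA-256 and reports the differences. The demo() scenario
is constructed in a temporary directory so the script runs offline.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map of relative path (with forward slashes) -> SHA-256 for every file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path) -> dict[str, list[str]]:
    """Compare source and backup manifests.

    missing:   in the source but not in the backup (backup job skipped it)
    corrupted: in both, but the bytes differ (bad copy, bit rot, tampering)
    extra:     only in the backup (stale file; harmless, but worth knowing)
    """
    src, bak = manifest(source), manifest(backup)
    return {
        "missing": sorted(k for k in src if k not in bak),
        "corrupted": sorted(k for k in src if k in bak and src[k] != bak[k]),
        "extra": sorted(k for k in bak if k not in src),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one good file, one damaged copy, one missing, one stale."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "working"
        backup = Path(tmp) / "nas"
        (source / "records").mkdir(parents=True)
        (source / "records" / "a.txt").write_bytes(b"record A")
        (source / "records" / "b.txt").write_bytes(b"record B")
        (source / "notes.txt").write_bytes(b"notes")
        shutil.copytree(source, backup)
        # Simulate what a restore test is meant to catch.
        (backup / "records" / "b.txt").write_bytes(b"record B (damaged copy)")
        (backup / "notes.txt").unlink()
        (backup / "stale.txt").write_bytes(b"old")
        return verify_backup(source, backup)


if __name__ == "__main__":
    # Real use: verify_backup(Path(r"C:\work"), Path(r"\\nas\backup\work"))
    print(demo())
```

Run it from a scheduled task after each nightly backup and treat any non-empty "missing" or "corrupted" list as a failed backup, not a warning.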