Data Security 101 For Small Businesses
Finally! A smart, simple, plain English step-by-step guide to securing your personal data against hackers, fires, and other data-eating disasters. Secure your computer now – before the next “Melissa” hits!
[Editor’s Note: This is a very long, but very important article. Some of it (particularly the specific software recommendations) applies only to PCs running windows, but the general principles are just as important if you use Mac (as I do), Linux, or any other operating system.]
Before we get started, I want you to do a short exercise.
Please don’t just read the suggestion and go on. Actually do
Go through your computer and make a list, on paper, of all the
data on your computer systems. List all the Word documents,
databases, spreadsheet files, address books, financial
records, passwords, graphic files, HTML files, cgi scripts,
text files, email accounts and files, dialup account
information, client data, source code, ebooks, faxes, and any
other file that’s of even small significance. Oh… Don’t
forget your client lists.
Then list every piece of software that’s installed on your
system, and its cost.
This is important. Please, make that list before reading
further. Even if you don’t use it for the purposes of this
article, it’s useful for insurance records…
Took a while, didn’t it?
Now imagine that someone, maybe a competitor, maybe a complete
stranger, had copies of every one of those files. Look at your
Is there anything on there you’d rather not have anyone else
get their hands on?
How about if all of your files just went away. (*Poof*)
Gone. No copies anywhere.
How long would it take to reconstruct that data? How much
would it cost? Could you do it at all?
Assuming you could reconstruct the files, what else would you
lose in the time it took to do it?
If you don’t find that thought just a bit troublesome, odds
are you don’t rely on your computer for anything but games. If
that’s the case, quit reading. You don’t really need this
If you have any stake at all in maintaining your privacy or
keeping your files intact, you may be disturbed by how
vulnerable most PCs are. Very likely including your own.
We’re going to show you some ways to drastically reduce your
risk of catastrophic data loss. And to increase the level of
privacy and security of your irreplaceable files.
Please remember that NOTHING can completely protect you from
any of these problems. Odd coincidences and simultaneous
problems can catch even the most cautious of us. By using
these systems, you can cut the risk dramatically.
Also realise that not everyone has need of every type of
protection mentioned here. Consider your own needs and make
the best call for your personal situation.
A couple quick notes:
First, this article doesn’t pretend to be a complete recipe
for security. I haven’t made a ten year survey of all the
software in the industry, and I don’t claim that anything
mentioned here is necessarily the best thing available. But it
will do the job you need done, easily, cheaply, and
This doesn’t even touch on security issues relating to servers
or Unix/Linux/etc systems. There’s much more in-depth info out
there for those folks than I even care to try and create.
Second, I mention a lot of software and web sites. I am not an
affiliate for any of these vendors. I make no money from these
First stop – The Basics.
Save your work regularly. Nothing is quite as annoying as
doing an hours worth of inspired work, being within minutes of
having the project done, and seeing your machine lock up.
In most programs, saving your work takes no more time than
hitting a quick keystroke combination. Even better, set up
your software, if the option is available, to autosave every
three minutes or so.
If you don’t do this now, start. It’s the most basic form of
Also, keep incremental copies of work in progress. Save a
numbered copy for each session you work on. That way, if you
accidentally delete the entire file, you’ve only lost this
session’s work. (It happens…)
When did you last make a backup of your files?
The best protection you can have is frequent, multiple,
verified backups. At least one on-site backup, and one or more
This is Computing 101. You know this stuff. But do you do it?
People lose data all the time. User error, power problems,
viruses, crackers, hardware failure, software failure, and
Brother Murphy can all rear their ugly heads. You knew that.
If you have a local backup, you probably think you’re safe.
Here’s a story with a facet you might not have considered. The
editor of one of the better email newsletters on online
marketing (many of you know him) made regular backups of all
his data. He had the system automated, so he didn’t have to
rely on memory or his schedule.
Then one day there was a small fire in his office. Wiped out
his computer. No one was hurt, but his PC was trashed. Guess
where his backups were stored?
Probably just like yours, they were on the desk. With his
Gone. Including his product files and his subscriber list.
A lot of editors and list owners in the field got together and
helped him to reconstruct his list by mentioning his problem,
and recommending that those who wanted really good information
subscribe (or resubscribe). His list was back to normal fairly
quickly. But his software and other data took a lot of time to
rebuild, and he lost a lot of income and momentum in the
Last I knew, he was out of the business. I don’t know whether
the fire had anything to do with it, but it’s a fact that most
businesses that suffer catastrophic data loss go out of
business in a very short period of time after the incident.
If he had kept off-site backups, he would have lost the cost
of the computer (assuming he had no insurance) and one day of
work restoring the system. No more.
Which boat would you be in?
Okay, some suggestions for backup systems are in order.
If you only have a few hundred megs or less of critical data,
you can easily get away with using Zip disks. Keep one set at
home, and another somewhere else. Perhaps with a relative, or
a neighbor. This is a reliable and inexpensive way to keep
This is a very good way to handle things that can change on a
day to day basis. (Like email or subscriber lists…)
If you go this route, make sure you schedule your backups, and
stick to the schedule. If you have a lousy memory or just tend
to put things off, use one of the free email reminder
http://www.rememberto.com/ allows you to schedule the same
reminder once, and have it delivered as often as you like.
Another option is full system backups. Tape drives with
software that automates the process are fairly inexpensive. I
don’t personally like them, because tape fails more often than
I’m comfortable with. You won’t usually know if the tape will
despool or simply fail in the backup process until you
actually need it. That’s a bit too late for my tastes.
Many people use tape backups and find them perfectly reliable.
If you go this route, make sure you test the system you get
before betting your business on it.
I prefer CD backups, personally. You can burn the base install
CD(s), so you can put your system back in its preferred
configuration, and then just periodically update the data
backups. With CD-RW media (rewritable CDs) you can do this at
very low cost.
Again, CDs fail occasionally. I haven’t run into this often,
but it’s still a possibility. Test it to make sure the data is
readable before assuming you’re covered.
CDs have additional benefits. You can carry them easily, and
not need special equipment to read them and access your data
when on the road. They’re cheap to mail if you want to send
them to someone else for storage. And they aren’t as fussy as
magnetic media about how they’re stored. (Don’t put them in
the garage in the winter or summer, though…)
A CD burner (CD-RW drive) should run under $200-250, and is a
useful thing to have as a business tool, in addition to being
a solid backup system. There’s no reason your backup system
can’t also be a profit maker.
One small caveat: Anything written to a CD has the Read Only
bit set. When you copy it back to your PC, this bit stays set,
and you won’t be able to change the files until you fix that.
To correct the problem on a Windows system, just right click
on the file you want to edit, and select Properties from the
menu that comes up. On the General tab of the screen that pops
up will be a check box labeled Read-Only. Uncheck that box,
click Apply, and then click OK. You’re all set.
You can fix the problem for whole directories of files, by
highlighting the entire list (or part of it) and doing the
same thing. One operation.
For a quickly accessed on-site backup, a good option is a
second hard drive. Most people who go this route use mirroring
Mirroring setups are fine, assuming you don’t experience a
major electrical problem or a fire. They have the unfortunate
problem of giving people the sense that they’re completely
secure, so they don’t do other backups. Better than nothing,
but not the best.
A slightly different approach is to have a detachable hard
drive. I found one recently that’s quite up to the task. The
BUSlink USB hard drive. http://www.buslink.com/
They range in size from 6-27 gigabytes. I got the 13 gigabyte
model for $269. If you have USB support on your system, this
is a great option.
I came home from a trip and found the order waiting for me.
Perfect timing. After opening the box, it took me all of three
minutes to install the software, hook up the drive, and start
transferring my email to the BUSlink from my laptop. Same time
for the main PC. Syncing my email after being out of town was
never so easy.
(Note: BUSlink now has a USB cable that can be used
to transfer data directly between two USB-capable
computers directly, at speeds that seriously outrun
LapLink and similar systems. It’s $49, and a great
idea for you road warriors.)
The BUSlink comes with software that lets you do automatic
backups on a preset schedule. If you have a UPS
(uninterruptible power supply) in place, this is a very good
option. If not, or if you turn your computer off at times that
might coincide with your backup schedule, consider doing the
This can be a lot easier than it sounds. Set up your data so
that the main files are kept in one partition or directory. I
call mine “Data”. I just drag that, my entire email directory,
and a few program directories with important files to the
BUSlink, and it’s done. If you don’t have a UPS, turn the
drive off when you’re not using it. That will reduce the
chance of losing that data to power outages or voltage spikes.
However you do it, make sure you do it on a regular basis. How
often will depend on how much change occurs in your important
files on a weekly or daily basis.
In addition to using tangible media for off-site backups, you
have the option of backing your data up online. Essentially, you
connect to the Internet and upload your data to a remote system
for safe keeping. There are plenty of online backup sites to
ensure the protection of your data.
There are a number of companies offering this option at quite
reasonable prices. Some of them are:
- http://www.backup.net/ (Offers a 2 User version free. Varying
prices for larger setups.)
- http://www.backjack.com/ (For the Mac. $9.95/mo for 40 megs of
compressed space. Pricing goes up from there.)
- http://www.backup.com/ (Called @Backup. 100 megs of storage
- http://www.connected.com/ (Unlimited file storage. This system
only updates the backups of changed portions of files.
$19.95/mo. They offer good encryption and compression. Much
faster than @Backup.)
- http://www.atrieva.com/ (10 megs free. $9.99/month for 100
megs. $14.99 for 1 gig. Good encryption and compression.
Updates all selected files completely, regardless of changes.)
This may be the ideal solution for people or companies with a
full time connection to the net, or who want to be able to do
their backups without physically carrying them somewhere off-
Just make sure you keep backups of your configuration for the
backup software. 😉
There are also free storage options online. They’re not as
secure, but if you don’t keep particularly sensitive data, or
if you encrypt it before uploading, they’re reasonable
- Driveway – http://www.driveway.com/ – 100 megs
- X:Drive – http://www.xdrive.com/ – 100 megs
- FreeDrive – http://www.freedrive.com/ 50 megsTo use these, you’ll want to learn to use to upload files
using FTP, if you don’t know how already. Check
http://www.download.com/ for a program that works on your
operating system. There are some very good free FTP programs
for pretty much every platform, if your budget is strapped.
Using compression software like Zip or Sit will let you store
roughly three times as much data in these virtual drives.
Okay. You’ve got options ranging from robust and reasonable to
free and easy. You now have no excuse for not making regular
backups. AND keeping a set off-site.
Take another look at that list of data files. Which looks
easier to deal with?
Backups, or data loss?
Almost everyone has a surge suppressor. (You know, those power
strips that you got more for the extra outlets than for the
They’re better than nothing, but they won’t do much in case of
a power outage or drop in voltage, which can be just as bad.
50% of data loss is due to power fluctuations. The number of
hardware problems due to the same thing is probably just as
high. Surge protectors will only help with part of those
I strongly recommend getting an uninterruptible power supply
(UPS). A UPS will allow you to save your work and shut down
your computer properly in case of a power loss, as well as
ensuring that the power flow is smooth and consistent in case
of spikes or brownouts. Virtually all of them also offer
protection from phone line surges, which can wipe out a modem
TrippLite makes a great UPS that can even shut down the
machine properly if the power goes out when you’re not there
to handle the outage. You can get these for as little as $119
at most computer hardware stores.
What’s worse than losing all your data?
Losing all your data because your computer was fried.
If anyone had any doubt about the ability of viruses to wreak
havok, Melissa should have cured that. But, of course, it
Viruses can do all sorts of interesting things. They can send
email to everyone in your address book. They can email your
entire addressbook to someone else. They can make your
computer do all manner of odd things. They can wipe out your
data files, or even format your hard drive.
They can even plant RATs in your system.
RAT is short for Remote Access Trojan. These nifty little
virtual gizmos are the cracker’s equivalent of the remote
control. We’ll explain more about the dangers of RATs in the
section on firewalls.
Note: Cracker is the right word. A hacker, despite
the media’s misuse of the word, is not a malicious
person who’ll try to abuse strangers. Hacker is a
term of respect. Crackers are the creeps that play
these nasty games.
So, how does your computer get viruses?
It’s amazingly easy, actually. Any time you run code that you
got from someone else, you run *some* risk of getting a virus.
With commercial software obtained directly from the
manufacturer, the risk is minimal. Still there, but minimal.
There are other ways, but these account for the vast majority
* Loading files with macros without checking for viruses. This
is probably the most common these days. There are thousands of
macro viruses out there that are spread through sharing of
Word documents, Excel spreadsheets, etc.
* Downloading and running many games that are distributed
through private sites. (The major download sites are usually
* Opening infected emails in an HTML capable mail reader
without having disabled ActiveX and the like. (Yes, Virginia,
you CAN get a virus just from reading an email. If your system
is set up wrong.)
* Running programs that are sent to you as attachments.
* Downloading and running pirated software. (If that’s how you
got it, you deserve it!)
Have you ever done any of those?
So, how do you NOT get viruses? It’s pretty easy, actually.
Just use some simple, common sense steps.
1. NEVER run programs that are sent to you as attachments,
unless you know and trust the sender, AND KNOW THE PROGRAM IS
BEING SENT BEFOREHAND. Even then, be suspicious. Your friends
won’t deliberately send you an infected file, but do you know
how secure their system is?
If you weren’t told the program was coming, don’t run it no
matter who sent it. There are new viruses out all the time
that attach themselves to emails as their method of
propagation. The “senders” usually don’t even know the
2. For Word, Excel, and any other software that uses macros,
get paranoid. Go to the Macros menu item, and select the
Security option. Set it to high, and refuse to run any macros
except from those sources you designate as “Trusted.”
The vast majority of users won’t be affected by this at all.
Most of us don’t use macros in our documents.
3. Ask people who need to send you documents to use .rtf (Rich
Text Format) instead of .doc format. In most cases this will
give exactly the same results and appearance. And RTF files
can’t spread viruses.
If they don’t know how to do this, explain it. When they save
the file, they simply choose Rich Text Format from the “Save
as type” options instead of accepting the default .doc format.
Another advantage is that RTF files are generally readable on
any platform. Handy for dealing with people who may not have
exactly the same programs that you use.
Oh yeah… Send documents in this format yourself whenever
4. Turn off the ability of your HTML capable email software to
run ActiveX or other code without asking first. And then only
allow it when you know the sender. (Hint: How many people do
you know who write email containing ActiveX or other
5. Get a good anti-virus program.
Update it regularly.
Run it all the time.
Good anti-virus software is no longer a paranoid’s indulgence.
It’s a necessity.
You’ll want to set it to the highest security you can live
with. If you get huge amounts of email and have a slow machine
you may not want to tell it to scan every email that’s
downloaded, but you’ll probably want every other option
Yes, it will slow things down a small amount. In most cases,
you’ll never notice it. If it gets too bad, you can disable
the less important options, like scanning inside zip files.
You don’t need to scan your drives every time you boot up the
machine, of course. But do it occasionally to be safe.
Updating your AV software frequently is a must. There are tens
of thousands of viruses out there, and more developed all the
time. It does you no good to have the software if it’s not
Even with the best AV software, you still want to keep other
security measures in place. These programs don’t work on a
virus until the developers know the virus exists. And
frequently they don’t know until shortly AFTER a major
Melissa was a great example of this.
Two of the better anti-virus programs are:
- Panda Anti-Virus, from http://www.pandasoftware.com/
- Norton Anti-Virus, from http://www.symantec.com/I don’t recommend McAfee. It’s entirely too much trouble when
there are more convenient options that provide the same
With any anti-virus software, you can encounter occasional
problems. It’s an unfortunate but necessary part of the way
the programs work. Some legitimate commercial programs may be
treated as viruses, some hardware will have trouble, etc.
Usually these programs will mention the potential trouble
somewhere in their documentation. If you try installing
software from commercially purchased CDs or from trusted
download sites and have trouble, try the install after turning
off the AV program.
There’s at least one “virus” that can affect your system
without you downloading anything, opening any programs, or
reading any infected emails. All you need to do is run a
computer that’s connected to the Internet that has a shared
drive which doesn’t require a password for write access.
Isn’t that fun? Just being connected can be a security risk!
This one scans the net looking for machines with the right
vulnerabilities, and writes itself to the system when it finds
one. The effects of this virus sound like something from one
of those hoaxes that are forever going around.
* It spreads without any action on your part.
* It can delete everything in your C:\Windows directory and
sub-directories, and C:\.
* It uses your modem to dial 911….
Yeah. Can you believe that last one? The cretin who wrote this
needs to be thrown in jail for life. Tying up emergency
services like that could result in deaths.
Fortunately, this is found in a very limited area so far. The
only “sightings in the wild” have been in the Houston, TX
area. And yes, it’s confirmed. See:
Or the FBI’s advisory, at:
This is the first virus that propagates this way. You can bet
it won’t be the last. And future ones will exploit more and
more obscure weaknesses in common PC setups.
If that doesn’t scare you, the RATs should.
I mentioned RATs (Remote Access Trojans) in the virus section.
Technically, they’re not viruses, but most anti-virus software
(all the good ones) includes protection from known RAT
programs. At least the ones that are propagated like viruses.
A RAT is an interesting thing. Once planted on your system, it
allows anyone with the control software to do all sorts of fun
stuff with your machine, including downloading any files they
like, deleting files, formatting your drives, running
programs, talking through your speakers, even opening and
closing the CD tray.
There was a story in Reader’s Digest recently about
cyberstalkers. It described a case where a woman was being
stalked, and was stunned at the things the stalker knew about
her. She was REALLY scared when he claimed he could get to her
at any time, and popped open her CD tray as he said it.
The woman’s machine was infected with a RAT. Plain and simple.
Earlier I asked if there was any data at all on your machine
that you’d rather NOT get into the hands of someone else…
How do you feel about that now?
Another variant of RAT can be triggered to send data to a
specific site. With sufficient numbers of infected computers
being triggered, all pointed at one system, the traffic
generated can bring down even the most robustly connected
This is the type of distributed denial of service attack
(DDoS) that recently hit some of the biggest sites on the net.
And your computer could have helped in the attack.
Are you getting mad yet?
These are not particularly uncommon programs. There are many
thousands of machines infected with this sort of trojan. And
the control software can be found by anyone with the desire to
So, how do they trigger them, and what can you do about it?
To trigger them, all they need to do is scan the net until
they find a machine that responds on a specific port that the
RATs are programmed to listen to. This is the virtual
equivalent of walking down the street and checking to see
which homes have full mailboxes, piles of newspapers that
haven’t been brought in, or other signs that the tenants are
It’s literally no more difficult than using Find or Sherlock
to locate a file on your system.
Once they find the infected machine, they send their commands
to the RAT, and it runs them just as though the operator was
sitting right at your keyboard.
In six hours online yesterday, there were over 50 attempts to
connect to ports on my system. Many of these were undoubtedly
harmless. Some may even have been attempts by my ISP to locate
unauthorised use of the service in ways that compromise their
security. A fair number were, at the least, suspicious.
18 of them attempted to connect to Port 12345.
Port 12345 is the port that is used to control NetBus. NetBus
is a VERY common RAT.
3 attempts per hour to connect to a RAT. All from different
sources. Just on my IP address at my small local ISP.
If that’s typical, then there were over 50,000 attempts PER
HOUR across the net yesterday, just on that port. (One person
can scan a lot of space in a short period…)
Do you suppose that any of those people are up to anything
If that doesn’t make you mad enough to tear the mask off a
raccoon, you need to talk to your doctor about reducing your
So, how do you stop them?
Simple. Install a firewall.
I heard that!
“Oh no! A firewall? That’s major techno-mojo!”
Yoda say: “Difficult not. Easy it is.”
(At least for Windoze. If any of you know of a
good personal firewall for the Mac, send me the
details and I’ll add it to future revisions of
this article, with much gratitude.)
My first firewall software was BlackIce, from
http://www.networkice.com/ . If you like rules and
configuration and lots of techno-babble, BlackIce is a very
useful, reasonably priced tool. (Under $50) It’s not the
simplest thing ever created, but not particularly tough
either. There are better solutions for those of us who just
want good, no-hassle protection for our systems.
The better solution? ZoneAlarm, from http://www.zonelabs.com/
This program is a dream. It has to be. Nothing this good is
this easy in real life. It’s fairly small, simple to install,
and reputed to be the best personal firewall on the market.
And it’s free? I was sure it was a joke. (After all, it’s a
No joke, young Skywalker.
You can set different levels of security for local and
Internet connections. You can control which software is
allowed to connect to the Internet, and keep strangers on the
net from connecting to you. That’s the big key.
You can lock all Internet access, both ways. You can allow or
disallow the functioning of servers on your system. You can
add IP addresses and subnets to the program’s definition of
“local.” You can allow specific programs to act as servers.
This last is necessary for things like NetMeeting and Norton
Anti-Virus’ Live Update. Probably for ICQ as well, although
ICQ has its own set of security holes…
You can even turn off the alerts that let you know every time
there’s an attempt to connect to your system, if you get bored
or annoyed with them.
For all practical purposes, when this software is running,
your machine doesn’t exist to scanners. They literally don’t
even see a computer on your IP address.
I don’t for a minute believe that this is perfect protection.
I would guess that allowing connections for multi-purpose,
server-style software like ICQ or Instant Messenger could
introduce some neat holes that people could do their dirty
work through, for example.
Still, if you’re using ZoneAlarm and only running your
emailer, browser, or other non-server programs, you’re so far
ahead of the game it’s silly.
Combine these various security measures, and you’re golden.
A few more small points.
The most common way for people to get access to your private
data is still by physical intrusion. Actually having access to
your computer. If you aren’t sure about the physical security
of your machine, you may want to address that.
One way that works quite well is to lock up disks that contain
sensitive data. Yes, good old fashioned locks have their place
in this high-tech world.
Another (and more foolproof) way is to encrypt it. The
ultimate software for this is PGP. It’s free for personal use,
and available from http://www.pgp.com/
PGP also has plug-ins that allow it to be used in sending
encrypted email that’s so tough the NSA supposedly can’t break
it. Very useful if you think your email is being sniffed,
snooped, or otherwise covertly monitored. Or if you just like
the idea of personal privacy. (Now who cares about THAT???)
It’s currently illegal for PGP to be exported from the US.
That’s hardly an issue, since there are versions available
that were created outside the US, and which can be found and
used legally by almost anyone in the world. (It’s still
illegal in France. Can you believe that?)
If you use PGP, it’s absolutely critical that you make backups
of your public and private keys, and store them someplace
safe. And pick a passcode that you will always remember, but
which isn’t too obvious. NEVER write down your passcode
anywhere. If you lose those keys or your passcode, the
encrypted files are just random drivel, and will stay that
Watch out for people picking up your passwords by “shoulder
surfing.” (Watching as you type them in somewhere.)
Use passwords that are 8 or more characters in length, and
which contain both letters and numbers. These are much harder
for password crackers to break.
Don’t write your passwords on Post-Its and stick them to your
monitor. If you have to write them down, keep the copy
somewhere separate from your computer.
Don’t put your passwords all in one file and then call it
passwords.txt. (Yes, I’ve seen this!) Here’s a trick for you
if you want to keep your passwords in a text file on your
computer. Give it an obscure name, with a different extension.
I used to keep mine in a text file called logo12.gif in my web
graphics directory. There were 11 real logo files there, along
with hundreds of other graphics, so this was pretty low risk.
This approach is called “security by obscurity.”
Above all, use common sense.
An example: While I’m a bit of a bug about backups, I could
easily get by just backing up my email and a few databases. My
work is almost all writing, and that’s delivered to clients as
soon as it’s completed. At that point, backups are a customer
service issue, not a security problem.
Consider the actual needs of your situation when deciding on
what measures to employ. Don’t create major time and expense
protecting Mom’s secret prune dumpling recipe, unless it’s
In most cases, the bad guys aren’t looking for you personally.
(This may not be true if you’re on a fixed IP system, like a
cable modem.) They’re looking for any and all systems they can
Don’t get paranoid.
Again, this isn’t an exhaustive list. You need to look at your
own situation and consider your personal needs when coming up
with a solid data security strategy.
It’s not the sexiest part of doing business online, but if you
neglect it, it WILL come back and bite you at some point.
Take care of it with a little forethought, and those stories
you hear from other people about their disasters will stay
with other people. You’ll just happily hum along, doing
business as usual no matter what comes your way.
Isn’t that a nice thought?
This article was originally published in TalkBiz News, the
newsletter of “Hard Core How-To For Small Business.” To subscribe, send any email to mailto:email@example.com You may forward this article to anyone you want, as long as you send them the whole thing. Or, just send them the email address and let them request it themselves. The address to get a copy of this article is mailto:firstname.lastname@example.org