Insecure Location

If you use a home or small office computer for sensitive, classified, or proprietary work, you know that it must be protected against theft, damage, or intrusion. The security of the physical environment can be just as important as the logical security.

A physical security plan for a SOHO has three components:

  • Access control—Controlling who can physically gain access to a secured space starts before that secured space. For example, in a home office, access control can begin at a front gate, the front door, and most definitely, an interior door. Limiting access to only authorized individuals reduces the exposure to threats and attacks.

  • Asset protection—Identifying the assets that require protection and then applying protective measures that are appropriate to the value of the assets should provide the protection needed. In the context of security, an asset is any object of value that is vital to the operation of an organization, which on the internet and web is primarily data. For specific assets of high value, additional access control measures, such as multifactor authentication, can add another layer of protection.

  • Surveillance—The security guards and high fences with hazardous preventive measures, such as razor wire and electrified fencing, that are used in large warehouses or corporate office buildings may be a bit of overkill for a SOHO situation. A motion-detection security camera in the area where safeguarded data, information, or materials are accessed can be a good idea. Computer log files are an excellent surveillance tool. Any action on a computer creates, or can be configured to create, log events that record a wide range of activities. The key to any surveillance device or system is review. The captured results of these systems aren’t preventive if they are only viewed after a security event.

System and Application Updates Not Applied

Generally, the updates or patches that software vendors issue between major version releases are fixes for programming errors and, most often, for security issues in the software. Vendors test products to prove their functions and safeguards, but a correction for one problem can cause one or more other problems that are overlooked during testing. If these problems create vulnerabilities that a threat actor can exploit, chances are that is what will happen, in what is called a zero-day attack. A zero-day attack is made on an application or system vulnerability that a vendor is either unaware of or has not yet corrected.

A program for applying all patches, updates, and fixes is a security procedure much more than it is a functional procedure. Any computer that is being used for business or commercial purposes should be updated with each of its vendor’s patches or fixes as soon as possible after each release. However, these updates should be controlled by a procedure that safeguards the operating environment: the effect of each patch on the production systems is tested first, but only on a replica of the system.

No Backup Plan

A backup of a system is never so valuable as just after a system has crashed and the data resources are inaccessible or destroyed. Not bothering to make a backup of the critical data, if not all of the data, on a computer is a very high price to pay for the time saved. Even irregularly taken backups are better than no backups, but only slightly. A backup of a complete system is wise for several reasons, not the least of which is disaster recovery. The best plan is to create a backup daily, even if nothing major occurred, and a full backup weekly. If a small company is required to maintain periodic copies of certain files, monthly, quarterly, and annual backups should also be included in the plan. The backups can be taken and stored locally on tape or optical disk or stored in the cloud.
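
A backup plan only helps if someone checks that it is being followed. The following is an added example, not part of the original text: it audits a backup folder listing against the daily, weekly full, monthly, quarterly, and annual schedule described above. The file-naming scheme, tier names, and six-hour grace period are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Oldest that the newest copy in each tier may be (names and 6 h grace are assumptions).
GRACE = timedelta(hours=6)
MAX_AGE = {
    "daily": timedelta(days=1) + GRACE,
    "weekly-full": timedelta(days=7) + GRACE,
    "monthly": timedelta(days=31) + GRACE,
    "quarterly": timedelta(days=92) + GRACE,
    "annual": timedelta(days=366) + GRACE,
}

# Constructed sample: a backup folder listing as seen on the morning of NOW.
NOW = datetime(2024, 3, 15, 9, 0)
SAMPLE = [
    "daily_20240314-2300.tar.gz",
    "weekly-full_20240303-0100.tar.gz",
    "monthly_20240301-0200.tar.gz",
    "daily_2024-bad.tar.gz",   # malformed timestamp
    "notes.txt",               # unrelated file
]

def parse_name(name):
    """Parse '<tier>_<YYYYMMDD-HHMM>.<ext>' (hypothetical naming scheme)."""
    tier, _, stamp = name.split(".", 1)[0].rpartition("_")
    if tier not in MAX_AGE:
        return None
    try:
        return tier, datetime.strptime(stamp, "%Y%m%d-%H%M")
    except ValueError:
        return None

def audit(names, now, required=("daily", "weekly-full")):
    """Return {tier: problem} for each required tier that is missing or stale.
    Future-dated copies are ignored so a wrong clock cannot mask a gap."""
    newest = {}
    for name in names:
        parsed = parse_name(name)
        if parsed is None:
            continue
        tier, taken = parsed
        if taken <= now and taken > newest.get(tier, datetime.min):
            newest[tier] = taken
    problems = {}
    for tier in required:
        if tier not in newest:
            problems[tier] = "missing"
        elif now - newest[tier] > MAX_AGE[tier]:
            problems[tier] = f"stale: newest copy is {(now - newest[tier]).days} days old"
    return problems
```

Calling audit(SAMPLE, NOW) reports the weekly full backup as stale; pass the longer tiers in required only when the company is obliged to keep those periodic copies.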

Natural Vulnerabilities

Natural vulnerabilities are perhaps the hardest area to prepare for. A natural vulnerability is created by the weather, geological events, and unexpected catastrophes. Events include hurricanes, tornadoes, earthquakes, volcano eruptions, war, tsunamis, sink holes, or a meteorite falling on your roof. Your system is vulnerable to these events and others, and yes, they will cause disruption. The threat here is the loss of business continuity and the need for disaster recovery. Backups, electrical power supplies or generators, identified emergency computer systems, and the like are the countermeasures to be developed.
