With careful planning and the proper tools, an organization can address these threats and put a proper security net in place around its data.
One of the first things a company can do is to carry out an extensive audit of all security measures in place. This should start with the SME's physical security set-up: are the file servers and databases housed in a secure area? Is the server room adequately protected? Who holds the keys or access codes to the room?
This should then be followed by an extensive inventory of all hardware, software and other devices, especially laptops: where each item is located within the building, and a list of those who use or have access to it.
Once the physical aspect of storage security is addressed, administrators need to look very carefully at how the data is accessed by employees within the organization. The next step is to audit the privileges and file permissions granted to every employee. It is often the case that employees are given access to data systems they do not need, and that staff who change departments keep the access they had in their previous role, so that privileges accumulate over time. Each user should hold only the access their current role requires. Active Directory groups and Group Policy are the right tools for enforcing this, but only if group membership is kept current and the policies themselves are configured and reviewed properly.
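The privilege audit described above can be partly automated. The following PowerShell script is an added example and is not part of the original article: it inspects the permissions on a file share, flags permissions granted directly to individual users rather than to groups, and then lists group members whose Active Directory department attribute no longer matches the department the share belongs to, or whose accounts are disabled. It assumes the RSAT ActiveDirectory module is installed, and the share path, domain and department name are placeholders chosen for this illustration.

```powershell
# Added example, not from the original article.
# Audits who can reach a file share and flags likely privilege creep.
# Assumes the RSAT ActiveDirectory module; share path and department are placeholders.
Import-Module ActiveDirectory

$SharePath          = '\\FILESRV01\Finance'   # assumed share
$ExpectedDepartment = 'Finance'               # assumed AD Department value for this share
$SkipDomains        = 'BUILTIN', 'NT AUTHORITY', 'CREATOR OWNER'

# Step 1: look at the explicit (non-inherited) permissions on the share root.
# Each one should be a domain group that is documented; a direct user entry is a red flag.
$acl      = Get-Acl -Path $SharePath
$explicit = $acl.Access | Where-Object { -not $_.IsInherited }

$groupsToReview = @()
foreach ($ace in $explicit) {
    $account = $ace.IdentityReference.Value          # e.g. CORP\Finance-RW
    $parts   = $account.Split('\')
    if ($parts.Count -gt 1 -and $SkipDomains -contains $parts[0]) { continue }   # well-known principals
    $name    = $parts[-1]

    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    if ($group) {
        $groupsToReview += $name
    } else {
        # Not a domain group: either an individual user ACE or something that needs explaining.
        Write-Warning ("Direct (non-group) ACE on {0}: {1} -> {2}" -f $SharePath, $account, $ace.FileSystemRights)
    }
}

# Step 2: for every group granted access, list members who should probably not be there:
# people whose Department no longer matches the share, and disabled accounts still in the group.
$findings = foreach ($g in ($groupsToReview | Sort-Object -Unique)) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.SamAccountName -Properties Department, Enabled, LastLogonDate
        if ($u.Department -ne $ExpectedDepartment -or -not $u.Enabled) {
            [pscustomobject]@{
                Group      = $g
                User       = $u.SamAccountName
                Department = $u.Department
                Enabled    = $u.Enabled
                LastLogon  = $u.LastLogonDate
                Reason     = if (-not $u.Enabled) { 'disabled account still in group' } else { 'department mismatch' }
            }
        }
    }
}

$findings | Sort-Object Group, User | Format-Table -AutoSize
```

Run it from an account that can read the share's ACL and query AD. Every row it prints is a question for the data owner, not automatically a removal: someone on secondment may legitimately keep access, but the answer should be recorded so the next audit does not have to ask again.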
The final step, and the one most often forgotten, is to actively test the security of the storage environment. This can be done internally by the IT administrator or outsourced to a third party that will carry out penetration testing to identify flaws in the network's security net. Although this may be an expensive exercise, it is certainly much cheaper than the cost of a security breach.
It is also good practice, during testing or at least once testing is complete, to check the logs of the network and storage security controls, such as firewalls, IDSs and access logs, to see whether the test activity was recorded and flagged as a possible security event. If a penetration test leaves no trace in the logs, that is itself a finding: the controls would not have noticed a real attacker either. Event logs are an important, but often neglected, source of security information.
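As an added example, not part of the original article, the following PowerShell script performs the post-test log check described above for Windows hosts. It pulls the Security-log events a penetration test against a file server and domain controller would normally generate (failed logons, logons with explicit credentials, audited file access, account creation and group membership changes), summarises them by event, account and source address, and warns when a host returns nothing at all for the test window, which usually means auditing is not configured rather than that nothing happened. Server names and the time window are placeholders.

```powershell
# Added example, not from the original article.
# Checks whether a penetration test showed up in the Windows Security log.
# Server names and the time window are placeholders for this illustration.
$Servers = 'FILESRV01', 'DC01'        # assumed hosts that were in scope
$Start   = (Get-Date).AddDays(-7)     # assumed start of the test window

# Security-log event IDs worth looking for after a test:
#   4625 failed logon            4648 logon with explicit credentials (lateral movement)
#   4663 object access           (only logged if a SACL is set on the audited folder)
#   4720 user account created    4728 / 4732 member added to a security group
$Ids = 4625, 4648, 4663, 4720, 4728, 4732

function Get-EventFields {
    # Flattens the EventData section of an event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        if ($node.Name) { $fields[$node.Name] = $node.'#text' }
    }
    return $fields
}

foreach ($server in $Servers) {
    $events = Get-WinEvent -ComputerName $server `
                           -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $Start } `
                           -ErrorAction SilentlyContinue

    if (-not $events) {
        # Silence is the important result: either the test never touched this host,
        # or audit policy / log retention is not capturing what it should.
        Write-Warning "$server : no matching Security events since $Start. Check audit policy and log size."
        continue
    }

    Write-Host "`n== $server : $($events.Count) events since $Start =="

    $rows = foreach ($e in $events) {
        $f = Get-EventFields -Event $e
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Account = if ($f.TargetUserName) { $f.TargetUserName } else { $f.SubjectUserName }
            Source  = $f.IpAddress
            Object  = $f.ObjectName
        }
    }

    # Top combinations of event, account and source: a password spray shows up as many
    # 4625s from one address; a file-share walk as many 4663s from one account.
    $rows | Group-Object Id, Account, Source |
            Sort-Object Count -Descending |
            Select-Object Count, Name -First 20 |
            Format-Table -AutoSize

    if (-not ($rows | Where-Object Id -eq 4663)) {
        Write-Warning "$server : no 4663 file-access events. Object Access auditing or folder SACLs are probably not set."
    }
}
```

Compare the output against the tester's own timeline: every phase of the test should correspond to a cluster of events on the right host, and any phase that does not is a gap in logging or alerting to fix before the next test.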