Data Security 101 For Small Businesses

Finally! A smart, simple, plain English step-by-step guide to securing your personal data against hackers, fires, and other data-eating disasters. Secure your computer now - before the next "Melissa" hits!

[Editor's Note: This is a very long, but very important article. Some of it (particularly the specific software recommendations) applies only to PCs running Windows, but the general principles are just as important if you use a Mac (as I do), Linux, or any other operating system.]

Before we get started, I want you to do a short exercise. Please don't just read the suggestion and go on. Actually do this:

Go through your computer and make a list, on paper, of all the data on your computer systems. List all the Word documents, databases, spreadsheet files, address books, financial records, passwords, graphic files, HTML files, cgi scripts, text files, email accounts and files, dialup account information, client data, source code, ebooks, faxes, and any other file that's of even small significance. Oh... Don't forget your client lists.

Then list every piece of software that's installed on your system, and its cost.


This is important. Please, make that list before reading further. Even if you don't use it for the purposes of this article, it's useful for insurance records...


Took a while, didn't it?

Now imagine that someone, maybe a competitor, maybe a complete stranger, had copies of every one of those files. Look at your list.

Is there anything on there you'd rather not have anyone else get their hands on?


How about if all of your files just went away. (*Poof*) Gone. No copies anywhere.

How long would it take to reconstruct that data? How much would it cost? Could you do it at all?

Assuming you could reconstruct the files, what else would you lose in the time it took to do it?

If you don't find that thought just a bit troublesome, odds are you don't rely on your computer for anything but games. If that's the case, quit reading. You don't really need this information.

If you have any stake at all in maintaining your privacy or keeping your files intact, you may be disturbed by how vulnerable most PCs are. Very likely including your own.

We're going to show you some ways to drastically reduce your risk of catastrophic data loss. And to increase the level of privacy and security of your irreplaceable files.

Please remember that NOTHING can completely protect you from any of these problems. Odd coincidences and simultaneous problems can catch even the most cautious of us. By using these systems, you can cut the risk dramatically.

Also realise that not everyone has need of every type of protection mentioned here. Consider your own needs and make the best call for your personal situation.


A couple quick notes:

First, this article doesn't pretend to be a complete recipe for security. I haven't made a ten year survey of all the software in the industry, and I don't claim that anything mentioned here is necessarily the best thing available. But it will do the job you need done, easily, cheaply, and effectively.

This doesn't even touch on security issues relating to servers or Unix/Linux/etc systems. There's much more in-depth info out there for those folks than I even care to try and create.

Second, I mention a lot of software and web sites. I am not an affiliate for any of these vendors. I make no money from these recommendations.


First stop - The Basics.

Save your work regularly. Nothing is quite as annoying as doing an hour's worth of inspired work, being within minutes of having the project done, and seeing your machine lock up. In most programs, saving your work takes no more time than hitting a quick keystroke combination. Even better, set up your software, if the option is available, to autosave every three minutes or so.

If you don't do this now, start. It's the most basic form of data protection.

Also, keep incremental copies of work in progress. Save a numbered copy for each session you work on. That way, if you accidentally delete the entire file, you've only lost this session's work. (It happens...)


When did you last make a backup of your files?

The best protection you can have is frequent, multiple, verified backups. At least one on-site backup, and one or more off-site.

This is Computing 101. You know this stuff. But do you do it?

People lose data all the time. User error, power problems, viruses, crackers, hardware failure, software failure, and Brother Murphy can all rear their ugly heads. You knew that. If you have a local backup, you probably think you're safe.

Here's a story with a facet you might not have considered. The editor of one of the better email newsletters on online marketing (many of you know him) made regular backups of all his data. He had the system automated, so he didn't have to rely on memory or his schedule.

Then one day there was a small fire in his office. Wiped out his computer. No one was hurt, but his PC was trashed. Guess where his backups were stored?

Probably just like yours, they were on the desk. With his computer.

Gone. Including his product files and his subscriber list. A lot of editors and list owners in the field got together and helped him to reconstruct his list by mentioning his problem, and recommending that those who wanted really good information subscribe (or resubscribe). His list was back to normal fairly quickly. But his software and other data took a lot of time to rebuild, and he lost a lot of income and momentum in the process.

Last I knew, he was out of the business. I don't know whether the fire had anything to do with it, but it's a fact that most businesses that suffer catastrophic data loss go out of business in a very short period of time after the incident. If he had kept off-site backups, he would have lost the cost of the computer (assuming he had no insurance) and one day of work restoring the system. No more.

Which boat would you be in?


Okay, some suggestions for backup systems are in order.

If you only have a few hundred megs or less of critical data, you can easily get away with using Zip disks. Keep one set at home, and another somewhere else. Perhaps with a relative, or a neighbor. This is a reliable and inexpensive way to keep things current.

This is a very good way to handle things that can change on a day to day basis. (Like email or subscriber lists...)

If you go this route, make sure you schedule your backups, and stick to the schedule. If you have a lousy memory or just tend to put things off, use one of the free email reminder services. allows you to schedule the same reminder once, and have it delivered as often as you like.


Another option is full system backups. Tape drives with software that automates the process are fairly inexpensive. I don't personally like them, because tape fails more often than I'm comfortable with. You won't usually know if the tape will despool or simply fail in the backup process until you actually need it. That's a bit too late for my tastes.

Many people use tape backups and find them perfectly reliable. If you go this route, make sure you test the system you get before betting your business on it.

I prefer CD backups, personally. You can burn the base install CD(s), so you can put your system back in its preferred configuration, and then just periodically update the data backups. With CD-RW media (rewritable CDs) you can do this at very low cost.

Again, CDs fail occasionally. I haven't run into this often, but it's still a possibility. Test it to make sure the data is readable before assuming you're covered.

CDs have additional benefits. You can carry them easily, and not need special equipment to read them and access your data when on the road. They're cheap to mail if you want to send them to someone else for storage. And they aren't as fussy as magnetic media about how they're stored. (Don't put them in the garage in the winter or summer, though...)

A CD burner (CD-RW drive) should run under $200-250, and is a useful thing to have as a business tool, in addition to being a solid backup system. There's no reason your backup system can't also be a profit maker.


One small caveat: Anything written to a CD has the Read Only bit set. When you copy it back to your PC, this bit stays set, and you won't be able to change the files until you fix that. To correct the problem on a Windows system, just right click on the file you want to edit, and select Properties from the menu that comes up. On the General tab of the screen that pops up will be a check box labeled Read-Only. Uncheck that box, click Apply, and then click OK. You're all set.

You can fix the problem for whole directories of files, by highlighting the entire list (or part of it) and doing the same thing. One operation.
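The advice above to keep verified backups and to test that the data is readable can be automated. The following is an added example, not part of the original article: it records a SHA-256 for every file at backup time, later checks a backup copy against that record, and clears the read-only flag on restored files. The file names and the manifest layout are assumptions made for the demonstration.

```python
# Added example (not from the article): record hashes at backup time, then
# prove the backup copy is complete and readable before you need it.
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks; reading every byte also proves the media is readable."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root):
    """Return {relative '/'-separated path: Path} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def write_manifest(source_root, manifest_path):
    """Run at backup time: save a SHA-256 for every source file."""
    manifest = {rel: sha256_file(p) for rel, p in list_files(source_root).items()}
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_root, manifest_path):
    """Run against the backup media: report anything missing, unreadable or altered."""
    expected = json.loads(Path(manifest_path).read_text())
    present = list_files(backup_root)
    report = {"missing": [], "unreadable": [], "corrupt": [], "unexpected": []}
    for rel, want in sorted(expected.items()):
        if rel not in present:
            report["missing"].append(rel)
            continue
        try:
            got = sha256_file(present[rel])
        except OSError:  # bad sector, failed tape, scratched disc
            report["unreadable"].append(rel)
            continue
        if got != want:
            report["corrupt"].append(rel)
    report["unexpected"] = sorted(set(present) - set(expected))
    return report


def clear_read_only(root):
    """Restore owner write permission on restored files; returns how many changed.
    On Windows this clears the Read-only attribute described above."""
    changed = 0
    for path in list_files(root).values():
        mode = path.stat().st_mode
        if not mode & stat.S_IWUSR:
            os.chmod(path, mode | stat.S_IWUSR)
            changed += 1
    return changed


def run_demo():
    """Constructed sample data: a tiny source tree, a backup copy, and three faults."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "source"), Path(tmp, "backup")
        (source / "Data").mkdir(parents=True)
        (source / "mail").mkdir()
        (source / "Data" / "clients.csv").write_text("name,email\nExample,client@example.com\n")
        (source / "Data" / "notes.txt").write_text("draft 7 of the proposal\n")
        (source / "mail" / "inbox.mbx").write_text("From: someone@example.com\n")
        manifest_path = Path(tmp, "manifest.json")
        write_manifest(source, manifest_path)

        shutil.copytree(source, backup)
        (backup / "Data" / "notes.txt").write_text("draft 7 of the pr\x00\x00sal\n")  # damaged
        (backup / "mail" / "inbox.mbx").unlink()           # never made it to the backup
        (backup / "stray.tmp").write_text("leftover\n")    # not listed in the manifest
        os.chmod(backup / "Data" / "clients.csv", 0o444)   # as if restored from a CD

        report = verify_backup(backup, manifest_path)
        fixed = clear_read_only(backup)
        mode = (backup / "Data" / "clients.csv").stat().st_mode
        still_read_only = not mode & stat.S_IWUSR
        return report, fixed, still_read_only


if __name__ == "__main__":
    demo_report, demo_fixed, _ = run_demo()
    print(json.dumps(demo_report, indent=2))
    print("read-only files fixed:", demo_fixed)
```

Keep the manifest with the off-site copy as well, so the check can be run wherever the backup ends up.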


For a quickly accessed on-site backup, a good option is a second hard drive. Most people who go this route use mirroring systems.

Mirroring setups are fine, assuming you don't experience a major electrical problem or a fire. They have the unfortunate problem of giving people the sense that they're completely secure, so they don't do other backups. Better than nothing, but not the best.

A slightly different approach is to have a detachable hard drive. I found one recently that's quite up to the task. The BUSlink USB hard drive.

They range in size from 6-27 gigabytes. I got the 13 gigabyte model for $269. If you have USB support on your system, this is a great option.

I came home from a trip and found the order waiting for me. Perfect timing. After opening the box, it took me all of three minutes to install the software, hook up the drive, and start transferring my email to the BUSlink from my laptop. Same time for the main PC. Syncing my email after being out of town was never so easy.

(Note: BUSlink now has a USB cable that can be used to transfer data directly between two USB-capable computers, at speeds that seriously outrun LapLink and similar systems. It's $49, and a great idea for you road warriors.)

The BUSlink comes with software that lets you do automatic backups on a preset schedule. If you have a UPS (uninterruptible power supply) in place, this is a very good option. If not, or if you turn your computer off at times that might coincide with your backup schedule, consider doing the backups manually.

This can be a lot easier than it sounds. Set up your data so that the main files are kept in one partition or directory. I call mine "Data". I just drag that, my entire email directory, and a few program directories with important files to the BUSlink, and it's done. If you don't have a UPS, turn the drive off when you're not using it. That will reduce the chance of losing that data to power outages or voltage spikes. However you do it, make sure you do it on a regular basis. How often will depend on how much change occurs in your important files on a weekly or daily basis.


In addition to using tangible media for off-site backups, you have the option of backing your data up online. Essentially, you connect to the Internet and upload your data to a remote system for safe keeping. There are plenty of online backup sites to ensure the protection of your data.

There are a number of companies offering this option at quite reasonable prices. Some of them are:

  • (Offers a 2 User version free. Varying prices for larger setups.)
  • (For the Mac. $9.95/mo for 40 megs of compressed space. Pricing goes up from there.)
  • (Called @Backup. 100 megs of storage costs $99/year.)
  • (Unlimited file storage. This system only updates the backups of changed portions of files. $19.95/mo. They offer good encryption and compression. Much faster than @Backup.)
  • (10 megs free. $9.99/month for 100 megs. $14.99 for 1 gig. Good encryption and compression. Updates all selected files completely, regardless of changes.)

    This may be the ideal solution for people or companies with a full time connection to the net, or who want to be able to do their backups without physically carrying them somewhere off-site.

    Just make sure you keep backups of your configuration for the backup software. ;)


    There are also free storage options online. They're not as secure, but if you don't keep particularly sensitive data, or if you encrypt it before uploading, they're reasonable solutions.

  • Driveway - 100 megs
  • X:Drive - 100 megs
  • FreeDrive - 50 megs

    To use these, you'll want to learn to upload files using FTP, if you don't know how already. Check for a program that works on your operating system. There are some very good free FTP programs for pretty much every platform, if your budget is strapped. Using compression software like Zip or Sit will let you store roughly three times as much data in these virtual drives.


    Okay. You've got options ranging from robust and reasonable to free and easy. You now have no excuse for not making regular backups. AND keeping a set off-site.

    Take another look at that list of data files. Which looks easier to deal with?

    Backups, or data loss?


    Almost everyone has a surge suppressor. (You know, those power strips that you got more for the extra outlets than for the protection?)

    They're better than nothing, but they won't do much in case of a power outage or drop in voltage, which can be just as bad. 50% of data loss is due to power fluctuations. The number of hardware problems due to the same thing is probably just as high. Surge protectors will only help with part of those problems.

    I strongly recommend getting an uninterruptible power supply (UPS). A UPS will allow you to save your work and shut down your computer properly in case of a power loss, as well as ensuring that the power flow is smooth and consistent in case of spikes or brownouts. Virtually all of them also offer protection from phone line surges, which can wipe out a modem easily.

    TrippLite makes a great UPS that can even shut down the machine properly if the power goes out when you're not there to handle the outage. You can get these for as little as $119 at most computer hardware stores.

    What's worse than losing all your data?

    Losing all your data because your computer was fried.


    Ahhh, viruses.

    If anyone had any doubt about the ability of viruses to wreak havoc, Melissa should have cured that. But, of course, it didn't.

    Viruses can do all sorts of interesting things. They can send email to everyone in your address book. They can email your entire address book to someone else. They can make your computer do all manner of odd things. They can wipe out your data files, or even format your hard drive.

    They can even plant RATs in your system.

    RAT is short for Remote Access Trojan. These nifty little virtual gizmos are the cracker's equivalent of the remote control. We'll explain more about the dangers of RATs in the section on firewalls.

    Note: Cracker is the right word. A hacker, despite the media's misuse of the word, is not a malicious person who'll try to abuse strangers. Hacker is a term of respect. Crackers are the creeps that play these nasty games.


    So, how does your computer get viruses?

    It's amazingly easy, actually. Any time you run code that you got from someone else, you run *some* risk of getting a virus. With commercial software obtained directly from the manufacturer, the risk is minimal. Still there, but minimal.

    There are other ways, but these account for the vast majority of cases:
    * Loading files with macros without checking for viruses. This is probably the most common these days. There are thousands of macro viruses out there that are spread through sharing of Word documents, Excel spreadsheets, etc.
    * Downloading and running many games that are distributed through private sites. (The major download sites are usually pretty safe.)
    * Opening infected emails in an HTML capable mail reader without having disabled ActiveX and the like. (Yes, Virginia, you CAN get a virus just from reading an email. If your system is set up wrong.)
    * Running programs that are sent to you as attachments.
    * Downloading and running pirated software. (If that's how you got it, you deserve it!)

    Have you ever done any of those?


    So, how do you NOT get viruses? It's pretty easy, actually.

    Just use some simple, common sense steps.

    1. NEVER run programs that are sent to you as attachments, unless you know and trust the sender, AND KNOW THE PROGRAM IS BEING SENT BEFOREHAND. Even then, be suspicious. Your friends won't deliberately send you an infected file, but do you know how secure their system is?

    If you weren't told the program was coming, don't run it no matter who sent it. There are new viruses out all the time that attach themselves to emails as their method of propagation. The "senders" usually don't even know the attachment exists.

    2. For Word, Excel, and any other software that uses macros, get paranoid. Go to the Macros menu item, and select the Security option. Set it to high, and refuse to run any macros except from those sources you designate as "Trusted."

    The vast majority of users won't be affected by this at all. Most of us don't use macros in our documents.

    3. Ask people who need to send you documents to use .rtf (Rich Text Format) instead of .doc format. In most cases this will give exactly the same results and appearance. And RTF files can't spread viruses.

    If they don't know how to do this, explain it. When they save the file, they simply choose Rich Text Format from the "Save as type" options instead of accepting the default .doc format. Another advantage is that RTF files are generally readable on any platform. Handy for dealing with people who may not have exactly the same programs that you use.

    Oh yeah... Send documents in this format yourself whenever feasible. ;)

    4. Turn off the ability of your HTML capable email software to run ActiveX or other code without asking first. And then only allow it when you know the sender. (Hint: How many people do you know who write email containing ActiveX or other scripting... ?)

    5. Get a good anti-virus program.

    Update it regularly.

    Run it all the time.

    Good anti-virus software is no longer a paranoid's indulgence.

    It's a necessity.

    You'll want to set it to the highest security you can live with. If you get huge amounts of email and have a slow machine you may not want to tell it to scan every email that's downloaded, but you'll probably want every other option checked.

    Yes, it will slow things down a small amount. In most cases, you'll never notice it. If it gets too bad, you can disable the less important options, like scanning inside zip files. You don't need to scan your drives every time you boot up the machine, of course. But do it occasionally to be safe. Updating your AV software frequently is a must. There are tens of thousands of viruses out there, and more developed all the time. It does you no good to have the software if it's not current.

    Even with the best AV software, you still want to keep other security measures in place. These programs don't work on a virus until the developers know the virus exists. And frequently they don't know until shortly AFTER a major outbreak.

    Melissa was a great example of this.


    Two of the better anti-virus programs are:

  • Panda Anti-Virus, from
  • Norton Anti-Virus, from

    I don't recommend McAfee. It's entirely too much trouble when there are more convenient options that provide the same protection.

    With any anti-virus software, you can encounter occasional problems. It's an unfortunate but necessary part of the way the programs work. Some legitimate commercial programs may be treated as viruses, some hardware will have trouble, etc.

    Usually these programs will mention the potential trouble somewhere in their documentation. If you try installing software from commercially purchased CDs or from trusted download sites and have trouble, try the install after turning off the AV program.


    There's at least one "virus" that can affect your system without you downloading anything, opening any programs, or reading any infected emails. All you need to do is run a computer that's connected to the Internet that has a shared drive which doesn't require a password for write access.

    Isn't that fun? Just being connected can be a security risk! This one scans the net looking for machines with the right vulnerabilities, and writes itself to the system when it finds one. The effects of this virus sound like something from one of those hoaxes that are forever going around.
    * It spreads without any action on your part.
    * It can delete everything in your C:\Windows directory and sub-directories, and C:\.
    * It uses your modem to dial 911....

    Yeah. Can you believe that last one? The cretin who wrote this needs to be thrown in jail for life. Tying up emergency services like that could result in deaths.

    Fortunately, this is found in a very limited area so far. The only "sightings in the wild" have been in the Houston, TX area. And yes, it's confirmed. See:
    Or the FBI's advisory, at:

    This is the first virus that propagates this way. You can bet it won't be the last. And future ones will exploit more and more obscure weaknesses in common PC setups.


    If that doesn't scare you, the RATs should.

    I mentioned RATs (Remote Access Trojans) in the virus section. Technically, they're not viruses, but most anti-virus software (all the good ones) includes protection from known RAT programs. At least the ones that are propagated like viruses.

    A RAT is an interesting thing. Once planted on your system, it allows anyone with the control software to do all sorts of fun stuff with your machine, including downloading any files they like, deleting files, formatting your drives, running programs, talking through your speakers, even opening and closing the CD tray.

    There was a story in Reader's Digest recently about cyberstalkers. It described a case where a woman was being stalked, and was stunned at the things the stalker knew about her. She was REALLY scared when he claimed he could get to her at any time, and popped open her CD tray as he said it.

    The woman's machine was infected with a RAT. Plain and simple. Earlier I asked if there was any data at all on your machine that you'd rather NOT get into the hands of someone else... How do you feel about that now?


    Another variant of RAT can be triggered to send data to a specific site. With sufficient numbers of infected computers being triggered, all pointed at one system, the traffic generated can bring down even the most robustly connected servers.

    This is the type of distributed denial of service attack (DDoS) that recently hit some of the biggest sites on the net. And your computer could have helped in the attack. Are you getting mad yet?


    These are not particularly uncommon programs. There are many thousands of machines infected with this sort of trojan. And the control software can be found by anyone with the desire to look.

    So, how do they trigger them, and what can you do about it? To trigger them, all they need to do is scan the net until they find a machine that responds on a specific port that the RATs are programmed to listen to. This is the virtual equivalent of walking down the street and checking to see which homes have full mailboxes, piles of newspapers that haven't been brought in, or other signs that the tenants are absent.

    It's literally no more difficult than using Find or Sherlock to locate a file on your system.

    Once they find the infected machine, they send their commands to the RAT, and it runs them just as though the operator was sitting right at your keyboard.

    In six hours online yesterday, there were over 50 attempts to connect to ports on my system. Many of these were undoubtedly harmless. Some may even have been attempts by my ISP to locate unauthorised use of the service in ways that compromise their security. A fair number were, at the least, suspicious. 18 of them attempted to connect to Port 12345.

    Port 12345 is the port that is used to control NetBus. NetBus is a VERY common RAT.

    3 attempts per hour to connect to a RAT. All from different sources. Just on my IP address at my small local ISP.

    If that's typical, then there were over 50,000 attempts PER HOUR across the net yesterday, just on that port. (One person can scan a lot of space in a short period...)

    Do you suppose that any of those people are up to anything benevolent?

    If that doesn't make you mad enough to tear the mask off a raccoon, you need to talk to your doctor about reducing your medications...
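The tally described above (connection attempts in a session, how many went to port 12345, and how many per hour) can be produced from a firewall log instead of by hand. This is an added example, not part of the original article; the log layout, the sample lines and the addresses (documentation ranges) are constructed for the illustration and do not match any particular firewall product.

```python
# Added example (not from the article): summarise blocked inbound connection
# attempts per port and per source from a personal firewall log.
import re
from collections import defaultdict

# Port 12345 / NetBus is the article's example; add other ports you want watched.
WATCHED_PORTS = {12345: "NetBus"}

# Hypothetical log layout, constructed for this example:
# <date> <time> <BLOCKED|ALLOWED> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>BLOCKED|ALLOWED) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample: three hours online, one outbound line, one damaged line.
SAMPLE_LOG = """\
2000-03-14 09:05:12 BLOCKED TCP 203.0.113.7:1042 -> 192.0.2.10:12345
2000-03-14 09:40:03 BLOCKED TCP 198.51.100.23:3311 -> 192.0.2.10:139
2000-03-14 10:02:55 BLOCKED TCP 198.51.100.23:3312 -> 192.0.2.10:12345
2000-03-14 10:02:56 BLOCKED TCP 198.51.100.23:3313 -> 192.0.2.10:23
2000-03-14 10:30:00 ALLOWED TCP 192.0.2.10:1100 -> 198.51.100.80:80
2000-03-14 10:45 BLOCKED TCP 203.0.1
2000-03-14 11:15:41 BLOCKED TCP 203.0.113.99:2200 -> 192.0.2.10:12345
2000-03-14 11:58:09 BLOCKED UDP 203.0.113.7:1050 -> 192.0.2.10:137
"""


def triage(log_text, my_ip, hours_online, scan_threshold=3):
    """Count blocked inbound attempts, break out watched ports, and list
    sources that tried at least scan_threshold different ports."""
    attempts = 0
    skipped = 0
    sources_by_port = defaultdict(list)   # destination port -> source IPs seen
    ports_by_source = defaultdict(set)    # source IP -> destination ports tried

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            skipped += 1          # keep a count so damaged logs are noticed
            continue
        if match["action"] != "BLOCKED" or match["dst"] != my_ip:
            continue              # outbound or permitted traffic is not a probe
        port = int(match["dport"])
        attempts += 1
        sources_by_port[port].append(match["src"])
        ports_by_source[match["src"]].add(port)

    watched = {}
    for port, name in WATCHED_PORTS.items():
        hits = sources_by_port.get(port, [])
        watched[port] = {
            "name": name,
            "attempts": len(hits),
            "sources": sorted(set(hits)),
            "per_hour": round(len(hits) / hours_online, 2),
        }

    multi_port = {
        src: sorted(ports)
        for src, ports in ports_by_source.items()
        if len(ports) >= scan_threshold
    }
    return {
        "inbound_blocked": attempts,
        "skipped_lines": skipped,
        "watched": watched,
        "multi_port_sources": multi_port,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, my_ip="192.0.2.10", hours_online=3)
    for key, value in summary.items():
        print(key, "=", value)
```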


    So, how do you stop them?

    Simple. Install a firewall.

    [Long pause]

    I heard that!

    "Oh no! A firewall? That's major techno-mojo!"

    Yoda say: "Difficult not. Easy it is."

    (At least for Windoze. If any of you know of a good personal firewall for the Mac, send me the details and I'll add it to future revisions of this article, with much gratitude.)

    My first firewall software was BlackIce, from . If you like rules and configuration and lots of techno-babble, BlackIce is a very useful, reasonably priced tool. (Under $50) It's not the simplest thing ever created, but not particularly tough either. There are better solutions for those of us who just want good, no-hassle protection for our systems.

    The better solution? ZoneAlarm, from This program is a dream. It has to be. Nothing this good is this easy in real life. It's fairly small, simple to install, and reputed to be the best personal firewall on the market. And it's free? I was sure it was a joke. (After all, it's a Windoze program!)

    No joke, young Skywalker.

    You can set different levels of security for local and Internet connections. You can control which software is allowed to connect to the Internet, and keep strangers on the net from connecting to you. That's the big key.

    You can lock all Internet access, both ways. You can allow or disallow the functioning of servers on your system. You can add IP addresses and subnets to the program's definition of "local." You can allow specific programs to act as servers. This last is necessary for things like NetMeeting and Norton Anti-Virus' Live Update. Probably for ICQ as well, although ICQ has its own set of security holes...

    You can even turn off the alerts that let you know every time there's an attempt to connect to your system, if you get bored or annoyed with them.

    For all practical purposes, when this software is running, your machine doesn't exist to scanners. They literally don't even see a computer on your IP address.

    I don't for a minute believe that this is perfect protection.

    I would guess that allowing connections for multi-purpose, server-style software like ICQ or Instant Messenger could introduce some neat holes that people could do their dirty work through, for example.

    Still, if you're using ZoneAlarm and only running your emailer, browser, or other non-server programs, you're so far ahead of the game it's silly.

    Combine these various security measures, and you're golden.


    A few more small points.

    The most common way for people to get access to your private data is still by physical intrusion. Actually having access to your computer. If you aren't sure about the physical security of your machine, you may want to address that.

    One way that works quite well is to lock up disks that contain sensitive data. Yes, good old fashioned locks have their place in this high-tech world.

    Another (and more foolproof) way is to encrypt it. The ultimate software for this is PGP. It's free for personal use, and available from

    PGP also has plug-ins that allow it to be used in sending encrypted email that's so tough the NSA supposedly can't break it. Very useful if you think your email is being sniffed, snooped, or otherwise covertly monitored. Or if you just like the idea of personal privacy. (Now who cares about THAT???)

    It's currently illegal for PGP to be exported from the US. That's hardly an issue, since there are versions available that were created outside the US, and which can be found and used legally by almost anyone in the world. (It's still illegal in France. Can you believe that?)

    If you use PGP, it's absolutely critical that you make backups of your public and private keys, and store them someplace safe. And pick a passcode that you will always remember, but which isn't too obvious. NEVER write down your passcode anywhere. If you lose those keys or your passcode, the encrypted files are just random drivel, and will stay that way.


    Watch out for people picking up your passwords by "shoulder surfing." (Watching as you type them in somewhere.)


    Use passwords that are 8 or more characters in length, and which contain both letters and numbers. These are much harder for password crackers to break.


    Don't write your passwords on Post-Its and stick them to your monitor. If you have to write them down, keep the copy somewhere separate from your computer.

    Don't put your passwords all in one file and then call it passwords.txt. (Yes, I've seen this!) Here's a trick for you if you want to keep your passwords in a text file on your computer. Give it an obscure name, with a different extension. I used to keep mine in a text file called logo12.gif in my web graphics directory. There were 11 real logo files there, along with hundreds of other graphics, so this was pretty low risk. This approach is called "security by obscurity."


    Above all, use common sense.

    An example: While I'm a bit of a bug about backups, I could easily get by just backing up my email and a few databases. My work is almost all writing, and that's delivered to clients as soon as it's completed. At that point, backups are a customer service issue, not a security problem.

    Consider the actual needs of your situation when deciding on what measures to employ. Don't create major time and expense protecting Mom's secret prune dumpling recipe, unless it's AWFULLY good.

    In most cases, the bad guys aren't looking for you personally. (This may not be true if you're on a fixed IP system, like a cable modem.) They're looking for any and all systems they can exploit.

    Don't get paranoid.


    Again, this isn't an exhaustive list. You need to look at your own situation and consider your personal needs when coming up with a solid data security strategy.

    It's not the sexiest part of doing business online, but if you neglect it, it WILL come back and bite you at some point.

    Take care of it with a little forethought, and those stories you hear from other people about their disasters will stay with other people. You'll just happily hum along, doing business as usual no matter what comes your way.

    Isn't that a nice thought?

    This article was originally published in TalkBiz News, the newsletter of "Hard Core How-To For Small Business." To subscribe, send any email to You may forward this article to anyone you want, as long as you send them the whole thing. Or, just send them the email address and let them request it themselves. The address to get a copy of this article is


    Site copyright © 2000-2011 by Shel Horowitz