How long does it take before you discover a data breach? And by that time, is it too late? What are the measures you put in place to identify the issue and ensure that it doesn’t happen again?
I would be bold and say that the majority of breaches are never discovered. If a network system is vulnerable to breach, there probably aren’t any tools in place to detect penetration. And I see this a lot in installed networks. I think most data shows that data breaches happen very quickly, after access is obtained, so yes, it is usually too late.
In the words of a great football coach, your best offense is a solid defense.
But thankfully, there are a great deal of tools out there to secure your network and most of the things you can do, you can do without paying a company or consultant to do it. The extent to which you should secure your network is limited only by the value of whatever you are protecting. Most small businesses should be fine using open source tools and some of the tips below. If you have found your business has grown beyond the small label, you should take your network security much more seriously and hire a reputable security firm to assess your security and recommend and implement ways to harden it.
A solid access-list firewall is a must. If you have publicly available websites or applications on your network, a DMZ architecture to separate them requires an extra firewall device. Closing unused ports is something I see a lot that can be done easily. Or an open service port that could be locked down with an ACL matching it’s usage. A very large percentage of attacks are coming from IP ranges that can be easily excluded from accessing your network. And many service ports might only need to be accessed by one static Ip address.
Any size organization can install host-based intrusion detection and intrusion prevention systems at very low cost. There are linux, open source solutions that literally cost nothing except the hardware you put them on, and that can often be a spare workstation or server. Installing it and getting them working though, does take time and knowledge. Look at Ubuntu Server and OSSEC HIDS and/or Snort to watch for, report and block suspicious activity and Squid to filter traffic.
At the client level, use No Script or NotScripts to filter every webpage and allow components as needed. This is one of the best defenses, costs nothing, and very few users actually use it. Never open emails from unknown senders and even those you do know, only open them if you were expecting it. The days of simply relying on antivirus are gone. Now we need a full suite of products or a fully integrated product like AVG Internet Security 2011 or Symantec Endpoint Protection, because we aren’t just defending against viruses anymore.
Once you get it all installed, decrypting some of the warning messages can be another part of the learning curve, separating expected response from nefarious activity. But, google is your friend and a lot has been documented to help you out.
If you do have in-house IT or at least a technically oriented employee, the above should be done at the very least.