Following a breach of security at well established and professionally run Spry.com the other day (http://blog.spry.com/2007/11/14/security-breach/), it brings a question - how do YOU protect your client's data?

What measures do you take to make sure your office computers are protected from malware/spyware that can open doors to unathorized visitors?

It will be interesting seeing what methods are used. Very good question Artashes. Generally where clients data is handled we use PGP whole disk encryption and encrypted backups. If a laptop or PC is stolen then the data is safe and we would only have to worry about forking out cash for a new PC. It would suck if a clients personal details were not encrypted and stolen... bye bye job.

On the software side we encrypt emails that contain personal/confidential information and use hardware firewalls to prevent intrusion. We also have regular scans, security audits and other procedures in place to keep the network tight.

My guess is that not many companies follow the standards, because very few usually presume they will ever be a victim of security attack.

You hit the nail right on the head there. I guess too that a lot of companies seem to act after the problem rather then prevent the problem in the first place.

Interesting question Art,

With regards to site encryption, everything critical like the billing screens, control panels etc are protected by SSL. The database's are secured making injections extremely difficult. Client passwords are encrypted and cannot be changed by anyone other than the client or an admin.

On the data security side, servers are protected 24/7 by armed guards, biometric scanners, hardware firewalls, software firewalls, redundant this, that and the other.

I know of a few companies who don't really bother about data security, sure they have SSL encryption but that's about it. Hacking technologies are changing pretty much every day. If you are not properly protected then you wont last for long.

What security measures are in place on HD?

We have a rule that no sensitive client data is to be stored on a employees workstation. All credit card info and other sensitive data is stored in our data center on a server. Employees have to log in to the client management software or collaboration software with their username and password to access this data. All workstations are scanned for viruses daily and are firewall protected.

The physical security of the server is taken care of by the data center (24/7 armed security, swipe cards and biometric protection, motion activated video surveillance, ect). We do use SSL to encrypt data being transmitted and the server has a firewall and extensive security hardening.

Rob, you mention a lot of the techniques to protect the server (and most of these things are only affordable to big companies with deep investment/funding pockets), but can they protect themselves from receiving a spyware/malware that would compromise security on local office PCs?
It is my understanding that you can prevent security breach if you "host" all of the sensitive information through a third-party application on the site, which you can protect. However, most companies wouldn't rely on just one data source to keep all that information on and would prefer a local copy as well. THAT's where it gets tricky! Even if they choose to use external hard drives to store that information, when they connect them to PCs that were invaded with security-compromising viruses/spyware, it becomes irrelevant...

HostingDiscussion.com does not have paid clients, so we do not collect sensitive information about anyone. Altogether we rely on the security of vBulletin application and the security setup of our hosting provider to prevent loss of data.

So per my point above, are you satisfied with relying on a single point of data storage? Virus is one things, but there are numerous spyware/malware that can track keyboard activity, and still gain access.

Of course a company can only go that far to protect itself, and I am glad you guys are trying to keep your customer information protected (both server and local PC wise), but in todays environment it seems like there is no such things as an "ideal security".

The data is a single source, but it is backed up daily offsite to another data center in New York (the main dc is in Las Vegas). This way if the server fails or there is a natural disaster we can log into the back up server, get the information and get back on track.