Many businesses think they wear a cloak of invincibility regarding computer security and the chance of their networks being invaded or data stolen. Harm to valuable (and often sensitive) corporate data affects the performance of daily operations, as well as the company’s credibility in the market. No IT manager can be compliant, and “it couldn’t possibly happen to us” is not an acceptable excuse.
There are a few simple yet effective ways to help protect businesses from the virtual and physical IT security threats that exist today.
Know the internal and external risks faced - then turn them into a security policy
A business cannot protect itself unless it has reviewed both the internal and external threats it faces and assigned a level of importance to each. This isn’t a simple task and there is no one-size-fits-all list of risks, as each business has its particular vulnerabilities and priorities.
External threats become more important as the IT network is extended from internal access only, to increasingly being shared with suppliers, customers and partners. This means that network security automatically assumes a high priority as a means of defending against unauthorised access and exposure of network vulnerabilities.
And it is not just hackers who are a threat.
A significant risk resides within a company's four walls. Most companies are unaware of the mismanagement of staff identities, particularly when an employee has left the organisation but is still able to access the network from another location.
These risks should be accurately surveyed and then converted into a security policy that is rolled out across the organisation and understood by all employees.
Get help to find hidden weak points
Searching for the weak spots in a network can be difficult and cumbersome as not all the risks will be immediately obvious. An effective way of identifying risks is having an independent third party conduct an audit of the security systems to find vulnerabilities. This should be arranged before protective hardware or software is purchased. There are also security management products available on the market today, which offer a holistic view of the network – helping to identify specific security vulnerabilities so that preventative action can be taken.
Make fixed assets physically secure
IT theft doesn’t always take place over the Internet. Stealing a hard drive, server or laptop computer is far easier than most companies realise. One prevention option is to buy an inexpensive security kit consisting of a hacksaw-proof cable and padlock, which will stop a computer from being opened or physically removed. Security tags that help police to track down the property's legal owner in the event of recovery are also useful. Some companies place their most valuable IT possessions, such as servers and archived data, in access-controlled rooms as a further theft prevention strategy.
Computer viruses, just like human ones, affect everybody
The notorious Melissa, Sobig and Nachi viruses and worms have caused tens of millions of dollars in damage over the last few years – affecting companies in Australia and across the world. Like most security threats, viruses don’t discriminate against company size and everybody is at risk.
Protecting against these threats is not as simple as deploying a software package and forgetting all about it. Making sure data isn’t lost to a virus means constant review of patches and vulnerability signature updates. This will improve the odds of staying ahead of virus authors who perfect their craft as fast as virus protection specialists can develop solutions.
The best protection includes policy and procedure as much as technology. There are tools readily available that help define and enforce security policies consistently across all aspects of the businesses. Employee training is essential to policy enforcement as they must have a clear understanding of their role – whether regarding the receipt of suspicious e-mails, or what to do in the event of infection.
Don't make it easy for hackers
A little common sense goes a long way. Many hackers target big companies for what they may call ‘ethical’ reasons. But there are those who are not averse to creating a bit of chaos anywhere they can. Common mistakes that companies can avoid include: weak password control (consider how many organisations use the word ‘password’ as their password), incomplete backup procedures and network ports left exposed on the Internet.
In summary, while it is difficult to protect against any possible security threat, it does pay to be prepared. Con Yianakos is Tivoli Security Manager for IBM Australia and New Zealand