
Poor security in computer systems can be catastrophic for any business, no matter how small – Helen Bradley explains how to assess vulnerability and what you can do to protect your precious data.

Don’t take the ostrich approach. The issue of securing your computer networks will not go away by ignoring it. If anything, security issues will increase, and taking a proactive approach gives you the best possible chance of dealing with problems rather than being dealt with, sometimes disastrously, by them.

To properly plan your business security it's important to understand what you have that needs protection, what the potential weaknesses in your system might be, and what you can do to fix them. Even if you think you don't have much of value on your computer systems, this is probably not the case. At the very least you'll have details of your company finances, including customer and supplier lists and histories, as well as a wealth of information about your business and its processes that would be costly to lose.

Many businesses will simply go out of business if the data on their computer networks is lost or compromised. And so it's vital to do regular backups of your data, test the backups to ensure they work, and store them off site for security.

When considering the data you need to secure, include the data stored on your office computer systems, data in transit (for example, email messages travelling in and out of the business), and data travelling around on your employees’ laptop computers. If this data is sensitive, consider encrypting it, particularly in transit via email.

Companies are sometimes reticent about admitting breaches and subsequent losses. No business wants to go public about this because of the potential threat to customer and shareholder confidence. So, just because you don't hear about such losses, don't imagine they’re not happening.


Multiple Threats

Gone are the days when simply installing a virus checking program was all a company needed to do. Nowadays, with the proliferation of attacks against computers, many more issues need to be addressed. One of these is still antivirus software to protect against viruses, particularly in email messages. Coupled with this is anti-adware and spyware software which protects against programs tracking internet use or monitoring keystrokes to gather data such as passwords.

Over the years hackers have received a lot of press for breaking into computer systems and causing havoc. The internet helps hackers by offering an easy way to get into your computers, and so installing intrusion detection software to alert you to someone accessing your system without authorisation is important.

Don't overlook threats posed by employees. As Martin Kaldor, national chair of Information Security Interest Group, explains, "Australian research is showing growing losses incurred by business through information vulnerabilities, many of them internal." Clearly, good systems and protections against damage by employees, whether accidental or deliberate, are required.

Hand-in-hand with these solutions is a firewall to maintain a secure interface between your company’s computers and public networks. David Friedlander, senior analyst for Forrester Research, cautions: "The idea that desktops don’t need personal firewalls because they don’t leave the network is no longer valid. Desktop computers become vulnerable to malicious code the second a remote machine plugs back into the corporate network."

One of the little-understood threats to your business is via known flaws in the software and hardware you already use every day. Many threats can be averted if you update your software regularly and ensure security patches for all software are installed and all default passwords have been reset. "Patch and vulnerability management is a fast-emerging IT security issue, as companies are increasingly exposed to spyware, malware, viruses and worms that exploit software vulnerabilities," advises PatchLink's vice president and managing director for the Asia Pacific Region, Neal Gemassmer.

"With devices such as laptops and handheld computers required to attach and detach from a company's central network, there is major potential for infectious code to spread quickly through the entire environment, impacting the bottom line and the reputation of the organisation. Automated, cross-platform, patch and vulnerability management technologies can drastically strengthen network security," Gemassmer adds.

Laptops also pose a problem where they are connected to the internet using wireless technology, as security for these can be weak. It is important to ensure correct wireless protocols are in force so the data on mobile computers is as secure as the data on your business computers.


Managing Spam

Another issue is spam, or unsolicited email. The sheer volume of spam your employees receive takes time for them to sift through and eradicate. In addition, there is a risk someone will misunderstand the difference between a real email and one fishing for data, and this mistake can compromise security. Centralised spam-managing software can help control the problem, but it's as important to let through the emails that are not harmful as it is to trap those that are.

"Keeping up with today's new and emerging email threats, as well as the latest compliance requirements, demands continuous investment in hardware, software and internal resources for SMEs," says Andy Lake, director of partners, MessageLabs Asia Pacific. "With spam accounting for 73 percent of email in 2004, SMEs face the same email security challenges as much larger businesses, yet they often don’t have the resources or money to confidently select, effectively implement, properly administer and fully utilise the right security infrastructure.

"SMEs are increasingly outsourcing their email systems to managed email security service providers as a way of keeping email-borne threats, viruses, pornography and spam outside their networks. This enables them to get on with their core day-to-day jobs, rather than spending considerable time and effort tackling these issues."

At the heart of any security system is a belief that it could happen to you. "Your own and your staff’s awareness about not opening every mail attachment, shutting down un-needed software, and basic security precautions, can protect against disruption or loss of computer data and services," Kaldor explains. Begin with the premise that your system is vulnerable, and you'll be ready to investigate potential problems and set up systems to address them.

Sven Radavics, sales director for WatchGuard Technologies, says the time to test your infrastructure is not during an emergency but well before it happens. He recommends a hands-on approach by non-technical CEOs—ask questions, poke around, be interested and learn more.

It's also vital to develop a consciousness throughout your business of the need for security and an understanding of what could happen if everyone is not vigilant in their approach to security issues. This is a consciousness that must permeate from the top down, and so it is critical that you, as business owner, take the lead.

Security is not a problem that will go away any time soon and business owners must know where their systems are vulnerable so those problems can be addressed.

* Helen Bradley is a frequent contributor to DSB and other international computer publications.
