It doesn’t matter how big or small your business is — sooner or later someone will attempt a security attack against you. What can you do about it? Plenty.
The issue of security, from physical infrastructure to information, has been thrust to the forefront in response to the 9/11 terrorist acts. As a manager, you recognize that IT security is important and likely understand that your company’s level of vulnerability is rising with the increased dependence on the Internet.
The IT security research and data are compelling. The FBI formed the National Infrastructure Protection Center in 1998 in recognition of the problem’s growing significance and reported to Congress that cyber crime is a "significant threat to U.S. national and economic security." A study by Carnegie Mellon found that companies average $256,000 a year in losses due to Internet theft. Virus attacks cost businesses $12 billion in 1999 alone, according to the Department of Justice.
And cyber crime isn’t limited to big business: Gartner predicts that 50 percent of small and medium sized businesses will experience an Internet attack in the next year, and the majority of those organizations will be unaware of the breach. David Schatsky of Jupiter Media Metrix comments, "There is a fundamental lack of understanding out there when it comes to the gravity of security breaches." This article provides an overview of IT security to help business managers understand the most critical issues and how to respond.
Breaches for Any Reason, From Anywhere
People commit online crime for the same reason they commit other illicit activities: malicious sabotage, greed, recognition, power, and ideology. Their targets can vary widely: theft or deletion of corporate data such as client, financial, or strategic documents; defacement of a Web site; and/or denial of service.
The perpetrators of Internet attacks could be just about anyone. The short list includes current and former employees, competitors, and random hackers. In an FBI survey of nearly 200 companies, 55 percent reported malicious activities by people inside their organizations.
Types of Attacks
IT attacks come in a variety of forms. Virus is the broad category used to include high-profile attacks such as The Love Bug and Code Red, as well as lesser-known Trojan Horses and the like. By definition, a virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses also typically replicate themselves.
Other, less pervasive forms of attack include:
* Denial of service — hackers occupy enough resources on a server to inhibit legitimate service
* Spoofing — hackers gain access to a computer, assume an identity, and are capable of wreaking havoc
* Traditional — copying information to a disk or CD, or digging through trash to acquire sensitive information
* Social engineering — hackers pose as network administrators to gain key access information from unsuspecting employees.
Given the ever-increasing number of Internet users and Web sites, the best IT security programs address both online and offline protection measures in concert.
Prevention is the Best Medicine
Companies are increasingly seeking expert outside advice and tools to help safeguard their data, in response to findings such as Symantec Corporation’s identification of over 40,000 distinct viruses in existence today. Indeed, in a study released a week after the attacks on America, IDC forecast the IT security services market to grow at 25 percent per annum to a $21 billion market by 2005. Best-practice companies work to prevent IT security breaches using two approaches: tools and policies/procedures.
The most popular security tools are authentication, firewalls, and encryption. The most common method of authentication is username/password pairs that can be used in a variety of ways. Firewalls protect the perimeter of a network and restrict access. (Small and medium sized businesses, which typically use ISPs to host Web sites, can have additional complexities when using firewalls.) Encryption techniques involve encoding a message or text with a key for decoding. Encryption is often used to protect online transactions and the transmission of sensitive data such as credit card information.
Have a Plan
Security tools, while highly effective, can only do so much. Formal security policies and procedures, for both the IT staff and corporate users, underpin information protection. A comprehensive program begins with an IT security audit, which identifies organizational points of exposure and measures to be taken for baseline compliance. Regular ongoing support of the program is critical to ensuring IT security.
Finally, disaster recovery plans are invaluable when catastrophic events, acts of God, or other forms of data loss occur. It is extraordinary that we’ve heard so little in the news regarding the effects of the data losses of the dozens of Fortune 1000 companies housed in the World Trade Centers. The reason? Their disaster recovery plans, including data backup and restoration, were generally very effective. However, in a recent study by The Standish Group, only 4 percent of respondents said their disaster recovery plans covered all their major applications and were up-to-date.
Know When You’re Hacked
Security experts agree that it’s impossible to provide a 100 percent guarantee against IT security breaches. If you’re connected to the Internet via a Web site, you can be hacked. Monitoring tools such as Tripwire and BlackIce alert administrators to system breaches as well as provide critical information to fix network vulnerabilities.
Three Security Tenets
When thinking about IT security, there are three underlying issues to consider:
1. Confidentiality — ensuring that corporate information is accessible only to authorized users
2. Integrity — maintaining the quality and accuracy of corporate information
3. Availability — to be useful, information must be available when and where it is needed.
How to Respond
As with insurance, you can spend as much or as little as you want on IT security. Below is a list of baseline security measures that should be in place at any organization.
1. Use strong passwords. Choose passwords that are difficult or impossible to guess. Choose unique passwords for all accounts. Effective passwords should include both numbers and letters.
2. Make regular backups of critical data, and store the information offsite. Backups must be made at least once each day. Larger organizations should perform a full backup weekly and incremental backups every day. At least once a month the backup media should be verified.
3. Use virus protection software. That means three things: having it on your computer in the first place, checking daily for new virus signature updates, and then regularly scanning all the files on your computer.
4. Use a firewall as a gatekeeper between your computer and the Internet.
5. Do not keep computers logged on or online when not in use. Either shut them off or physically disconnect them from the Internet connection.
6. Do not open e-mail attachments from strangers, regardless of how enticing the subject line or attachment may be. Be suspicious of any unexpected e-mail attachment from someone you do know because it may have been sent without that person’s knowledge from an infected machine.
7. Regularly download security patches from software vendors.
8. Raise security awareness. Regularly communicate security measures and guidelines to workers.
Bill Smeltzer is Vice President at HighSpeed Communications, a technology firm specializing in voice, data, video and security solutions. He can be reached at [email protected]