
Posted: Wed, February 15, 2006

IT Security - What every business needs to know

by Sali Earls

These days, no business can afford to be apathetic when it comes to security. With high-profile security breaches at an all-time high, and the problem of eCrime costing Wales at least £160m in 2004, all companies, regardless of size and resources, need to address this issue.

The eCrime dilemma faced by every company and individual will be unique to their particular circumstances, but there are some effective tools and methods that can be adopted by all to alleviate the risks.

Clive Harper is the director and principal consultant of Swansea-based Securion Technology, an independent consultancy specialising in network and information security. Sali Earls spoke to him to find out what every business in Wales needs to know about eCrime prevention.



With initiatives such as E-Crime Wales and Get Safe Online, greater awareness of security issues is created, but many companies still do not consider themselves to be at risk. What would you tell small businesses to ensure that they take the threat of eCrime seriously?

With small businesses the risk tolerance is generally much higher than with a larger business, so they generally do not perceive security issues as being such a high risk. This, together with less time and money, means that small businesses typically do not address the security issues as quickly as a larger business would, making the small business a good target for eCrime, as they are generally not as well protected and do not have the in-house IT skills to defend themselves adequately.

Unfortunately statistics show that for a small business a single major security incident could mean the loss of reputation or customers which could have severe consequences for the future of the business.

This should be a message to all small businesses to take eCrime seriously.


Do you think companies are at greater risk from internal or external threats? How should small business approach security to deal with the internal and external threats?

Of course, each business has its own set of risks that should be assessed individually, but in general a business should take time to understand the risks it faces from both external and internal threats and then develop a plan to address them.

Most external threats can be reduced to an acceptable level by implementing good security controls such as firewalls, intrusion detection, anti-virus and anti-spyware scanning.

Internal threats can be more difficult to deal with, as most businesses trust their employees not to use company systems for criminal or illegitimate purposes but in some cases do not implement any controls to enforce this. To deal with the internal threats, as a minimum measure all small businesses should create and enforce a set of policies for its employees, outlining exactly what is acceptable and what is not within their business.


What should MDs be asking their systems administrators to ensure that they are doing their job properly where security is concerned?

Security is not just a job for systems administrators; it should be implemented from the top down. Firstly, managing directors need to ensure that their business has up-to-date security policies and procedures in place - the policy should state clearly why security measures are to be deployed and the procedures give instructions to the managers and systems administrators on how they are to be implemented and managed.

Next, managing directors should ensure that the systems administrators receive adequate training for the equipment and software used within the business to minimise risk of misconfiguration and human error.

Finally, managing directors should ask for regular briefings where the systems administrators can provide up-to-date statistics on the effectiveness of the security controls and highlight any new threats that need to be assessed.

I would recommend that all businesses carry out a security audit at least once a year to ensure that the security policy and procedures are being followed.


What simple steps can micro businesses, where there may only be one or two staff, take to protect themselves from eCrime?

Managing security in a micro business can be just as hard as in a larger business as they face the same security threats although on a smaller scale.

I recommend the focus should be on securing the internet connection and desktop PCs and taking regular backups of data. This means using a firewall on the internet connection and PCs, installing anti-virus and anti-spyware software and keeping the operating systems and software up-to-date with the latest service packs and patches.

Data backup for micro businesses can be achieved easily by backing up regularly to CD/DVD and storing a copy off site in case of an emergency.


With many well publicised security breaches and hacks of software, how would you advise companies when selecting technology?

When selecting new hardware or software for use in your business you must evaluate how adopting this new technology will affect your overall security status and whether it will bring additional unwanted risks.

If you are adding a piece of technology to mitigate security risks, such as a firewall or anti-virus software, then make sure these products carry industry standard accreditations such as ICSA Certification to show they have been tested to an acceptable level. If you are adding other technology then make sure the vendor regularly releases updates to fix security vulnerabilities quickly, and my advice would be: do not use free downloadable software from the internet unless you are absolutely sure it does not contain any spyware or other malware.

Sometimes moving away from software known to have many vulnerabilities can improve your general security, for example it is generally regarded that the Mozilla Firefox web browser is more secure than Microsoft Internet Explorer and Linux/Unix is not as prone to spyware or viruses as Microsoft Windows, but in all cases before deciding to switch you must evaluate whether it will be right for your business to do so.


All companies should have a security policy, but how should small businesses approach this without it becoming an unwieldy undertaking?

My advice is always start small and build up. Start with a simple one-page policy that lists what risks the business faces and then list what the business regards as the best way of dealing with these risks. Use this as the foundation of a larger, more detailed policy, and keep reviewing the policy regularly to make sure it remains up-to-date.

Bringing in a consultant early-on can help businesses understand the risks they face and also assist with the overall development of the policy but it is not always necessary depending on the knowledge of in-house staff.


What do you think the greatest eCrime threat is today for small businesses?

The continuing threat of Viruses, Worms, Trojans and Spyware is still the most widely reported type of eCrime and it is the type that everyone sees at one time or another due to the widespread nature of the attack. But this type of crime may not necessarily be the most damaging to your business, depending on your business type, so it is important that you understand and address the specific threats that are applicable to your business type and not just to protect against the most widely reported eCrime issues.


If you could give SMEs in Wales one piece of advice to secure against eCrime, what would it be?

My advice is this - make sure everyone in the business understands the eCrime problem and knows what to do in the event of an incident.

Promote websites such as Get Safe Online, the DTI, and the National High Tech Crime Unit, and encourage staff to take time to read the information on offer.

The more knowledgeable staff are about security issues, the more secure and safer your business will be.



Exclusive itwales.com offer: Clive Harper is offering itwales.com readers based in Wales the opportunity to have a free one-hour consultancy session. To take advantage of this offer please email editor@itwales.com with your full contact details.



Useful links:
www.securion.co.uk
www.getsafeonline.org
www.dti.gov.uk
www.nhtcu.org



Send a comment about this article to editor@itwales.com.



© Copyright ITWales 2006


