The Internet has become the major driving force behind all growing businesses in the world today. It is very obvious that the methods of spreading information used in the 1990s cannot compete on the same global level as effectively and efficiently as Internet-based media does today. As such, corporations of all sizes increasingly rely on Internet-based services to handle their day-to-day business needs. Some companies have become completely virtual storefronts, existing only on the Internet, and the manner in which data is collected, processed and stored becomes increasingly critical to business continuity and to the effectiveness of the global supply chain. We recently discussed the importance of having some form of disaster recovery plan in place in the event of a failure within critical data systems. That is only half of the equation. With the number of users on the Internet increasing by the minute, the number of threats to companies from outside sources likewise increases. How well is your company prepared for ... the Attack of the CyberVirusMutantTrojanBotWorm?
I know, the name is silly and completely made up. Google did not know the word so it is not real. YET. But guess what, there really are hackers out there. Just this year alone, several very high profile companies have experienced serious breaches of their security potentially affecting more than 100 million people. While these breaches are typically focused efforts by organized groups, there are thousands of other breaches happening around the world that are less visible and largely unnoticed. So what can organizations do to help alleviate the issue? Education and action. A little knowledge and responsibility can go a long way. Let's look at a few basic points that can help keep data safe from inappropriate use.
1. Assign a Point Person. Appoint someone within the organization to be responsible for organizational security. This is a key point. Many smaller companies rely on outside consultants for their hardware and network requirements, and often the assumption is that these consultants can adequately provide protection from intrusion. The reality is that many of these consultants do not have a significant enough presence onsite to monitor and maintain proper security. If needed, hire someone to help create a plan that can then be turned over and maintained internally. This step is the eye-opener for any corporation that has not taken data security seriously.
2. Be Aware of What You Keep. The type of data that you are holding on to, and how long it needs to be retained, is important. Purging data that has outlived its usefulness under corporate retention rules lowers the scope of risk in the event an incident does occur. In addition, there are standards within specific industries regarding mandated security measures for specific types of data. For example, any company that stores credit card data should review the Payment Card Industry Data Security Standard (PCI DSS). If data does not need to be retained, then don't keep it. Determine what tools are available in your corporate software to help remove unneeded data. Within the EnterpriseIQ suite, the IQPurge tool can be used to remove data that is no longer necessary to maintain.
3. Password Policies. This is one of the most overlooked areas that really needs addressing. In many organizations, user passwords can be many years old and, in some cases, may still be the default password that was assigned to everyone in the organization when a new account was created. How about that new router you purchased and put in place? Did the administrative console password get changed from the default that was shipped from the manufacturer? Standard policies include requirements to change passwords every 90 to 180 days, impose a minimum character count and include special characters in the password. This may seem like a huge challenge, but setting the standard and helping users become acquainted with it can alleviate the pain. Corporate software should have enabled any password policies that can help manage user password standards. For example, the EnterpriseIQ suite of software has the ability to enforce requirements such as including numbers, minimum length, password life, forced password change after user creation, password reuse, failed login attempts and other options.
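The controls listed above (minimum length, required digits and special characters, password life, forced change after account creation, a reuse history and a failed-login limit) are easy to reason about when they are spelled out as code. The following Python is an added example, not code from the post and not EnterpriseIQ's implementation; the policy values in POLICY, the account fields, and the sample passwords are all assumptions chosen for illustration. It stores only salted PBKDF2 hashes, so the reuse check never needs old passwords in clear.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values (not EnterpriseIQ's defaults), chosen to match the
# 90-day lower bound the post mentions.
POLICY = {
    "min_length": 12,
    "require_digit": True,
    "require_special": True,
    "max_age_days": 90,
    "history_size": 5,       # previous passwords that may not be reused
    "max_failed_logins": 5,  # lock the account after this many failures
}
PBKDF2_ROUNDS = 100_000      # illustrative; tune to your hardware in production

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    last_changed: datetime
    must_change: bool = True                     # forced change after creation
    history: list = field(default_factory=list)  # [(salt, digest), ...]
    failed_logins: int = 0
    locked: bool = False

def check_complexity(password, policy=POLICY):
    """Return the complexity rules a candidate password violates (empty = OK)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    if policy["require_digit"] and not re.search(r"\d", password):
        problems.append("no digit")
    if policy["require_special"] and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems

def is_reused(password, account, policy=POLICY):
    """True if the candidate matches the current or any of the last N passwords."""
    recent = [(account.salt, account.digest)] + account.history[-policy["history_size"]:]
    return any(hmac.compare_digest(hash_password(password, s)[1], d) for s, d in recent)

def is_expired(account, now, policy=POLICY):
    """A password is expired when a change is forced or it is older than max_age_days."""
    return account.must_change or now - account.last_changed > timedelta(days=policy["max_age_days"])

def change_password(account, new_password, now, policy=POLICY):
    """Apply every rule; on success rotate the hash and push the old one into history.
    Returns the list of violations (empty means the change was accepted)."""
    problems = check_complexity(new_password, policy)
    if is_reused(new_password, account, policy):
        problems.append("password reused")
    if problems:
        return problems
    account.history = (account.history + [(account.salt, account.digest)])[-policy["history_size"]:]
    account.salt, account.digest = hash_password(new_password)
    account.last_changed = now
    account.must_change = False
    return []

def attempt_login(account, password, now, policy=POLICY):
    """Verify a login, count failures and lock after the configured limit.
    Returns 'locked', 'failed', 'expired' or 'ok'."""
    if account.locked:
        return "locked"
    if not hmac.compare_digest(hash_password(password, account.salt)[1], account.digest):
        account.failed_logins += 1
        if account.failed_logins >= policy["max_failed_logins"]:
            account.locked = True
        return "failed"
    account.failed_logins = 0
    return "expired" if is_expired(account, now, policy) else "ok"

def new_account(username, initial_password, created):
    salt, digest = hash_password(initial_password)
    return Account(username, salt, digest, created)

def demo():
    """Walk one constructed account through the policy and collect the outcomes."""
    t0 = datetime(2024, 1, 1)
    acct = new_account("jdoe", "Welcome-2024!", t0)   # constructed initial password
    r = {}
    r["first_login"] = attempt_login(acct, "Welcome-2024!", t0)            # forced change
    r["weak"] = change_password(acct, "password", t0)                      # fails complexity
    r["reuse"] = change_password(acct, "Welcome-2024!", t0)                # reuse rejected
    r["good"] = change_password(acct, "Correct-Horse-Battery-9", t0)       # accepted
    r["login_ok"] = attempt_login(acct, "Correct-Horse-Battery-9", t0 + timedelta(days=30))
    r["aged"] = attempt_login(acct, "Correct-Horse-Battery-9", t0 + timedelta(days=91))
    for _ in range(POLICY["max_failed_logins"]):
        r["after_failures"] = attempt_login(acct, "wrong-guess-1!", t0 + timedelta(days=91))
    r["locked"] = attempt_login(acct, "Correct-Horse-Battery-9", t0 + timedelta(days=91))
    return r

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the initial login being accepted but flagged for a forced change, the weak and reused candidates being rejected with a reason, the 91-day-old password reported as expired, and the account locking after the fifth wrong guess; a real system would also log each of those events so the security point person can see them.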
4. User Guidelines. Make it clear to your users what is acceptable for them to do with their company-provided workstations. Employees spend a significant amount of time at work and in front of company workstations, so much so that these systems become comfortable to them and start to feel like their own. While employees should be able to customize their workstations to some extent, it is imperative that they remember that they are part of a corporate network and that, if they are not careful, their actions could affect the entire corporation. Downloading or bringing in non-sanctioned software can lead to disastrous security issues.
There are many other points that could be discussed and elaborated upon, such as physical data security, software update policies, internal auditing of compliance and so on. The goal here is to bring corporate security into view and point to resources that are available to help put processes in place. There are many good websites that cover specific aspects of security. The SANS Institute is a good starting point; they provide many documents from which security policies can be crafted. Microsoft has a library of tools and materials available for maintaining secure systems. The National Institute of Standards and Technology (NIST) is the government-maintained website for standards and policies. They have recently released a new proposal discussing a framework for increased cybersecurity for online businesses.
If you are interested in seeing the impact of lax security and blatant mistakes, follow this link to see what happened and the resulting impact. Don't get caught making these same mistakes. An ounce of prevention in this case far outweighs the alternative if things go wrong.