Everyone's Problem: Computer and Data Security

We all are responsible for ensuring that data is kept secure and confidential.

By John R. Mallery

Our lives are digital. This is an unarguable fact. From business transactions to personal communications, everything we do is recorded electronically. Even if you do not own a computer, your personal information is stored on multiple computers in multiple locations. If you have ever been to a doctor, filed an insurance claim, registered to vote, held a driver's license, purchased products with a credit card, or served in the military, your life has been documented electronically. If you think that you cannot be the victim of Internet fraud because you don't own a computer and don't shop online, you are mistaken.

Because data is stored and transmitted electronically by nearly everyone, it is everyone's responsibility to ensure that data is kept secure and confidential. Data security is no longer just the province of IT professionals; it is everyone's concern. But making informed decisions requires some understanding of the issues around data security.

Common Misconceptions

Here are some of the common misconceptions many business people have about data security, and some ways to address them.

"No one is interested in our data or systems."

Attackers do not necessarily care who owns a particular system. Many simply scan for poorly protected, active connections to the Internet. If they find one, they can do several things:

- Break in and look around
- Break in, look around, and modify data
- Break in, look around, and steal data
- Break in, look around, and store stolen data, such as stolen credit card numbers and child pornography, on your systems
- Break in and use your systems to mount an attack on someone else (for which you may be held liable)

This applies to businesses as well as to home users with "always on" DSL or cable modem connections to the Internet.
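What "scanning for a poorly protected, active connection" looks like from the defender's side, as an added example that is not part of the original article: a short Python script that reads a few constructed firewall deny-log lines and flags a source address that probes many different ports on one host within a short time window, which is the signature of the automated scanning described above. The log line format is an assumption (a simplified syslog-style "DENY" record); real firewall products log differently, and the addresses are documentation ranges, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). The format is an assumption:
# "<date> <time> DENY <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>".
# The first source hits eight different ports in three seconds (a scan);
# the other two sources each produce a single deny (background noise).
SAMPLE_LOG = """\
2002-05-14 02:13:07 DENY TCP 203.0.113.45:4021 -> 192.0.2.10:21
2002-05-14 02:13:07 DENY TCP 203.0.113.45:4022 -> 192.0.2.10:23
2002-05-14 02:13:08 DENY TCP 203.0.113.45:4023 -> 192.0.2.10:80
2002-05-14 02:13:08 DENY TCP 203.0.113.45:4024 -> 192.0.2.10:135
2002-05-14 02:13:09 DENY TCP 203.0.113.45:4025 -> 192.0.2.10:139
2002-05-14 02:13:09 DENY TCP 203.0.113.45:4026 -> 192.0.2.10:445
2002-05-14 02:13:10 DENY TCP 203.0.113.45:4027 -> 192.0.2.10:1433
2002-05-14 02:13:10 DENY TCP 203.0.113.45:4028 -> 192.0.2.10:3389
2002-05-14 02:40:51 DENY UDP 198.51.100.7:53 -> 192.0.2.10:1025
2002-05-14 03:02:14 DENY TCP 198.51.100.22:51122 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse deny lines into (timestamp, src, dst, dst_port) tuples.
    Lines that do not match the assumed format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def detect_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Flag any source that probes at least `min_ports` distinct ports on one
    destination within `window`. A single denied packet is noise; the spread
    across ports in a short time is what distinguishes a scan.
    Returns a sorted list of (src, dst, max_distinct_ports_in_window)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()  # time order, so a sliding window is valid
        start, best = 0, 0
        for end in range(len(hits)):
            # Advance the window start until all hits fall within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {port for _, port in hits[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_ports:
            alerts.append((src, dst, best))
    return sorted(alerts)


def scan_report(text):
    """Convenience wrapper: parse a log and return the scan alerts."""
    return detect_port_scans(parse_log(text))


if __name__ == "__main__":
    for src, dst, n in scan_report(SAMPLE_LOG):
        print(f"possible port scan: {src} probed {n} distinct ports on {dst}")
```

The two single denies never trigger an alert, while the eight-port burst does; that distinction is the work a person monitoring a firewall has to do by eye if nothing does it for them. Thresholds such as five ports in sixty seconds are a starting point to tune against your own traffic, not a standard.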
In fact, one of the biggest threats to businesses is telecommuters who connect to the corporate network from unprotected home computers. It is imperative that you have a firewall installed to protect your systems and your data. If you have a direct connection to the Internet and no firewall, assume your systems have already been probed, and quite possibly compromised. If you reply, "No, they haven't," ask yourself, "How would I know?" There are many commercially available firewall products that can protect businesses of any size, as well as home users. A popular personal firewall is ZoneAlarm, which can be found at www.zonelabs.com. This discussion of firewalls leads to the next misconception.

"We don't need to worry because we have a firewall."

Firewalls are not the "be all and end all" of data security. They are one part of a comprehensive defense. It is important to note that nearly all commercially available firewalls have had vulnerabilities of their own, and if they are not installed and configured properly, your systems will still be exposed. The second issue is that firewalls are not "standalone" tools. You cannot just install them and walk away. They need to be monitored continuously to verify that they are still effective and to notice when they are being tested. Who will monitor these devices? Are they qualified? Can they recognize an attack in the logs? When firewalls are configured and monitored properly, they are an excellent defense against external attacks. But what about internal attacks?

"We know our employees."

Many (most?) companies believe that they hire only "good people" and, therefore, that their own employees could not possibly be a threat. But disgruntled and frustrated employees are one of the biggest threats to corporate data and information. Here is a real-world example: An insurance company hired a claims processor. The claims processor was caught embezzling funds, and as part of the investigation a background check was performed. The result? The claims processor was found to have two felony convictions for doing the same thing at two other insurance companies. Regardless of how well people present themselves, you never know what is on their minds or in their past. Perform pre-employment background checks, including credit checks on those people who will have access to financial information.

"The IT staff can handle it."

Most IT professionals do not have specialized computer security training. Although they are perfectly capable of keeping a network "up and running," they are not prepared to address security issues. Those who monitor your systems and network should receive specialized security training.

Additional Precautions

Hopefully, dispelling the misconceptions above will help you make informed decisions about how to protect your business's data. In addition to the steps already outlined, consider also taking the following:

- Install anti-virus software and keep it updated.
- Shred your trash.
- Have a third party perform a physical security assessment of your facility. Electronic safeguards are often useless if people can get physical access to your computers and systems.
- Create policies addressing computer security issues, and enforce them.
- Include all departments in computer security planning sessions.

By implementing some of these solutions, you will take the right steps toward securing your data and information. Since addressing data security is a dynamic process, you may find these Web sites helpful:

Internet Security Alliance, Common Sense Guide for Home and Individual Users: http://www.isalliance.org/resources/papers/ISAhomeuser.pdf
SANS Institute, provider of information security training: http://www.sans.org
Center for Internet Security, source for operating system benchmarking tools: http://www.cisecurity.org
National Infrastructure Protection Center: http://www.nipc.gov

John R. Mallery, CNE, GSEC, is chief technology officer with Clarence M. Kelley and Associates, Inc. He can be reached at (816) 756-2458 ext. 338 or online at www.cmka.com.