Security insecurity: How concerned should you be?

05/28/2008 11:53

Information Security cannot be achieved with just a device or program, but must be embraced as a foundation for building your organization. These days, it’s not only giant multi-national conglomerates that are experiencing security issues with hackers, viruses or breaches. Increasingly, it’s small and medium sized organizations that are being compromised, extorted, and/or breached.

Why? It’s a simple matter of following the path of least resistance. Larger organizations are finally being forced to take notice of information security issues due to increased regulatory rules and oversight. As these larger organizations lock down their internet connections, web sites, and remote access, they become harder and less attractive targets. Statistically, there are many more small and medium sized organizations, and historically they have been considered low profile targets because their computing base and public profiles were limited. In many smaller organizations there is a general lack of expertise in the Information Security arena, as the skill sets needed to defend against these incursions are highly specialized and technically demanding. All of these factors, as well as the small and medium organizations’ general increase in computing and information assets, leave previously overlooked organizations, like yours, as the low hanging fruit.

Think of Information Security like fire prevention. Can the threat of fire ever be entirely eliminated? No. All we can do is take reasonable precautions depending on how likely a fire is to break out, how much damage a fire would do, and our level of tolerance for this risk.

As with any prevention, in Information Security there are a few general steps that can be taken to begin mitigating the risks. The following steps go a long way towards keeping your information secure: they are the smoke detectors and sprinkler systems of Information Security.

  • Have a security mindset by considering the security and privacy implications of actions, or just as importantly, inactions
  • Run modern, updated anti-malware programs on all computers and servers to reduce the risk of infection
  • Regularly apply updates to operating systems and other software to apply fixes for recently discovered vulnerabilities
  • Change the default accounts, passwords, and settings on network devices and servers
  • Have a business class firewall that protects your network from external threats

These are a foundation to build upon, but not a complete structure. Just as the fire marshal insists on testing fire prevention and suppression systems, Information Security systems need to be regularly tested as well. The most expensive fire suppression system in the world does no good if it’s not working properly, and that can only be determined through testing.

Keep in mind that it’s not just the systems on your office network, but any externally hosted systems as well. To the outside world, your hosted websites, email filtering services, and public DNS (Domain Name Services) servers are “you” as much as your email server and firewall are.

To ensure information security compliance, most of the new federal, state and industry regulations mandate full formal audits on a regular basis to validate all of these systems as well as to make sure that general best practice guidelines are adhered to. These audits are done by external entities that have no stake in the installation and configuration of the network. They are very thorough and time consuming, as they examine every facet of your organization’s Information Technology policies, procedures, and practices. Scans and tests are conducted from both inside and outside your network to test and validate your security’s effectiveness.


Originally published in SAGECare customer newsletter, May 2008.
