Business IT security is incredibly important, but not too hard to achieve. Below is a list of pointers to help you through this potential nightmare. For more info also read the Security Tips page as well.
- Common IT security measures
- Access control ensures that individuals can only access data and services for which they are authorised. This can include:
- • physical control of access to premises and computers• a clean desk policy so that sensitive or confidential information (including passwords) is not left lying around
• individual passwords that randomly mix letters and characters, are regularly changed and are not shared with others
• network restrictions to prevent access to other computer systems and networks
• application controls to ensure individuals are limited in the data or service they can access
• restrictions on what can be copied from the system and stored on pen drives, memory sticks or CDs/DVDs
• limits on the sending and receiving of certain types of email attachments
Modern operating systems and network software will help you to achieve most of this, but you still need to manage the registration of users and user authentication systems – for example, passwords.
- Security software
- Security software can help detect and remove computer viruses and other malware. Without protection, malware can damage your IT system, access confidential data or create further security holes for hackers to exploit.
- Data encryption
- Encryption scrambles data, and is used to protect information that is being held on a computer, stored on external media such as DVDs or transmitted over a network.
- A firewall is a hardware or software security device that filters information passing between internal and external networks. It controls access to the internet by internal users, and prevents outside parties from gaining access to your network.
- Intrusion detection
- These products monitor system and network activity to spot potential security breaches. If a detection system suspects an attack, it can generate an alarm, such as an email alert, based upon the type of activity it has identified.
- Web-based application security
- There is a growing trend to using web-based application software. Applications are set up and run on an in-house web server or managed over the internet by a third-party service provider. Individual users access the data using a web browser – such as Internet Explorer. Although web-based applications can provide a number of benefits they also present potential security problems.
- Hazards and threats
- The four main types of hazard for web application software are:
- • failure of user authentication – allowing unauthorised users to gain access through the web interface• errors in application design – allowing hackers to change data or the application itself
• insecure communications – criminals may intercept confidential information
• poor internal IT security – not applying basic security measures within your
- Security measures
- One of the advantages of web-based applications is that the web browser and the web server, which sends data to the browser, can be located anywhere and can use the internet to communicate with each other. This advantage is also a potential risk, as data could be eavesdropped or read by hackers.The most effective measures for reducing this risk include data encryption and a firewall.Other more technical risks can include vulnerabilities in your web server and applications. To help minimise the risks:
• make sure your web server is correctly installed and configured, and kept up to date
• ask application providers how their software handles security risks – only use
providers with a strong reputation for security
• if web applications are critical to your business, you may want to obtain external consultancy to assess the risk and identify possible solutions Personnel,
training and data security awareness
Personnel are a common source of security breaches. You should apply some basic common-sense controls in order to maintain information security. For example:
• screen new employees, contractors or anyone else who will have access to your business information – ie checking references, gaps in career history, confirmation of academic and other qualifications and an independent check of identity by passport or other official documentation
• insist on confidentiality agreements for people who are given access to sensitive information
• ensure that security controls compliance is built into employment contracts, including the disciplinary consequences of breaching them
• ensure that staff are given training so that they are able to understand and apply the security policy – this can be included in the typical induction process
• define how staff must respond to a security incident
Communicating security policies and procedures to employees, and getting their commitment to adopting such methods, is an important way of lowering the risk of loss or damage to your data and systems.
- Data protection
- It is important to make sure that your staff comply with data protection principles under the Data Protection Act 1998. This includes ensuring that personal data is held securely and not misused. Any member of staff who has access to personal information should receive training in data protection. Staff with duties such as marketing, computer security or database management may need separate training to make them aware of data protection issues relevant to their job.
- Virus identification and recovery
- Viruses and other malware can have a damaging effect on your business. Common signs of a virus include:• your system slowing down
• unexpected activity on your machine or pop-up messages
• your email server becoming overloaded or slowing down
• data files becoming corrupt or going missing
• unexpected changes in the content of your files
These should not be regarded as definitive proof of infection, but as a warning that further checks should be made.
If you suspect you have a virus, use your security software to diagnose the problem. If necessary, contact your software vendor for hands-on advice. If you do have a virus, stay calm and start the recovery process.
- Five steps to recovery after a virus
- If a virus has infected your system, there are five basic steps for recovery:
- • Tell everyone who needs to know. If the virus is spread through email, inform
everyone with an email account on the infected system as quickly as possible. If there is a specific file attachment that contains the malicious virus program, name it.• Quarantine infected machines. As soon as possible, disconnect infected computers from any internal or external networks. Do not reconnect until the virus is cleared.
• Organise a clean-up operation. Use your anti-virus software to scan all computers and files to check whether the virus has spread. If necessary, contact your
software supplier for specific advice.
• Make sure there are no re-infections. Inform everybody what to do and what not to do. Maintain emergency security measures until the clean-up is complete and
additional patches are in place to prevent re-infection.
• Manage outgoing email traffic during the crisis. Use whatever facilities you have to prevent transfer of the virus via email. Consider closing down the outgoing