There is a saying in IT that the only truly secure computer is one that is turned off. Because that is neither practical nor feasible, data security becomes yet another unavoidable part of doing business in today's wired world. Simply put, data security is the protection of data from unauthorized, accidental, or deliberate modification, destruction, or disclosure. Because security is a process, not a product, it is principally an individual responsibility: no amount of regulation can ensure security without individual cooperation. Organizations today must protect their data not only from internal harm but from harm arriving over the myriad networks to which they are connected. The scope of those networks has produced the largest number of potential security holes to date, including threats to wired and wireless networks from attacks by hackers and from new types of viruses.
Wireless Worries

Establishing a wireless network adds unequaled convenience and functionality. "However, if users who are 300 feet from the access point can connect to the network, so can the people sitting in the parking lot 200 feet in the other direction. It's like having a radio station and trying to hand-pick which individuals get to listen—it's hard to control access once you unleash the data into the air," says Tony Bradley, CISSP, author of the About.com Internet/Network Security site. One key mistake companies make when implementing a wireless network is assuming it will be secure straight out of the box. Unfortunately, default security settings are often set below the threshold needed to protect an internal network from compromise; this is the manufacturer's way of ensuring that its product works with existing software and hardware during installation. "After a successful install, it is essential that administrators raise security settings to meet the organization's individual needs. Measures such as strong encryption and virus protection tend not to be imposed as readily in wireless networks as in wired networks and are just as critical, if not more," says Guardian Digital CEO Dave Wreski. In an effort to meet this type of security demand, Guardian Digital developed its Internet Productivity Suite (IPS). IPS includes a secure wireless capability designed for small to midsized organizations, and the fact that little maintenance is needed to keep that capability secure makes it an attractive option.
Outsourcing Obstacle

Outsourcing has a number of benefits in terms of cost savings for an organization, including letting it offload tasks that are not a core part of its business so that it can focus on what it does best. It is important, though, for companies to exercise due diligence and ask the right questions. Organizations have every right to know exactly how their data will be handled and protected. If the outsourcing provider has other customers, can it guarantee that those clients will not be able to access your data? Does it allow remote access to its networks from third parties? Does it have a wireless network that might provide a means of compromising its network, and hence your data? Doing your homework to pick the right outsourcing provider might seem like more work than doing the job yourself, but in the end your organization will benefit. Additionally, be sure that the integrity and confidentiality of your data are guaranteed in writing in your contract or service level agreement (SLA). A reputable provider will have no qualms about meeting this request. According to K. K. Mookhey, founder and CTO of Network Intelligence India, there is often a disconnect between an outsourcing vendor and its client regarding the sensitivity of information. "We've seen this with the application source code that is developed by software service companies," Mookhey says. "[A] client may wish to treat it as confidential, whereas the vendor may end up classifying it as internal, which means that code developed for one client can be put into a general knowledge base and shared with developers working on code for another client. So if explicit data classification guidelines are not in place, you could have serious security vulnerabilities creep in." An important consideration when looking to outsource security is the level of certification held by the outsourced vendor. For example, the British Standard 7799 (BS7799) is an extremely thorough, risk-assessment-based security standard, and certification to it lets an organization demonstrate the integrity of its security provisions. "If the outsourced vendor can be certified to a standard such as BS7799 or HIPAA, the level of assurance rises considerably. Again, the company must ensure that [its] SLA with the vendor allows [it] to carry out security audits of the vendor's infrastructure as part of their business relationship," says Mookhey.
Worm Holes

Apart from insider attacks, the biggest threats to security arise from code written with deliberately malicious intent. Maintaining current antivirus software helps in the fight against code that deletes files, opens back doors for intruders, or otherwise breaches your computer or network. With offsite employees becoming more commonplace, maintaining security becomes more challenging, but it is no less necessary. Remote users who fail to secure their computers with personal firewalls and up-to-date antivirus software pose a serious threat to corporate networks. Experts advise businesses to carry out regular and thorough risk assessments that address the security threats posed by home workers. System administrators must ensure that every notebook and desktop computer used by a home worker runs a firewall and up-to-date virus protection, because viruses and worms can easily use such a device as their entry point into your business.
In The End

Anything short of keeping a computer locked in a room with no network connection represents a security risk. From the moment the device is plugged in and connected to a network, you begin to trade security for functionality. It is always a balancing act, and one that requires you to decide how much functionality you are willing to sacrifice for increased security, or vice versa. "Wireless, remote access and outsourcing solutions present many key barriers to security and, if not managed correctly, can expose a corporate network to unlawful intrusion. These threats, however, can be avoided if the proper precautions are taken," says Wreski.

by Douglas Schweitzer
Data Security

Security experts preach that hackers, malicious code, and other security threats can never be eliminated entirely. Viruses, worms, and other assorted collections of malicious code continue to mutate into new and ever-increasing threats. Since the threats themselves cannot be eliminated, the realistic goal is not to defeat them outright but to minimize the risk to data and privacy by following a few basic principles.

• Know how to handle sensitive, proprietary, or Privacy Act information.
• Understand and comply with a "need to know" policy. Example: do not discuss sensitive information with the media, in forums, etc.
• Protect against accidental erasures.
• Protect from fire and water.
• Ensure availability, integrity, authorization, confidentiality, and nonrepudiation.
• Save data on a file server, if available, where it will be backed up regularly.
• For individual PCs, perform regular backups of sensitive information.
• Scrutinize mail attachments (paying particular attention to file extensions), as some have been associated with virus incidents, especially those from unknown senders.
• Educate users on how to protect their computers from viruses. For instance, urge them to use antivirus software and keep it updated.
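The item about scrutinizing mail attachments and their file extensions is the one principle in the list concrete enough to show in code. What follows is an added example written for this page, not code from the article or from any product it mentions: a small triage routine that flags attachment names whose final extension Windows would execute and, going a step beyond the text, also catches the double-extension trick in which a decoy such as .pdf is placed in front of .exe so that the decoy is what the recipient notices. The extension sets are this example's own assumptions and are deliberately not exhaustive; the sample attachment names are constructed.

```python
import posixpath

# Extensions that Windows or Windows Script Host will run directly.
# This set is an assumption of this example (not from the article) and
# is deliberately not exhaustive.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "lnk", "ps1", "reg",
}

# Extensions that look harmless to a user and are commonly used as a decoy
# in front of an executable extension, e.g. "invoice.pdf.exe".
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Archive formats: not executable themselves, but a common wrapper for
# executables that slips past name-only filters.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}


def extension_chain(filename):
    """Return the lower-cased extensions of a filename, outermost last.

    'Invoice.PDF.exe' -> ['pdf', 'exe'];  'README' -> [].
    Paths are reduced to their final component first.
    """
    name = posixpath.basename(filename.replace("\\", "/")).strip()
    # Leading dots mark a dotfile, not an extension; empty parts come from
    # doubled dots ("report..exe") and are ignored.
    parts = name.lstrip(".").split(".")
    return [p.lower() for p in parts[1:] if p]


def assess_attachment(filename):
    """Classify an attachment name as 'block', 'review' or 'allow'.

    Returns a (verdict, reason) tuple so the caller can log the reason.
    """
    exts = extension_chain(filename)
    if not exts:
        return ("review", "no extension; content type must be checked")
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        # A decoy extension in front of the real one is the classic
        # social-engineering trick: the decoy is what the user notices.
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            return ("block", f"executable .{last} disguised as .{exts[-2]}")
        return ("block", f"directly executable extension .{last}")
    if last in ARCHIVE_EXTENSIONS:
        return ("review", f"archive .{last}; scan contents before release")
    return ("allow", f".{last} is not on the executable list")


def triage(filenames):
    """Run assess_attachment over a batch and return {name: (verdict, reason)}."""
    return {name: assess_attachment(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mailbox.
    samples = [
        "Q3-report.xlsx",
        "Invoice.PDF.exe",
        "photo.jpg",
        "C:\\Users\\bob\\setup.ScR",
        "notes",
        "archive.zip",
    ]
    for name, (verdict, reason) in triage(samples).items():
        print(f"{verdict:<6} {name:<28} {reason}")
```

A name check like this is only the first gate at a mail gateway: a renamed executable keeps its payload, so the file's actual content type and an antivirus scan still have to be applied to anything that passes, and archives should be opened and their members put through the same check.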
Data Security & Privacy Basics

According to Ian White, CISSP, CLAS, and principal consultant at Betrusted, "It is very easy to get carried away about the potential threats that might exist . . . . For most SMEs, I think the main thing is not to panic—unless they have information that [they identify as] a particularly high-risk target for attack." To help keep information assets secure, White says that there are some standard security controls that all businesses should implement as part of management best practices.

• If there are external communications links to your IT systems, install a firewall.
• Antivirus software should be used (and maintained!), as should regular patch management.
• Provide staff with basic training on security awareness, which should include help on password management.
• Finally, the use of link encryption techniques, such as SSL, should be seen as standard for any link where confidentiality is important (such as personal information or credit card details).