What are you doing about security?

Without getting into the nitty-gritty of security, there are some things that you, as an executive, should make sure are happening.  Pundits have referred to the Internet as the 21st century version of the Wild West.  I prefer to think it's even worse than that.  Let's say it's more like "Pirates of the Caribbean," but without the cute Animatronic figures.  There are cutthroats and blackguards roaming the Internet seas.  You must batten down the hatches, sharpen your cutlasses, feed the parrot, and prepare to repel boarders.  The Wild West was tame compared to the Internet in 2000.

Here are some questions that you should ask yourself or your staff to make sure your company is reasonably secure.  It's important to point out, however, that you don't have to get psychotic about it.  There is the law of diminishing returns.  So if you can't answer all of these questions adequately, don't worry.  But you must answer the first one with an unambiguous YES.  Otherwise, you're in deep kimchee.

The first and most important question is: has your company carefully evaluated its risks and developed reasonable, practical and economical safeguards against them?  Your exposure might be minimal.  But if you haven't even evaluated your risks, how do you know you have nothing to worry about?

Here are some other questions:

Are your technical people staying up to date on the latest virus and CERT advisories?  There are a variety of newsletters and Web sites that provide detailed information and recommendations to make sure you know how to make your systems secure.

Do you have someone on your staff who has security as part of their job description?  This shouldn't be in addition to other pre-existing responsibilities they have.  It should be an assignment that they have time to do, and they should have the full and complete support of management.

If you have full-time access to the Internet, do you have a robust and properly configured firewall in place?  Do you have a demilitarized zone set up to further insulate your internal network, your email and Web servers from the stormy seas of the Internet? 

Are all of your operating systems, firewalls, routers, database and business applications, email, PIMs, virus protection and office automation packages at the latest patch and update levels?  How often does your technical staff update these systems?  Is there a formal schedule in place?  Does your staff subscribe to email newsletters to stay informed on new updates?

How often do you force your staff to change passwords?  This should be done at least quarterly, if not more frequently. 

What is the minimum length for your passwords?  They should be at least seven characters in length and should not be words that can be found in the dictionary.  They should contain at least one punctuation mark or other nonsense character.
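The three password rules above (at least seven characters, not a dictionary word, at least one punctuation or other nonsense character) as a small policy checker. This is an added example, not code from the article; the word list is a constructed stand-in for a real dictionary file, and the normalization step goes slightly beyond the article's wording by also catching dictionary words dressed up with digits or punctuation.

```python
"""Password-policy check for the three rules in the article: minimum length,
no dictionary words, and at least one punctuation or other nonsense character."""
import string

# Constructed stand-in for a dictionary; a real check would load a full
# word list (e.g. the system dictionary file) instead of this handful.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}

MIN_LENGTH = 7
PUNCTUATION = set(string.punctuation)


def normalize(password: str) -> str:
    """Drop digits and punctuation and lower-case the rest, so that
    'Summer2000!' is still recognised as the dictionary word 'summer'.
    (Assumption: this is stricter than the article's plain wording.)"""
    return "".join(c for c in password if c.isalpha()).lower()


def check_password(password: str, dictionary=DICTIONARY) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation or other nonsense character")
    core = normalize(password)
    if core in dictionary:
        problems.append(f"based on the dictionary word '{core}'")
    return problems


if __name__ == "__main__":
    for candidate in ("summer", "Summer2000!", "dragon!!", "tR7#kq9p"):
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```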

Do your people have their passwords written on sticky notes attached to their monitors?  Remembering passwords is difficult, particularly when you require frequent changes or nonsense characters in the password.  Writing them down is OK; however, the record should not be someplace where the wrong person could easily find it.  Recording them in an unencrypted Word file on your computer called "passwords" isn't a good idea.  However, passwords might be written in a planner camouflaged on a middle page in the address book.  If you take the book home with you every night, that password is darned secure.

Brief your staff on the potential for "social engineering."  They should NEVER give their password to anyone over the phone, even an apparently authorized person.  This is more of a problem in larger, more anonymous organizations.  In smaller companies, where everyone generally knows everyone else, it's less of an issue.  Also, if your offices have lots of people (even fellow employees) wandering through, you should make sure your workstations are secure whenever an individual leaves their desk.  Simply closing the laptop or turning off the monitor may be more than enough to discourage casual curiosity.  If you're more paranoid, there are security products available that will allow you to lock down PCs pretty effectively.  And about the screen saver password?  It's not very good protection against a knowledgeable person with a few minutes of access to the computer.

How many people know the system passwords?  Don't forget outside contractors and support personnel who also have administrative rights.  They may even have their own IDs you don't know about.  Look into restricting these rights and frequently changing passwords.

Do you have a Web site?  How secure is it?  Do you have it backed up frequently so that if there is any damage, you can easily restore it?  What is your ISP doing to prevent it from being hacked or defaced?  If you have ecommerce in place, how are you protecting your data and your customers' data?

In this article, we've just taken a shot or two at that pirate's ship lurking on the horizon.  There are many more things to worry about.  But we've given you a few things you can do to make your operation a less inviting target.  Remember, your risks increase as you go from a small, unconnected company to a big, visible, highly networked firm.  But regardless of your size and fame, you DO have risks.  Going through a review process at least to determine your risks is the first step toward protecting your doubloons.

a production of Take Charge Seminars

JimFrazier.com
Copyright MMXIV The Gadwall Group, Ltd.  All Rights Reserved