Information Security: Protecting Your Most Valuable Asset
By Thomas G. Stephens, Jr., CPA, CITP
Information is any organization's most valuable asset. As proof, consider your response if you entered your office one morning only to find all of your data – in both electronic and manual formats – to be missing or corrupted beyond repair with no ability to recover the data from offsite backups. Sources for such catastrophic losses of data vary widely. We are faced with the daily deluge of viruses, spyware and other forms of malware. People both inside and outside our organizations attempt unauthorized downloads of our data. Unsecured laptops with sensitive data are carried offsite and the data becomes compromised. Hurricanes, fires, floods and other natural disasters strike and leave us without access to our critical business information. Hard disks in our servers fail and we are unable to restore data from our tape backups.
What is the likelihood that you will face such situations? What would be the impact on your organization if you did? Would your organization be able to survive? Consider the following statistics:
- Losses of data cost U.S.-based businesses over $12 billion annually, with hardware failures accounting for 78% of the losses; only 1% of the losses were caused by natural disasters. (Source: American Data Recovery)
- 61% of companies reported that losses of data continuing beyond 48 hours placed the mere survival of the company at risk. (Source: Ontrack - 2001 Cost of Downtime Survey Results)
- 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. (Source: National Archives and Records Administration)
- An unprotected computer will be attacked by viruses and other forms of malware within 15 seconds of being connected to the Internet. (Source: InformationWeek)
- An unpatched computer will become compromised within 20 minutes of being connected to the Internet. (Source: CNET News)
Clearly, information – our most important asset – is at risk on a number of fronts. And while there is no one-size-fits-all solution to this problem, there are reasonable steps that each and every organization can and should implement to minimize risk. Some of the more common of these steps are detailed below.
Information security policies
First, the organization's senior management team, working in concert with the
IT team, should develop and implement a set of policies addressing information
security. These policies should address such areas as acceptable uses of the
organization's IT assets, passwords, remote access procedures and anti-virus
guidelines. Employees must be educated on these policies and held accountable
for adhering to these standards. While there are a number of good sources for
policy templates, one outstanding resource for obtaining template policies focused
on technology is The SANS Institute.
Software updates
Next, each computer on the network must be protected from outside attack and this protection should be enabled before the computer is attached to the network. Properly protecting an individual workstation includes performing such tasks as: disabling the guest account, disabling simple file sharing, and ensuring that all operating system and application patches are installed. For the nine out of ten computers running Microsoft Windows and Microsoft Office, perhaps the easiest way of ensuring that updates are downloaded and applied regularly is to use Microsoft Update.
Anti-virus protection
Anti-virus measures must also be implemented in order to protect against intrusions
from viruses. For network-attached computers, it is generally preferable to administer
virus protection from the server; this tends to ensure that virus signatures
are updated frequently. However, for laptop computers that may be disconnected
from the server from time to time, local PC-based protection is also a must.
In addition to anti-virus measures, computers should also be protected from spyware
and unsolicited email, as these can contribute to security breaches and losses
of data.
Backup
Backup strategies must also be examined closely. Though many companies believe
their data is being backed up to tape each night, they are often surprised to
find out that the backup job failed and that, in the event of a disaster, they
would not be able to restore their data. To minimize this risk, companies are
turning increasingly to Internet-based backup solutions from companies such as Mistral,
iBackup and Connected.com. These solutions provide for automatic backup of company
data files over the Internet to secure, offsite storage facilities. Often, the
cost of implementing such a solution is less than the cost of attempting to continue
backups using more traditional means.
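The failure described above, a backup job that quietly stops producing restorable data, can be caught by reading the backup back after every run. The Python sketch below is an added example, not part of the original article; it assumes the backup is a tar archive whose member names are paths relative to the backed-up folder, and the function names, file names and 24-hour threshold are illustrative.

```python
import hashlib, tarfile, tempfile, time, zlib
from pathlib import Path

def _digest(stream):
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_backup(source_dir, archive, max_age_hours=24):
    """Return a list of problems; an empty list means every file read back intact."""
    source_dir, archive = Path(source_dir), Path(archive)
    if not archive.is_file() or archive.stat().st_size == 0:
        return [f"archive missing or empty: {archive.name}"]
    problems = []
    age_hours = (time.time() - archive.stat().st_mtime) / 3600
    if age_hours > max_age_hours:  # the last scheduled job may not have run at all
        problems.append(f"archive is stale: {age_hours:.0f} hours old")
    try:
        with tarfile.open(archive) as tar:
            members = {m.name: m for m in tar if m.isfile()}
            for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
                rel = src.relative_to(source_dir).as_posix()
                if rel not in members:
                    problems.append(f"missing from backup: {rel}")
                    continue
                # Read the stored copy end to end; nothing is extracted to disk.
                with tar.extractfile(members[rel]) as stored, open(src, "rb") as live:
                    if _digest(stored) != _digest(live):
                        problems.append(f"content differs: {rel}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    return problems

def demo():
    """Constructed sample: back up two files, then add one the job never captured."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp, "data"); data.mkdir()
        (data / "ledger.csv").write_text("id,amount\n1,100\n")
        (data / "clients.txt").write_text("Acme Ltd\n")
        archive = Path(tmp, "nightly.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            for f in data.iterdir():
                tar.add(f, arcname=f.name)
        clean = verify_backup(data, archive)
        (data / "invoices.csv").write_text("id\n7\n")  # created after the backup ran
        return clean, verify_backup(data, archive)

if __name__ == "__main__":
    print(demo())
```

Run the check immediately after the backup job finishes, since a file edited later is also reported as differing.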
Secure remote access
For those companies allowing remote access of network resources, it is critical that any remote computer used to access the network maintain the same minimum level of protection as all other computers on the network. Thus, employees accessing the organization's network from a home PC must implement the same security measures at home as are implemented in the workplace. Otherwise, the organization is at risk from being compromised due to weaknesses found in offsite computers.
Employee education
Perhaps the most significant measure organizations can implement to reduce their risk is to ensure that employees understand the risk associated with data loss and to educate employees on their role in minimizing such risks. This education includes making employees aware of scams and schemes such as "phishing" and "pharming" attacks, stressing the importance of maintaining strong passwords, and never revealing a password to anyone. As new sources of risk seem to appear almost daily, this education should be viewed as an ongoing and continual process to ensure that information security is a priority of all employees.
Because new threats appear constantly and because each and every organization
is different, the steps outlined above represent only the beginning of a plan
to minimize the risk associated with data loss. Nevertheless, implementing these
steps – in addition to those mandated by unique organizational characteristics – provides
a solid foundation for information security. Take action now, as the survivability
of your business may depend on it.