Monday, September 24, 2007

Top IT Security Threats &
10 Practical Counter-Measures

Here are the top IT security threats that your organization faces:
  • Your people. The "inside job" has always been and remains the biggest security threat you face. While innocent mistakes more frequent than deliberate malfeasance, the results are often the same.
  • Your equipment.
    • When your equipment fails (when, not if) you may be out of business. It may be for only an hour or a day or a week or forever if you lose all your accounting and customer data.
    • Portable devices are especially prone to failure, and they are easily lost or stolen.
  • Your software. Remember the Y2K bug? You know how Microsoft is constantly releasing security patches and upgrades to its products? If you don't keep up with patches and upgrades, you may be visited with viruses and/or potential attacks from hackers. If you do apply patches and upgrades, one of them may interfere with your normal operations in an unforeseen fashion. (The iPhone's recent patches issued by Apple disabled many 3rd party applications.)
  • Email.
    • Emails are almost never encrypted, and they are being "read" and stored at various points en route. The government, your Internet Service Provider, your email service provider and others are able to monitor your message traffic.
      • Dissidents were jailed after Yahoo! turned over email correspondence to the Chinese government.
    • After your messages reach their intended recipients, there is nothing technologically to prevent any message from being forwarded to other people, friends or foes.
  • Web surfing. Web technologies have advanced in recent years. Many web sites now provide personalized content from many different sources for users (mash-ups). News, entertainment, data analysis, advertising, games, etc. are commonly brought together by web sites today. Black-hat hackers are using these new web technologies in clever ways, exploiting browser capabilities/holes to execute scripts, and infecting user machines with viruses, adware and spyware.
  • Human nature presents a host of security problems.
    • Some people/organizations expect to buy a product that they can install that will solve all their IT security concerns. If/when they don't have the latest and greatest products, they may suffer excessive fear. If/when they do have the latest and greatest products, they probably have a false sense of security.
    • Some people/organizations are happy to hide their heads in the sand when it comes to IT security. Bad things happen to other people, not them. Nothing's going to happen if they don't do their backups one day.
    • Using SPAM, phishing, and other high- and low-tech schemes, hackers exploit human nature in a variety of ways to get them to reveal valuable information like usernames and passwords, account numbers, customer data, trade secrets, etc.

Here are the 10 practical security measures that I recommend you take to deal with security threats:
  1. Articulate policies and procedures related to the appropriate use of information technology (data, hardware, software, the local network, email and the Internet).
  2. Educate employees regarding IT and their responsibilities. Monitor employee compliance with policies and procedures. Reward compliance and/or punish non-compliance.
  3. Provide continuing education/training to employees to keep pace with changing technology and changing policies and procedures.
  4. Replace older systems (hardware and software) with newer systems. Anything over 5 years old should be replaced because systems that old are likely to fail soon.
  5. Re-engineer business processes to apply new information technologies to enhance security and improve your product/service quality.
  6. Establish the business case for providing portable equipment to an employee. Require strong passwords and disk encryption on portable computers, in case they are lost or stolen.
  7. Develop and implement an automated process for backing up your systems and data.
  8. Apply patches and upgrades as they become available on all non-mission-critical systems. Test patches and upgrades prior to applying them to mission-critical systems.
  9. Develop contingency plans to deal with various possible scenarios (server failure, employee terminated, power blackout, snowstorm, fire, pandemic, etc.). Run tests to validate plans. Update plans as circumstances change.
  10. Every organization beyond a certain size needs to have a Chief Information Officer reporting to the President or other top executive with the mandate to make IT security a top priority for the organization. Otherwise, the President and other top executives may not have the technical knowledge they need to make good IT decisions.

No comments: