Data and information security is a whole new ball game in 2008: Threats to your information systems are changing all the time, and it is crucial that you keep your vital information — be it client contact lists, employee records and performance appraisals, or key information for sales strategies — protected at all times. It’s not just about installing basic firewalls and antivirus programs anymore: As information systems get more sophisticated, so do the attackers, and ensuring the integrity and confidentiality of this data is of the utmost importance to anyone who is ultimately responsible for the IT systems and the security solutions that protect them. Here’s what you need to know now.
The Risks (Updated)
As businesses continue to accrue more data — roughly 25% per year for the average small business — the amount of data that needs to be protected grows as well. For the first time in years, the major risks to business have shifted from virus infections to loss of laptops containing confidential information. Unfortunately, the information lost is almost always more valuable than the actual laptop. For example, consider the cost of a lost or stolen laptop with an Excel spreadsheet full of client Social Security numbers. The value of the client information far exceeds the $1,500 price tag of the laptop.
Do a Vulnerability Assessment
The first step in protecting your data is to understand where your company’s risks are. This can be accomplished with a vulnerability assessment which will identify potential security weaknesses in your system.
Vulnerability assessments should be conducted by an information security professional with experience conducting these types of assessments. Even if your company has the internal resources to conduct the assessment, an external, impartial third party should be used to ensure unbiased results. Depending on the number of computers in your network and office locations, these assessments start at a few thousand dollars and can run upwards of $10,000.
In addition to scanning your network from the outside, you may also want a security professional to scan your network from the inside. Internal assessments require a longer engagement and will cost more than an external vulnerability assessment. Internal assessments should be conducted at least once a year. External assessments should be conducted more often, preferably every quarter or more often if you have made substantial changes to your network equipment or servers. In either case, the findings from a security assessment or audit should be used as a tool to help prioritize what needs the most immediate attention. Your company can then develop a strategy for using these results to patch systems, modify firewall configurations, better document controls, etc.
Training and Educating Your Staff
Focusing on the hottest trends and the newest technology to thwart hackers or viruses can lead to bolstering security with a solutions-only approach. This approach takes the responsibility out of the end users’ hands and places it all on technology. By doing so, businesses miss the most important component of information security: their people. Financial fraud and lost hardware and data are usually rooted in human action, whether malicious or inadvertent. Employees typically neglect information security for two reasons: First, they have never been told that it is part of their job, and second, they have not been taught what they need to do to fulfill that responsibility.
But before you even think about training your employees, take a good, hard look at your written IT policies. Policies should be reviewed and updated at least once a year. For example, your organization’s policy on laptops and portable computers should account for the increased risk of laptop theft and include a standard for full-disk encryption, so that a stolen machine does not mean stolen data. While your company should have IT policies that cover everything from password strength to remote access, at the very least you should spend time on establishing — or, if you have one, reviewing — your data classification policy. A data classification policy is a formal way of rating your company’s data in terms of value and sensitivity. For example, client credit card information is certainly more valuable and sensitive than information you may have publicly posted on your website and thus should be subject to more stringent controls. For cardholder data in particular, the Payment Card Industry Data Security Standard (PCI DSS), version 1.1, has been published and defines the controls expected of any business that stores, processes or transmits card data.