Sunday, November 8, 2009

Policy Brief: Privacy & Security

With identity theft, computer hacking, and spy- and spam-ware all at an all-time high (source: The State of Information Assurance Education 2009, October 2009), there has never been a more important time to protect your organization against privacy and security threats. These threats are often perceived to be external threats, such as malicious hackers and spammers, but what most companies don’t realize is that the security threats can be internal, as well.

Let’s first explore external threats to security. Most individuals and companies think that they’re protected because they have purchased some commercial antivirus software, only to find that most hackers and spammers are far more sophisticated than the average antivirus product. In my company alone, we spend thousands of dollars a year on virus and hacker protections, only to find that just last year we experienced a major external security breach which shut down our website server for days. This had detrimental effects for both us and the client, creating both a reputational and a financial impact that can have severe, long-term consequences for current and future business.

Okay, so simply buying commercial protection software won’t protect a company from all external security threats. But, it should at least protect against internal threats, right? Well, not really. Consider this: “Your information security program is only as strong as your weakest link. In the case of many businesses, including financial institutions, that weakest link is your customer or your employee” (source: CyberSecurity Awareness – Rules of the Virtual Road, October 2009). It’s like a homeowner spending thousands of dollars on the most sophisticated home security system, only to have a burglar rob them because they accidentally left the front door open.

So, if the “normal” safeguards clearly won’t suffice, what DOES a company need to do to be considered “protected” against both internal and external privacy and security threats? “To secure a workplace from any potential internet threats or unauthorized use, an organization has to adopt proper internet security policies, utilize best available security tools, and practice strict monitoring measures. With proper planning, technical expertise, and continuous efforts, an organization can restrict most of the threats related to Internet Security” (Tony Lavignino, EDTEC 448 “Surfers” Discussion Board, November 2009).

There are two initial ways to go about accomplishing such internet security. The first would be to implement a standard internet security policy within the organization. This might include items such as:

  • All computers have the latest anti-spam and antivirus software, updated regularly, if not daily;
  • All computers are encrypted and/or have a firewall installed;
  • All computer operating systems are kept up to date with the latest patches;
  • All computers have their internet browser settings set to erase browsing history and passwords immediately, and not to store cookies;
  • All users are required to change their username/password every 30 days (and may never reuse a previous combination), along with web authentication;
  • All users must lock their computer desktop with a passkey when they leave their workstation for any reason;
  • All users are required to secure all personal belongings in a locked cabinet, and must not leave personal identification information (passwords, etc.) out on desks.

(source: EDTEC 448 “Surfers” Discussion Board, November 2009)
(source: CyberSecurity Awareness – Rules of the Virtual Road, October 2009)

The positive impacts of adopting such a policy would be a uniform office approach to internet security, such that any security breaches would be easily identified and stopped. The negative impacts of adopting such a policy would be that employees would feel that they are in “lockdown” and might not freely innovate with new internet products as needed for company business advancement.

The second way to go about accomplishing internet security in an organization, which should realistically be coupled together with the first, is to implement annual training of employees on internet security issues and the common-sense precautions they need to take. A quick tutorial could be designed to fit the company’s needs, or the company could harness and use one of these great ready-made products (source: Carnegie Mellon University’s National Cyber Security Awareness, October 2009):

Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.

Identity Finder software searches your computer to locate and secure potentially dangerous personal identity data that is stored on your computer in places that you might not be able to find, but hackers will.

MERIT Interactive training simulator developed by CERT (which they call MERIT InterActive, or MERITIA) immerses users in a realistic business setting from which they make decisions regarding how to prevent, detect, and respond to insider actions and see the impacts of their decisions in terms of key performance metrics. MERITIA will help managers, information technology, and human resources better understand insider threat risks and the effects of decisions on the promotion or mitigation of that risk.

MySecureCyberspace is the network security portal that gives you security solutions for the way you use the Internet. It gives you a customized profile of your security needs, and tells you what to look out for and how to protect yourself.

In many companies that run such trainings, a negative implication is that employees often complain that the trainings are useless, or that they don’t pay attention anyway. A great way to overcome this is to use case studies of real-life security stories, and allow employees to collaborate to investigate what went wrong and how to fix it. However, the positive impacts of such trainings may far outweigh the negative implications, because the trainings are cheap and easy to implement, and they address the number-one security threat to your organization: You.
