[ Spotlight: IT security ]
to this, a lot of spam contains malicious code that, if a user is tricked into running it, could install programs that harvest information from the computer or carry out more destructive tasks. If your mail is hosted with your internet service provider (ISP), they tend to offer spam filtering as part of the hosting. However, if your company runs its own email server, such as Microsoft Exchange, you will need a spam filter that intercepts all your mail before it reaches that server. There are some free spam filters for business, but they tend to lack the level of support a paid-for service offers.

One form of spam that has had a fair amount of press is ‘phishing’. The basic premise is that an email pretends to come from a reputable source, such as a bank or government department. Believing you are dealing with someone you trust, you hand over information that others can exploit, such as your bank account details. The good news is that most of the main internet browsers, such as Internet Explorer and Firefox, have phishing filters you can turn on, so you should always do so. That said, some phishing email will still get through, so care should still be taken. This is one area where user education is essential: once users know what to look for, they can help themselves.
Encryption

Not many weeks seem to pass without another story of a major company or government department losing confidential data. This can lead to large fines, loss of reputation or loss of business, so this area is not one to overlook. The rule of thumb is that any device or laptop that leaves the company should be encrypted. Encrypting laptops is becoming easier, with Windows 7 now having its own built-in solution called BitLocker, but only if you purchase the Ultimate edition. There are of course other commercial solutions that are chargeable, but for those on a budget there are free versions, although they do require some technical ability to set up. One such product is TrueCrypt, which is what we use within the ECA for all laptops.

Once you have encrypted your whole laptop estate, you should then look at what other devices leave the premises and decide whether they should be encrypted. The primary example is USB sticks, which now come in very large capacities, capable of storing just about any file or data repository. So, as with laptops, if they contain business-sensitive or client data you should always encrypt them. Depending on how many devices and users you have, you may wish to consider a centralised system that monitors all such devices; you can then create policies to apply throughout your organisation.

The final area of encryption to consider is Wi-Fi. If you have a wireless network running in your offices you should ensure that it is always encrypted. The reason is that anyone could otherwise use your internet connection to carry out dubious activities, which could then be linked back to you and for which you may be liable. Also, if other people are using your Wi-Fi it will be slower for your company, as they are, in effect, stealing bandwidth. Just about all wireless routers come with the ability to encrypt the transmission, so there is no real reason not to do so.
Password policies

All computers have the ability to require users to log in with a password, so this feature should always be used and enforced where possible. Once you have enforcement in place, create a policy so that passwords are changed periodically, and ensure that they are of sufficient strength: for instance, they must all be more than six characters. You should also ensure that passwords are not shared and are never written down. This may sound sensible and obvious, but it is often overlooked, and you would not believe how often the post-it note next to a computer is the password!
Acceptable use policies (AUP)

This is another area that is not in itself a security technology, but it is a valuable ally. Essentially, the point of an acceptable use policy (AUP) is to make clear to staff what they can and cannot do in various areas, such as the internet and the email system. If put across to staff in the right manner it should not smack of ‘Big Brother’, as some of the policies are there to protect staff. Example email and internet policies are available from the ECA website to assist member companies, and these can be found in the downloads area.
Conclusion

IT security can seem daunting if you do not have an IT resource to call upon, but if taken a bit at a time you can build a secure environment for your business and staff to operate in. As mentioned before, one key element in creating a good policy is to always involve your staff. If they feel they have helped shape the policy they will also feel more inclined to keep it enforced and to provide feedback. Hopefully this whistle-stop tour has made you think about your own infrastructure; if so, the objective has been achieved. Should you have any further questions, please do not hesitate to contact the ECA.
The importance of contingency planning and operational risk planning
Whilst not a security product in itself, contingency planning and operational risk planning can be key to securing the future of a business if a major incident were to happen.
There are numerous statistics quoted in the media about how many companies fail after a disaster, and your business will undoubtedly suffer if you have not thought through how you would react if you could no longer use your existing offices. A few of the main questions to think about are where your workers would go, how you would recover your IT and voice systems, and how you would contact your customers and suppliers to let them know you are still trading. Ensure you always back up your data, and test that the backups have worked by carrying out a restore. In addition, always keep a copy of your backup offsite in case your office goes up in flames. This area is a whole topic for an article in itself, but it should not be overlooked when thinking about data security.
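One way to carry out the restore test recommended above, as an added example that is not from the article or the ECA: a POSIX shell script that archives a folder with tar, restores the archive into a scratch directory and checks that every file's SHA-256 checksum matches the live copy. The folder contents are constructed sample data, and the tar, sha256sum, find, cmp and mktemp commands are assumed to be the GNU/Linux ones.

```shell
#!/bin/sh
# Added example (not from the article): make a backup, then prove it is
# usable by restoring it and comparing checksums against the live data.
# Assumes GNU/Linux tools: tar, sha256sum, find, mktemp, cmp.

# make_backup SRC_DIR ARCHIVE: archive the contents of SRC_DIR into ARCHIVE
make_backup() {
    tar -C "$1" -cf "$2" .
}

# verify_restore SRC_DIR ARCHIVE
# Restores ARCHIVE into a scratch directory and compares a sorted checksum
# list of the restored tree with the live SRC_DIR.
# Returns 0 only if every file came back byte-for-byte; 1 otherwise.
verify_restore() {
    src="$1"; archive="$2"
    work=$(mktemp -d) || return 1
    mkdir "$work/restore"
    # Restore exactly as you would after losing the office
    tar -C "$work/restore" -xf "$archive"
    # Checksum every file in both trees; sort so ordering cannot differ
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort ) > "$work/orig.sum"
    ( cd "$work/restore" && find . -type f -exec sha256sum {} + | sort ) > "$work/rest.sum"
    if cmp -s "$work/orig.sum" "$work/rest.sum"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# Demo on constructed sample data standing in for real company files
demo() {
    data=$(mktemp -d); archive=$(mktemp)
    mkdir "$data/quotes"
    printf 'Invoice 0001\n' > "$data/invoice.txt"
    printf 'Quote for site A\n' > "$data/quotes/site-a.txt"
    make_backup "$data" "$archive" || return 1
    if verify_restore "$data" "$archive"; then
        echo "backup verified by restore"; rc=0
    else
        echo "backup FAILED the restore test"; rc=1
    fi
    rm -rf "$data" "$archive"
    return $rc
}

demo
```

Run verify_restore against each night's archive rather than only once: a backup that restored cleanly last month says nothing about tonight's tape or drive.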
March 2011 ECA Today 59