Five Steps to Better IT Security

When the Georgia Tech Information Security Center (GTISC) released its list of emerging cyber threats for 2009, the news wasn’t good for companies that use computers in the course of business. Sophistication of threats continues to rise, says the GTISC, as do the number of cyber criminals who are seeking not only data and information, but also profitability from their activities.

In its report, the GTISC outlines the top cyber security areas where threats are expected to increase and evolve in the next 12 months. At the top of the list is malware (a program or file that is designed to specifically damage or disrupt a system); followed by botnets (networks of “zombie” computers controlled by a single entity); and cyber warfare (including targets on the U.S. economy and infrastructure).

The bad news is that these cyber threats can hit companies of all sizes that do business online, whether they’re

selling products and services, purchasing raw goods, banking on the Web, or all of the above. The good news is that there are steps that companies can take to ward off and/or minimize the damage inflicted by online crooks:

Evaluate Your Vulnerabilities
No matter how big or small your company is, know that there are indeed risks to doing business online. While a small accounting firm may not possess a huge database of customer credit card numbers, be assured that its IT system contains something of value to hackers. “Figure out what you need to protect,” advises Michelle Drolet, CEO at Towerwall, a Framingham, Mass.-based security consultancy. Key areas to consider include intellectual property, employee data and company financials — all of which could be of value to cyber-crooks looking to make money online.

Establish Best Practices
Once you’ve figured out what would be of most value to a criminal, you’ll

want to use tools such as firewalls, software patch updates, employee education, and strong company policies to protect the data, information, and systems associated with those particular areas. For some companies, best practices could mean implementing a firewall, adding an intrusion detection system, and keeping both updated, while other firms may need a more sophisticated approach to IT security, Drolet says. As you establish these practices, realize that computer users tend to be the weakest link in any security program, with their propensity to open e-mail messages from unknown sources and utilize overly simple passwords. “Put together a user awareness program that takes into account not only the protection of company systems via frequent scans for malware and botnets, but that also addresses issues like document shredding and protection of customer data,” Drolet says.

Make Security a Priority
Yes, we know you have a 100 other things on your to-do list,

but adding online security to that list is a must do for all companies right now, says Steve Hurst, product director for AT&T Managed Security Services in Bedminster, New Jersey. Start by viewing security not as an afterthought, but as part of your company’s overall business operations. Understand that threats can be both internal (employees leaving behind laptops on airline security belts, for example) and external (from outside hackers attempting to harvest valuable information). “By making security a company-wide initiative, Hurst says firms can lessen their security risks and save both time and money required to deal with such threats.

Put Someone in Charge
Smaller firms tend to spread responsibility for IT security around the entire organization, but Hurst says a better approach is to put someone in charge of the initiative. To create an even stronger fortress, he advises firms to assign a backup person to handle the initiative, just in case. By assigning responsibility to these reliable individuals, companies will have just a couple of go-to people to maintain a proactive stance against possible threats — and to deal with any that do affect the company. “The idea is to create layers between the users of the information and the information itself,” Hurst says.

Be Vigilant About Security
It’s not enough to just install a firewall and hope for the best anymore. Today’s sophisticated criminals can sniff out vulnerabilities like bloodhounds. “What’s safe today could turn into a target tomorrow,” says Drolet, who cautions firms against resting on their security laurels — even those that haven’t felt the impact of a security threat. “It’s all about vigilance in today’s IT environment, since you never really know where the next threat is going to come from.”

Web Resources:

Microsoft’s Small Business Security Guidance Center

NIST Computer Security Resource Center