IT security and safeguards – how well protected are you?

02 September 2011

Reports of thefts of computer data and cyber attacks by hackers are a common occurrence these days. Whilst there is no such thing as “perfect” security, organisations can take a number of relatively simple measures to help protect themselves from the disruption, cost and reputational damage that such events can cause.

physical security
Despite the digital age, physical security is still important and should not be overlooked. Good physical security not only helps prevent the theft of hardware (as well as the confidential data stored on it), it can also prevent a disgruntled employee causing considerable damage and disruption to the heart of your IT. At the basic level, is your communications room secure and kept locked? Is access restricted to those who genuinely need it? Do you know who is responsible for looking after the security of individual units, or where they are? Is a register of assets kept in such a way that each can be uniquely identified? If the answer to any of these questions is “no”, spending time now on suitable corrective action may prevent future problems and damage.


If something goes wrong and data is lost or corrupted, businesses need to be able to restore the position from a backup. Regular backups are therefore essential; they should be taken automatically and kept in a separate location from the business. A business should not hold all its information in one place because, in the event of a disaster, losing all of its data could be fatal to the business. It is very important to test on a regular basis whether the backups can actually be restored to the system.
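An added example of the restore test just described (not code from the original article): a small Python script that records a SHA-256 manifest when the backup is taken, restores the archive into a scratch directory, and reports any file that is missing, altered or unexpected. The sample files, paths and the tar format are assumptions made for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src, archive):
    """Write a gzipped tar of src and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)

def verify_restore(archive, expected):
    """Restore into a scratch directory and list every file that is missing,
    altered or unexpected; an empty list means the restore test passed."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)  # on Python 3.12+ pass filter="data" as well
        restored = manifest(Path(scratch))
    problems = [f"missing: {n}" for n in expected if n not in restored]
    problems += [f"altered: {n}" for n in expected if n in restored and restored[n] != expected[n]]
    problems += [f"unexpected: {n}" for n in restored if n not in expected]
    return problems

def demo(tamper=False):
    """Constructed sample data: create two files, back them up and test the restore.
    tamper=True changes one recorded digest, simulating a backup that no longer matches."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2011-q2.csv").write_text("account,amount\n1001,250.00\n")
        (src / "notes.txt").write_text("restore test\n")
        archive = Path(work) / "data.tar.gz"
        expected = make_backup(src, archive)
        if tamper:
            expected["notes.txt"] = "0" * 64
        return verify_restore(archive, expected)
```

In a real deployment the manifest would be stored with the backup and the restore test run on a schedule against the off-site copy, not the live data.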
 
protecting against cyber threats
Apart from physical security, businesses need to continually address the hidden and ever-changing cyber threats. Again, simple measures can be taken. Passwords should be changed on a regular basis and should not be written down or shared. Passwords should not be commonly used words and, ideally, should combine upper and lower case letters and numbers. Users should be prompted to change passwords on a regular basis and locked out of the system if they do not do so. Unauthorised attempts to access the system should be reviewed regularly, with appropriate follow-up action taken where such attempts are detected.
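An added example of the regular review of unauthorised access attempts (not code from the original article): a Python script that reads login records and flags any source address or account with a burst of failures inside a sliding time window, so that follow-up can focus on a source guessing many passwords or an account being targeted. The log format and the sample lines are constructed for the example; thresholds and window are assumptions to tune for your own system.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from any real system).
# Assumed format: "<ISO timestamp> <FAIL|OK> user=<account> src=<address>"
SAMPLE_LOG = """\
2011-09-01T08:59:10 FAIL user=alice src=10.0.0.5
2011-09-01T08:59:14 FAIL user=alice src=10.0.0.5
2011-09-01T08:59:20 OK   user=alice src=10.0.0.5
2011-09-01T09:01:02 FAIL user=admin src=203.0.113.7
2011-09-01T09:01:03 FAIL user=admin src=203.0.113.7
2011-09-01T09:01:04 FAIL user=root  src=203.0.113.7
2011-09-01T09:01:05 FAIL user=bob   src=203.0.113.7
2011-09-01T09:01:06 FAIL user=bob   src=203.0.113.7
2011-09-01T09:01:07 FAIL user=bob   src=203.0.113.7
2011-09-01T09:01:08 FAIL user=carol src=203.0.113.7
2011-09-01T14:30:00 FAIL user=bob   src=10.0.0.9
"""
LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

def parse(text):
    """Return (timestamp, result, account, source) tuples; unparsable lines are skipped."""
    return [(datetime.fromisoformat(m[1]), m[2], m[3], m[4])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def burst_failures(events, field, threshold, window):
    """Highest number of failures per account (field=2) or source (field=3) within any window; keep those >= threshold."""
    times = defaultdict(list)
    for ev in events:
        if ev[1] == "FAIL":
            times[ev[field]].append(ev[0])
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

def review(text, source_threshold=5, account_threshold=3, window=timedelta(minutes=10)):
    """Summarise what needs follow-up: sources with many failures and accounts being targeted."""
    events = parse(text)
    return {"sources": burst_failures(events, 3, source_threshold, window),
            "accounts": burst_failures(events, 2, account_threshold, window)}
```

Two isolated failures by a legitimate user (alice, or bob hours later) stay below the thresholds, while the single source that fails seven times in a few seconds and the account it hits three times are both reported.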
 
remote access security
Remote access to systems is increasingly common, but businesses should ensure that providing such access does not compromise the security of their system by allowing viruses through from infected machines. With an ongoing battle between the developers of malicious files and the anti-virus software providers, it is essential that anti-virus software is kept up to date on all machines. An out-of-date anti-virus program could be the means by which a new virus is able to enter and damage your system.
 
penetration testing
Penetration testing, also known as a pentest, can be a useful way of testing how well your controls and security protect your business against malicious attacks. In a pentest, computer security experts evaluate your system’s configuration and actively look for weaknesses and openings which an attacker could exploit to penetrate your system. This gives forewarning so that your business can be forearmed against cyber attack. As with anti-virus software this is a constant battleground: pentests should be undertaken on a regular basis, and certainly before going live with system changes, as changing systems can be an ideal time to “leave the back door open”.
 
As seen with recent data losses by the government, a considerable amount of data can now be stored on very small devices, such as USB keys. Their very size means they can easily be mislaid, so it is important that such data is always encrypted so that it can only be read by the organisation and not by whoever happens to find the device.
 
business continuity plans
All businesses should have a business continuity plan (“BCP”) which sets out an approach as to how the business will continue in the event of a disaster – whether that is internal or external to the business. In extreme circumstances such a plan can be the difference between the survival and death of your business. Like other actions mentioned above a BCP should be kept under review in order that it evolves with your business and is kept fit for purpose. Accordingly regular review of the BCP is essential.
 
A key part of the BCP is likely to be how your IT systems are recovered and support the business through its troubles, as for most businesses these days the computerised systems are the main arteries of the business. Businesses should therefore ensure they have prepared a disaster recovery plan (“DRP”) so that in the event of an accident, whether it be fire, flood or a terrorist attack, the business has thought through how it can be up and running as soon as possible. The plan should set out the procedures to be adopted under different circumstances and include up-to-date contact information, and it should be communicated to and understood by those who will be key to its successful implementation. A DRP is not a document that should be prepared and then filed: it needs to be kept under review and tested on a regular basis. When a disaster occurs you want your DRP to work, so it is essential that a trial run is performed, as this will help identify issues which might otherwise be overlooked and make the business better prepared if it ever has to do it for real.
 
Some businesses may take the precaution of arranging backup facilities so that their functions can be replicated at a remote location within, say, 24 or 48 hours. Clearly there is a cost to maintaining such a facility, but it could be much less than the cost of the disruption if it were not maintained.
 
"cloud" computing
The development of “cloud” computing, whereby businesses rely on remote servers, has a bearing on some of the issues referred to above. Businesses are still going to be reliant on their IT systems to function but, whilst they have effectively outsourced the day-to-day tasks, the directors, or equivalent, remain responsible for ensuring that adequate systems and safeguards are in place. It is therefore very important to review and understand the contractual arrangement with your service provider. Organisations need to consider, for instance, where their data will be stored and controlled from, under what legislation the support contract will be provided, what security safeguards are in place and the methods of backup, without forgetting the financial stability of the provider.
 
An independent review of your system’s operating environment can help highlight risks and potential issues before they cause a critical business failure. Delaying taking any action in this area until a problem emerges may prove to be too late and, in the worst cases, the business may not get a second chance. We therefore strongly recommend that you talk to your normal advisor about your IT protection strategy or contact Simon Bulleyment at haysmacintyre IT Consultants Limited on 020 7969 5500 or sbulleyment@haysmacintyre.com who would be pleased to help you.