MCPc Blog

IT Security Considerations for Network, Data, Device and Personnel

 Email Article  

Tweet  

  

According to the 2010 Network Forensics Survey of more than 200 security professionals, “35% [of respondents] said they have had a significant security incident within the last 3 years, and 82% said that it's likely they will experience a significant incident within the next 3 years.”

Despite this understanding of risks, findings also showed that few organizations have the processes in place to effectively identify, determine the scope of, and respond to security breaches.

So, how can IT security professionals most cost-effectively secure their environments? By investing first in the areas that pose the biggest potential risk, and determining the proper solutions for their business’ unique needs and user base.

In my opinion, there are four key areas to consider when developing a comprehensive security plan: Network Security, Data Security, Device Security and Personnel Security. Below, I’ve outlined some basic best practices that you can implement easily in each of these areas.

Network Security

• Patch all OS and device firmware regularly as soon as vendors release them.
• Ensure that all the networking devices — including routers, switches, and access points — are protected by strong passwords.
• Ensure that remote access to network devices via Telnet and SNMP are restricted based on the IP address and granted to only authorized IT support personnel.
• Provide log-on banners such as Message of the Day (MOTD) for networking devices like Cisco routers and switches with a legal warning message to any unauthorized users attempting to access the device.
• Encrypt Internet and wireless communications and ensure that encryption keys are regularly changed in a secure fashion to prevent eavesdropping and data-manipulation based attacks.

Data Security

• Review your password policy to ensure that password protection, best-practices adherence, and retention policies reflect current practices. Update requirements for password complexity and password reuse rules if needed.
• Urge users not to open unsolicited attachments, which are a primary vehicle for viruses. Certain attachment types — .exe, .asp and .cmd — are more likely to carry malware than others.
• Never distribute sensitive information, such as payroll or customer lists, via email. It takes just one unwitting employee to forward this information into the wrong hands. Instead, store sensitive information and lists on a server that qualified employees can access securely. SharePoint is a great option.
• Remove, or update and protect, old mailboxes. Your domain may contain a few test accounts or inactive email addresses, which were likely created with simple passwords. Those easy-to-guess passwords can open the door for a savvy hacker to infiltrate your system.

Device Security

• Provide proper end-of-life management and data destruction.
• Develop desktop virtualization and application virtualization proof-of-concept initiatives.
• Implement software, such as the forthcoming Intel Anti-Theft Technology, to enable the IT department to remotely access a stolen company (or employee-owned) laptop and protect it from thieves by blocking the boot process. 
  • “One of 10 corporate laptops will be lost or stolen over their three-year lifetime — along with tens of thousands of dollars of data” (Source: InfoWorld)
  • Interesting fact: Intel combats device theft this by allowing employees to store personal information on company machines, because then the user is more likely to value the device.

Personnel Security

• Provide employee education and training, so that they understand:
  • Company device usage policies (not downloading or installing unapproved software, etc.)
  • How to spot malicious apps, phishing scams, etc.
  • Proper, approved use of cloud systems (MobileMe, Dropbox, etc.)
• Install video surveillance systems.
• Develop proper firing and debriefing procedures to ensure that important data doesn’t leave with departing employees.
• Start an awareness program. Prominently post basic tips — such as attachment vigilance, how to handle strange emails and password-protection steps — to keep employees conscious of the dangers they may encounter in their inboxes.

Lastly, here are a few big-picture things to keep in mind:

Create balanced security policies: Ensure compliance, protect corporate data and ensure the security of your infrastructure, but stop short of policing employees to the point where you may be hindering their abilities to do their jobs. You can always say, “no” when activity becomes inappropriate on a case-by-case basis. (Source: IT World Canada)

If you’re seeking additional budget to put the security you need in place, see this article: Five Security Budget Tips for 2011. It includes tips such as:

• Relate IT security budget needs to these three key drivers: compliance, risk of legal fees and brand damage in case of security breach.
• Discuss importance of risk management
• Find out if your customers are asking about security as a decision-maker

With basic security practices in place, and with security taking a higher profile within the organization, you’ll reap the benefits of a safer technology environment. And, you’ll be better poised to move forward with larger security initiatives if needed.

Your Thoughts?

What are your biggest security concerns? What systems are you putting in place to combat them?

Darin Haines is Group President of MCPc's Advanced Technology Group - Delivery Division and has over 16 years of experience in leading the technology function in mid-sized and enterprise-level organizations. Connect with Darin on LinkedIn.

Image credit: hape_gera

Stay Connected with MCPc: Subscribe to the blog; follow us on Twitter, Facebook or LinkedIn.