A Business Guide to IT Security

Developing an ICT Security Plan

A security plan deals with combating threats to your ICT systems: it is a strategy for protecting your business or organisation from human, physical and electronic attack.  Having a robust security strategy is not a sign of paranoia; it is simply a necessity.

Research has consistently shown that the single greatest threat to business IT systems comes from within the business itself: people are the problem.  Human error, malicious attack, theft of valuable information and negligence must all be faced as possible threats.

Frequently forgotten is how a business would recover its information systems following a fire or a burglary.  Better known are attacks from outside the organisation: electronic fraud and computer viruses.

Malicious attacks on your web-server can leave your web-site in disarray or, worse, corrupt files deep within your network server.

If you are building a database of on-line clients, the integrity of this information is what makes it valuable.  This needs to be protected.

 
Stage One: Carry Out a Security Audit

When you carry out this study you will know:

  • The main points of vulnerability within your system
  • The steps you must take to counteract applicable threats

Stage Two: Develop Security Policies and Procedures

Rules are an important part of your security plan.  Deciding who has access to what data, and in what way (database authorisation and permissions, for instance), is clearly necessary on a network.  Procedures for backing up data should be written down so that they can be used as a common checklist: everyone knows what they have to do, and everyone does the same thing.
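As an added example (not part of the original guide), here is how the decision about who has access to what data, and in what way, can be written down as database permissions for the on-line client database mentioned earlier. It assumes a PostgreSQL database; the table, column and role names are hypothetical.

```sql
-- Added example, not part of the original guide. Assumes PostgreSQL;
-- the table, column and role names are hypothetical.

-- The asset: the on-line client database whose integrity makes it valuable.
CREATE TABLE clients (
    id          serial PRIMARY KEY,
    email       text NOT NULL UNIQUE,
    full_name   text NOT NULL,
    card_last4  char(4),
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Nobody gets access by default: remove what PostgreSQL hands to every
-- account through PUBLIC, including the right to create objects in the
-- public schema.
REVOKE ALL ON TABLE clients FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Roles are named after the job, not the person, so a staff change is a
-- single change of role membership rather than a rewrite of the rules.
CREATE ROLE web_app   NOLOGIN;   -- the web-site's own database account
CREATE ROLE marketing NOLOGIN;   -- staff who need to read, never change
CREATE ROLE dba       NOLOGIN;   -- the people allowed to change the rules

-- Who has access to what data, and in what way.
-- The web application may add and update clients but may not delete
-- rows or empty the table: a compromised web-server cannot wipe the list.
GRANT SELECT, INSERT, UPDATE ON TABLE clients TO web_app;
GRANT USAGE, SELECT ON SEQUENCE clients_id_seq TO web_app;

-- Marketing may read names and e-mail addresses only.  card_last4 is not
-- in the grant, so any query touching it fails with a permission error.
GRANT SELECT (id, email, full_name, created_at) ON TABLE clients TO marketing;

-- Administrators get everything, including the right to hand out rights.
GRANT ALL PRIVILEGES ON TABLE clients TO dba WITH GRANT OPTION;

-- Real login accounts are placed in a job role; the password control
-- policy from the security plan applies to these.
CREATE ROLE www_server LOGIN PASSWORD 'change-me' IN ROLE web_app;
CREATE ROLE jane_m     LOGIN PASSWORD 'change-me' IN ROLE marketing;

-- Audit check for the annual review: list every grant in force on the
-- table so it can be compared with the written access rules.
SELECT grantee, privilege_type, column_name
FROM   information_schema.column_privileges
WHERE  table_name = 'clients'
ORDER  BY grantee, column_name;
```

The final query is the piece worth keeping in the checklist: the written rule ("marketing reads names and e-mail addresses only") and the grants actually in force are compared side by side, and any grantee that appears with a privilege the rules do not mention is a finding for the audit.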

Web transactions are particularly vulnerable to attack.  Encryption, firewalls, digital certificates, password control and public key/private key transaction software are all issues which need to be addressed.  If you are not using the WWW to sell products on-line and your web-site is hosted remotely, you have significantly fewer problems to worry about, although you are then relying on the host's security rather than your own.  However, if you communicate by e-mail, you are likely to want to keep the content of your messages private.

E-mail is a boon and a danger.  Effective anti-virus software should be installed and procedures for keeping it up to date drawn up.  Rules for use of the Internet, and for the types of file that may or may not be downloaded, are also necessary.

Another typical source of computer viruses is diskettes brought into the organisation by employees.  It is now common practice to expressly forbid the use of diskettes or software from outside the organisation.  (Some organisations even require all visitors and staff to leave any diskettes they may be carrying at reception.)


Stage Three: Implement Recommendations

The recommendations of a security audit need to be implemented in full.  The cost of system failure or loss of important data can be the failure of the business itself.  Leaving security holes open is like building an office with no doors: 90% of the infrastructure is there, but it is not complete until it is secure.
 
 

Rules of Thumb

  • If you host your website on your own server, put a firewall between it and your network.
  • Prevention is infinitely better than the cure.  Murphy's Law thrives in IT systems.
  • Create and use security checklists.
  • Carry out security audits and review your policies and procedures annually.

Issues to note:

  • People
  • Virus Protection
  • File Back Up
  • Power Supply Protection
  • Web Security
  • Firewall
  • Network Security
  • Data Protection
  • Data Integrity
  • Electronic Transaction Security
  • Privacy
  • Disaster Recovery
  • Authorisation and permissions
  • Password control
  • Policies and procedures
  • Risk Management

 

Questions to Answer

  1. What effect would the loss of your data have on your business/organisation?
  2. Do you hold data on your computer system that you must keep from competitors?
  3. If your network is accessible via the Internet, are you sure that private data is secure?
  4. What would happen to your data in case of a fire or a burglary?
  5. How would your business/organisation be affected if a staff member defected to a competitor?