
Bug Watch: New Year Resolutions

by Matt Tomlinson, MIS

05 Jan 2001

Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

With the New Year upon us, Matt Tomlinson, business development director at IT security expert MIS Corporate Defence Solutions, outlines some New Year resolutions businesses can achieve in 2001 to help prevent security problems.

Looking back at 2000 it is fair to reflect that this was the year when IT security stories really grabbed the headlines. What with the Love Bug virus causing havoc across the world, employees being sacked for 'inappropriate email use' and hacks of household names, including IT giant Microsoft, an almost everyday occurrence, the media has had a veritable who's who of big companies to report on.

As the internet continues to revolutionise business practice and models, IT security, as highlighted by the previous year's media coverage, will become increasingly important if businesses are to succeed and build consumer confidence.

Businesses need to remember that IT security is often relatively simple and unquestionably available to everyone, making practically all of last year's breaches avoidable. Combining the lessons learnt in 2000 with the knowledge gained by experts working within IT security on a daily basis, it is possible to suggest some essential IT security New Year resolutions that will help to make 2001 a safer and sounder security year.

IT budgets set for the year 2000 regarding IT security were, on the whole, not embracing enough, concentrating solely on one or two disciplines, such as antivirus updates or firewalling. The key to successful IT security is in its policy. The right policy should encompass more than just the products, which account for a mere 10 per cent of the secure infrastructure.

Many companies hit by a security breach believed that no one would have wanted to compromise their infrastructure. However, the facts show that a vast majority of companies that are hacked are hacked because they could be: not because of who they are or what they do, but simply because they had a vulnerability that a hacker/cracker could exploit. By raising awareness of these issues throughout a company, IT security can be placed at the top of the budget agenda.

The year 2000 saw companies vying to join the ecommerce rollercoaster, often considering security issues as an afterthought, relying on their internet service provider (ISP) to provide an acceptable level of security. Companies need to look specifically into what IT security their chosen ISP provides: preferably provision will be through a third party, to help decide which security measures need to be added.

Improving staff awareness through education of the issues is essential if security is to start at home. For example, teaching employees not to double click on email attachments can reduce the risk of a security breach from an outside source and prevent viruses entering a network. Just as fire and safety procedures are in place in every working environment, so should an ISD (Information Security Drill) be in place to teach and reiterate secure computing practice.

A vast depth of knowledge is available in the marketplace. Find an educated, reliable source that you and your company have researched, with whom you are happy to place your trust. IT security is very much a 24x7 job and companies need to have access to a dedicated source dealing with the issues. This is not to say that everyone needs to have a 24x7 security measure in place, simply that all should consider having access to that knowledge.

Operational software should not be relied upon to provide the essential securities. For example, default passwords need to be changed and vulnerabilities relevant to the company's system should be monitored, with patches implemented as soon as they are available.

A key factor to remember is that IT security is affordable and not out of reach to smaller businesses - the growth of security take-up by SMEs is testament to this, proving that IT security is within financial constraints. For example, Virtual Private Networks (VPNs) are affordable, relatively easy to implement and offer high levels of encryption and security.

Learning from others' mistakes will go a long way to ensuring that the foundations of IT security policies in 2001 will provide essential, secure measures in the fast-paced world of the internet tornado within which we work.

Have a happy and secure New Year!
