From Security Expert Kroll, 10 Ideas for Battening Down the HatchesBy John McCormick | Posted 2007-10-02 Email Print
An expert says you should start by monitoring wireless networks and paying attention to Microsoft's Tuesday patch notifications.
The theft of, loss or, or attacks on information continues to be a major concern for corporations. A new report from security firm Kroll finds that 20% of corporate executives feel highly vulnerable when it comes to their critical data and 30% believe the complexity of today's information technology increases their fraud risks.
Kroll's Global Fraud Report was based on a survey of 900 senior executives that was conducted by the Economist Intelligence Unit, a leading research company.
A big problem, according to Alan Brill, a senior managing director at Kroll who specializes in communication security and technology crime response, is the complex nature of today's information systems.
For instance, he says, companies— including retailers, travel companies and financial firms—continually add features to their systems that allow their customers to interact, primarily through the Internet, with their back-end databases. This creates an extremely high volume of transactions against those data stores. And these systems, he says, "are not always developed with the security required for that level of sophistication."
In an interview, Brill offered 10 recommendations for CIOs and other business technology leaders to alleviate the risk:
1. Make sure your systems are properly patched. When Microsoft says it's releasing vital patches, he says, they usually are. And the software fixes should be performed. Granted, handling patches can be tedious, but there are patch management software packages that can automate.
2. Likewise, encrypt important data. There are no excuses not to, since doing so is no longer a big deal.
3. Enforce configuration management standards. If you have 500 systems—400 desktops, 50 laptops and 50 servers—do you want to worry about 500 configurations? Have a standard configuration for each platform. That way you're dealing a handful off configurations, not a profusion.
4. Monitor wireless networks. In some organizations, it's easy for employees to install wireless access points—and the employees may have good reasons for doing so. Beware: Those access points can be unprotected. Companies should do regular sweeps to see if there are wireless access points that they don't know about.
5. Keep current with attacks that are happening. You can then simulate those attacks against your own systems to see what, if any, vulnerabilities you have.
6. Minimize data. Collect only the data you need to do business—and then only keep that data for as long as it's necessary. Old, outdated data has zero value to the company, but it has the same risk as any other information you gather and store.
7. Know the legal systems of the countries in which you do business. If you do a lot of overseas outsourcing, for instance, you need to know what the privacy and security rules are.
8. Perform background checks on people who have access to data. "At Kroll," Brill said, "we have seen a growth in resume inflation." Make sure people are who they say they are.
9. Involve everyone in security, including consultants and others working for you. Perform background checks with contract employees. Depending on the material they're working with, you may also want them to sign non-disclosure agreements.
10. Educate employees about scams. Social engineering—including the phenomenon of hackers tricking employees into giving up passwords and other confidential information—remains a problem. Teaching employees about cons and other schemes is a must.
Feedback on this story: firstname.lastname@example.org