Due to a range of events—terrorist attacks, downtime as a result of viruses, and data loss from worms—CIOs are now acutely aware of the potential threats to an organization’s technical infrastructure. Whether you’ve got an existing security policy that needs an update or you're just beginning to assess the risks to your company, now is a good time to determine how to protect the integrity of your systems and your information.
In this article, we will take a look at five areas in which you can make significant strides in beefing up your organization’s network security:
- Establishing and maintaining a meaningful and relevant security policy
- Ensuring that your security policy has teeth and is enforced
- Providing tools to help your IT staff implement your security policy
- Closing an increasingly popular network back door
- Plugging security holes in cohosting situations
Start with a security policy
To identify security risks and to establish guidelines for acceptable behavior, you need a security policy that is clear, concise, and relevant to your business, your network, and your employees. These TechRepublic resources can help you tailor your security policy to fit your company:
- "Internet security: Consider the Trojan horse and the Tower of London": Deloitte & Touche security expert William Hugh Murray discusses four common security strategies, some riskier than others. This overview of the importance of network security will help you explain it to those who may be skeptical about the need for a comprehensive security policy.
- Download a sample network security policy from TechRepublic that can help you develop your own policy customized to your organization’s needs. It covers software installs, downloads from the Internet, computer viruses, access codes, physical security, and licensing.
- To take a measure of the “security culture” at your company, Gartner security analyst William Malik suggests that you conduct a simple survey. In “Does your company culture value corporate security?” Malik suggests that you ask three questions about your employees:
1. Would a first person understand that a second person was committing a security violation?
2. Would that first person report the violation?
3. Assuming that the first person would report the incident, would he or she know whom to contact?
Malik believes that if you can answer "yes" to all three questions, you are beginning to create a corporate culture that values security.
- To foster a culture of security, make sure that your security policy is relevant to the employees expected to follow the policy, said John O’Leary, the director of education for the Computer Security Institute. In “Three basic steps to help you create a culture of security,” O’Leary recommends that security training be part of the employee orientation process and that it should include examples of how the policy affects the employee’s day-to-day tasks.
Getting the respect and tools to do the job
According to Malik, one way to make sure that the security policy gets respect—from the CEO to department heads and all the way to the worker with minimal interaction with the network—is to appoint a Chief Information Security Officer or assign those responsibilities to someone who meets with the company president or CEO twice a month to discuss security vulnerabilities. Assuming that the rest of the company is now aware that policy infractions may be a topic of conversation at the highest levels of leadership in the company, compliance should be much easier to attain.
But having a security policy in place is only half of the solution—your IT staff also needs its own set of tools to protect the network. Have your IT managers put together a team that will immediately respond in the event of a virus or worm attack. This team should have a list of antivirus resources that includes Web sites that offer information on viruses and other security concerns, such as SecurityFocus and Church of the Swimming Elephant.
While you may be skeptical of the value of bulletin boards, listservs, and user groups, these forums can provide critical information in the early hours of a new virus or worm attack. If your network administrators have access to these sources, they may be able to solve problems more quickly. If you have denied access to these forums, reconsider this decision and add another tool to your admins’ kit.
To prepare for an attack, make sure your managers have a list of all the software running on your network, including version information. With this list in hand, your staff can quickly identify what programs they need to patch or update.
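The inventory-then-patch step above is easy to state and tedious to do by hand once you have more than a handful of hosts. The following added example (not part of the original article or any product it mentions) shows the comparison a small script can do for you: it takes a constructed inventory of product/version pairs per host and a constructed list of advisories, each naming the first fixed version of a product, and reports which hosts run something older than the fix. Every host name, product name (`ExampleHTTPd`, `MailDaemonX`) and version in it is a made-up placeholder, and the version-comparison rule is an assumption stated in the comments: anything it cannot parse is treated as older than the fix so it is flagged for a person to look at rather than silently skipped.

```python
"""Software inventory vs. patch advisories (constructed example).

Given an inventory of what runs where (product and version per host) and
advisories that state the first version containing a fix, list every
host/product pair that is still below the fixed version.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str   # product name as it appears in the inventory
    fixed_in: str  # first version that contains the fix
    note: str      # free-text description of what the advisory covers


def parse_version(version: str) -> tuple:
    """Turn '2.0.39' into (2, 0, 39) for tuple comparison.

    Assumption used here: a piece that is not purely numeric (e.g. '39b')
    is mapped to -1, which sorts below any real number, so an unparsable
    version is conservatively treated as OLDER than the fix and flagged.
    """
    parts = []
    for piece in version.replace("-", ".").split("."):
        parts.append(int(piece) if piece.isdigit() else -1)
    return tuple(parts)


def is_below(installed: str, fixed_in: str) -> bool:
    """True if `installed` is older than `fixed_in`.

    Both tuples are zero-padded to the same length so that '2.0' and
    '2.0.0' compare equal instead of '2.0' being flagged as older.
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_patch_work(inventory: dict, advisories: list) -> list:
    """Return (host, product, installed, fixed_in, note) for each pair needing a patch.

    `inventory` maps host -> {product: version}. Product names are matched
    case-insensitively. Result order follows inventory order, so the report
    is stable from run to run for the same input.
    """
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product.lower(), []).append(adv)

    work = []
    for host, software in inventory.items():
        for product, version in software.items():
            for adv in by_product.get(product.lower(), []):
                if is_below(version, adv.fixed_in):
                    work.append((host, product, version, adv.fixed_in, adv.note))
    return work


# Constructed sample data: every name and version below is a placeholder.
INVENTORY = {
    "web-01": {"ExampleHTTPd": "2.0.38", "SSHDaemonY": "3.1"},
    "web-02": {"ExampleHTTPd": "2.0.40"},
    "file-01": {"ExampleHTTPd": "2.0", "MailDaemonX": "1.4.2"},
}
ADVISORIES = [
    Advisory("ExampleHTTPd", "2.0.39", "placeholder: request-handling fix"),
    Advisory("MailDaemonX", "1.5", "placeholder: message-parsing fix"),
]


if __name__ == "__main__":
    for host, product, installed, fixed_in, note in find_patch_work(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {installed} -> update to {fixed_in} ({note})")
```

In practice the inventory would come from whatever your staff already collects (package lists, installed-program exports) and the advisory list from the vendor notices and the forums the article recommends; the value of keeping the version field accurate is exactly that this comparison can then be run the morning an advisory appears instead of after a host-by-host survey.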
Two security soft spots
Once you have your security policy in place and your IT staff is monitoring the Internet for signs of new security threats, you need to take a more global view of potential liabilities in your network infrastructure.
Two vulnerable spots that you may not think of are your VPN/telecommuting connections and your cohosting setup.
“You have to remember that anyone who is trying to compromise an organization will always concentrate on the weak link. In the future, you're likely to see more successful attacks that access a company's network through an unsecured remote machine, rather than a direct attack on a corporate firewall,” Malik said.
Although your VPN is a secure connection for telecommuters, you don’t know how secure the remote computer is. “Hinder hackers without hurting telecommuters” offers an overview of this security weakness. For telecommuters with high-speed access like cable or DSL, there are inexpensive and even free hardware and software products to help them secure their machines.
In addition to remote workstation connections to your network, remote server connections to your network can also pose a security risk.
A common practice these days is to locate Web servers or storage farms in colocation centers. You may think that because your equipment is bundled up in a steel cage, it is secure from tampering. That isn’t always the case, according to security services expert Mark Seiden, who discusses colocation in “Colocation facilities: Firms bear the burden of boosting data security.” He recommends building a cage within the facility’s cage to keep your equipment isolated from facility staff or other intruders who might gain access to your company’s cage.
Is your network secure?
There are many potential weak spots in even the best-regulated networks. How do you think your organization’s network security compares with other organizations your size? Do you have your security policy spelled out for all to see? How effective has it been? Send us a note or post a comment in the discussion below.
Budgeting for security in your 2002 plan
Each of these ideas for tightening your network security has its own merits, but it takes coordination and continual monitoring to have an up-to-date, effective security plan. No one wants to think about adding staff members in these uncertain economic times, but hiring or designating a security officer may be a long-term investment that pays off many times over. When you consider the range of known and unknown threats to your network and your data, the thought that someone on your staff is monitoring these risks full-time can offer some degree of assurance that your company won’t be the next one taken down by a virus or crippled by data loss.