By Pete Simpson

Summary: The online attacks directed at and earlier this year—as well as the Y2K bug threat and imbedded viruses from last year—have businesses large and small concerned with breaches of their information systems and data security. But it’s often the things you do to protect against the small things that will offer you the most peace of mind.

Information technology, or IT, is a broad concept. Breach of IT security can result in unauthorized access of resources, intrusion of viruses, theft of data and loss of competitive advantage.

Media exposure leads the public to believe that most security violations are the results of hackers or “outsiders.” However, many unauthorized acts—including malicious acts—are carried out by disgruntled employees or “insiders.” This illustrates the importance of securing computer-based resources from both “outsiders” and “insiders.”

Who is affected?
Technology has become so prevalent that it affects almost every aspect of daily life. Computers are at the core of most businesses, ranging from accounting to credit checking. Computers are responsible for maintaining bank accounts, medical records, Department of Motor Vehicles reports and personal and business credit history. Clearly, everyone who has a credit card or uses an automated teller machine must be concerned with the accuracy and privacy of their personal information and, therefore, must be concerned with IT security.

Why is there concern?
Home users and businesses are finding online shopping, or e-commerce, appealing because of the convenience, simplicity and robustness (not to mention the often lack of sales taxes required). This widespread availability and acceptance of computers has dramatically increased the number of people with the ability to compromise data.

As prices continue to drop and people become more comfortable with technology, the reliance on computer-based resources will continue to increase. As this dependence develops, security exposures may lead to disastrous results with possible financial and legal ramifications. At a minimum, a security breach will result in lost time and decreased productivity while a “clean up” effort occurs. More than likely, however, the results will be much worse. Financial loss as well as non-monetary effects will occur. For example, if a water conditioning dealership’s customer information was stolen, it would lose credibility, no longer be able to attract clients and have their valuable information sold to the highest bidder.

Security objectives
Make information unavailable to those who are unauthorized to access it. Strict controls are a must to ensure that only those persons who need access to certain information have that access. The “need-to-know” works well as the key. The concept of allowing access to information or resources only to those who need it is called access control.

Passwords are the most common form of access control and the most common form of security breach is the compromising of these passwords. Requiring strong passwords is the first step in preventing unauthorized individuals from accessing sensitive information. Protecting these passwords is one of the most fundamental principles of computer security.

Imagine your business as a typical suburban house. A password can be likened to a front door key. No one can enter the house without the key, but it can easily be lost, misplaced or stolen. Implementing a strong password policy is inexpensive, doesn’t require technical skills and should be taken extremely seriously. Businesses should create and implement computer security policy that educates employees on good password selection, use duration and confidentiality.

Poorly chosen user passwords constitute the most common threat to computerized data.

There are several recent, dangerous security vulnerabilities that have been highlighted in national news—but nothing matches the threat and ubiquity of poorly chosen passwords. In fact, you could probably combine all the current buffer overflows, input-validation attacks and data-driven attacks and still not match the menace of easily guessed passwords.

There are certain policies that can be instituted (see Figure 1) to make things more difficult for those that would try to compromise your internal security. There’s no easy way to enforce these guidelines, but their importance has to be impressed on employees at all levels. For instance, company policy should dictate that users change their passwords immediately to something more difficult to guess.

Feel nervous about imposing strict password policies and guidelines? The alternative is easily hack-able systems. And for those managers and owners who can’t understand why data processing staffs have to make such demands, imagine your salary, stock options and personal and corporate emails in the hands of the wrong person. Then reconsider this “inconvenience.” Are your systems vulnerable?

Access control
Limit resources available to an employee once they have been authenticated into the computer network or computer. For example, the entire human resources department might need access to employee information such as addresses and birthdays, but only certain individuals within the department need access to compensation information. Access control can be paralleled in our model house as well. The maid has the front door key so she can come in and clean, but that key does not unlock the door to your home office or the safe in the bedroom that contains your important documents.

Integrity ensures that information cannot be modified in unexpected ways. Loss of integrity could result from human error, intentional tampering or even catastrophic events. The consequences of using inaccurate information can be disastrous. Efforts must be made to ensure the accuracy and soundness of data at all times.

When the validity of information is critical, it’s often helpful to design controls and checks to ensure accuracy such as batch balancing and control logs.

As individuals and businesses increase information sharing and communication via the Internet, vulnerability to attack or intrusion rises. Authorization, access controls, confidentiality requirements and education are some examples of the technological components available in multi-layered IT security policy. In the world of technological evolution, everyone is a target of electronic crime and needs to be concerned about security.

About the author
Pete Simpson is general manager of UNCO Data Systems of Minneapolis, Minn. His master’s degree in business administration and information sciences is from Pepperdine University, and he’s with UNCO since 1994. UNCO has been in business since 1969 and specializes in information technology for the water conditioning and bottled water industries.



Comments are closed.