Organizations that have reached a high level of IT security can safely reduce spending between 3 percent and 4 percent of the IT budget by 2008, according to research firm Gartner Inc. By contrast, organizations that are inefficient or have historically underinvested in security may spend 8 percent or more of their IT budget on security. This means many organizations will still be investing aggressively for the next few years.
Technology is advancing rapidly. Some may argue that the only things that are moving faster are hackers. There are now solutions to most information security problems. It’s just a matter of implementing the technology efficiently and effectively so resources can be focused on new threats, says Larry Kucera, senior consulting executive of Premier Technologies.
Smart Business magazine spoke with Kucera about steps companies can take to ensure security and what systems are typically overlooked.
How can business owners guarantee security before an intrusion takes place?
Putting up a firewall or using virus-scan security software is not going to keep hackers out. Business owners fail to think about things that can happen within their company. Systems need to be evaluated from the inside out and the outside in.
There is risk associated with processing any type of data. You need security assessments from the network perspective as well as the application, the database and finally internal physical security.
Vulnerability assessment and a penetration test need to be run on systems. It is important to look at policies and procedures that model ISO 17799 security standards. Also look at data movement, how secure that data is, who needs to see the data, and how often it is being offloaded to a portable device.
What steps can executives take to ensure security?
- Identify applications which prove to be key to your business and generate a significant amount of data used in the organization.
- Lock down access rights to data. Access needs to be granted on a must-have basis. The use of a thin client, which has no external drives and therefore ensures that information cannot be removed from the workstation, provides security.
- Limit the number of wireless devices being used. These devices can be compared to telephone party lines used years ago. Today, someone can be transmitting information through a wireless connection and someone else can intercept the information unless it is encrypted.
- Outsourcing needs to be monitored. Executives need to make sure outsourcing companies use the same types of operating procedures and security guidelines that your company uses. Demand that your outsourcer is SAS 70 certified.
- Executives should review protocols and infrastructures to ensure both on-site employees and remote workers are following the same guidelines. Remote workers require intrusion-detection devices that notify the executive if someone is trying to access the information line.
- The use of numerous office locations requires that all systems are up to date. If they are not updated regularly, there is a great threat of intrusion.
What are systems that are commonly overlooked when it comes to security?
Laptop computers provide a major risk. Wireless connections provided in public areas can be accessed by numerous people who, in turn, can access the information that you are sending on the Web. Some companies are outlawing wireless networks because of lack of security.
Wireless networks can radiate out in much broader areas than are known. This becomes a concern for companies using webcasts to hold large meetings or conferences from many different company locations in the U.S.
How can a company keep systems updated without spending a fortune?
Today data is the most important asset a company possesses. From a business perspective, security ensures customers. If there is an intrusion, it is likely customers will no longer use that company, so company reputation may suffer.
Organized crime has entered the business of hacking. There is money to be made from selling data by hacking systems. Testing is required to find where security gaps may develop as a company grows and changes.
Testing should be done once a quarter because it is so dynamic. Automated software can be used to update systems. These tests and updates can be provided by a technology company.
What should a technology company be able to provide a company?
To provide the best security for your programs, you would want a company that can tell you where there are gaps and what needs to be updated and then help provide you with the resources to provide that type of security.
LARRY KUCERA is a senior sales consultant and domain expert in business continuity planning for Premier Technologies. Reach him at (412) 788-8080 or [email protected].