If there is one thing about computers that corporate officers and directors must understand, it’s this:
Information security is no longer a single-product solution or policy document. It is a system — and that system is only as strong as the weakest link. The days of placing a firewall at the ingress of your network and being able to forget about security are gone. “When a breach occurs, a lack of security becomes very evident to corporate officers,” says Jeff Foltz, senior vice president of information access security, data security and business continuity management for FirstMerit Bank headquartered in Akron. “Even companies that do it right can still get breached, and they can lose millions of dollars. The companies that don’t do it right or fail to implement strong security countermeasures can face various state and government fines as well as legal fees.”
Smart Business asked Foltz how a company can make its computer system more secure.
What kind of companies should be most concerned about Internet Information security?
Any company that is using anything that connects with an Internet browser or exchanges data over the Internet, right down to the PC level, including PDAs, Blackberrys, Palm Pilots and any other medium that allows easy exchange of data.
Every industry has a very specific target audience that people would like to hack into or compromise. For instance, a virus that will delete all JPEG images wouldn’t have a significant impact on a bank’s operations, but it could cause a lot of damage to a graphic design firm. So you have to inventory your company’s critical assets — including each type of data element like spreadsheets, general ledgers and formulas — and evaluate different solutions.
Typically, what are the chances that a virus or worm from the Internet can invade a corporate computer system?
If you have one of the major anti-virus programs like those made by Symantec and McAfee — and you’re staying up to date with your virus definitions — you’re reasonably assured that your systems aren’t going to be compromised by a rampant virus.
The minimum that any computer system needs is a firewall, an anti-virus program and spyware or malware scanners.
But because layers provide the best protection, you shouldn’t rely on one solution. For instance, at the front door where your firewalls are, you should have an anti-virus program from one vendor that scans everything that comes into the system. At the server or desktop level, you need to have additional virus protection from a different vendor.
When you deploy a defense-in-depth strategy, you should also analyze costs. You don’t want the cost of solutions to exceed your level of protection. This can become a fine balancing act.
What are security patches, and what is patch management?
Patches are supplementary software updates to security operating systems and firmware software that identify and correct new or potentially new code vulnerabilities, or protect against new viruses, worms or malware. Updates come from vendors in the form of e-mail notifications and downloads.
Patch management pertains to measured, layered security and continual updating of all IT infrastructure including PCs, servers, firewalls, routers and switches. It consists of protecting your entire IT infrastructure from harm, and being timely is super-critical because the time frame has shortened. You can’t wait a month anymore to patch critical vulnerabilities on all systems.
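The two practical points in the answers above, inventorying assets by business criticality and patching critical vulnerabilities on a window of days rather than a month, can be tied together in a simple tracker. The following is an added example written for this page, not the bank's tooling or anything the interviewee describes: the asset inventory, the pending-patch list and the SLA windows (7/14/30/90 days by severity, halved for business-critical assets) are all constructed here and are assumptions, not FirstMerit's policy.

```python
"""Patch-SLA tracker: flag assets whose pending patches are past their window.

Added example, not code from the article. Inventory, patch data and SLA
windows are constructed inline and are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA windows in days, keyed by the vendor's severity rating.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str          # pc, server, firewall, router, switch
    criticality: str   # business criticality from the asset inventory: high/low


@dataclass(frozen=True)
class PendingPatch:
    asset: str
    patch_id: str
    severity: str
    released: date
    applied: Optional[date] = None   # None while the patch is still outstanding


def days_allowed(severity: str, criticality: str) -> int:
    """Assumed policy: business-critical assets get half the normal window."""
    base = SLA_DAYS[severity]
    return max(1, base // 2) if criticality == "high" else base


def overdue(patches, assets, today: date):
    """Return (asset, patch_id, days_past_deadline) for unapplied patches
    whose deadline has passed, most overdue first."""
    by_name = {a.name: a for a in assets}
    result = []
    for p in patches:
        if p.applied is not None:
            continue                      # already patched, nothing to flag
        asset = by_name[p.asset]
        window = days_allowed(p.severity, asset.criticality)
        deadline = p.released + timedelta(days=window)
        if today > deadline:
            result.append((p.asset, p.patch_id, (today - deadline).days))
    return sorted(result, key=lambda r: -r[2])


# Constructed sample inventory (hypothetical host names and patch IDs).
SAMPLE_ASSETS = [
    Asset("gl-db01", "server", "high"),       # general-ledger database
    Asset("teller-pc-17", "pc", "low"),
    Asset("edge-fw01", "firewall", "high"),   # the "front door" firewall
]

SAMPLE_PATCHES = [
    PendingPatch("gl-db01", "KB-0001", "critical", date(2024, 3, 1)),
    PendingPatch("teller-pc-17", "KB-0002", "medium", date(2024, 3, 1)),
    PendingPatch("edge-fw01", "FW-1.2.3", "high", date(2024, 3, 10),
                 applied=date(2024, 3, 12)),
    PendingPatch("edge-fw01", "FW-1.2.4", "high", date(2024, 3, 12)),
]


if __name__ == "__main__":
    for asset, patch_id, days in overdue(SAMPLE_PATCHES, SAMPLE_ASSETS, date(2024, 3, 20)):
        print(f"{asset}: {patch_id} is {days} day(s) past its patch window")
```

Run against the constructed data on 2024-03-20, the critical patch on the ledger server is 16 days overdue (a 3-day window for a critical patch on a business-critical asset), the firewall's newest patch is 1 day overdue, and the medium-severity PC patch is still inside its 30-day window. The point is the inventory join: the same patch severity yields a different deadline depending on what the asset is worth to the business, which is exactly why the inventory has to come first.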
Are ‘business secrets’ — and other information stored electronically — safer than they were 20 years ago? Why or why not?
I would say no. Twenty years ago, a majority of information was fax or microfiche so you had to physically steal the media from inside a company. But today, with laptops, the availability of wireless hot spots and portable USB flash drives, access to critical data and information is much easier.
Companies must take measures to protect themselves and to conduct due diligence with companies that they’re doing business with — especially financial institutions. If you are outsourcing, you should ask what the other company’s security policies and programs are, and they should include biannual security assessments by an unbiased third party.
Where can companies get information on security issues and possible solutions?
Plenty of background information is available, like Secure Computing magazine. Using Google as a search tool, I read product comparisons and research vendors on the Web. Information security symposia — which include topical discussions of threat vectors and ways to minimize those risks — are common in the Cleveland area.
JEFF FOLTZ is senior vice president of information access security, data security and business continuity management for FirstMerit Bank in Cleveland. Reach him at (330) 996-6638.