Thursday, November 20, 2008

An advisory checklist for IT departments in small and medium businesses

Introduction:
In recent years the need for IT security in small and medium-sized businesses has grown, because threats from cyberspace are genuine and, if left unchecked, can cause severe damage even to the most fortified information systems. Electronic attacks on government and corporate systems are commonplace, and attacks on both database systems and websites are constantly on the rise. IT professionals will recognize the negative implications such attacks have on the day-to-day running of the entire business: an afflicted business is prone to disruption of normal services and a significant loss of productivity, both of which lead to poor financial performance.
A survey carried out by the Computer Security Institute revealed that 90% of firms had firewalls and that more than 50% of these firms used Intrusion Detection Systems (IDS). Despite these measures, 40% of the firms confirmed that their security systems had been breached. The survey also pointed to weaknesses in some security technologies, including virus scanners: 90% of the firms surveyed had deployed anti-virus solutions on their servers and workstations, yet a staggering 85% of these respondents admitted that their systems had been infected by viruses and worms, with substantial financial consequences. The basic inference from this survey is that businesses were facing serious threats from cyberspace and that the available technology solutions were not wholly effective in curtailing such attacks. The same survey showed that 74% of the respondents attributed the attacks to the fact that they were connected to the Internet. This underlines the need to develop effective information security solutions that help small and medium-sized businesses mitigate the threats posed through the Internet. The survey also established that hardware and software alone are not the final answer to these problems.
There are four key areas in which the IT departments of such firms can reinforce protection. These four components capture the avenues through which would-be attackers can gain access to a firm's information systems. They are the following:

§ The IT infrastructure
§ The accounts
§ The required employee procedures and
§ The security methodologies in the firm’s IT department

Based on these four areas, a checklist for each will be developed to help IT professionals in these firms be aware of the critical issues they must address in their quest to make their information systems impregnable.

A. The Infrastructure
It is through the information system infrastructure that most Internet-oriented attacks are channeled. The IT department should therefore be particularly careful to ensure that no part of its infrastructure facilitates a security breach. As far as the infrastructure is concerned, there are four main tasks that belong on the checklist. These are:
1. Ensure that servers and software are kept hardened against breaches through constant patching.
The software applications and operating systems used in business are not secure by default. Attackers are therefore always on the lookout for weak points through which they can easily access your systems; indeed, 90 percent of attacks are conducted through such weak points. It is important that software used for inventory, mailing lists and so on is always patched to close such loopholes, and patching should be done as frequently as possible.

Line of action: Ensure that the software in use is regularly updated, with a minimum of two updates per year.

2. Be sure to adopt routine backup practices for your critical systems.

In the unfortunate event that your firm loses important data, a backup system will be your first line of recovery. The IT department should regularly verify that the backup systems are in good working order, i.e. that all the data can be fully recovered. It is prudent to store the backup data in a separate location to avert wholesale loss.

Line of action: The ability to recover data from your backup should be kept as close to optimal as possible. It is recommended that restoration capacity be reviewed at least once a year.

3. Ascertain that your applications, servers, and security devices always produce logs.

In the modern electronic business environment, the ability to keep logs and audit trails of your information systems is paramount. Logging lets you confirm what activity has taken place on your system, and it is through logs that you will be able to assess the damage inflicted by attacks.

Line of action: Ensure that all events, whether failed or successful, are logged, so that you have a clearer picture of the whole situation if an attack materializes.

4. Keep tabs on abnormal activity that may occur in your applications, hosts, and networks.

Security attacks are usually fast and difficult to detect. Without constant monitoring it is very hard to spot suspicious activity, and the result may be unprecedented damage with negative implications for the firm's bottom line.

Line of action: The IT department should employ both in-house and outsourced security and monitoring solutions, which will ensure that attacks are flagged in time.
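As an added example that serves both item 3 and item 4 above (it is not code from the original post): a small Python detector run over constructed authentication log lines. It shows why failed events must be logged as well as successful ones: the password-guessing pattern it flags disappears entirely when only successes are recorded. The log format, field names and the failure threshold are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not from the original post).
SAMPLE_LOG = """\
2008-11-20 09:01:12 host1 auth: FAILED login user=alice src=10.0.0.5
2008-11-20 09:01:15 host1 auth: FAILED login user=alice src=10.0.0.5
2008-11-20 09:01:19 host1 auth: FAILED login user=alice src=10.0.0.5
2008-11-20 09:01:23 host1 auth: FAILED login user=alice src=10.0.0.5
2008-11-20 09:01:31 host1 auth: SUCCESS login user=alice src=10.0.0.5
2008-11-20 09:05:02 host1 auth: SUCCESS login user=bob src=10.0.0.9
2008-11-20 09:06:40 host1 auth: FAILED login user=carol src=10.0.0.7
2008-11-20 09:07:01 host1 auth: SUCCESS login user=carol src=10.0.0.7
"""

# Assumed line layout: "<date> <time> <host> auth: <FAILED|SUCCESS> login user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) auth: (?P<outcome>FAILED|SUCCESS) "
    r"login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def successes_only(events):
    """What the log looks like when a system records only successful logins."""
    return [e for e in events if e["outcome"] == "SUCCESS"]

def find_suspicious(events, threshold=3):
    """Flag a (user, source) pair whose successful login came right after at
    least `threshold` consecutive failures from the same source: a classic
    password-guessing pattern that is invisible without the failed events."""
    streak = defaultdict(int)
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if e["outcome"] == "FAILED":
            streak[key] += 1
            continue
        if streak[key] >= threshold:
            alerts.append({"user": e["user"], "src": e["src"],
                           "failures_before_success": streak[key], "at": e["ts"]})
        streak[key] = 0
    return alerts
```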

B. The Accounts

1. Impose the use of strong passwords
In many information systems the password used to access the system is the sole line of defense against unwanted intrusion. If the password is made up of simple letters and numbers, the system faces an increased incidence of attack. The IT department should insist on complex passwords to counter such attacks.

Line of action: To create a strong password, use a combination of symbols, numbers, and letters, and make it stronger still by mixing upper- and lower-case letters.

2. Introduce standards for your accounts

Company staff should be granted only the privileged access they need to do their jobs. This access should be decided by management, not by the IT department. The systems should also be structured so that default user accounts cannot access them.

Line of action: In designing the account standards it is mandatory to include the following: default levels of access, a definition of account owners for ease of maintenance, password standards, and conventions for account naming.

3. Erasure of expired accounts

Expired accounts are known to serve as easy routes for breaching system security. They should be deactivated on a regular basis.

Line of action: Once all important details, including both information and tasks, have been moved to active accounts, the expired accounts should be deleted.

4. Eliminate all group accounts

It is counterproductive for the firm to allow multiple persons to log in to systems using the same password. This poses a major threat because it becomes nearly impossible to trace the source of a malicious intrusion. Every employee should therefore be given a designated, individual password.

Line of action: As described above, individual passwords must be issued. This brings more accountability and makes it easier to trace the source of malicious code.
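An added example covering items 2 to 4 above (not code from the original post): a Python audit of a constructed account roster against the account standards (defined owner, naming convention, default accounts), expired accounts and group accounts. The roster layout, the naming convention, the list of default account names and the 90-day idle limit are assumptions of the example.

```python
import csv
import io
import re
from datetime import date

# Constructed account roster in CSV form (not data from the original post).
ROSTER_CSV = """\
account,owner,kind,last_login,status
jsmith,Jane Smith,individual,2008-11-18,active
warehouse,,group,2008-11-19,active
tmbrown,Tom Brown,individual,2008-05-02,active
guest,,individual,2008-11-01,active
ajones,Amy Jones,individual,2008-09-30,left_company
"""

# Assumed naming convention: 2 to 8 lowercase letters (initial + surname).
NAMING_RE = re.compile(r"^[a-z]{2,8}$")
# Assumed list of vendor/default account names that should never stay enabled.
DEFAULT_ACCOUNTS = {"guest", "admin", "administrator", "root"}

def audit_accounts(csv_text, today="2008-11-20", max_idle_days=90):
    """Return {account: [issues]} for every account that breaks a standard."""
    today = date.fromisoformat(today)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, issues = row["account"], []
        if row["kind"] == "group":
            issues.append("group account: a shared password defeats accountability")
        if not row["owner"]:
            issues.append("no account owner defined")
        if not NAMING_RE.match(name):
            issues.append("name violates the naming convention")
        if name in DEFAULT_ACCOUNTS:
            issues.append("default account should be disabled")
        if row["status"] != "active":
            issues.append("owner has left: move data and tasks, then delete")
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle > max_idle_days:
            issues.append(f"idle for {idle} days: treat as expired")
        if issues:
            findings[name] = issues
    return findings
```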

C. The procedures required to be followed by firm employees

1. Ensuring that employees are informed about the importance of securing company information

Even if employees are familiar with the use of security solutions, there is a need to instill in them the vital role that information security plays in the well-being of the firm. Employees should be given designated security tasks that they must carry out.

Line of action: Ensure that employees read and understand the firm's information security policies.

2. Make sure that all employees are familiar with the use of the various information security tools.

The IT department should ensure that all firm employees are conversant with the use of firewalls, anti-virus software, and passwords.

Line of action: The IT department must hold regular training sessions to keep staff updated and informed about the correct use of virus scanners, passwords, and other security tools.

3. Enforce a strict procedure for personnel dismissal

The IT department must be given timely notice of the dismissal of any employee. This provides enough time to reconfigure the security system, preempting the risk that malicious former employees may pose.

Line of action: Make sure that all access rights and controls that had been assigned to former employees are removed.

4. Design an incident response plan to be used whenever threats and attacks are discovered

This master plan is called into play whenever a threat materializes. It details the roles that various persons will play in mitigating the damage from different types of security breach.

Line of action: With such a plan in place it will be easier for the IT department to coordinate the attack responses and recovery efforts that may be necessary after information systems have been breached.



D. All about the firm’s security methodologies

1. Regularly review the method used to authenticate remote users
Remote users, especially those who access the firm's information systems over the web, must be properly authenticated.

Line of action: The authentication system should be based on at least two of the following: something you know, something you are, or something you have.
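An added example, not from the original post: a Python check that accepts a remote login only when two factors pass, a password (something you know) and a one-time code from a token or phone app (something you have). PBKDF2 for the password hash, HOTP/TOTP (RFC 4226/6238) for the code, the constructed user record and the one-step clock-drift window are assumptions of the example.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)

# Constructed user record: the password hash is the "thing you know"; the
# TOTP seed shared with the user's token is the "thing you have".
SALT = b"constructed-per-user-salt"   # assumption: one random salt per user
ROUNDS = 100_000

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ROUNDS)

USER = {
    "password_hash": hash_password("correct horse battery"),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed, illustration only
}

def verify_login(user, password: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the login only if BOTH factors check out. Comparisons are
    constant-time, and codes from the adjacent time steps are accepted to
    tolerate small clock drift between the server and the token."""
    password_ok = hmac.compare_digest(hash_password(password), user["password_hash"])
    code_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + k * 30), code)
        for k in range(-window, window + 1)
    )
    return password_ok and code_ok
```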

2. Review the communication network

The IT department should work with management to detail the services and applications that will be accessible through the firm's network and the Internet. All other, unwanted sites should be blocked using well-configured firewalls.

Line of action: It will be the onus of the IT department to ensure that only the approved accesses are made available to staff.

3. The need for classification of firm data

The IT department should undertake an exercise to categorize data by sensitivity, by the risk of theft or loss, and by the impact the data has on the firm's business.

Line of action: This classification lays the basis for how firm data will be protectively stored, used, and transmitted.

4. Ensure that the firm's security vendors carry out regular vulnerability assessments

Such assessments will help the firm determine the areas that require most urgent attention in terms of security measures.

Line of action: The IT department should arrange such assessments (with the aid of qualified IT security consultants) on a regular basis, making it much harder for the firm to suffer unexpected breaches of its information security system.
