Information Security: Protecting Your Most Valuable Asset

by Thomas G. Stephens, Jr., CPA, CITP, K2 Enterprises

Information is any organization’s most valuable asset. As proof, consider your response if you entered your office one morning only to find all of your data – in both electronic and manual formats – missing or corrupted beyond repair, with no ability to recover it from offsite backups. The sources of such catastrophic data losses vary widely. We face a daily deluge of viruses, spyware and other forms of malware. People both inside and outside our organizations attempt unauthorized downloads of our data. Unsecured laptops holding sensitive data are carried offsite, and the data is compromised. Hurricanes, fires, floods and other natural disasters strike and leave us without access to our critical business information. Hard disks in our servers fail, and we discover that we are unable to restore data from our tape backups.

What is the likelihood that you will face such situations? What would be the impact on your organization if you did? Would your organization be able to survive? Consider the following statistics:

Clearly, information – our most important asset – is at risk on a number of fronts. And, while there is no one-size-fits-all solution to this problem, there are reasonable steps that each and every organization can and should implement to minimize the overall risk to the entity. Some of the more common of these steps are detailed below.

First, the organization’s senior management team, working in concert with the information technology (IT) team, should develop and implement a set of written information security policies. These policies should address such areas as acceptable use of the organization’s IT assets, passwords, remote access procedures and anti-virus requirements. Employees must be trained on these policies and held accountable for adhering to them. While there are a number of good sources for policy templates, one outstanding resource for technology-focused template policies is The SANS Institute (www.sans.org/resources/policies).

Next, each computer on the network must be protected from outside attack, and this protection should be in place before the computer is attached to the network; a freshly installed machine placed on a network before it is patched can be compromised while the updates are still downloading. Properly protecting an individual workstation includes such tasks as disabling the guest account, disabling simple file sharing and ensuring that all operating system and application patches are installed. For the large majority of business computers, which run Microsoft Windows and Microsoft Office, perhaps the easiest way of ensuring that updates are downloaded and applied regularly is Microsoft Update, which may be accessed at no charge from www.microsoft.com.
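The three workstation checks just listed can be audited from a script rather than by eye. The following is an added example, not part of the original article and not a Microsoft tool; it assumes a Windows 10 or later machine with PowerShell 5.1, run from an elevated prompt with Internet access for the update search. The registry value, cmdlets and COM interface it uses are real; the $report layout and wording are this example's own.

```powershell
# Added example: audit the three pre-connection checks on a Windows workstation.
# Assumes Windows 10 / PowerShell 5.1 or later, run as an administrator.
$report = [ordered]@{}

# 1. The built-in Guest account must be disabled (or absent altogether).
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$report['GuestAccountDisabled'] = ($null -eq $guest) -or (-not $guest.Enabled)

# 2. "Simple file sharing" forces every network logon to use the Guest account. It is stored as
#    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest (1 = on, 0 = off); later Windows versions
#    expose the same value as "Network access: Sharing and security model for local accounts".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$report['SimpleFileSharingDisabled'] = ($null -eq $lsa.ForceGuest) -or ($lsa.ForceGuest -eq 0)

# 3. Patch state: ask the Windows Update Agent which applicable updates are not yet installed,
#    and record when the most recent hotfix was applied.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
$report['MissingUpdates']     = $pending.Count
$report['LastPatchInstalled'] = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

# Report. A machine showing any 'False' or a non-zero MissingUpdates is not ready to be connected.
[pscustomobject]$report | Format-List
if ($pending.Count -gt 0) {
    'Pending updates:'
    $pending | ForEach-Object { "  - $($_.Title)" }
}
```

Run it before the network cable is plugged in, using a known-good update source (for example a USB stick of patches or an isolated patching VLAN) to clear the MissingUpdates count; the update search itself needs connectivity to Microsoft Update, so on a fully isolated build it will report an error rather than a count.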

Anti-virus measures must also be implemented to protect against infection by viruses and other malware. For network-attached computers, it is generally preferable to administer virus protection centrally from the server; this ensures that virus signatures are updated frequently and that protection cannot simply be switched off at individual workstations. However, for laptop computers that may be disconnected from the server from time to time, locally installed protection that updates its own signatures over the Internet is also a must. Many good anti-virus programs are available; some of the leading vendors in this area include Computer Associates, McAfee and Symantec (Norton). In addition to anti-virus measures, computers should be protected from spyware and unsolicited e-mail, as these can also contribute to security breaches and losses of data.

Backup strategies must also be examined closely. Though many companies believe their data is being backed up to tape on a nightly basis, they are often surprised to find that the backup job has been failing and that, in the event of a disaster, they would not be able to restore their data. The only reliable check is a periodic test restore: a backup that has never been restored is an assumption, not a backup. To minimize this risk, companies are turning increasingly toward Internet-based backup solutions from companies such as Mistral, iBackup and Connected.com. These solutions provide for automatic backup of company data files over the Internet to secure, offsite storage facilities; before adopting one, confirm that the data is encrypted before it leaves your premises and that you, not the vendor, hold the encryption key. Often, the cost of implementing such a solution is less than the cost of attempting to continue backups using more traditional means.
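The failure the paragraph describes, a backup job that "ran" but cannot be restored, is caught by making the test restore part of the job itself. The script below is an added example, not from the article or from any of the vendors named; it assumes a Windows machine with PowerShell 5.1 or later, and the $Source and $BackupDir paths are placeholders to replace with your own. It backs up a folder, restores the archive into a scratch directory and compares every file against a SHA-256 hash taken from the original, so the job only reports success when the restore has actually been proven.

```powershell
# Added example: a backup job that proves its own restorability.
# Assumes PowerShell 5.1+; $Source and $BackupDir are placeholders for your own paths.
param(
    [string]$Source    = 'C:\Data',
    [string]$BackupDir = 'D:\Backups'
)
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $BackupDir "data-$stamp.zip"

# 1. Take the backup. -ErrorAction Stop aborts on any error instead of silently leaving a partial archive.
Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $archive -ErrorAction Stop

# 2. Record a SHA-256 hash of every source file, keyed by path relative to $Source.
$expected = @{}
$prefixLen = $Source.TrimEnd('\').Length + 1
Get-ChildItem -Path $Source -File -Recurse | ForEach-Object {
    $rel = $_.FullName.Substring($prefixLen)
    $expected[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
}

# 3. Test restore: expand the archive into a scratch folder and compare each file to its recorded hash.
$scratch = Join-Path $env:TEMP "restore-test-$stamp"
Expand-Archive -Path $archive -DestinationPath $scratch -ErrorAction Stop
$failures = @()
foreach ($rel in $expected.Keys) {
    $restored = Join-Path $scratch $rel
    if (-not (Test-Path $restored)) { $failures += "missing: $rel"; continue }
    $hash = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
    if ($hash -ne $expected[$rel]) { $failures += "corrupt: $rel" }
}
Remove-Item -Path $scratch -Recurse -Force

# 4. Report. A run that does not reach "OK" with zero failures has not produced a usable backup.
if ($failures.Count -eq 0) {
    Write-Output "OK: $($expected.Count) files backed up to $archive and verified by test restore"
    exit 0
} else {
    Write-Output "FAILED: $($failures.Count) of $($expected.Count) files did not restore correctly"
    $failures | Write-Output
    exit 1
}
```

Two caveats apply when adapting it. Compress-Archive cannot archive a single file larger than 2 GB, and files held open by a running application (databases, Outlook data files) may be skipped or copied in an inconsistent state, so those need an application-aware backup rather than a plain file copy. Verifying the restore also says nothing about where the archive lives: the article's point about offsite storage still stands, and the verified archive should be copied off premises, encrypted, as the next step of the job.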

For those companies allowing remote access to network resources, it is critical that any remote computer used to access the network maintain the same minimum level of protection as every other computer on the network. Thus, employees accessing the organization’s network from a home PC must implement the same security measures at home as are implemented in the workplace. Otherwise, the organization is at risk of being compromised through weaknesses in offsite computers it does not control.

Perhaps the most significant measure organizations can implement to reduce their risk is to ensure that employees understand the risk associated with data loss and to educate them on their role in minimizing such risks. This education includes making employees aware of scams and schemes such as “phishing” and “pharming” attacks, the importance of maintaining strong passwords, and the rule of never revealing a password to anyone, including callers or e-mails claiming to be from the IT department or a bank. As new sources of risk seem to appear almost daily, this education should be viewed as an ongoing and continual process to ensure that information security is a priority of all employees.

Because new threats appear constantly and because each and every organization is unique, the steps outlined above represent only the beginning of a plan to minimize the risk associated with data loss, whatever the cause. Nevertheless, implementing the steps outlined above – in addition to those mandated by unique organizational characteristics – provides a solid foundation for information security. Take action now, as the survivability of your business may depend on it.

Thomas G. Stephens Jr. is an associate with K2 Enterprises, the leading provider of technology-focused continuing education courses for accountants in North America. Stephens resides in Woodstock, Ga. and frequently presents CPE courses in Tennessee.
