Technical Tips
By Tom Snyder Ph.D.
How Small Firms Safeguard Critical Information - PART I
Information security is an issue for every business. The recent rash of viruses such as Code Red and Nimda, and disasters such as September 11th, remind us that our data is subject to loss or theft. These events also illustrate how much it can cost when information security is not actively managed. But how do businesses, especially smaller ones with fewer resources and possibly minimal technical support, begin to manage these risks? You need to prevent 1) unauthorized access to sensitive information and 2) loss of business-critical information. In Part I of this two-part series, I will show you how to prevent unauthorized access.
Some of the first things you should consider are:
Users can log on to Windows 95/98/ME computers without a password by selecting "Cancel" when asked for one. Windows 2000 and XP can protect files even if your computer is stolen and the thief can work on cracking its security measures at leisure. Irwin Jacobs, CEO of Qualcomm, had his laptop stolen while speaking at a meeting of the Business Editors and Writers. At the time, he remarked that EVERYTHING was on it, including company financials and his personal e-mail. The theft was especially distressing because he was running Windows 98, and therefore all his information was available to the thief. This situation is quite common, as 5% of all laptops are stolen every year.
Non-existent or simple passwords are the most common security problem. On the other hand, overly complex password rules are a problem as well, because they result in passwords being written on "post-it" notes, defeating the intended purpose. As a result, a careful balance needs to be struck when creating a password system.
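One way to strike that balance is to reject blank, common, and very short passwords while accepting long, memorable passphrases without forcing symbol rules that drive people to post-it notes. The checker below is an added example, not code from the article; its list of common passwords is a small constructed sample (a real deployment would check against a much larger breached-password list), and the 40-bit threshold is an assumed policy value.

```python
import math

# Constructed sample of blank/common passwords to refuse outright.
# A real system would use a much larger breached-password list.
COMMON_PASSWORDS = {"", "password", "123456", "qwerty", "letmein", "welcome", "admin"}


def charset_size(pw):
    """Estimate the alphabet size a password draws from (lower, upper, digits, other)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(pw):
    """Rough brute-force strength: length * log2(alphabet size)."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw, min_bits=40):
    """Return (accepted, reason).

    Length drives the score, so a long all-lowercase passphrase passes while a
    short password stuffed with symbols does not. min_bits is an assumed policy.
    """
    if pw.strip().lower() in COMMON_PASSWORDS:
        return False, "blank or common password"
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    bits = entropy_bits(pw)
    if bits < min_bits:
        return False, f"too predictable ({bits:.0f} bits, policy needs {min_bits})"
    return True, f"accepted ({bits:.0f} bits)"


if __name__ == "__main__":
    for candidate in ["", "Password", "P@ss1", "abcdefgh", "correct horse battery", "Tr0ub4dor&3"]:
        print(repr(candidate), check_password(candidate))
```

The passphrase "correct horse battery" is accepted on length alone, while "P@ss1" is refused despite its mixed characters, which is the trade-off the paragraph describes: strength users can remember beats complexity they have to write down.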
Over 80% of the companies I visit for the first time have their anti-virus software improperly installed. Even Microsoft could use improvement in this area: they recently lost some of their source code as a result of improperly configured anti-virus software.
Your e-mail can be intercepted. However, interception requires a wiretap and detailed knowledge of network operations. As a result, e-mail is considered by the American Bar Association (ABA) to be as secure as regular mail, faxes and phone conversations. It can be encrypted to provide additional protection, but this tends to be awkward and expensive. A few years from now, some government agencies will require encryption, most notably for the transmission of medical patient records. Given such future requirements, expect to see friendlier solutions in the next couple of years.
To eliminate the majority of your information security risk due to unauthorized access to sensitive information: use a secure platform, set up a file access policy and password system, install a virus protection program and use a firewall.
=========================
If you have questions or concerns about your particular situation, please e-mail me at
tpsnyder@xantrion.com.
=========================