PROBLEM | SOLUTION

Risk assessment

1. On thinking about IT and computer security, you don’t even know where to begin.

Solution: Conduct a risk assessment and compile a list of all your electronic resources. We call ours our Intellectual Capital Register. Decide which resources, departments or other areas most deserve protection or require immediate attention. Use the result to improve your IP Strategy. The security of your transaction or customer relationship management database is vital, especially if it contains customer credit card details and personal information.

2. Nobody can remember when data and IT security measures in your organisation were last reviewed and updated.

Solution: The pace of change in IT is self-evident. Regular monitoring and review are essential. Use them to plan for survival in the event of IT department staff losses, fire, flood, theft and other calamities. Make a person or department responsible for routine monitoring.

3. You don’t know the level of risk or cost consequences of potential data or IT security breaches.

Solution: Refer to your IT, business systems, insurance and legal advisers. A useful risk-assessment tool is an online calculator run by Darwin Professional Underwriters.

4. Your IT system has previously been penetrated and you want to be ready to act quickly next time.

Solution: Obtain technical advice on how to monitor your firewall logs regularly. They generally contain details such as the source IP address, the destination IP address and port, times and dates and other technical information. Ensure they are backed up and archived for long enough to be useful.

5. Computer viruses cause damage, ranging from annoying to catastrophic problems.

Solution: Ensure all anti-virus software is up to date. The range of other pests includes Trojans, malware and worms. Never plug a computer into a network until it is properly patched and has had anti-virus software installed.

6. Software versions are out of date. Could this cause a problem?

Solution: Yes. Keep software up to date as appropriate. Check key software providers’ websites regularly for updates or news on security patches.

7. Your data requires very high levels of protection and it’s in a high-risk environment which could benefit from vulnerability testing.

Solution: Employ “penetration testing”. IT professionals will test systems to see if they can “hack in”. To gain from the test results, ensure the parameters of the tests are clear.

Email and online communication

8. Embarrassingly, staff have copied and emailed documents which have document metadata identifying the name of another client.

Solution: Educate staff to check, change or delete metadata as a routine activity before transferring documents or files to others outside your organisation who are not meant to see it. For example, a Microsoft Word or Excel document contains properties that reveal information such as the creator’s name and the date of creation. Failure to realise this has affected individuals in the highest offices in business (Microsoft) and government (members of the Bush Administration).

9. Staff habitually email personal attachments from their home computers to distribute via the office.

Solution: Consider staff training on the dangers of attachments. Email attachments are among the most common carriers of viruses. Tell staff “Don't download anything unless you trust the sender — and the file.”

10. People are involved in personal disputes over email.

Solution: Again, common sense is needed for personal communication. Emails “leak”. A copy may be present on every computer an email travels through. Also, a recipient may be accidentally added. Someone may for whatever reason forward an email that was intended as a private or personal communication. All this can result in legal issues. Include rules and guidance in policy manuals.

11. Spam has gone through the roof!

Solution: Even the best spam-blocking programs provide only a partial solution. People additionally need simple, actionable rules and guidance on recognising phishing and other common scams, on not replying to spam as a general rule (it only helps email harvesters), and on using non-company email addresses (eg Hotmail, Gmail or Yahoo!) for their purely private emails.

Legal compliance and legal action

12. Some industries are affected by sector-specific strict liability obligations under legislation.

Solution: Obtain and act on legal advice relevant to your specific industry or sector; eg privacy law has a specific impact on the health and financial sectors. See the Office of the Privacy Commissioner.

13. You don’t know if your organisation keeps electronic records or copies of emails for a legally sufficient time.

Solution: Several dozen separate laws apply in Australia to the question of how long records must be kept. They range from business records to tax returns. Contact us and we will email you a Document Retention Guide; see also the Records Management Association of Australia.

14. Employees are concerned about monitoring of their “personal” email.

Solution: You should take appropriate steps to ensure compliance with the law before monitoring employees, their emails, other communications and movements. Our Employment Contracts and Employment Law Documentation incorporate such compliance.

15. You think a standards-based approach would sit well with your “best practice” reputation, but are unsure what it means for IT and data security.

Solution: Seek professional advice on available information standards, including for project management, contract and document management and legal knowledge management. Useful Australian and overseas “official” standards, industry codes and reference standards are available to manage many topics including risk, human resources, projects, record keeping, knowledge, compliance, disaster recovery and business continuity. See SAI Global, the International Organization for Standardization and BSI British Standards.

16. An employee has used pirate software and files, exposing your organisation to legal liability to the software provider, and media ridicule.

Solution: Organisation policies should state a zero-tolerance policy against pirate software and data files. Companies are regularly raided by the Business Software Alliance with court orders permitting seizure of pirate software. Your Asset Register should include all computer hardware and IT devices. You might also keep records there identifying the licences for all software. Consider rationalising your software licensing practices to simplify such record keeping.

17. Your organisation’s privacy policy is so general as to provide no practical guidance.

Solution: Develop an in-house expanded privacy policy which sets out guidelines for staff on activities involving personal and private information, eg of customers and employees. The guidelines are needed for many types of transactions involving such information, eg sale of your business or licensing rights to others.

18. In worst-case scenarios legal action is necessary. Are your documents and records in a proper state, ready for delivery for court or police action?

Solution: Be proactive: prepare for success in legal action by implementing processes, record keeping and contracts to ensure you can rely on the armour of civil and criminal law. Contact us for practical advice guides, eg Document Retention Guide, How to prepare a file note, and Legal Knowledge Management Guide.

19. A laptop taken home by a senior finance department executive has been stolen. It had client credit card details in a database file on it.

Solution: In your core policies, eg your policy and procedure manual, you should have clear rules for laptop use outside the office and for data on the laptops. If practical, implement a check-in and check-out procedure to ensure all laptops are accounted for. A recent illustration of the risks is the UK case involving Nationwide Building Society. It was fined £980,000 under the Financial Services and Markets Act 2000 for failure to take “reasonable care” to protect information contained in an employee's laptop which was stolen. The laptop contained details of around 11 million account holders, although corresponding PIN codes and passwords were not included.

Passwords

20. Computer, program or Website passwords are misplaced, forgotten or lost as personnel change.

Solution: Obtain technical advice. Consider preparing a register of passwords. Obviously this requires the utmost care and consideration and very secure storage.

21. Employees are selecting passwords that are obvious and can be easily guessed or hacked.

Solution: Distribute information on what makes passwords harder to hack, eg dtg#$840, a password that combines letters, numbers and symbols. Also, in your IT security policy, consider setting guidelines for administrator levels and for setting and resetting passwords.

22. Some computers or data require higher than usual levels of protection.

Solution: Obtain technical advice. Consider setting variable levels of computer and data protection depending on defined criteria, eg the value of the data or the level of risk. Consider classification of data from a security, value or risk perspective. Consider setting up automated email notification on access by anyone to certain files. Monitor for exceptional patterns in access to such files (eg level or frequency of access, or access where there’s no current need or project).

Policies, auditing and record keeping

23. Employees do not seem to adequately follow, or are not aware of, IT use policies.

Solution: First, consider conducting staff training as discussed below. Second, integrate adherence to your IT use policy into employment and contractor agreements and documents. For example, ensure employment contracts refer to the policy and even incorporate the terms of the policy into the agreements.

24. Employees are not aware of practical and legal obligations which apply to their use of IT and email communication.

Solution: Prepare an Information Security Policy (focused on concise and relevant “Dos” and “Don’ts”) or include all that in a broader Communications Policy which also covers use of email and other means of correspondence or communication. It is useful to ensure all staff sign a copy of the policy document or a register acknowledging they have read it.

25. Pirated MP3 music files and illegal content are being stored on your computers.

Solution: Conduct periodic IT network audits or random sampling to check downloads on computers. Notify staff of this possibility in organisation policies.

26. IT audits have found employees are looking up pornographic, inappropriate or illegal material on computers.

Solution: Include in your policy manual rules for staff use of the Internet. There are now regular reports on court action against Internet abuse by staff at all levels. It causes potential legal liability, negative publicity, business disruption and loss of staff morale. Web browsers, like Internet Explorer and Firefox, can be “cleaned” (eg by deleting history caches or files) and configured to reduce the level of information gathered by third parties in the background during Web browsing. Also note there are programs such as Anonymizer.

Training

27. Staff have poor computer skills and poor appreciation of security issues and threats.

Solution: As human error is the most common cause of security breaches, IT security requires an attitude and framework more than a product. Enforce legally binding contracts, introduce a proper or integrated human resources management system and then build on this with technical and other advice by conducting regular training of your staff to raise awareness about security issues. Also consider broadcasting the occasional email to staff on the topic of security.

28. Improper written communication is harming your business. It’s not just poorly worded emails; it also involves Excel and Word files being sent without sufficient editing or “legal labelling” (eg IP notices and disclaimers).

Solution: Run staff training to improve business writing skills, business communication generally and understanding of business communication protocols. Introduce or improve your House Style Manuals. Educate staff to use IP Notices, eg warning statements on trade marks, copyright and confidential information. See our articles 10 habits for better business writing and Email Abuse.

29. Staff use email inappropriately. They often write a short email saying “Agreed” to business proposals even before they review the full financial terms and legal conditions that apply.

Solution: Consider running our in-house workshops on business writing and the business deal-making and contracting process. Educate staff not to make spam-like broadcasts. Educate staff on good procedures to follow when attaching files, eg checking that the wrong file has not been accidentally attached. Consider obtaining our advice on use of IP Notices, which covers disclaimers and notices for copyright, trade marks and confidential information.

30. Whilst everyone has a basic understanding, you still rely far too heavily on IT people.

Solution: Engage IT consultants to provide IT and software skills training and educate all staff, including senior management levels or specific high-risk departments.

Backup and archiving procedure

31. Regular or routine backup procedures do not exist.

Solution: Obtain technical advice on what suits your situation. Carefully identify the files and programs that need to be backed up and ensure it is done regularly.

32. If the backup itself fails, is destroyed or lost, you can be in big trouble.

Solution: Store backups securely, preferably off-site. Test backups to ensure restoration is possible. Businesses in New Orleans that did both these things survived the Hurricane Katrina flood in August 2005.

Premises and network security

33. A server “crash” has caused loss of a full day’s work.

Solution: Work out how many hours or days of data your organisation can afford to lose in a server crash. Then obtain technical advice to cover such a period. If necessary or appropriate, arrange for a period of uninterrupted power for servers to ensure graceful shutdown in the event of server failure.

34. Police report that stolen laptops and mobile phones are rarely recovered.

Solution: Engrave or attach non-removable labels to all your hardware as a deterrent to thieves.

35. Hackers are regularly breaking through your firewalls.

Solution: Obtain technical advice to properly configure your firewall. Regularly examine firewall logs to monitor for unusual activity. If your Website or Internet connections have slowed, that could be a sign of a hacker present.
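Items 4 and 35 both rely on reading firewall logs for unusual activity. As an added example, not code from the original article, the script below parses a constructed log (time, action, source IP, destination IP and port) and flags a source that touches many distinct ports and a source repeatedly denied at one port; the log format, the addresses (documentation ranges only) and the thresholds are assumptions to adapt to your own firewall.

```python
import re
from collections import defaultdict

# One line per connection attempt: time, action, source IP, destination IP:port.
# This format is constructed for the example; adapt LINE_RE to your firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Constructed sample log: one source probing six ports, one source hammering
# port 22, some normal traffic, and a line in a format the parser does not know.
SAMPLE_LOG = "\n".join(
    [f"2007-05-14 02:13:{i:02d} DENY 203.0.113.45 -> 192.0.2.10:{p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    + [f"2007-05-14 03:{i:02d}:00 DENY 198.51.100.7 -> 192.0.2.10:22"
       for i in range(12)]
    + ["2007-05-14 09:00:00 ALLOW 192.0.2.50 -> 192.0.2.10:80",
       "2007-05-14 09:00:01 ALLOW 192.0.2.50 -> 192.0.2.10:443",
       "May 14 09:00:02 kernel: unrelated message in another format"]
)


def parse(log_text: str) -> list:
    """Parse log lines into dicts; lines in an unknown format are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            events.append(e)
    return events


def review(events: list, scan_ports: int = 5, deny_limit: int = 10) -> list:
    """Flag sources touching many distinct ports and sources with many denied
    attempts at one destination port. Thresholds are assumptions; tune them
    to what is normal for your network."""
    ports_by_src = defaultdict(set)
    denies = defaultdict(int)  # (src, dst, port) -> number of denied attempts
    for e in events:
        ports_by_src[e["src"]].add(e["port"])
        if e["action"] == "DENY":
            denies[(e["src"], e["dst"], e["port"])] += 1
    findings = []
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= scan_ports:
            findings.append(("many-ports", src, len(ports)))
    for (src, dst, port), n in sorted(denies.items()):
        if n >= deny_limit:
            findings.append(("repeated-deny", src, f"{dst}:{port} x{n}"))
    return findings


def review_log(log_text: str) -> list:
    """Parse then review; returns the list of findings for the whole log."""
    return review(parse(log_text))
```

A finding is a prompt to look closer at that source in the archived logs, which is why item 4 asks for the logs to be kept long enough to be useful.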

36. You wish to completely stamp out staff use of certain materials online.

Solution: You may wish to use programs which can block staff from accessing some Websites or content, eg peer-to-peer file sharing sites. (The music industry has taken legal action against several universities which it says are not doing enough to block P2P file sharing.) If your Internet connections have slowed, it could be a sign that there is a “bandwidth hog” present, eg unwanted files from file sharing services.

37. There has been unauthorised copying of sensitive client data while wireless networks were used.

Solution: If your network is wireless, ensure proper encryption is set up to prevent unauthorised access. Obtain technical advice.

38. Employees install software on computers that leads to problems.

Solution: Take technical steps to restrict unauthorised installation of programs through different administrative access profiles. This way, only an administrator can install software.

39. You installed a new software program which seems incompatible with your existing system.

Solution: Experts warn against using the first version of software, especially any new operating system. Read reviews, obtain technical advice or wait until the software is stable and others have found the bugs.

Website security

40. Your business has become heavily dependent on its Website. Does this form part of IT security?

Solution: Yes. Websites are the number one target for hackers. Apply equal rigour to Website security as you do to your computer systems. It is not unusual to hear of Websites, and sometimes their related businesses, closing due to a catastrophic loss of all data, little or none of which had been backed up or archived. Back up your website content regularly, including SQL database tables, PHP/ASP script files and HTML documents. Ensure proper content management records are kept and archived.

41. Employees and clients want an intranet or extranet for remote access but you fear exposure to more IT security problems.

Solution: Obtain technical advice on use of HTTP authentication for restricted areas of Websites, eg “client access” zones.

Software licensing

42. Depending on the size of your organisation there can be many different copies of software and accompanying licences to manage.

Solution: Include in your policy manual a rule that software may be installed only by one person or department, to centralise tracking of all appropriate licences.

43. Non-genuine software can cause problems with things such as enforcement of warranties.

Solution: Only buy software from authorised software resellers.

44. Prior versions of software and beta versions can cause issues with licensing.

Solution: Delete all prior versions of software when upgrading.

Intellectual property protection

45. Your organisation’s domain name has been taken after someone forgot to renew the domain registration.

Solution: Take legal action for domain name infringement. Keep an Intellectual Property Register. One section of our template Register lists detailed records on domain names and is a useful place to keep domain name renewal dates and contact details. It helps to prompt measures to reduce cybersquatting, typosquatting and URL hijacking resulting from misspellings, typing errors and use of the wrong domains (eg .com not .com.au).

46. Confidential information and files have been stolen or copied.

Solution: Use confidential information procedures, IP Notices (eg warning statements on trade marks, copyright or confidential information), and documents and contracts. Consider installing software that will prevent removal of data by typical methods such as USB or FTP transfer. Similar considerations apply to use of PDAs, smart phones and other mobile devices.

47. Staff are making comments in online forums, newsgroups, chat rooms and on blogs using their office email addresses or website reference.

Solution: While generally not an issue, common sense is needed. Comments might reveal confidential information, expose an employee to threats from angry outsiders, and affect your organisation’s brand. Use search engines to monitor what is said about your organisation, and by whom.

48. Financial bid information has leaked from a major top secret tender proposal prepared for a client.

Solution: Use password protection and encryption techniques where appropriate, ie if you transfer highly confidential files between offices or to clients.

49. People have infiltrated your system from within, by installing software on your machines or attaching devices in your building.

Solution: Ensure your server is physically secure, as well as your premises. Check security measures near your reception desk. Further in, keys, separate passwords, security cards or locks might be appropriate, including for individual offices, filing cabinets and any server room. Keep records of all these measures: in court, the measures can indicate that the data is confidential and has value, and hence a court will more readily make orders to protect the data.

50. A confidential webpage or intranet page is appearing in search engine results.

Solution: Sometimes search engines add confidential pages to their search results. This can be avoided by measures ranging from keeping confidential material off your Web server through to using a robots.txt file to control what information search engines add to their index.
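As an added example, not code from the original article, the check below uses Python's standard-library robots.txt parser to list which confidential paths a constructed robots.txt still leaves crawlable and which directory names the file itself publishes. Since robots.txt is only advisory and is readable by anyone, every path it names still needs the HTTP authentication of item 41 or should be kept off the server; the robots.txt text and the paths are constructed for the example.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for the example; the directory names are made up.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /intranet/
Disallow: /clients/
Allow: /public/
"""

# Constructed list of pages that must never appear in search results.
CONFIDENTIAL_PATHS = [
    "/intranet/board-minutes.html",
    "/clients/acme/retainer.pdf",
    "/reports/tender-2007.pdf",  # forgotten: covered by no Disallow rule
]


def load_robots(robots_text: str) -> RobotFileParser:
    """Parse robots.txt text offline into a RobotFileParser."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def still_crawlable(robots_text: str, paths: list, agent: str = "*") -> list:
    """Return the confidential paths a rule-abiding crawler may still fetch."""
    rp = load_robots(robots_text)
    return [p for p in paths if rp.can_fetch(agent, p)]


def disclosed_prefixes(robots_text: str) -> list:
    """Return the path prefixes that robots.txt itself publishes to every reader.
    Listing a directory tells the world it exists, so each prefix must also be
    behind authentication or kept off the server entirely."""
    prefixes = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            prefixes.append(value.strip())
    return prefixes
```

Feed still_crawlable your real robots.txt and the list of pages you consider confidential; anything it returns is indexable by a well-behaved crawler, and anything disclosed_prefixes returns is visible to anyone regardless of crawler behaviour.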

51. Data has been lost or stolen; you think you know by whom, but you have no list to check the loss with precision.

Solution: If you don’t know what you have or had, it is difficult or impossible to prove to a court what you lost or what was taken. We provide advice on knowledge management (see our Commercialisation & Knowledge Management services); it is especially useful for businesses built on intellectual property. See also The Australian Business Excellence Framework. If you don’t have a working definition, in the context of your organisation, of the meaning of “knowledge management” and “information architecture”, then you need to find out before you can educate employees, contractors and others with whom your company collaborates.