Recent IT security breaches have increased corporate management’s awareness of the need for a comprehensive approach toward information management security practices. Organizations without an effective IT security plan as part of their overall enterprise information strategy run the risk of:
- Increased system support costs due to cyberhackers.
- Reduced revenues as a result of system downtime.
- Decreases in employee productivity levels.
- Opportunity costs associated with lost business revenue.
- Lost market share and brand erosion due to negative PR.
- Potential exposure to litigation by various stakeholders such as clients.
A recent poll of more than 500 computer security professionals conducted by the Computer Security Institute (CSI) indicated that 90 percent of respondents had encountered computer breaches during the past 12 months. More than 60 percent of respondents had also suffered combined financial losses in excess of $300 million as a result of hackers breaking into their systems.
Basic elements of information security
Every organization utilizing information technologies should ensure the following key elements are part of an effective information security management plan:
- Updated documentation of various IT components, ranging from hardware and software to IT and data management policies and procedures. — An up-to-date systems document not only enables better security management but also reduces the organization's overall risk exposure.
- Properly implemented and monitored network security infrastructure. — Most managers do not realize how many devices are involved in enabling today's computer communications. Given the wide range of routers, switches, and bridges in use, it is imperative to have an ongoing equipment assessment and monitoring regimen in place.
- The latest version of enterprise virus protection software installed on all machines. — With the increasing number of cyberthreats, it is very important to have a solution in place that can respond to the latest viruses and threats in a short time period.
- Disk and e-mail encryption technologies used on all devices to reduce information piracy. — Corporate data is a valuable digital asset that is stored everywhere and, as such, is easy to lose or have stolen.
- Updated and routinely validated Disaster Recovery (DR) and Business Continuity (BC) plans. — DR is the IT component of a BC plan and, like any plan, DR and BC need to be updated, validated, and tested at least once a year.
- Protected passwords, scripts, and any other system access information. — Regimented password policies are unpopular, but this practice drastically reduces the risk of unauthorized system access.
- User accounts of employees no longer affiliated with the organization promptly disabled. — It is simply good business practice.
- All devices protected by tools such as key locks for theft prevention. — IT equipment really does walk when it is not secured.
- Use of access control software restricting the use of devices to authorized and authenticated users. — There have been many recent and exciting developments in this arena.
- Ongoing education of employees on IT security policies and procedures. — Continuous employee education has proven to provide the highest ROI for IT risk reduction.
With the proliferation of emerging technologies such as the Web, wireless, and social computing, your organization must be disciplined in its information security practices. Many organizations have even designated a chief security officer (CSO) who stays updated with the latest industry practices and acts as an advocate for those practices throughout the organization.
In summary, all organizations will experience an increase in IT risk as their reliance on information technologies grows and as IT systems become more interconnected. There is no single approach that fits the bill for every organization; an effective approach depends on each organization's unique needs, capabilities, and priorities. Lack of a systematic approach to this issue can result in substantial branding, financial, and productivity losses. The good news is that such scenarios can be avoided through proper implementation of widely available and proven solutions.
Sassan S. Hejazi can be reached at Email or 215.441.4600.