Focus on security
November 17, 2008

Secure the individual, secure the organization
Rising security threats require diligent and well-trained employees
While technology continues to evolve, improving the ease with which business is conducted, so too does the risk associated with technology’s use. The risks of data theft, the malicious misuse of secure information and the spread of harmful viruses are always present. As a result, defending corporate security, privacy and e-mail systems is extremely important but can be among the most difficult and demanding of all IT tasks.
From the appropriate and safe use of social networking tools to the safeguarding of remote networks and mobile computing devices, to the generation, categorization and storage of private data—the experts in this supplement shed light on the latest and most effective corporate security practices and procedures.
An important shift is taking shape in the corporate world, one which reallocates responsibility for privacy and security from the technology to the person, placing administrators, managers and developers in charge of securing corporate assets and procedures. This trend demands that organizations take responsibility for educating employees in order to stay on top of security advancements.
Fighting back against attackers, technology companies also play a role by continuously releasing innovative network, software and security products and services, which must remain high on the radar of small and large businesses alike.
While some organizations are still opting out of certain information technologies because of continued uncertainty about their safe use, experts in the field encourage education rather than avoidance. With the right amount of awareness and advance planning, no organization need be subject to privacy attacks. Use this supplement as a launching pad to help your company reap the rewards of IT without experiencing any of the potential losses.
Social media still requires security tools
YouTube, Facebook and MySpace can deliver both benefits and vulnerabilities
There is an evolution occurring in the business world, which involves the increased use of social media platforms such as Facebook, YouTube, MySpace, instant messaging and blogs to help promote improved communications. But as businesses continue to recognize the internal and external benefits of using these tools, an increased focus on security is necessary.
Within organizations, these networking tools facilitate collaboration and cohesion amongst employees and speed up the innovative process. Externally, advantages include the potential for an advanced market reach and the possible generation of critical feedback on products and services from the consumer ecosystem and other relevant stakeholders. “It is possible to pull from this dialogue a lot of information that can help the business further develop core service offerings as well as implement new and unique ways of using a product or service,” says Malcolm Harkins, General Manager of Information Risk and Security with Intel Corporation.
Though these corporate advantages are being realized by some, many people in the business world continue to assume that allowing the implementation of social media in the workplace poses far too many risks. “I strongly believe that it is too risky not to implement these tools,” says Harkins. “You have to run towards what appears to be risky in order to help shape it not to be so.”
This means that along with realizing the advantages of these tools, companies must simultaneously begin implementing policies that ensure the education of employees and the development of standards in terms of the appropriate use and dissemination of information. “People are the perimeter,” he says. “Employees need to be trained not only on how to use the technology to achieve the results expected but also the risks that can occur with the misuse of the technology. People can be taught to recognize risky behavior and respond to attacks.”
An organization also has to consider the information it is both collecting and offering, and what is being done with it. Simply put, the more information an individual or corporation makes available online, the more opportunity there is for identity theft, the spread of viruses and the misuse or misrepresentation of secure information. “It is essential to consider, then, what you share, how you share it and who has access.”
The same is true for the corporate information flow through the mobile access of data. While some businesses remain threatened by the security risks associated with sharing data through wireless networks, USB devices, laptops and PDAs, Harkins advises that those who resist change as a result of perceived risks often miss the opportunity to prevent risk altogether.
“A company that is afraid of mobility may require that all of its employees use desktop computers and may restrict the free flow of corporate information,” says Harkins. “But employees who need to transfer data (in order to work from home or to collaborate on certain projects) will find alternate solutions such as the emailing and printing of documents in an undoubtedly less secure fashion.”
People are the Perimeter: a strategy Intel implemented a few years ago that reexamined the way the company viewed data security.
The old paradigm
The perimeter was expressed in castle-and-drawbridge terms. The perimeter was thought of as a wall of technology that isolated and completely protected the workers behind it.
The reality
The outside world is growing exponentially with an increasingly dispersed and transient data load and workforce.
The direction
The responsibility for security needs to shift from the technology itself to the people who manage and use the technology.
Security needs to be implemented not as a wall but as a collective security force that permeates the entire organization.
People, through their actions, have the most significant role in securing the assets and processes of the organization.
Building a security plan
A five-step process to ensure corporate information security
It is rare these days to open a newspaper and not read something about a breach of privacy or theft of personal information. With technological advancements and an increased level of online activity, companies are required to implement ever higher levels of protection against security threats from both internal and external sources.
“To achieve the most comprehensive and consistent protection against threats to your company’s electronic information, you need a detailed plan, systematically applied and continually updated,” says Stephane Boisvert, President, Bell Enterprise Group.
To understand privacy and its role in the business world one must first understand the definition of private information. “That is any personal information that can identify specifically one individual without any doubt,” explains Boisvert. “This would include an individual’s Social Insurance Number, date of birth, PIN and health records—information that is usually available to the government and an employer but must be kept secure from public access.”
Before an organization can begin to determine how information (in the physical and ICT world) can be protected, it must first be classified. “Begin by dividing all information into four levels of classification from Public to Highly Confidential,” says Boisvert.
For example, the fact that Boisvert is a Bell employee is public information, whereas his personal health information is highly confidential. He may make that information available to Human Resources, but it should not be available to anyone else in the organization or to the public.
Once you have classified all of your information you need to define who has access to which classes, and develop a system that validates the identity of those individuals who are granted access.
“When using the best security practices for Internet usage, for example, you mitigate risk to your company and safeguard critical and confidential information,” says Boisvert. “In the process, you protect your business against the irreparable damage that could arise if confidential information fell into the wrong hands.”
When it comes to managing data in the IT world, the responsibility is on the organization to set up the appropriate infrastructure—also known as identity and access management—which will regulate the flow of sensitive and confidential information.
“This requires the implementation of firewalls, which function like locks, only allowing access to those with a key,” says Boisvert, “as well as Intrusion Prevention Systems (IPS) or Intrusion Detection Systems (IDS), which function like a camera and are able to prevent access to unwanted individuals and viruses.”
Finally, the company is responsible for proving without a doubt that those obtaining access to information are in fact who they say they are. This becomes somewhat more complicated in the online world, explains Boisvert. In order to ensure information is exchanged confidentially and placed in the right hands, companies often use a central agency that plays the role of Trust Agent. “This agency grants certificates to the parties who are sharing information in order to ensure the identity of those involved.”
Security Checklist:
- Determine what is private and what is not
- Categorize information into levels of confidentiality
- Place safes or firewalls around all private information
- Control who has access to what information
- Prove beyond a doubt that those accessing information are who they say they are
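The classification and access-control steps above (categorize, then control who may read each class) can be expressed as a deny-by-default policy check. This is an added illustration, not Bell's own code; the page names only the Public and Highly Confidential endpoints, so the two middle level names, the group names and the sample records are assumptions, and the principal's identity is assumed to have been validated already.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List


class Level(IntEnum):
    """Four classification levels, lowest to highest. The page names only the
    endpoints; INTERNAL and CONFIDENTIAL are assumed names for the middle two."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3


@dataclass(frozen=True)
class Record:
    name: str
    level: Level
    # Groups with a need to know. Empty means the level alone decides.
    need_to_know: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Principal:
    user: str            # identity, assumed already validated upstream
    clearance: Level     # highest level this person may read
    groups: FrozenSet[str] = frozenset()


def authorize(p: Principal, r: Record, audit: List[str]) -> bool:
    """Deny by default: the reader needs clearance at or above the record's
    level AND, when the record names need-to-know groups, membership in one."""
    level_ok = p.clearance >= r.level
    ntk_ok = not r.need_to_know or bool(p.groups & r.need_to_know)
    allowed = level_ok and ntk_ok
    audit.append(f"{'ALLOW' if allowed else 'DENY'} {p.user} -> {r.name} [{r.level.name}]")
    return allowed


# Constructed sample data mirroring the page's example: an employee's name is
# public, but their health record is highly confidential and HR-only.
DIRECTORY_ENTRY = Record("employee directory entry", Level.PUBLIC)
HEALTH_RECORD = Record("employee health record", Level.HIGHLY_CONFIDENTIAL, frozenset({"hr"}))

HR_ANALYST = Principal("hr_analyst", Level.HIGHLY_CONFIDENTIAL, frozenset({"hr"}))
EXECUTIVE = Principal("executive", Level.HIGHLY_CONFIDENTIAL, frozenset({"management"}))
CONTRACTOR = Principal("contractor", Level.PUBLIC)

if __name__ == "__main__":
    log: List[str] = []
    for who in (HR_ANALYST, EXECUTIVE, CONTRACTOR):
        for what in (DIRECTORY_ENTRY, HEALTH_RECORD):
            authorize(who, what, log)
    print("\n".join(log))
```

Note that the executive is denied the health record despite holding the highest clearance: classification level alone is not enough, need to know also applies, and every decision lands in the audit log either way.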
CIA
In security, Boisvert explains, everything is based on this aptly named acronym.
Confidentiality means assurance that information is shared only among authorized persons or organizations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information. Such disclosure can take place by word of mouth, printing, copying, e-mailing or creating documents and other data.
Integrity means assurance that the information is authentic, complete and can be relied upon to be sufficiently accurate for its purpose. Integrity represents one of the primary indicators of security (or lack of it). Making copies of a sensitive document (say, by e-mailing a file) threatens both confidentiality and integrity because the data is at risk of change or modification.
Availability means assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
For further information visit www.bell.ca/enterprise
Protecting Web-based applications
Web functionality is often the biggest threat to your corporate security
One of the most important, yet overlooked, areas of IT security is the protection of web-based applications. “While most customer networks are well secured as far as the network is concerned, the areas that attackers are going for now are web-based and client applications,” explains Jason Thompson, Senior Security Consultant with NCI.
With 80 to 90 percent of credit card loss occurring as a result of attacks on web applications, and with increasingly strict security standards set out by the Payment Card Industry (PCI), businesses are becoming aware of the need to implement security measures.
“The sorts of attacks you hear about like SQL injection, cross-site scripting, and buffer overflow are just phrases until you see the serious damage they can cause,” explains Thompson. “Not only are these attackers able to harvest credit card and personal data but they can often gain administrative access to the database or web server, using the server as a jumping point to conduct attacks inside the network.”
While these attacks are easy to conduct, prevention is not as difficult as it may seem. “Most attacks are a result of the web server accepting user input that is not validated, so we work directly with developers and administrators to perform simple security hardening procedures to lock down applications against attacks,” says Thompson. Most importantly, a company can integrate security measures into its software development lifecycle, ensuring that as it builds applications it is testing for possible vulnerabilities.
“Developers aren’t aware of all the different attacks that are out there. Education and application security checks are essential to protect the information being collected.”
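To make Thompson's point concrete, here is an added example (not NCI's code) of the unvalidated-input flaw behind SQL injection beside its hardened form: a query built by string concatenation next to one that validates the input's shape and passes it as a bound parameter. The customer table, the e-mail pattern and the sample input are constructed for the example and run against an in-memory SQLite database.

```python
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1111")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """The flaw the article describes: unvalidated input pasted straight into
    SQL, so a quote character in the input changes the query's meaning."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


# Layer 1: a strict allow-list for the one input shape this endpoint accepts.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup_hardened(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Validate, then parameterize. Either layer alone defeats the tautology
    below; together they also cover inputs the validator's author did not foresee."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected: input is not an e-mail address")
    # Layer 2: the driver sends the value separately from the SQL text, so it
    # is only ever compared as data, never parsed as part of the statement.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed test input: the textbook tautology that turns the WHERE clause
# into  email = '' OR '1'='1'  and so matches every row in the unsafe version.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe  :", lookup_unsafe(db, TAUTOLOGY))
    try:
        lookup_hardened(db, TAUTOLOGY)
    except ValueError as exc:
        print("hardened:", exc)
```

The same pattern (validate the shape, then bind the value) is what the "simple security hardening procedures" in the quote amount to for data-driven pages, and it belongs in the development lifecycle as a test case rather than a one-off fix.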
For more information, visit www.nci.ca or call 866.370.8575
Take a layered approach to prevent data breaches
Stolen and compromised computers are the leading cause of data breaches. According to Absolute Software, the leading provider of firmware-based, patented computer theft recovery data protection and secure IT Asset management solutions, there are three simple ways to prevent a potentially catastrophic data breach.
1. Safely store laptops
Keep notebook computers locked in a secure place when not in use. If for some reason a laptop must be left in a car, make sure it is covered up and locked in the trunk prior to arriving at your destination.
2. Leverage anti-virus software, encryption solutions, anti-spyware and firewalls
Protect valuable information from being compromised by unauthorized access with data encryption software. It is also extremely important to make sure these programs are properly installed and kept up to date.
3. Equip laptops with asset management and recovery software
Laptop recovery tools are highly effective, especially those based in the firmware of computers. In addition, knowing what is on a computer, where it is and who is using it drastically reduces the threat of a data breach.
These easy-to-follow suggestions will greatly tighten data security and keep sensitive files out of the wrong hands.
For more information, visit www.absolute.com