The Five Security 'Musts' You Can't Ignore
While some elements of ensuring network and system security may be optional, there are at least five things you can't put off doing, says columnist Wayne Rash.
November 28, 2005
Last month I told you about some myths that have grown up around security, but that are not necessarily things you should believe.
This month it’s time for things you really do need to believe in and act upon if you’re to stay out of trouble. Instead of myths, they’re the “musts”: security actions you must take regardless of the size of your enterprise or your network.
But be forewarned, this is not a complete list. These are just the first things you must do. There are plenty of others that depend on your specific needs and infrastructure requirements. But if you start here, you’ll be on your way to having a secure environment, whether you’re on a single computer tied to a DSL line or running an enterprise with thousands of users.
1. Know Your Network
First, you have to learn what sort of protection against intruders exists on your network, both at the site of your ISP and at your own site. Then learn what sort of connections you have to the outside world. Of course, this will include your DSL or cable connection, but it may also include dial-up access available to individual computers. Even if it’s just your home office, knowing that someone can dial out to the Internet over a phone line bypassing your firewall is important when you’re fighting against worms, viruses and intruders.
You’ll also need to be familiar with the protective devices and software on your network. Do you have a firewall? Do you know how to use it? Do your computers have personal firewalls? Do you have adequate physical security? Do you have anti-virus, anti-spam and anti-spyware products installed?
2. Know Your Users
Understand that not all users are created equal. Or perhaps we should say, some are more equal than others. There’s no reason why Charlie on the loading dock needs to know what’s in the HR files, and there’s no reason why HR should have access to shipping records or credit card numbers. This means that you need to know who on your network has access to what, and you need to know what they don’t need access to. If you’re the network administrator, you’ll need to sit down with the HR people and decide who needs what, and then you’ll need to keep track of it all.
Besides knowing what your users need, you also need to have some idea what they’re up to. For example, do you know what Sam in sales is doing while he’s on hold? Are you sure he’s not surfing porn sites? You can learn what your users are up to fairly easily. Many firewalls, for example, will keep track of the Web sites users visit and many will let you exclude objectionable sites.
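The "who needs what" list the column describes is only useful if you check it against what people are actually granted. The script below is an added example, not code from the column or its author: it compares a need-to-know map agreed with HR against the grants pulled from your ACLs or group memberships, and reports excess rights, missing rights, and accounts that have grants but no role on file. All roles, users and resource names are constructed for the example.

```python
"""Least-privilege access review (added example, not from the column).

Compares what each person needs (the map agreed with HR) against what
they are actually granted, and reports every deviation. All names and
grants below are constructed sample data.
"""
from typing import Dict, Set

# Role -> resources the role legitimately needs (the need-to-know map).
NEEDED: Dict[str, Set[str]] = {
    "loading_dock": {"shipping_records"},
    "hr": {"hr_files"},
    "sales": {"customer_list"},
    "finance": {"credit_card_numbers", "customer_list"},
}

# User -> role, as recorded with HR (constructed).
ROLES: Dict[str, str] = {
    "charlie": "loading_dock",
    "dana": "hr",
    "sam": "sales",
    "pat": "finance",
}

# User -> resources actually granted, as you would pull them from ACLs
# or group membership (constructed).
GRANTED: Dict[str, Set[str]] = {
    "charlie": {"shipping_records", "hr_files"},   # excess: hr_files
    "dana": {"hr_files", "credit_card_numbers"},   # excess: credit_card_numbers
    "sam": {"customer_list"},                      # matches the map
    "orphan": {"customer_list"},                   # no role on file at all
    # "pat" has a role but no grants: a missing-access finding
}


def review_access(needed: Dict[str, Set[str]],
                  roles: Dict[str, str],
                  granted: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Return {user: {"excess": set, "missing": set, "no_role": bool}}
    for every user whose grants deviate from the need-to-know map.
    Users that match exactly are omitted."""
    findings = {}
    for user in sorted(set(roles) | set(granted)):
        has = granted.get(user, set())
        role = roles.get(user)
        if role is None:
            # Grants with no owner on file are always a finding.
            findings[user] = {"excess": set(has), "missing": set(), "no_role": True}
            continue
        should = needed.get(role, set())
        excess, missing = has - should, should - has
        if excess or missing:
            findings[user] = {"excess": excess, "missing": missing, "no_role": False}
    return findings


if __name__ == "__main__":
    for user, f in review_access(NEEDED, ROLES, GRANTED).items():
        tag = " (no role on file)" if f["no_role"] else ""
        print(f"{user}{tag}: excess={sorted(f['excess'])} missing={sorted(f['missing'])}")
```

Run it on a schedule and treat every "excess" line as a ticket; the "no_role" accounts are the ones most often left behind when someone changes jobs or leaves.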
3. Know Where Your Data Lives
Do you actually know where your customer list is on your enterprise? Sure, you know that when you run your CRM software, the customer list pops up, but do you know on which machine the information is located? Do you know where those credit card numbers are located? Do you know who has access to that information? Do you know whether there’s some means of controlling access to it?
If you don’t know where the sensitive information in your enterprise is located, it’s really hard to protect it. You don’t know where to put internal firewalls, for example. And you don’t know whether it’s sharing a machine that’s otherwise open to the public or the general employee population. And of course, once you do know where your information is, you need to make sure it’s moved to a place where it can be protected.
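Finding out where card numbers actually live usually means scanning the places you did not expect them to be. The following is an added example, not code from the column: it looks for card-number candidates in file contents, keeps only those that pass the Luhn check (so order numbers and phone numbers are not reported), and reports host, path and line with the number masked. The hosts, paths and file contents are constructed sample data; the two card numbers are the widely published test numbers 4111111111111111 and 5500000000000004, not real accounts.

```python
"""Sensitive-data discovery for card numbers (added example, not from the column).

Scans constructed sample files per host, keeps Luhn-valid 13-19 digit
candidates, and reports where they were found with the number masked.
"""
import re
from typing import Dict, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_number) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_hosts(files_by_host: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, list]]:
    """files_by_host: {host: {path: contents}}.
    Returns {host: {path: hits}} containing only files that had hits."""
    report: Dict[str, Dict[str, list]] = {}
    for host, files in files_by_host.items():
        for path, contents in files.items():
            hits = find_card_numbers(contents)
            if hits:
                report.setdefault(host, {})[path] = hits
    return report


# Constructed sample: the CRM box is expected to hold card data; the
# public share is not, yet a note file there contains a card number.
SAMPLE_FILES = {
    "crm-db01": {
        "/var/lib/crm/customers.csv":
            "id,name,card\n1,Acme,4111 1111 1111 1111\n2,Globex,5500000000000004\n",
    },
    "fileshare01": {
        "/shares/public/orders.txt": "order 1234567890123 shipped\ncontact 555-0100\n",
        "/shares/public/notes.txt": "called back re card 4111-1111-1111-1111 on Tuesday\n",
    },
}

if __name__ == "__main__":
    for host, files in scan_hosts(SAMPLE_FILES).items():
        for path, hits in files.items():
            for lineno, masked in hits:
                print(f"{host}:{path}:{lineno}: {masked}")
```

The masked output is deliberate: the scan report itself is a copy of sensitive data if it prints full numbers. In real use the file contents would come from a crawl of each host's shares and databases rather than an in-memory dictionary.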
4. Know Your Update Policy
This is assuming you even have an update policy. If you’re a small operation with just a few computers, this may mean just letting Windows Update run automatically along with allowing the automatic updates to other software such as your security packages. However, even for small offices, there’s more to it than that. Not all security-related software has the ability to do automatic updates, so you’ll need to develop a plan to check for and install as appropriate updates to your non-Microsoft browsers, your office productivity applications, perhaps your Web server software.
And if you’re in a larger operation, you may want to manage the whole process yourself by running your own update servers, your own software distribution, etc. If you have custom applications, or some types of vertical applications, you may also have to delay updates while you test them to make sure they don’t break the applications you need to run your business. To do this, you must first have a policy, and then you must check it regularly to see if it still applies.
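A policy only helps if it can be checked against the machines. Below is an added example, not code from the column: it encodes an update policy as deadlines per severity, allows a time-limited test hold for hosts running applications that must be tested first, and classifies each host's lag on each available update as pending, on hold, or overdue. The product names, versions, release dates and hosts are constructed; the "today" date is the column's own date and is also just sample input.

```python
"""Update-policy compliance check (added example, not from the column).

Deadlines per severity, time-limited test holds, and per-host status.
All products, versions, dates and hosts are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Policy: maximum days a host may lag behind an available update.
DEADLINE_DAYS = {"critical": 7, "important": 30, "moderate": 90}


@dataclass
class Update:
    product: str
    version: str      # lowest version that contains the fix
    severity: str
    released: date


@dataclass
class Host:
    name: str
    installed: Dict[str, str] = field(default_factory=dict)  # product -> version
    test_hold_until: Optional[date] = None  # hold while custom apps are tested


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions compare correctly as tuples ('1.10' > '1.9')."""
    return tuple(int(p) for p in v.split("."))


def evaluate(hosts: List[Host], updates: List[Update], today: date) -> List[Tuple[str, str, str]]:
    """Return (host, product, status) for every host lagging an update.
    status is 'on_hold' (unexpired test hold), 'overdue' (past the policy
    deadline) or 'pending' (still inside the deadline)."""
    findings = []
    for h in hosts:
        hold_active = h.test_hold_until is not None and today <= h.test_hold_until
        for u in updates:
            cur = h.installed.get(u.product)
            if cur is None or parse_version(cur) >= parse_version(u.version):
                continue  # product not present, or already at/after the fix
            deadline = u.released + timedelta(days=DEADLINE_DAYS[u.severity])
            if hold_active:
                status = "on_hold"
            elif today > deadline:
                status = "overdue"
            else:
                status = "pending"
            findings.append((h.name, u.product, status))
    return findings


# Constructed sample data.
UPDATES = [
    Update("browser", "1.5.0", "critical", date(2005, 11, 15)),      # deadline Nov 22
    Update("office_suite", "2.0.3", "important", date(2005, 11, 10)),  # deadline Dec 10
]
HOSTS = [
    Host("front-desk", {"browser": "1.4.2", "office_suite": "2.0.3"}),
    Host("erp-app", {"browser": "1.4.2", "office_suite": "2.0.1"},
         test_hold_until=date(2005, 12, 5)),   # vertical app still under test
    Host("admin-pc", {"browser": "1.5.0", "office_suite": "2.0.1"}),
    Host("legacy-box", {"browser": "1.4.2", "office_suite": "2.0.3"},
         test_hold_until=date(2005, 11, 20)),  # hold expired, no longer excused
]

if __name__ == "__main__":
    for host, product, status in evaluate(HOSTS, UPDATES, date(2005, 11, 28)):
        print(f"{host}: {product} {status}")
```

The expiring hold is the point of the design: a hold that never expires is the same as having no policy, which is exactly the "check it regularly to see if it still applies" step the column asks for.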
5. Train Everybody
The only way for you and your employees to know the things they need to know for the enterprise to be secure is through training. Unless you tell your staff not to open e-mail attachments, for example, they will. And then you may have opened a path for spyware, worms or intruders. And unless you tell them that things like credit card numbers must be protected, some of them won’t know this.
Most important, train whoever is in charge of your security. Yes, it will cost money, but in the long run, it’ll save money because you’ll still be in business when otherwise you might not have been. It’s hard to make money when you’re shut down because of a worm invasion, or worse, because the Feds have taken your computers while they investigate violations of the many new laws requiring information be kept protected. And once you’ve trained all of these people, you need to audit them to make sure that the practices they were trained to use are actually being used. And then you need to train them some more.
The Key Is Knowledge
No doubt you can see that there are a lot of gaps on this short list. I haven’t told you that you have to have a firewall, for example. And I haven’t told you which anti-virus software to use. Actually, I haven’t told you a lot of things. The reason is that until you know what you’re doing, there’s no point. The most important ‘musts’ for security all involve knowledge. And without knowledge, you’re wasting your time and your company’s money.