Ciar Byrne 

A secure database with CIA

Protect your business from viruses, hackers and undesirable websites, by Robert Schifreen


To sum up what effective IT security is all about requires just three letters. CIA is the holy trinity of the anti-hackers, which stands for Confidentiality, Integrity, Availability. If you can keep your private information private, if you can trust the accuracy of your data, and if your staff can always gain access to information when they need it then, to quote Kipling, you've got exceedingly good security.

But with CIA comes a problem. If you're a relatively small company, you probably can't afford to employ people specifically to keep your PCs safe from hackers, viruses, porn and all the other associated nasties that afflict modern-day computing. More than likely, the security problem will be dumped on whoever knows most about computers in general.

Without the luxury of a full-time security person you have to prioritise, and this isn't as easy as it sounds. Many companies make the mistake of concentrating too much on availability of information while neglecting to protect confidentiality and integrity. It's easy to understand why this happens, as a loss of data availability means that no one can do any work. But neglect data confidentiality and integrity for too long and it might be the last mistake your company ever makes.

Data confidentiality is crucial to every company. Although your computers are largely filled with unexciting stuff, there are almost certainly a handful of key files without which you could not trade, and which would cause serious problems if your competitors managed to obtain copies. Your customer database, for example, the plans and costings for the products you're launching next year, or even the file of customer complaints. After all, if your competitors know what people don't like about your products they can develop something without those weaknesses. Data integrity, meanwhile, means having confidence that a software bug, a hacker or a virus hasn't altered key information in your files without your knowledge. Not all viruses wipe the entire hard disk of all information, and not all hackers do something as obvious as replacing the entire content of your website with porn. Small changes are often more dangerous than large ones because they can easily go unnoticed.

You can normally recover from major problems by restoring your information from backups. (You do have recent backups, don't you? And you have remembered to keep them somewhere other than the office, just in case the place burns down?) But if a hacker increased just a couple of the prices in your online web catalogue, it's unlikely that you'd ever notice. Well, not until the sales department started to ask why no one was ordering those items anymore.
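One way to catch the quiet kind of change described above is to keep a baseline "fingerprint" of each important file and compare against it regularly. The following is an added example written for this article, not code from its author: it fingerprints a constructed two-file web catalogue with a keyed digest (HMAC-SHA256), then reports which files changed and which lines inside them differ. The file names, contents and the single altered price are all constructed for the demonstration; the secret key would in practice be generated once and stored away from the server so that an intruder who edits a file cannot simply recompute the fingerprints as well.

```python
import hashlib
import hmac
import secrets
from itertools import zip_longest

# Constructed sample: the "files" on a small web server, held in memory so
# the example runs without touching disk. In practice you would read the
# real catalogue directory.
BASELINE_FILES = {
    "catalogue.csv": b"sku,description,price\n1001,Widget,19.99\n1002,Gadget,34.50\n",
    "index.html": b"<html><body>Welcome to our shop</body></html>\n",
}

# The same files after someone quietly raised one price by two pounds.
TAMPERED_FILES = {
    "catalogue.csv": b"sku,description,price\n1001,Widget,21.99\n1002,Gadget,34.50\n",
    "index.html": b"<html><body>Welcome to our shop</body></html>\n",
}


def build_manifest(files, key):
    """Return {file name: HMAC-SHA256(key, content)} for every file.

    Keying the digest with a secret that is not kept on the web server
    means that changing a file is not enough to hide the change: the
    manifest cannot be recomputed without the key.
    """
    return {
        name: hmac.new(key, content, hashlib.sha256).hexdigest()
        for name, content in files.items()
    }


def check_integrity(baseline, current_files, key):
    """Compare today's files against a stored baseline manifest.

    Returns (changed, added, removed) as sorted lists of file names.
    """
    current = build_manifest(current_files, key)
    changed = sorted(
        name for name in baseline
        if name in current and not hmac.compare_digest(baseline[name], current[name])
    )
    added = sorted(name for name in current if name not in baseline)
    removed = sorted(name for name in baseline if name not in current)
    return changed, added, removed


def changed_lines(old, new):
    """List (line number, old line, new line) for every line that differs,
    to show exactly how small a detected change can be."""
    pairs = zip_longest(old.decode().splitlines(), new.decode().splitlines(), fillvalue="")
    return [(i, a, b) for i, (a, b) in enumerate(pairs, start=1) if a != b]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep it off the server
    baseline = build_manifest(BASELINE_FILES, key)  # taken when files are known-good
    changed, added, removed = check_integrity(baseline, TAMPERED_FILES, key)
    print("changed:", changed, "added:", added, "removed:", removed)
    for name in changed:
        for lineno, old, new in changed_lines(BASELINE_FILES[name], TAMPERED_FILES[name]):
            print(f"{name}:{lineno}: {old!r} -> {new!r}")
```

Run on the constructed data this reports `catalogue.csv` as changed and points at line 2, where `19.99` became `21.99`; a check like this, scheduled daily and compared against a manifest kept alongside the off-site backups, turns "you'd never notice" into a same-day alert.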

With so many different threats to your data, is there anything you can do to protect your secrets from the nosey, greedy and malicious? Yes, and it needn't be expensive. The crucial point to remember is not to wade straight in with your chequebook. Instead, start with a little risk analysis. Find out where your main vulnerabilities lie. There's no use putting all your budget into protecting the chairman's PC if all the juicy stuff is actually held by the secretary or the HR person.

After the risk analysis, make sure you have an IT security policy so that staff members know what they are and aren't permitted to do with the PC on their desk. Surfing porn sites should be prohibited at all times. Whether you allow game-playing, share-trading and other more leisurely use of the web during office hours is up to you.

Once you know where your weaknesses are, you can set about fixing them. Encryption software is a good idea, especially for laptops. It will scramble the information on the hard disk, and only unscramble it for those who know the password. So if a PC is stolen your data won't end up in the public domain. Without encryption, persuading your insurers to replace lost hardware is the least of your problems.

Next, work on your antivirus software. If it hasn't been updated in the last month it won't be able to detect the latest viruses. If any staff work from home, put antivirus software on those machines too. Your licence may well allow this already, for no extra cost. Microsoft regularly issues security fixes for Windows and for applications such as Office. Over 90 patches have already been issued this year.

Check out www.microsoft.com/security for the must-have patches. Without them your systems will be more vulnerable to attacks from hackers, malicious websites and viruses. If you use the internet a lot, and especially if your server is permanently connected to it, install a firewall if you don't already have one. A firewall is a program which examines all data travelling between your PCs and the internet in both directions. You can specify which type of data to allow, and which to reject, based on the type of data and the route it's taking. So you could use it to allow email from clients but not from employees' friends. Or to prohibit staff from accessing certain websites.

Without a firewall, your server is just as much a part of the internet as any public website, and all your files could be instantly accessible to any competent hacker from anywhere in the world. A firewall will prevent all but the most determined hacker accessing your files this way. The market-leading firewall is Firewall-1, though check out ZoneAlarm for something much cheaper and simpler to install.
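To make the "type of data and the route it's taking" idea concrete, here is an added example, written for this article rather than taken from it or from any firewall product: a miniature packet filter that evaluates a list of rules in order, first match wins, and denies anything no rule mentions. The networks and addresses are constructed from the documentation ranges (192.0.2.0/24 for the office, 198.51.100.0/24 for a client, 203.0.113.7 for a site to block), and the rule set is illustrative of the policies the article describes (client email in, staff web out, one site prohibited); it is not how Firewall-1 or ZoneAlarm are configured.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (internet -> office) or "out" (office -> internet)
    src: str         # source IP address
    dst: str         # destination IP address
    protocol: str    # "tcp" or "udp"
    port: int        # destination port: 25 = email (SMTP), 80 = web, 445 = Windows file sharing


@dataclass(frozen=True)
class Rule:
    """A field left as None matches anything, so rules can be as broad or narrow as needed."""
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None
    src: Optional[str] = None         # CIDR network, e.g. "192.0.2.0/24"
    dst: Optional[str] = None
    protocol: Optional[str] = None
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.port is not None and self.port != pkt.port:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


def decide(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet no rule mentions is denied by default.

    Default-deny is what makes the firewall useful: a new service on the
    server is invisible from the internet until someone deliberately allows it.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed networks (documentation address ranges, not real hosts).
OFFICE = "192.0.2.0/24"
MAIL_SERVER = "192.0.2.25/32"
CLIENT = "198.51.100.0/24"
BANNED_SITE = "203.0.113.7/32"

# Order matters: the ban on one website sits above the general "staff may browse" rule.
RULES = [
    Rule("deny", direction="out", dst=BANNED_SITE),
    Rule("allow", direction="in", src=CLIENT, dst=MAIL_SERVER, protocol="tcp", port=25),
    Rule("allow", direction="out", src=OFFICE, protocol="tcp", port=80),
    Rule("allow", direction="out", src=OFFICE, protocol="tcp", port=25),
]


if __name__ == "__main__":
    samples = [
        ("client email in", Packet("in", "198.51.100.5", "192.0.2.25", "tcp", 25)),
        ("stranger's email in", Packet("in", "203.0.113.99", "192.0.2.25", "tcp", 25)),
        ("staff browsing", Packet("out", "192.0.2.10", "198.51.100.80", "tcp", 80)),
        ("staff visiting banned site", Packet("out", "192.0.2.10", "203.0.113.7", "tcp", 80)),
        ("file share probe from internet", Packet("in", "203.0.113.99", "192.0.2.30", "tcp", 445)),
    ]
    for label, pkt in samples:
        print(f"{label:32} -> {decide(RULES, pkt)}")
```

Note that the ordering of the rules is itself part of the policy: swap the first and third rules and the banned site becomes reachable, because the broad "allow web" rule would match first. Real products differ in syntax but the same first-match, default-deny reasoning applies when you review their rule sets.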

Unfortunately, however much you spend on security products, you can never be 100% safe from computer crime. No firewall can protect you from an employee giving copies of your files to a competitor because he's being conned, bribed or blackmailed into doing so. To protect against this requires constant vigilance by all staff and regular training. As one security commentator said recently, good security is not a product but a state of mind.

Jargon buster

CIA: Confidentiality, integrity and availability - the three key factors which can keep your vital business data secure.

Firewall: A piece of software designed to stop hackers from getting into your system. It allows your data to leave your computer or network and head out on to the internet, but allows only appropriate information to come into your computers from the net.

Hackers: Used to be merely the term for people who programmed computers, but now it is more often used to describe malicious computer users who are intent on stealing information or wreaking havoc on your computer. They target all sorts of users, from big corporations (Microsoft was a recent victim) to individual PCs - especially those that are connected to the internet for long periods.

• Robert Schifreen (hex@cix.co.uk) is a security consultant
