Win the battle: Internet and Email Security


About the Author

Stephen Pritchard

Stephen Pritchard has been a journalist since 1990, and specialises in business, technology and finance. He has become one of the UK's foremost journalists on IT issues, and writes for a range of national and international publications, including the Financial Times, the Independent on Sunday and Information Age.

The struggle for secure internet access is nothing short of a battle. On the one side are companies and their battalions of security equipment, on the other are increasingly ingenious hackers, tempted by either profit or sheer malicious intent. Online security is simply a necessary overhead, but in this, the third in our series on security for medium-sized companies, Stephen Pritchard says a strategic approach will be both cost-effective and easy to use.

"Safe surfing"

According to industry estimates, around 80 per cent of global email traffic is spam. The number of viruses and worms detected "in the wild" continues to grow and a growing percentage of traffic is aimed directly at carrying out electronic crime, from identity theft to corporate espionage.

Unsurprisingly, IT spending on security is a priority. A survey of medium-sized companies by Gartner, the industry analysts, found that IT directors will focus their attention in 2006 on desktop security – including anti-virus, anti-spam and anti-spyware technologies – and on intrusion detection.

The same survey found that 85 per cent of medium-sized companies use anti-spam technology, 62 per cent personal firewalls and 76 per cent anti-virus technology on the network gateway. Researchers found that, for small and medium-sized companies, the spam problem appears to have been brought under control. But the threat to PCs, laptops and, increasingly, mobile devices from malicious code is a real issue.

Controlling such threats inevitably means striking a balance between security and productivity. If protection measures are too intrusive, they will waste staff time or employees will be tempted to circumvent them. If they are not rigorous enough, company data will be at risk.

Protecting the desktop – protecting the user

Good Internet and email security achieves this balance in two ways:

The increasingly sophisticated nature of much spam and virus traffic means that simply securing the business' perimeter is not enough. At the very least, companies need to deploy security technology on their desktops and servers. They might also deploy security in the network, or even around specific software applications that are most critical.

As well as building a secure structure, ongoing protection means keeping application and operating system software patches up to date. Several independent studies have shown that PCs and servers with properly patched and maintained software are far less vulnerable to attack than unpatched systems. By the same token, some companies are still falling victim to attacks based on well-known vulnerabilities, because they have failed to apply patches or update their security software.

But businesses that build security in layers - from the internet to the network to the desktop - will be relatively well protected. Even if one system fails, or is bypassed by hackers, other defences will still stand a good chance of thwarting an attack.

"There are two main levels of protection: network-based security and security on the desktop," says Neil McDonald, a vice-president and distinguished analyst specialising in security at Gartner. "But the quality of defence relies very much on its depth."

In practice this means that companies still need to maintain strong perimeter security including in-line intrusion detection, virus scanning and spam filtering. In the case of both virus detection and anti-spam technologies, a growing number of medium-sized companies are turning to their Internet service provider to provide at least the first line of defence.

Such measures work alongside local firewalls, on the network and on the computers themselves, plus desktop and server-based virus protection. McDonald points out that many companies are supplementing these basics with additional security software to block spyware and adware.

Businesses should also consider content filtering as part of their desktop security line up. Not only does content filtering prevent employees from visiting inappropriate websites - the most common reason for installing it - but it can also provide an effective, additional line of defence against phishing and other attacks that work by conning computer users into visiting fake websites.

Content filtering companies are quick to add the web addresses of such sites to their banned lists, so even if an employee does fall victim to a phishing mail, the content filtering system should stop them reaching many criminals' sites.

As you can see, a realistic defence strategy works in two ways: a layered approach from the outside in (from the wider internet through to the desktop) and through hardware and software designed to manage specific threats (spyware, spam).

Creating a safe email and Internet environment

•  Use multiple layers of security, rather than one: use firewalls and intrusion detection in the network but also run anti-virus software on local computers. Evaluate hosted security systems, for example from Internet service providers, as a first line of defence.
•  Establish and enforce a rigorous policy for updating operating systems and critical applications, including web browsers. Larger companies should look at centralised patch management systems.
•  Keep firewall and anti-virus software up to date; monitor the effectiveness of anti-spam software and its settings, as well as content filtering.
•  Use network-based technology to check machines' configurations against security policies. Such policy engines need not be expensive: many now run on a modest PC or server.
•  Keep security policies up to date, and educate staff about secure Internet use and its importance.
•  Don't overlook mobile devices, either your own or visitors'.
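As an added illustration of the checklist above (example code written for this page, not code from the article or from Microsoft), the following small policy check does what the "check machines' configurations against security policies" item describes: it evaluates a constructed host inventory against the checklist and, for each machine, counts how many independent defence layers would still stand if one failed. The Host fields, the day thresholds and the sample machines are all assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30        # assumed policy: patches must be newer than this
MAX_AV_SIGNATURE_AGE_DAYS = 7  # assumed policy: anti-virus signatures must be newer than this

@dataclass
class Host:
    name: str
    kind: str                    # "desktop", "laptop", "server" or "mobile"
    last_patched: date
    av_installed: bool
    av_signatures: date | None   # date of the newest signature set, None if unknown
    firewall_enabled: bool
    antispyware: bool

def check_host(host: Host, today: date) -> list[str]:
    """Return the checklist controls this host fails (empty list = compliant)."""
    failures = []
    if (today - host.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("patching: OS/application patches older than policy allows")
    if not host.av_installed:
        failures.append("anti-virus: not installed on the local computer")
    elif host.av_signatures is None or (today - host.av_signatures).days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("anti-virus: signatures out of date")
    if not host.firewall_enabled:
        failures.append("firewall: personal firewall disabled")
    if host.kind in ("desktop", "laptop", "mobile") and not host.antispyware:
        failures.append("anti-spyware: missing on a user device")
    return failures

def defence_layers(host: Host, today: date, gateway_av: bool) -> int:
    """Count independent layers: gateway scanning, a current local anti-virus, the personal firewall."""
    local_av_current = host.av_installed and host.av_signatures is not None \
        and (today - host.av_signatures).days <= MAX_AV_SIGNATURE_AGE_DAYS
    return int(gateway_av) + int(local_av_current) + int(host.firewall_enabled)

def audit(hosts: list[Host], today: date, gateway_av: bool = True) -> dict[str, dict]:
    """Per-host report: failed controls and how many layers remain (1 = single point of failure)."""
    return {h.name: {"failures": check_host(h, today),
                     "layers": defence_layers(h, today, gateway_av)} for h in hosts}

# Constructed sample inventory for the example; these are not real machines.
TODAY = date(2006, 6, 1)
SAMPLE = [
    Host("FIN-PC01", "desktop", date(2006, 5, 20), True, date(2006, 5, 30), True, True),
    Host("SALES-LT07", "laptop", date(2006, 4, 10), True, date(2006, 5, 10), False, False),
    Host("WEB-SRV02", "server", date(2006, 5, 28), True, date(2006, 5, 31), True, False),
]
```

Running `audit(SAMPLE, TODAY)` shows the laptop failing four controls and relying on the gateway alone, which is exactly the single-layer situation the article warns against.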

People-friendly security

But for these technologies to be effective, businesses also need to think about how they educate their staff in both the use of security technology, and in the wider issue of safe use of the Internet.

"Much of this is about making users aware of acceptable usage policies, so they know what can and cannot be done," says Andy Beard, a director in the security practice at PricewaterhouseCoopers, the professional services firm.

Some measures, such as educating staff to be cautious when opening attachments, and explaining how to use the security measures in Internet browsers and email programmes, are both simple and effective - and fundamentally cost free.

Others might be harder to enforce, but this is always easier if staff understand the thinking behind the policy, says Beard. Some companies turn off USB ports on computers; others rely on user education to control the use of memory keys, MP3 players and other devices that could carry malware.

The strictness of the policy will depend on the value of the data, and the level of risk faced by both the user and the company. This has to be determined by policies, not by technology.

"Some security measures can be impractical," says Andy Beard. "You have to make a balanced risk assessment. The only truly safe computer is one that is never plugged in, but that would not be a very productive business tool. In between there is a set of precautions that balance practicality and risk."


©2006 Microsoft Corporation. All rights reserved.