While hackers get a lot of attention in the media and the business world, companies of all sizes experience employee security breaches, misuse of the Internet and unsafe e-mail practices, according to the Computer Security Institute Spring 2002 report.
Many businesses don't examine possible security holes until these are exposed by a disastrous breach.
Patrick Evans, regional manager, Symantec
Systems are made vulnerable by worms and other malicious code, which spread largely because employees have not been taught to recognise them. When a worker unwittingly opens an infected attachment, the disguised code can wipe out files and create back doors through which intruders later enter.
Credit card numbers can be stolen, financial data can fall into the wrong hands, and hours may have to be spent restoring company information.
Other actions, such as writing passwords on notes stuck to the monitor, compromise security just as surely. Assets such as laptops are at physical risk when employees don't secure them properly during travel.
Be proactive
When protecting your systems and your hardware, being proactive is the name of the game. Many businesses don't examine possible security holes until these are exposed by a disastrous breach. A vulnerability assessment lets you evaluate current practices, policies and the behaviour of you and your employees, so you can make the necessary changes before mayhem strikes.
Planning ahead will help prevent the inconvenience and loss of revenue associated with break-ins or a severe virus outbreak.
Education is key
A security policy outlines where your business stands on certain security issues and how employees should behave regarding those issues, but if they don't know what they are doing wrong, the document alone isn't going to do much to help.
If they know why certain methods are important, they are more likely to abide by the rules. You can hold brief training sessions when an employee starts and then every six months or so for the rest of your employees - more often if there is a change in policy. Address the issues with your workers and review the principles. This also gives them a chance to ask any questions they may have.
How much security do you need?
One of the first steps when creating your security policy is to think about how much security your business needs. If you mostly use your computer network internally, you won't require the stringent walls of defence needed by institutions that process credit card orders or hold extensive research data. Your security policy is meant to protect your environment, not hinder your business.
While your policy should be custom-tailored to your line of business, network requirements and tool usage, there are several topics even the most basic security policy should address.
Your policy should not only educate users as to why these topics are important, but also inform them of how to abide by the rules and what actions will be taken if they don`t.
E-mail use
E-mail is an indispensable tool for the majority of businesses, yet few institute guidelines or educate employees about its safe and proper use. Abused e-mail can cause several kinds of problem for a small business. Many worms, viruses and Trojan horses spread by e-mail, in most cases because an employee opens an attachment without realising it is malicious code dressed up as a document.
Your policy should address the proper handling of attachments: which file types are never to be opened, that unexpected attachments are checked with the sender before opening, and that incoming attachments are scanned before they reach the desktop.
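The attachment rule above is easier to enforce at the mail gateway than to leave to each user's judgement. The following is an added example (not code from the article) that turns such a rule into a classifier: it judges an attachment by the extension Windows will actually use to open it, so that the usual tricks (a double extension such as invoice.pdf.exe, a run of spaces before the real extension, a trailing dot that Windows ignores) are caught. The extension lists and the sample filenames are assumptions constructed for the example; tune them to your own policy.

```python
"""Attachment-handling rule expressed as code: classify an incoming e-mail
attachment from its filename before a user can open it.  Added example,
not from the article; the extension lists are assumptions to tune to
your own policy."""
import os

# File types Windows runs directly on double-click (assumed list).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "msi", "reg"}
# Archives and macro-capable documents: release only after a virus scan.
SCAN_EXTS = {"zip", "rar", "doc", "xls", "ppt", "dot", "xlt"}
# Plain documents and images the policy allows straight through.
ALLOW_EXTS = {"txt", "pdf", "jpg", "jpeg", "gif", "png", "csv", "rtf"}


def normalise(filename):
    """Reduce a filename to the form Windows will actually open."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop any path
    # Windows ignores trailing dots and spaces, so "setup.exe." still runs.
    return name.rstrip(". ").lower()


def extensions(name):
    """All extensions, e.g. 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.split(".")
    return parts[1:] if len(parts) > 1 else []


def classify(filename):
    """Return (action, reason); action is 'allow', 'quarantine' or 'block'."""
    name = normalise(filename)
    exts = extensions(name)
    if not exts:
        return ("quarantine", "no extension: scan before release")
    final = exts[-1]
    # Only the last extension decides how Windows opens the file, which is
    # why "invoice.pdf.exe" or "photo.jpg      .scr" must be judged by it.
    if final in EXECUTABLE_EXTS:
        return ("block", "executable file type ." + final)
    if any(e.strip() in EXECUTABLE_EXTS for e in exts[:-1]):
        return ("quarantine", "executable name hidden in a double extension")
    if final in SCAN_EXTS:
        return ("quarantine", "archive or macro-capable document: scan first")
    if final in ALLOW_EXTS:
        return ("allow", "plain document type ." + final)
    return ("quarantine", "unknown file type ." + final)


if __name__ == "__main__":
    # Constructed sample attachment names, not real mail.
    for sample in ["quarterly_report.pdf", "invoice.pdf.exe",
                   "photo.jpg                    .scr", "setup.exe.",
                   "archive.zip", "README"]:
        print(f"{sample!r:40} -> {classify(sample)}")
```

The point of the design is that anything not explicitly allowed is held for scanning rather than passed through; a list of known-bad types alone would let every new executable type straight in.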
Physical security
Set guidelines for how computers in your office are secured. Make it mandatory that workstations are locked whenever employees step away from them. Windows users can lock a machine by pressing Ctrl+Alt+Delete and choosing Lock Computer (or by pressing the Windows key together with L), and a password-protected screen saver with a short timeout catches the machines that someone forgot. Outline how laptops should be kept safe while on the road: never left unattended, never checked in as luggage, and secured with a cable lock where possible. A stolen laptop means both lost hardware and lost data, and the information on it may fall into the wrong hands.
Passwords
Your policy should emphasise the importance of passwords as part of a comprehensive security plan. Advise employees on how to create them (for example, at least eight characters mixing letters and digits, not a dictionary word, a name or anything else that could be guessed from the user, and not reused across systems) and on when to change them. Note that current guidance favours longer passphrases and changing a password promptly when compromise is suspected over forcing a change on a fixed schedule, which tends to produce predictable variations of the old password.
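A password rule that exists only on paper is rarely followed; the check below, an added example rather than anything from the article, shows the rule enforced at password-change time. It returns every way a proposed password fails rather than a bare yes/no, so the user can be told what to fix, and it catches the common dodge of dressing a dictionary word up with look-alike symbols and a year on the end. The minimum length, the character-class rule and the small common-password list are assumptions standing in for your own policy and a real breached-password list.

```python
"""Password rule from the policy expressed as a check that can run at
password-change time.  Added example, not from the article; the minimum
length, the character-class rule and the tiny common-password list are
assumptions standing in for your own policy and a real breached-password
list."""
import string

MIN_LENGTH = 8
# Constructed stand-in for a common/breached password list.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123",
                    "welcome1", "12345678", "changeme", "admin123"}
# Common substitutions people use to dress up a dictionary word.
LEET = str.maketrans("@0134$5!", "aoieassi")


def resembles_common(password):
    """True if the password is a common one, possibly with trailing digits
    added or letters swapped for look-alike symbols ("P@ssw0rd2002")."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return True
    stripped = lowered.rstrip(string.digits)     # drop the "2002" suffix
    return stripped.translate(LEET) in COMMON_PASSWORDS


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    if resembles_common(password):
        problems.append("resembles a common password")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the user name")
    if len(set(password.lower())) <= 2:
        problems.append("built from only one or two distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for pw, user in [("letmein", "bob"), ("P@ssw0rd2002", "pat"),
                     ("alice2024x", "alice"), ("Tr0ub4dor&3", "alice")]:
        print("%-14s %-6s -> %s" % (pw, user, check_password(pw, user) or "accepted"))
```

In production the set would be replaced by a lookup against a full breached-password list; the structure of the check stays the same.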
Internet use
Proper use of the Internet should be outlined, for example what types of site are acceptable, and whether or not it is permissible for employees to surf the Web for personal reasons. For Internet safety, you should create a standard for downloading files that can introduce malicious code and drain resources.
Transfer of sensitive data
Sending highly sensitive material in ordinary e-mail is unsafe: messages travel and sit in mailboxes in clear text, so they can be read in transit or by anyone who obtains a mail password. Address how sensitive data is to be transferred safely, both internally and externally: for example, encrypt it before it leaves (with PGP/GnuPG or S/MIME for mail, or an encrypted archive whose passphrase is passed by a separate channel such as the telephone), or move it over an encrypted connection such as SFTP or a VPN rather than plain FTP or e-mail.
External access
If your company relies on telecommuting or on staff connecting while on the road, establish guidelines that keep those remote connections from compromising the server back at the office. You may require users to connect only through a VPN, to run personal firewall software, and to keep their operating system patched and their virus definitions up to date.
Once your policy has been created, it should be distributed to all employees. Set up a meeting to go over its contents and answer questions. If you change or add any elements later on, be sure your workers are informed.
You may find it helpful to hold twice-yearly meetings to review the security practices particular to your workplace.
Creating a policy and educating employees regarding its guidelines ensure that everyone in your business knows their part in maintaining a secure environment. If you are proactive about the implementation of a security policy before a breach occurs, you can save vital information and hours of lost time.