Mobile devices present new network security risks.
The threat of proprietary information being stolen is very real, and any business that uses computers and the Internet is susceptible to theft.
To keep information safe, businesses need to first change the way they approach information technology and security, says Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT company.
“Traditionally, IT security was based on detection solutions, such as antivirus, but those systems are geared toward determining that a problem exists and then stopping or cleaning it,” he says. “They are more perimeter-based. But with the advent of mobile devices and web-based apps, perimeter security is no longer valid because mobile devices get past firewalls onto the server where data exists. The old types of security are still good to have, but businesses need proactive, preventive solutions, as opposed to reactive solutions.”
Tools of the trade
Sometimes called the next antivirus, vulnerability scanners are a solution that every business should have, Irvine says. They scan the network to determine if a problem exists and identify situations in which problems may occur. The tool also scans applications, going through code line by line to see if there are vulnerabilities a hacker or malicious application could exploit.
In addition, data loss prevention systems prevent proprietary data loss by restricting access to those who need to utilize the information for their job functions. These systems employ a user ID and password function to ensure that only those who need to access the files can.
Businesses also need to regularly manage their IT systems. This includes conducting penetrative tests to identify vulnerabilities in the system, and tracking and recording changes and upgrades to the system.
While some of these tools can be managed internally, Irvine recommends utilizing a third-party IT service, which can provide peace of mind through checks and balances.
Setting up and managing your IT network
Many businesses make the mistake of thinking that anyone can set up their network, Irvine says. Businesses large and small often take advantage of a tech-savvy employee by having that person fulfill an IT role, in addition to regular duties. However, if this person hasn’t been formally trained in IT or security, or doesn’t have the time necessary to devote to it, your proprietary data is at risk.
In a similar vein, individual departments should not be allowed to select and install hardware or software without the involvement of an IT professional. Downloading and installing programs and providing access to third-party devices can cause data conflicts and security breaches.
Businesses also need to implement policies and standards that define IT processes and expectations. For example, Microsoft releases a system upgrade patch the second Tuesday of every month. Many people view these updates as a nuisance and don’t bother to install them, leaving the network at risk of attack. Having a policy in place that requires users to download and install these regular updates decreases that risk.
The challenge of mobile devices
Mobile devices have been a game changer in IT security in the last few years because they bypass a business’s perimeter defense systems and are not regulated. Companies that have a bring-your-own-device (BYOD) policy do not know what is on these personal devices or understand how they could potentially affect the network, making proprietary information susceptible.
“Businesses can’t prevent BYOD users from accessing inappropriate locations containing viruses and adware and then connecting to the internal network,” Irvine says. “And, in fact, BYOD does not save companies money; it costs more money because companies invest more time to support any data loss.”
Irvine recommends businesses ask employees to register their devices so the business can monitor and limit their access to the corporate network and even wipe or delete the device in the event it is lost or stolen. Creating a separate, encrypted drive on the device for work data prevents viruses from the personal drive from corrupting data on the work drive and allows for deletion of only the work data.
To create a more controlled mobile device environment work, businesses need to implement a policy signed by employees that gives the company permission to monitor, manage and delete information on the device.
Be careful with data on multifunction devices
Printers, scanners, faxes and copiers often have hard drives that store the data your employees send to them. These devices are connected to your network and often have no antivirus software to protect them, making them susceptible to an attack.
Businesses should install these devices on a virtual LAN that is separate from the main network and regularly attach hard drives that can conduct antivirus scans, Irvine says.
“Contact a certified data destruction company, which will wipe the drives or destroy them before you resell or throw away the device,” Irvine says. “This goes for cell phones, too.”
As technology constantly evolves, it is important that IT security plans evolve with it. Mobile and multifunction devices present new challenges to protecting proprietary data, so it is imperative business leaders have qualified personnel in place to analyze new threats and take appropriate countermeasures.
