Holding the beasts at bay - six tips to keep your midsized company safe from IT security threats
From "botnets," networked armies of virus-laden computers, to "zombie PCs," mindless drone computers that indiscriminately spread electronic terror and destruction, the latest information technology (IT) threats sound more like bad science-fiction film plots than everyday corporate concerns. But experts warn that the risk to midsized companies is real and growing, and those who close their eyes to the lurking dangers have the most to fear.
IT security threats come in many forms. A 2004 report by the technology research firm IDC found that the No. 1 corporate security threat is "malicious code," such as computer worms and viruses, and that the second-biggest threat is unintentional employee error. Whether intentional or unintentional, security breaches cost companies billions of dollars each year in lost data, damaged systems, employee downtime, legal fees, fraud and theft. Additionally, these breaches put companies at risk of being sued by customers whose information has been compromised.
California is the only state that allows customers to pursue civil action against companies that deliberately or accidentally leak their information, but several bills allowing such suits in other states are in the works. Experts predict it’s only a matter of time before the rest of the country follows California’s lead, making security lapses potentially catastrophic for midsized companies.
However, some basic planning and a few preventive steps can go a long way toward mitigating risks, stopping security hazards before they become a problem or quickly neutralizing any problems that do arise. The following information can help you better understand the dangers and includes six simple tips to help protect yourself and your business.
Danger in the computer age
Information theft and fraud are nothing new, but as technology becomes increasingly sophisticated, so do the mechanisms for committing these crimes on a large scale. The proliferation of PCs, the standardization of systems and software, and the advent of the Internet make it easier than ever to infiltrate companies electronically to steal information, sabotage systems or defraud the public. Even without malicious intent, the chance of accidentally damaging your systems and your business has never been greater.
Dangers to look for include:
Viruses. Self-replicating programs or pieces of computer code, viruses attach themselves to programs or files and spread from one computer to another, "infecting" software and systems with sometimes destructive results.
Worms. Like viruses, worms spread from computer to computer, infecting software and systems. Unlike viruses, worms are self-contained and do not need to be part of other programs to spread.
Trojan horses. Named for the infamous Trojan horse of Greek mythology, today's version is a destructive program that masquerades as a harmless or useful one. For example, one kind of Trojan horse poses as a program that claims to rid your computer of viruses but instead installs malicious code on your system once you run it.
Phishing. Phishing is the sending of bogus e-mails that falsely claim to come from a legitimate organization, such as a bank or credit-card company. The messages typically urge the recipient to follow a link to a look-alike Web site, where the phishers aim to scam individuals into surrendering private information such as passwords, bank-account information and credit-card numbers.
Pharming. Similar to phishing but even more insidious, pharming scams use a false Internet-address ruse called "domain spoofing" to entice users to hand over private and financial data. Rather than luring the victim with an e-mail, the perpetrators corrupt the name-to-address lookup itself. For example, they may duplicate a credit-card company's Web site, then tamper with the DNS servers (or the victim PC's local hosts file) that resolve the company's domain name, so that customers who type the correct address are silently sent to the dummy site, where the perpetrators collect credit-card numbers and other data entered by unwitting customers.
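Both scams leave a detectable trace on the victim's side: a phishing e-mail carries links whose visible text names one domain while the link itself points somewhere else (or at a raw IP address), and a local pharming attack leaves an entry in the hosts file for a name that should only ever be resolved by DNS. The following Python script, added here as an illustration and not part of the original article, runs both checks over constructed sample input; the e-mail body, the hosts file, the domain names and the WATCHED_DOMAINS list are all assumptions made for the example.

```python
"""Two client-side checks for the scams described above:
 - phishing_indicators(): links whose visible text names a different
   domain than the href points at, or whose href is a bare IP address;
 - hosts_overrides(): hosts-file entries that override a watched domain.
All sample data below is constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed e-mail body. The first link shows the bank's address but
# points at an IP literal; the third shows the bank's name but points at
# an unrelated domain; the second is a legitimate link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account at
<a href="http://203.0.113.10/login">https://www.example-bank.com/login</a>
or visit <a href="https://www.example-bank.com/help">our help page</a>.
Alternatively use <a href="http://secure-login.example.net/">www.example-bank.com</a>.</p>
"""

# Constructed hosts file. The second entry silently redirects the bank's name.
SAMPLE_HOSTS = """
127.0.0.1       localhost
198.51.100.7    www.example-bank.com   # planted by the pharming attack
192.0.2.5       intranet.local
"""

# Domains that have no business appearing in a local hosts file
# (assumed list for this example; a real deployment loads its own).
WATCHED_DOMAINS = {"example-bank.com"}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# A domain-looking token inside visible link text, with or without scheme.
URL_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def registrable_domain(host):
    """Reduce a hostname to its last two labels (www.example-bank.com ->
    example-bank.com). Adequate for .com-style names; country-code
    second-level domains such as .co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(html):
    """Return a list of (href, reason) for suspicious links in an HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        if IPV4.match(target):
            findings.append((href, "link points at a raw IP address"))
            continue
        shown = URL_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            findings.append((href, "visible text names %s but link goes to %s"
                             % (registrable_domain(shown.group(1)),
                                registrable_domain(target))))
    return findings


def hosts_overrides(hosts_text, watched=WATCHED_DOMAINS):
    """Return (hostname, address) for hosts-file lines that override a
    watched domain. A legitimate hosts file has no reason to carry your
    bank's name; such an entry is the classic local pharming trick."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            if registrable_domain(name) in watched:
                hits.append((name, address))
    return hits


if __name__ == "__main__":
    for href, reason in phishing_indicators(SAMPLE_EMAIL_HTML):
        print("phishing indicator:", href, "-", reason)
    for name, address in hosts_overrides(SAMPLE_HOSTS):
        print("pharming indicator: hosts file maps", name, "to", address)
```

The phishing check deliberately ignores links whose visible text is plain words ("our help page"), since there is nothing to compare; it is the mismatch between a domain the reader sees and the domain the browser will actually contact that marks a phishing message. The hosts-file check is the local half of pharming detection only; poisoning of an upstream DNS server has to be caught by comparing answers from an independent, trusted resolver, which requires network access and is left out of this offline example.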
Protect yourself
Although the frequency of malicious attacks has skyrocketed in recent years, and technological evildoers are finding increasingly sophisticated ways to attack systems and data, you don’t need a master’s degree to protect yourself. The following six tips can help you guard against IT security breaches:
1. Keep your software current. You may think you're saving money by failing to upgrade your business' operating systems or software, but think again. The Microsoft Windows 95, Windows 98, Windows ME and, to a lesser extent, Windows NT operating systems all were developed when security measures were limited or even omitted. Maintenance plans may be costly, but not nearly as costly as failing to patch the security holes in your systems. Licensed users should take advantage of vendors' free software updates, typically delivered via the Internet. For every remedy to a security threat, many more threats are lurking around the corner, and attackers routinely target holes for which a fix already exists. Be sure to download and apply all updates promptly to avoid or minimize system downtime and damage.
2. Draft a security policy. And enforce it. You don’t need to become Big Brother to ensure your employees don’t inadvertently introduce security hazards into the workplace. Make sure your security policy addresses risks such as personal Internet use and the downloading of files, music and software. Back up your written policy with regular training to promote common-sense security practices such as deleting suspicious e-mail messages without opening them. Finally, be sure to enforce your policies at all levels of the organization.
3. Educate yourself. Copious information is available on both general security guidelines and specific security threats. Visit your vendors’ Web sites regularly to read their latest product-specific security research. Additionally, the CIA, the National Security Agency and the SANS Institute, a security research organization, all offer white papers and other resources to help you understand threats and protect yourself.
4. Shore up your defenses. From virus protection software to specialized firewalls, a full spectrum of tools is available to protect your business and its assets. Conduct a risk assessment to identify what systems are at the greatest risk and which tools would provide increased protection.
5. Test, test, test. The only way to ensure your defenses are ready is to test them rigorously and often. Whether you conduct the tests in-house or hire a specialized consulting firm, a comprehensive approach should include identifying threats from both inside and outside your company, and evaluating your employees’ ability to recognize and address potential threats or problems.
6. Create an incident response plan. Despite your best efforts, don’t overlook the possibility that your company’s security may be breached. What if a phishing or pharming scam targets your customers? What if one of your employees accidentally releases private information? Create a detailed response plan that includes which law enforcement agencies to contact, which employees will oversee the crisis response 24/7, and how you might warn customers of a threat or reassure them their information is safe. How your company reacts during such a worst-case scenario could mean the difference between life and death for your business.