Is today’s IT security done as an afterthought?
by John Chin, Technology Auditor - Chelsea Technologies - Aug 2008
To protect sensitive and important business files and data from unauthorized access, we rely on IT security implemented by our IT department. Common IT security practice includes employing a firewall to restrict external access, and server/computer security with individual user accounts for internal policing. However, these standard practices are publicly known, and unfortunately, people who want to access your company's sensitive files and data may not spend their time and effort breaking through those established access points. Most unauthorized access to confidential or sensitive company information is done not through the front door, but through creative methods such as backdoor access or, in most cases, through inside access.
The acquisition and sale of computer data is more established than most people realize. For companies that want a more competitive edge, it is reasonable to invest in learning about their biggest competition or their prospects/clients. Even more dangerous, the information gathered may be used to perform fraudulent or illegal acts that can damage the company’s reputation.
In a recent event, retail company TJ Maxx disclosed that 45.7 million of its customers’ credit card numbers were stolen in 2005 and 2006. Companies that handle credit card transactions are required to adhere to the Data Security Standard (DSS). The DSS, like most IT regulations, is open to interpretation on how it should be implemented. Compound that with the cost of implementation, newer technology development and undiscovered security holes, and threats become ever-changing while defensive measures are difficult and sometimes overlooked.
Today companies spend thousands to safeguard their business information. Prospective employees are screened and, for some particular markets, the prospect even goes through a security background check. We pay for and utilize building security to limit access to the office. We lock our computer room, password-protect computer access and secure the network. But how secure are we in today's environment?
In the office, even though access is restricted to our employees, there are people such as mail couriers, cleaning crews and building maintenance personnel who periodically access the office. Especially for those leasing and/or sharing an office, restricted access is difficult to maintain. Computers and laptops are configured to securely access the company’s information, but with more and more people utilizing mobile computing, there is additional potential for data loss. Even employees may intentionally or unintentionally spread the company’s information. As a business owner, one needs to investigate and understand his or her company’s risk and its potential impact on the business.

Companies sometimes don’t have the time or resources to understand and clearly define a road map for what is needed for a secure IT environment. In creating a secure IT environment, the focus should be on developing practical policies/procedures with controls to protect business investments that are in line with business objectives. The secure structure should be able to grow with the company along with its single- or multi-platform IT environment.
The secure structure should also ensure adequate protection against “backdoors” and “creative” unauthorized access to sensitive and critical business information.

Unfortunately, as the company becomes more secure, access becomes more restrictive. Additional control policies and procedures must be adhered to. These additional controls can sometimes hinder the ability to do business effectively. To be successful, one must analyze whether the risk and its potential impact warrant the added controls, creating a balance between practical control and best practice that is in line with business objectives.