Five steps for keeping hackers at bay

The vice president of security products for Tivoli Software at IBM says the biggest threat to your company's security is the thought that "it won't happen to me"--because it will.

COMMENTARY--Many businesses seem to think they have an invisible cloak of invincibility when it comes to computer security.

But saying "It won't happen to me" is simply not enough. Harm to your systems and data can be a fatal blow at the heart of your company, affecting your daily operations and your credibility with customers and the public. It is not just large companies that need protection against security breaches. Every business needs a strategy for keeping hackers at bay.

Even if you think you're safe enough with measures you have already taken, consider these recent survey results. Hacker attacks were up 32% during the first half of 2002, which averages out to 32 attacks per company each week. Even more troubling is the finding that most companies are not even aware that they have been hacked.

While the Internet has undoubtedly revolutionized business, it has also added vulnerabilities all its own. Eighty-five percent of companies now report security breaches, and 64 percent report financial losses due to these attacks -- amounting to $120 million annually.

Here is a five-step guide to protect your business against hackers.

1. Know the internal and external risks you face and turn them into a security policy.
You cannot protect yourself unless you have thought about what internal and external threats you face and how serious they are. There is no one-size-fits-all list of risks. Every business has individual vulnerabilities and priorities.

External threats become more important as your network extends to suppliers, customers and partners. This automatically means network security must be given high priority. External threats include unauthorized users like hackers, saboteurs and thieves, as well as network users who leave their computers badly protected, providing opportunities for unauthorized users.

A major internal risk most companies are not aware of is mismanaged identities: accounts of employees who have left the organization but are still able to access the network. Typically, 20 percent of user accounts belong to employees who haven't worked for the organization for five years or longer.

Your security policy should also include risks associated with equipment malfunctions and natural disasters like fires, floods and accidental damage.

2. Get help to find hidden weak points.
Sometimes, searching for the weak spots can be like looking for a needle in the haystack. Not all the risks you face will be obvious, especially if you do not have a full-time information technology expert in-house. One way to identify risks is by having an independent third party conduct an audit of your security systems to find vulnerabilities before you purchase protective hardware or software.

Many security management products on the market today offer a holistic, "dashboard"-style view of entire systems. This view allows administrators to identify and correlate specific security vulnerabilities and then take proper action to resolve them.

3. Make fixed assets physically secure.
Your building's alarm system will put off thieves from outside, but that does not stop anyone inside from opening a machine and stealing memory or a processor. You can buy an inexpensive security kit that consists of a hacksaw-proof cable and padlock, which will prevent a computer from being opened or physically removed. You should also consider security tags, which will help police track down the property's legal owner in the event of recovery.

Put your most valuable material, like servers and archived data, in an access-controlled room rather than leaving it distributed around your premises.

4. Computer viruses, like human ones, affect everybody.
The "Melissa," "Bill Clinton" and "I Love You" viruses have caused tens of millions of dollars in damage in the last couple of years. Like most security threats, they hit smaller companies as much as large ones.

Protecting against threats is not as simple as deploying a software package and forgetting all about it. Making sure you do not lose data to a virus means constant reviews, patches and vulnerability signature updates. This will do no more than improve the odds of staying ahead of virus authors, who are perfecting their craft as fast as virus protection specialists can develop solutions.

Your best protection comes down to policy and procedure as much as technology. Employees must have rigorous instructions concerning receipt of suspicious emails and what to do in the event of infection. Furthermore, there are tools available that help define and enforce security and privacy policies so organizations can ensure consistency across all aspects of their business.

5. Don't make it easy for hackers: a little common sense goes a long way.
Lots of hackers target big companies for "ethical" reasons. But they are not averse to creating a bit of chaos anywhere they can. And they probably know more about your computers than you do.

The Federal Bureau of Investigation (FBI) lists the following as the most common mistakes companies and their employees make that leave their data vulnerable:
* Default installation of operating systems and applications
* Weak passwords - some 40 percent of us use "password"
* Incomplete back-up of data
* Unneeded ports left open
* Data packets not filtered for correct incoming and outgoing addresses

There are precautions you can take to increase your security, especially from internal threats:
* Use password management software to help employees choose strong passwords. Have password expiration
* Create stronger authentication by combining passwords with biometrics.

While you cannot protect against everything, you can be prepared. These security steps will help to protect your business the next time hackers come knocking at your door.

Dr. Arvind Krishna is the vice president of security products for Tivoli Software at IBM. Previously, he was the director of Internet infrastructure and computing utilities research at IBM's Thomas J. Watson Research Center. Krishna joined IBM in 1990, and since then has held executive, technical management, and research positions in the areas of Web infrastructure, network and computer security, wireless networks and distributed computing.