Entities are investing large sums of money to keep their systems aligned with their current business needs. This approach is highly recommended, as it shows a sense of maturity on the part of these entities: they do not allow systems to dictate how business practices are carried out. Systems administrators involved in such a process tend to ensure that the data in these systems is protected. Simple mechanisms such as frequent data backups and user authentication with access policies are typically found in the requirements list when an entity requests a new system. Security measures like these must be operated by the entity, but in most cases of data theft it has been found that such measures were operated properly and yet the culprit was difficult to identify.
When considering information security, one must not simply implement security measures which by today's standards are considered poor and which offer no means of shedding light on what caused an incident. We must learn from our ancestors, who fortified our island against our enemies. Those fortifications stood the test of time simply because the security of the island was part of a plan, and not a feature introduced at a later stage. From this lesson, the security of information should be part of a plan which is regularly tested against old and new threats. This is the only way to ensure that such security measures will provide the necessary information when your entity is under attack. It is of the utmost importance to train and test your employees to identify social engineering attacks. Social engineering uses social skills such as telephone calls, fear and the fear of the unknown to extract sensitive information from your employees. This technique, masterminded by Kevin Mitnick, tends to be very successful in giving away your intellectual property when operated with skill. Very recently some people managed to steal servers from an airport, which is not being named for security reasons, by making everyone believe that they were taking the servers to a workshop for further attention. This is a clear example of social engineering in play. The only way to protect yourself against such a threat is to test people on a frequent basis and to ensure that your employees verify what they are being told with the right person.
Many invest heavily in protecting their information from outside attacks. These types of attacks are normally carried out by hackers who, either for fun or for profit, will try to obtain your sensitive information. Unfortunately, many do not protect themselves against internal threats, which are carried out by employees either intentionally or not. A proper audit system on top of your business solution is a feature missing from many requests. Trust in employees is in most cases exaggerated. A proper audit log can be used to identify bad intentions on the part of a particular employee who has been trusted with your sensitive data. If an illegal action has been carried out by an employee, a proper audit log can be used to confirm or refute the employee's account. In extreme cases the audit log can be passed to the police or to lawyers, should legal action be taken against the employee. It is therefore of the utmost importance that the audit log be constructed in such a way that it records all of the actions carried out by the employee, and that the log itself be protected.
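The requirement that the audit log "itself be protected" is usually met by chaining entries so that any edit or deletion breaks verification. The following is an added example (not code from the original article) of such a tamper-evident log: each entry carries an HMAC over its contents and the previous entry's HMAC, keyed with a secret that the logged users cannot reach. The key and the sample entries are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice the key is held where the audited users
# cannot reach it (for example on a separate log server), otherwise an insider
# could simply recompute the chain after editing it.
LOG_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64  # MAC "before" the first entry


def _entry_mac(prev_mac: str, actor: str, action: str, ts: int) -> str:
    # Canonical JSON so the same fields always produce the same bytes.
    payload = json.dumps([prev_mac, actor, action, ts], separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log: list, actor: str, action: str, ts: int) -> dict:
    """Append one audited action, linking it to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"actor": actor, "action": action, "ts": ts,
             "mac": _entry_mac(prev, actor, action, ts)}
    log.append(entry)
    return entry


def verify_log(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(log):
        expected = _entry_mac(prev, e["actor"], e["action"], e["ts"])
        if not hmac.compare_digest(expected, e["mac"]):
            return i
        prev = e["mac"]
    return -1


def demo() -> tuple:
    """Constructed scenario: an intact log, then an edit, a deletion and a truncation."""
    log = []
    append_entry(log, "alice", "login", 1)
    append_entry(log, "alice", "export customer_list.csv", 2)
    append_entry(log, "alice", "logout", 3)
    intact = verify_log(log)                 # -1: nothing wrong
    log[1]["action"] = "view dashboard"      # insider rewrites the export entry
    edited = verify_log(log)                 # 1: MAC no longer matches
    del log[1]                               # insider removes it instead
    deleted = verify_log(log)                # 1: next entry's prev MAC is wrong
    log.pop()                                # insider truncates the tail
    truncated = verify_log(log)              # -1: chaining alone cannot see this,
    return intact, edited, deleted, truncated  # so the head MAC must be stored out of band
```

Because dropping entries from the end leaves a valid chain, a deployment also records the latest MAC somewhere the users cannot alter (a separate server, write-once media or a periodic signed checkpoint) and compares it during verification.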
The importance of building a secure system from day one cannot be overstressed. When doing so, we are protecting not just our investment, but also the livelihood of our employees and ourselves.