Security is and will remain an intrinsic element to all business operations. IP is no different and aspects such as phishing, spam and viruses have caused companies to sit up and realise the importance of content filtering, firewalls and other internal and external security precautions. Our customers need to know more about security and what they should be examining to ensure the holistic protection of their business. We answer some of the more common questions below:
Q. What are some of the issues around security at the moment?
Recent security related reports including the Symantec Internet Security Threat Report issued recently highlights a fundamental increase in a.) Attacks against Web Applications b.) Threats to Windows c.) Severe and easy-to-exploit vulnerabilities and d.) Phishing scams as the top offenders for the period 1 July 2004 to 31 December 2004. In addition there is a noticeable increase in Spam, which is impacting organisations, not only from a productivity perspective, but also from a data protection and financial point of view. These results coupled with UUNET`s internal tracking structures highlight and reiterate the importance of approaching security from a multi-tier layered approach.
Q What constitutes general security best practise in a company?
Traditionally, best practice for enterprise security is to work from the top down, emphasis on a more holistic approach to company data protection is needed, whereby organisations are educated on why they need to become more proactive in terms of the management and monitoring of their firewalls. UUNET holds the expertise and network solutions appropriate for this exact approach.
In light of the above some top of line requirements when looking at your security best practice approach should include:
* A full security solution placed at the corporate information gateway, not just anti-spam, but solutions that can filter and control incoming mail more strictly, is required.
* A multi-layered anti-virus solution deployed upstream at the ISP, the gateway and on each individual desktop * with regular updates undertaken
* Security solutions placed on specific servers
* Development and implementation of an internal Internet User Policy
Q. Why should users examine internal policies with regards to company security and Internet User Policies?
An Internet User Policy (IUP) is a solid platform for organisations looking to define the parameters of internal Web use, mail acceptance and security policies that should be taken into consideration during an employee`s day to day operations when using the Internet or e-mail. Not only will it ensure users understand what Web sites can be visited and what type of mail can be accepted and opened, it will also help with internal definitions for Web filtering.
Implementing a broad IUP decreases the levels of spam and virus acceptance within a company, in addition to positively influencing staff productivity levels. If we consider the amount of time spent online, as well as the limited abuse of bandwidth that will take place, then it makes better sense for organisations to take more interest in the utilisation of this business tool.
Employee education is a critical element in an enterprise security strategy, and extends beyond administrator training regarding vulnerabilities and network threats. The majority of security breaches are still caused by internal employees, whether they are disgruntled workers who deliberately sabotage a system or release confidential customer information, or users who unintentionally cause breaches by installing file-sharing software or similar programs.
Each employee therefore needs to understand that he/she is an important link in the security chain at the company. Security policy documents supplied as part of the employee handbook or other required reading resources should define intellectual property, acceptable use of corporate resources, and expected actions in certain events, such as if contacted by a competitor or a member of the media. Failure to comply is in many cases suitable justification for termination of employment.
Q What are some of the critical elements to business protection in terms of security?
One of the most critical elements of business protection structures is that of content security, which should be a flexible tool that enables businesses to manage the security of information sent by e-mail.
The first issue faced by most businesses is that content security has been positioned as a technology for countering threats to the integrity of the corporate network, such as viruses. However, the real issue is that content security is not an information technology (IT) problem, but rather a risk facing the business as a whole. Every business unit is responsible for information management, including identification of sensitive content and how this needs to be controlled within the organisation. IT will merely assist in delivering the technologies that would meet the business strategy objectives within an information security framework.
The initial challenge with implementing content security measures is the cost and initial investment and implementation process of an Internet/e-mail policy that complies with the latest legislation (ECT Act). By hosting the solution within a data centre, this cost of implementing the hardware, software and administration expertise necessary is relieved.
Q What should content security products include?
Content security products should also include the following benefits:
* Multi-layered virus detection and cleaning, which provides protection against infection and data loss from e-mail transported viruses
* Spam blocking, which removes SPAM before it reaches your network with less than 1 in 1 million false positives detected
* Attachment of legal disclaimers, which provides a customised communication that can inform e-mail recipients of legal issues
* Scanning for offensive material, which assists in reducing legal liabilities
* Blocking of specific file types (images, .exe, videos), which assists in reducing network congestion and can increase employee productivity by blocking specific file types
* Detection of sound files (e.g. MP3), which reduces liability from copyright violation
* Text analysis, which scans for confidentiality breaches
* Management and delayed delivery of large messages, which enables the intelligent utilisation of bandwidth
* Blocking files by name, which controls circulation of named documents
* Web based administration and reporting, which intelligently control and manage your e-mail usage
As organisations rely more and more on technology communication processes to conduct business, the need for secure security policies is essential. Although security has only recently been reviewed as a concern by organisations locally, a "wait and see" attitude still dominates the industry. The more time and investment spent initially to secure a business network structure, the better the rewards at the end of the day!
For more information on UUNET SA`s security solutions, please contact Pam Molenaar on (011) 235 6500 or pamm@za.uu.net.
Share
