In fact, many companies plan for it by making laptops accessible for employees on the go. Other companies rely on Blackberrys and other portable digital devices to keep their employees connected to email and the web.

However, Internet access tends to be rather sketchy on the road. Unless you’re able to supply your computers with wireless capabilities through a 3G network or other mobile routing system, it may be difficult for employees to send large files or share information from a remote location.

These days, car companies and airlines are stepping in to provide mobile Internet access. Automobile makers like BMW offer computers as a part of their more luxury vehicles. These computers have in-vehicle Internet access as long as you’re within range of their network. Airlines are also offering onboard Internet access, as long as you’re seated in one of the equipped stations (usually in business or first class) and you pay the appropriate fee.

Like most advances in technology, it’s only a matter of time before these types of services are offered more universally. Although they come at an added expense right now, experts estimate that most people will have more mobile Internet options within the next five years.

If your business is on the cutting edge of technology, it might be worthwhile to invest in these types of “on the road shortcuts” right now. However, if you’re content to wait, you can tap into netbooks and PDAs as a way to provide a little more connectivity until the rest of the technology catches up.

Almost all personal computers and business hardware has anti-virus software as a way to keep viruses and other malware sources at bay. The reason is simple: it’s easy to install, easy to update, and easy to use.

However, in the business world, just installing the anti-virus software isn’t enough. In order to keep your data secure and your client information confidential, you must follow up to ensure that the software is being used to its maximum potential.

• Regularly update all of your software – even ones that aren’t related to information security in any way. Viruses are usually developed to get into operating systems and programs that are outdated or otherwise weak. When a software update is offered, it’s usually because the programmers have found a way to make it more secure (and usually easier to run, too).

• Keep an eye on your employees. Although it isn’t always deliberate, the number one cause of viruses on work computers is employees who accessed unsafe sites or opened an email they shouldn’t have. Whether you need to restrict Internet access, train employees on Internet safety, or instill a new policy into your company manual regarding computer use and viruses, you should always make sure your staff knows the rules regarding viruses and information security.

• Put up protection behind the protection. No matter what business you’re in, anti-virus software simply isn’t enough. Your company’s reputation and your customers’ safety is dependent on your network being a safe, secure place that keeps viruses and other sources away from sensitive information. Sometimes, this means hiring an IT vulnerability manager to help you overhaul your entire network, and other times it means taking steps to improve policy management.

When it comes to viruses and other types of malware, IT solutions don’t always have to be complicated. Sometimes, it’s the small steps (anti-virus software, employee training, limited Internet use) that can have the biggest impact on your information safety measures.

• Monitor and/or update your disaster recovery plan regularly. The business world and the Internet are both like living, breathing organisms – they change and adapt daily. This means that a disaster recovery plan put in place six months ago might very well be obsolete by the time the unthinkable occurs. Whether you rely on automated monitoring, regular back-up data storage, or an actual physical update of your system, it’s a good idea to include regular updates into your planning and your recovery budget.

• Test the system regularly. Although this is technically part of the monitoring step, it’s a step that 9 out of 10 companies fail to do. But if there are weaknesses in your disaster recovery plan, you might actually be worse off than if you had no plan at all. That’s because you and your team will go through your recovery efforts under the assumption that you were safe from the more pressing issues, and you might fail to perform the most basic - and necessary - steps.

• Keep data stored somewhere else. Whether you keep your backed-up data stored physically off-site or you use offshore storage for all your information needs, having the information away from your own system is the most important thing. This back-up data will need to be updated regularly, according to your recovery point objective (or how reliant your business is on having the most recent data possible).

• Protect the hardware that goes home. If you have laptops that employees take home for work use, you need to install the laptops with theft recovery and data delete options. The top-of-the-line options will be able to return all the necessary information to you and still disable the computer so that the thief can’t get access to the same data.

• Consider hiring someone to do the disaster recovery planning for you. Whether you are a small business without an IT department or a large business whose data planning needs span entire departments and cross-country facilities, this is one area where it doesn’t pay to cut corners.

Before you do any disaster recovery planning, it’s important to prioritize what’s important for your business. No two disaster recovery plans are alike, and the only way to minimize your own damages is to act accordingly.

Some of the questions you’ll need to ask yourself include:

• What are the most likely worst-case scenarios? (For example, if you are located in a flood plain, you may need to place a greater focus on keeping physical damages to a minimum. If your company deals with a large amount of personal data, keeping your customer’s information safe might be the most important thing.) How can these be prioritized to streamline the disaster recovery planning stage?

• What do you need to keep the business running in the event of a disaster? Do you need email? Phones? Access to backed-up data on the system? Alternate computers or technology?

• What liabilities might you be facing? If your network is infiltrated by hackers, what are the legal ramifications for your company? How much of an effect will this have on your company reputation and your bottom line?

• How long can your system be down without causing you to go bankrupt? (For example, if you experience a denial of service attack or you simply can’t access your system for a few days, how prepared is your company to “weather the storm?” Do you have access to emergency funds or an alternate way to keep business running?)

• Is your data somewhere safe? Imagine that you’ll never be able to get your system back up and running again. Do you have backed up data located somewhere where it won’t be damaged?

• What sort of information sharing system do you have in place? Employees and administrators will need to be kept appraised of the disaster and its recovery efforts. A way to contact everyone is important in making sure that things continue to run as smoothly as possible.

• How are you going to let your customers know about the situation? Nothing is more irritating to a customer or client than being unable to access your company (either online or in person). If your system is going to be down, or if you need to send out notifications of an information breach, you must have a way to get in contact with all of your customers.

No one likes to think that a disaster can happen to them. However, most businesses will experience some sort of an information emergency during operations. In order to successfully get your company back up and running, it’s important to plan ahead.

Once you decide to start working with an online or local IT consulting firm, you will most likely go through the following steps:

Inventory and Assessment: Not only will your IT consultant assess the strength of your current system from an operating standpoint, but he or she will also inventory the resources you have in the form of hardware, software, bandwidth, and even the employees you can rely on. All of these factors weigh in on the strength and viability of your system.

Monitor and Identify Threats: Using the inventory you currently have (or using new additions based on your consultant’s recommendations), you will begin a monitoring program that finds weaknesses and emerging threats. This may be automated, or it may be part of your consultant’s plan. In either case, you should be able to tell where to put your focus for moving forward.

Move Forward: This includes prioritizing the vulnerabilities, creating a database of solutions based on the prioritization list, and actually implementing the patches. It doesn’t matter whether you immediately apply the patches or if you spread them out over a period of time, this is the point at which you develop a long-term solution to see you and your company through the next few years.

Begin Automation: Making vulnerability patch management a regular part of your business means relaying the appropriate information to administrators and setting up an automated detection patch deployment system. In many cases, this will include training your IT staff on how to read the vulnerability scan results and how to apply solutions before they become liabilities in your business.

However, companies that have an existing vulnerability management plan might not be as protected as they think. Over time, the series of patches used to repair weaknesses or “holes” in the system might burden a network or fail to provide complete safety against penetration. That’s why most IT consultants recommend vulnerability patch management as a way to revitalize an existing system that is either ineffective or that hasn’t been updated in at least a year.

Overall, vulnerability patch management systems work by:

• Providing a core for all other vulnerability tasks. Instead of merely putting patches on top of patches, you’re looking beyond an immediate solution to an entire restructuring of the way your business handles technology. This also creates a concrete plan of action that can gear your entire company toward a more results-oriented approach to technology.

• Bringing administrators, technology experts, and separate department together. For a vulnerability patch management program to work effectively, it must become a company-wide solution that pays attention to the organizational hierarchy. What department has the biggest need for vulnerability protection? Where is it the most cost-effective to start? The answers to these questions can be integrated into policy to become a baseline for future vulnerability patch solutions.

• Eliminating downtime. Whether it’s freeing up a burdened system to run more effectively or freeing up your employees to turn their attention to more pressing tasks, a vulnerability patch management plan is a great way to monitor, revise, and streamline your information system.

Next week, we’ll look at how getting started with vulnerability patch management works and what businesses can expect.

No matter what type of business you’re in, employees remain one of the biggest threats to information security. Enforce these steps, and you’re well on your way to a stronger, more secure network.

1. 1. Differentiate between files that contain confidential data and files that don’t. The ones that must be confidential should be dealt with first (whether that means deleting them or encrypting them).

2. 2. Only save confidential data in a proper storage files. Don’t allow this type of information to be stored on individual PCs or laptops.

3. 3. Keep track of portable storage device use. If a flash drive or portable hard drive contains sensitive information, it needs to be handled properly. Make sure the check out/check in process is formalized and that there is secure storage during non-use.

4. 4. Require employees to log out of all applications (or even their computer) when they walk away. Depending on the type of work he or she does, this may need to be enforced even for short breaks.

5. 5. Don’t allow employees to save non-work-related files to their computers, This includes pictures, music files, movies, or documents – especially those from illegal download sites. It is too difficult to monitor all files for safety.

6. 6. Monitor all software installations. There are many types of free software (such as toolbars, instant messaging applications, and even web browsers) that employees might be tempted to put on their computers. These should only be allowed under your discretion.

7. 7. Enforce email and email attachment rules. These should be a part of company policy and be strictly monitored.

]]> http://blog.guidance-consulting.com/?feed=rss2&p=251 http://blog.guidance-consulting.com/?p=247 http://blog.guidance-consulting.com/?p=247#comments Wed, 09 Sep 2009 11:00:21 +0000 admin http://blog.guidance-consulting.com/?p=247 Company reputation is one of those make-or-break deals in today’s business climate. Companies like Zappos, which thrives on good word-of-mouth, have put the spotlight on the importance of customer service and online image in building a successful business.

However, company reputation isn’t just about good customer service. Company reputation goes beyond making a customer feel good to making sure your customers never realize that you put time, effort, and money into making the entire interaction positive.

For example, few customers think about the amount of capacity planning their financial may or may not have considered before going live with online banking. They don’t care how many other customers are using the billpay system at the same time as them, and they don’t care how much it costs you to create a secure network. What they care about is getting their financial information in real time and not being bothered by an overloaded system.

In this way, information technology is a lot like a building’s foundation. Few people know just how much architectural planning goes into creating the foundation for their home; all they know is that they want the house to remain solid even when earthquakes, mudslides, and regular wear and tear make their mark.

That’s why any negative feedback from consumers on the state of your IT system can be catastrophic to your business. This doesn’t just mean that you have to protect against an attack that threatens your customer data or safety; it also means you have to have a strong infrastructure that is able to make everything appear effortless and easy.

For many companies, this means you need a greater focus on capacity planning and IT vulnerability management. IT planning is, after all, the real scene-behind-the-scenes of any good company that operates online or utilizes a large database of customer information. Whether you need to build a new IT backbone from the ground-up, or you simply want to reassess your foundation and fill in the cracks, you, too, can benefit from a good company reputation.

Vulnerability programs can slow your system down. Your employees and customers need to use your network every day in order to make purchases and get the job done. Vulnerability assessments and security scans can take up some of that precious bandwidth and make your system slow down. A third party IT firm can run their programs during non-office hours without placing a burden on your employees.

When it comes to knowledge, sharing is key. One of the primary benefits of an IT firm is that the professionals have worked with dozens of firms in the same industry as yours. While a reputable firm would never share sensitive information, they may have insight into best practices and new technologies that may or may not have worked for another company.

Distance provides clarity. In the bustle of day-to-day activities, an on-site IT department or professional might prioritize tasks according to a skewed system. After all, your employees have their own to-do lists and tasks to be completed, and they may not have the “bigger picture” in mind. When you work with an outside IT firm, you can create your own list of priorities and act accordingly. This will ensure that the most important (and foundation-building) tasks get done first.

It doesn’t matter whether your company is considering information technology risks for the first time or if you’ve been in the business of IT safety for years; looking for a third party IT provider is a great step. Save time, save money, and save the headache of IT disasters to come by outsourcing all your IT needs.

There are a number of components of a good vulnerability management plan, including everything from finding weaknesses to making sure employee compliance is at its height. Some of the major components include:

• Policies and Procedures: How does your company define rights and responsibilities for employee device use, user identity, and server access? How accessible and enforced is this information?

• Baseline and Assessment: Where are your biggest weaknesses – in the system or in employee use? Have you run a vulnerability assessment, and what are the findings?

• Priorities: Now that you know where your vulnerabilities lie, how important are they? What needs to be addressed immediately, and what can be put off until the budget allows?

• Solutions: Most companies fail the biggest in this category of vulnerability management: follow-through. Knowing where your weaknesses lie will only help you strengthen your infrastructure if you do something about them.

• Regular Maintenance: For financial institutions, this step is key. Information regulations are always changing, and in order to avoid liability and maintain a good name in the industry, you have to put data security at the top of your list.

It doesn’t matter whether you’re in the market for a vulnerability management review or if you’re considering it for the first time - you can benefit from the services of an IT consulting firm that specializes in your industry.