Ten ways to keep your computer systems secure

Because computer use has become an integral part of modern-day life and work, keeping information technology secure has become a concern for all businesses, from the sole trader to large corporations. Robert Blackman offers ten steps you can take to help safeguard your company’s IT systems from digital destruction.

By using safety measures and good practices to protect your business computers, you can protect your privacy and your commercial information. My tips are offered to help lower any risk associated with data security.

1. Ensure that all servers and workstations are kept up-to-date with anti-virus software

A common method that hackers use to infect your computer is targeting security vulnerabilities in your system. Programs that are targeted include web browsers (Explorer/Firefox), Microsoft Office, Adobe Reader, Adobe Flash, Adobe Shockwave, and Oracle Java. In order to make your computer as secure as possible, you need to make sure these programs are updated when new anti-virus files are released.

Sign up for the automatic updates that install anti-virus files. Hackers are often on the lookout for systems that don’t have the latest safeguards. And look into anti-virus software, again with automatic updates.

2. Ensure that frequent backups are performed

Backups are extra copies of data. You can use them to restore data if your working copy is lost. Store your backups off-site, away from the main copy of your data.

If your critical business data changes frequently, aim to back it up daily. Alternatively, you could back up only the data that has changed, instead of backing up all your data each day (this uses less storage space and is quicker). Backup software can schedule and manage backups automatically.

3. Ensure that each user has a unique user name and ID, to assign accountability

Organisations need to be able to confirm who is attempting access to the system, and be able to control what employees are permitted to see or modify, based on their role in the company. The company should have a written policy stating all IDs and credentials are to be used only by the people to whom they are assigned.

4. Ensure that strong passwords are established

Passwords provide the first line of defence against hackers. The stronger your password, the more protected your computer will be from hackers and malicious software.

A strong password is at least eight characters long, does not contain your user name, real name, or company name, does not contain a complete word, is significantly different from previous passwords, and ideally contains characters from each of the following four categories: uppercase, lowercase, numeral, and symbol.

Avoid common passwords. For example, words found in the dictionary are not strong.
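The rules above can be checked automatically when a password is set. The following is an added example, not part of the original article: the function name, the constructed word list and the 0.7 similarity threshold are assumptions, and previous passwords are assumed to be available only at the moment of change.

```python
import difflib

# Constructed sample list; a real check would load a full dictionary and a
# list of commonly used passwords.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "summer", "secret"}

def check_password(password, user_name, real_name, company,
                   previous=(), words=SAMPLE_WORDS, max_similarity=0.7):
    """Return the list of rules the password breaks (empty list = acceptable)."""
    failures = []
    lowered = password.lower()

    if len(password) < 8:
        failures.append("shorter than eight characters")

    # User name, each part of the real name, and each part of the company name.
    identifiers = [user_name] + real_name.split() + company.split()
    hits = sorted({i.lower() for i in identifiers
                   if len(i) >= 3 and i.lower() in lowered})
    if hits:
        failures.append("contains a name: " + ", ".join(hits))

    found = sorted(w for w in words if w in lowered)
    if found:
        failures.append("contains a dictionary word: " + ", ".join(found))

    categories = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in categories.items() if not present]
    if missing:
        failures.append("missing categories: " + ", ".join(missing))

    # "Significantly different" is approximated with a similarity ratio;
    # the 0.7 threshold is an assumption, not a figure from the article.
    for old in previous:
        ratio = difflib.SequenceMatcher(None, lowered, old.lower()).ratio()
        if ratio > max_similarity:
            failures.append("too similar to a previous password")
            break
    return failures
```
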

5. Ensure that sensitive data is encrypted

Many technologies are available to encrypt data to ensure its privacy and integrity. Essentially, they ensure that data remains confidential, that it cannot be modified or copied, and that any lost elements can be detected. Algorithms have become the industry standard to encrypt and decrypt data.

The Secure Sockets Layer (SSL) protocol, developed by Netscape Corporation, is an industry-accepted standard and is supported by all currently available web servers and web browsers.

6. Restrict the use of direct access database tools on your network

The rationale for this control is knowing and controlling where access to the database is coming from, and being able to identify who is accessing it.

7. Ensure that adequate audit logs are enabled for your network

Auditing is the monitoring and recording of databases. If you are auditing to gather information on how particular databases are used, audit only pertinent actions, to save time. After you have collected the required information, archive the audit records of interest and delete the trail. When auditing for suspicious activity, protect the audit trail so that audit information cannot be added, changed, or deleted without being caught.
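One way to make an audit trail tamper-evident, shown as an added example that is not part of the original article: each record carries a keyed hash (HMAC) of its content and of the previous record's tag, so a changed, inserted or removed record breaks the chain. The function names, record layout and sample entries are assumptions, and the key and the latest head tag are assumed to be kept off the audited system.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # starting value for the chain

def _tag(key, prev_tag, entry):
    # Canonical JSON so the same entry always produces the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

def append_record(trail, key, entry):
    """Append an entry; return the new head tag (keep a copy off the audited system)."""
    prev = trail[-1]["tag"] if trail else GENESIS
    trail.append({"entry": entry, "tag": _tag(key, prev, entry)})
    return trail[-1]["tag"]

def verify_trail(trail, key, expected_head):
    """Return None if intact, else the index where verification first fails.

    An index equal to len(trail) means every stored record is genuine but
    the end of the trail does not match the saved head (records removed).
    """
    prev = GENESIS
    for i, record in enumerate(trail):
        if not hmac.compare_digest(record["tag"], _tag(key, prev, record["entry"])):
            return i
        prev = record["tag"]
    return None if hmac.compare_digest(prev, expected_head) else len(trail)

def build_sample_trail(key):
    """Constructed audit entries for demonstration only."""
    trail, head = [], GENESIS
    for user, action, obj in [("mkila", "SELECT", "customers"),
                              ("mkila", "UPDATE", "invoices"),
                              ("dba01", "DELETE", "invoices")]:
        head = append_record(trail, key, {"user": user, "action": action, "object": obj})
    return trail, head
```
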

8. Ensure that unwanted data on hard-drives and other media is properly disposed of, through degaussing, shredding, etc.

While data might no longer be needed by a business, it might still contain sensitive company or customer information. Ensuring that this unwanted data is properly destroyed prevents criminals from getting their hands on it.

9. Update the operating system and software as often as possible to protect against new bugs and other weaknesses

Despite extensive testing, all operating systems and applications are released with ‘bugs’ (errors in the software) that affect security, performance, and stability. Many hacker attacks are based on exploiting faults in the computer code of applications and operating systems.

Once a bug is discovered, the software manufacturer often releases a piece of software to correct the bug. This software is often called a patch, hotfix, or service pack. It is critical to install these when you are notified.

10. Educate staff on security matters, fraud, etc.

Employees may be your biggest point of vulnerability when it comes to fraud, but they are also your first line of defence.

Hold regular training sessions on basic security threats and prevention measures, both for new hires and seasoned staff.

Reinforce the training by instituting policies that guide employees on the proper use and handling of company confidential information, including financial data, personnel and customer information.

An IT Audit director, chartered accountant and certified security system specialist, Robert Blackman is Director, Assurance & Advisory Services (IT) at Deloitte Touche Tohmatsu’s Papua New Guinea office.