Information Security

Whilst information technology enables businesses to achieve more than ever before, it also brings opportunity for the unscrupulous and the malicious. Protecting your business information systems and communications infrastructure from the uninvited is a specialist discipline built into our thinking.

IT Security can be broken down into 4 areas in order of risk:

1. Employees and Users

2. Virus and Malicious Software

3. Network Intrusion

4. Eavesdropping, Line tapping and Sniffing

Employees and Users

By far the greatest cause of security compromise is behaviour, naivety and misuse of systems by users. Training and enforcement are the tools available to the business to educate staff and users about the vulnerabilities they represent to the business.

A short course on the techniques used by the unscrupulous to infiltrate the business builds awareness and good practice. This should be backed up by enforcement through contracts of employment.

It is very important for the business to be aware of the harm that its employees, workers or external contractors can do to its computer equipment.  Users of computers who have access to the internet or external devices are able to access internal information and external media that could affect your business.  Here are just a few examples:

Employees could access external websites such as social networking sites and blogging sites.  Consequently they could be posting information that is derogatory to the Company and therefore a proper email and internet policy is advisable.

Employees could access external websites and download information from them which may harm your network, for example innocently downloading a virus via an email attachment.  It is therefore important to restrict access to certain sites or to bring to the attention of the user that such access will be a disciplinary offence.  A policy on this could be displayed on the desktop, and regular email or memo reminders should be sent to staff.

Use of external devices such as USB memory sticks, CDs, etc. must be prohibited or restricted.  Again, the use of such devices may mean an employee downloads information from an external device without knowing a virus is attached, or the act may be deliberate.  It is advisable to have an external device checked before it is introduced to the system or to have a complete ban.

*From the outset of employment it is important to ensure that restrictions are included in contracts of employment to prevent staff from stealing company information.  Company information may take the form of electronic data, including confidential proprietary information, supplier and customer lists. Drafting restrictive covenants is not easy: if the restrictions are too tight, then they may not be enforced, meaning you cannot rely on them.  It is advisable to take legal advice in these situations.

Furthermore, use of online shopping sites during work hours should also be prohibited or restricted to, say, 1 hour during the lunch break.

Virus and Malicious Software

Viruses are pieces of active software code designed to modify the business system in some way, and they are many and various. They are carried within or attached to normal legitimate software programs or media. Often they are carried by an innocent-looking email, screen saver or game with the usual enticement of being free.

These are combated by the use and regular updating of proprietary antivirus software. In addition, this software should be checked and monitored regularly to ensure its good performance.

As many of these forms of attack enter the business network via email, email washing by an external supplier improves security by removing this form of attack before it enters the business network.

Network Intrusion

The business network Internet connection creates this form of vulnerability. The unscrupulous will attack the business network interface to test its defences and attempt to infiltrate and place malicious code inside the network.

The use of good-quality, correctly set up and maintained firewalls reduces this risk. In addition, the software used to interact with and carry traffic through the firewall should be proprietary, tested and approved to ensure it does not carry weaknesses that create open opportunities.

Eavesdropping, Line tapping and Sniffing

This form of security risk involves the unscrupulous listening in upon the business's external network traffic and extracting data. For most businesses this form of security risk can almost be ignored, as most businesses do not transmit information of sufficient value to warrant this form of attack. This is the realm of the well resourced and highly trained IT engineer. However, this form of security vulnerability can be exploited from anywhere in the world.

**Where a risk is considered to exist, IP tunnelling and encryption should be used.

* The ICT Practice partner Vicky Edwards specialises in Employment Law and Contracts of Employment. If you wish to know more about drafting effective employment contracts please contact us.

** The ICT Practice partner Tirath Rai is accredited to NATO and has experience in testing and probing business networks for data transmission vulnerabilities.

 
Accredit UK

Registration No: CON/09/182

The ICT Practice is registered with the National Computing Centre as a Quality Assured Supplier and Members of the UK Information Technology Association.


© The ICT Practice 2010
