The enterprise's worst enemies when it comes to information
security are usually found within its firewall. They
are generally well-meaning employees guilty of neglect
or ignorance rather than hackers who are motivated by
malice.
Today, in a world that is driven by online information
and systems, there are only two kinds of businesses:
those that have suffered a loss of important business
data and those that are likely to sometime in the
future. In the case of the latter, IT managers are
convinced that they have taken sufficient steps to
protect their business against data loss.
However, putting up a firewall and rolling out some
anti-virus software is no longer enough to protect
one's information assets. As data moves out of the
data centre and out into the environment of distributed
computers, notebooks and handheld devices, IT managers
are finding themselves robbed of control over information
security.
Because internal staff are responsible for the mistakes
that leave companies vulnerable to loss of their data,
it is critical for IT departments to roll out systems
that automate as many crucial security processes as
possible. In addition, IT management should also ensure
that they have solid disaster recovery plans in place
so that they can quickly restore the data and systems
the business needs to operate if they should suffer
a serious security breach.
Here is a quick rundown of how your own people may
be your worst enemy in information security:
End-users
End-users are guilty of a number of sins that
make the enterprise vulnerable to security breaches.
They open unsolicited e-mail attachments or install
software downloaded from the Internet without verifying
their sources and checking their content. They neglect
to install new security patches or update their antivirus
software. Many neglect to make and test back-ups,
and flout corporate policy by dialling up to the Internet
while connected to the local area network.
Senior executives
Senior executives, in terms of new corporate governance
guidelines such as the second report from the King
Commission, are expected to shoulder ultimate responsibility
for risk management issues including business continuity
planning and information security.
However, most are still wrestling with the practical
implications of these responsibilities. Often, they
fail to understand the relationship of information
security to their businesses. They understand physical
security but do not see the consequences of poor information
security because they do not realise just how much
a security breach could cost them in bad publicity,
brand erosion, loss of faith among customers and business
partners or even lawsuits.
The upshot is that many directors and managers make mistakes
such as assigning untrained people to maintain security
and providing neither the training nor the time to
make it possible to learn to do the job properly.
Often, they patch security issues as they arise instead
of dealing with the operational problems of security
on a day-to-day basis.
IT staff
IT professionals, perhaps, are their own worst
enemies when it comes to information security. To
make their own lives easier, IT staff often go against
best practice in information security by connecting
systems to the Internet before hardening them, connecting
test systems to the Internet with default accounts/passwords,
or using unencrypted protocols such as Telnet for
managing systems, routers, firewalls, and PKI.
Often, the IT department runs services that are unnecessary
to the day-to-day operations of the business - things
like ftpd, telnetd, finger, rpc, mail and the r-services - which
create needless vulnerabilities.
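An added audit check, not part of the original article, in the spirit of the point above: it reads a listing in the format of `ss -H -ltn`, flags listeners on the legacy services named (ftp, telnet, finger, sunrpc, smtp, the r-services) and records whether each is bound network-wide or to the loopback only. The port numbers are the IANA defaults; the sample listing and the function names are assumptions, and on a live host `ss -H -ltn | audit_listeners` replaces the constructed input.

```shell
#!/bin/sh
# Map a TCP port to one of the legacy services the article calls needless.
# Returns 1 for any port not on that list (assumed mapping, IANA defaults).
risky_service_for_port() {
    case "$1" in
        21)          echo "ftpd" ;;
        23)          echo "telnetd" ;;
        25)          echo "mail (smtpd)" ;;
        79)          echo "fingerd" ;;
        111)         echo "rpcbind (sunrpc)" ;;
        512|513|514) echo "r-services (rexec/rlogin/rsh)" ;;
        *)           return 1 ;;
    esac
}

# Reads `ss -H -ltn` style lines on stdin and prints one finding per
# risky listener as "<port> <service> <scope>", where scope is
# "network-wide" for a wildcard bind and "local-only" otherwise.
audit_listeners() {
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        svc=$(risky_service_for_port "$port") || continue
        case "$addr" in
            0.0.0.0|'*'|'[::]') scope="network-wide" ;;
            *)                   scope="local-only" ;;
        esac
        printf '%s %s %s\n' "$port" "$svc" "$scope"
    done
}

# Constructed sample listing (not captured from a real host): sshd and
# HTTPS are expected; telnet, rpcbind and rsh are exposed to the network,
# while the mail daemon listens on the loopback interface only.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 10 [::]:514 [::]:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*'

# Number of risky services reachable from beyond the host itself.
count_network_wide() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners | grep -c 'network-wide$'
}

printf '%s\n' "$SAMPLE_SS" | audit_listeners
```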
One of the most common mistakes they make is to neglect
to patch systems and applications when new security
holes are uncovered and to fail to regularly update
anti-virus software. Another common error is incorrect
configuration of security tools - the implementation
of firewalls with rules that don't prevent malicious
traffic from entering and leaving the network, for
example.
And when a security breach takes place that destroys
critical data and systems, they cannot initiate a
recovery plan because they have failed to maintain
and test back-ups.
The bottom line
There is no substitute for a secure, automated
back-up system - one that removes the responsibility
for back-up from the end-user and returns control
to the IT manager or department.

Ian van Reenen: director of technology, Attix5