It’s hard to believe that Americans were once complacent about online security. Here is a management security checklist and a warning about mobile banking.
With good reason, Americans are increasingly concerned about their Internet security. However, in 2004, many Americans were not concerned about online security.
That is when security issues really began rearing their ugly heads, and when I wrote that technology companies were doing too little to safeguard businesses and consumers.
Then, we mostly just feared viruses.
Now, we increasingly fear a whole lot more — from bugs in web servers to malware and phishing.
In 2004, we first learned about increased security ramifications for business. We learned computer users ignored basic online security measures – even in tech-savvy Seattle.
Yet a nationwide study by the National Cyber Security Alliance (NCSA) and America Online revealed that 77 percent of computer users believed they were not vulnerable to Internet dangers.
But after dispatching experts to the homes of the 329 responding broadband and dial-up users in Seattle and 21 other cities, the NCSA study found some startling facts:
- 49 percent of broadband users did not use firewalls
- 60 percent of the participants felt secure from hackers
- 88 percent were unaware their computers were infected with spyware
- 67 percent failed to regularly update their computers with anti-malware software
- 19 percent of the group were infected with viruses
Not only were they a risk to themselves; it was unnerving to note that those computer users were also unwitting risks as online customers and as employees in both the public sector and business.
Customer data was also lost as a result of ineffective online security. Citing a 55 percent increase in attacks on government agencies, telecommunication companies and utilities in August of 2006, IBM launched its Global Business Security Index.
The company reported its customers were attacked 100 million times a month and that most attacks occurred on Saturdays and Sundays.
Stan Stahl, Ph.D., of Citadel Information Group, a widely known pioneer in security and the prevention of identity theft and a premier consultant, warned in 2004 that security was a big issue.
He is the expert on the Federal Trade Commission rules under the Gramm-Leach-Bliley Act governing the handling of non-public personal information by financial institutions.
He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.
His philosophy for a successful online security program includes:
- Protect information assets from attack.
- Detect illicit attacks on information assets.
- Quickly recover from attacks, accidents or natural disasters.
- Comply with applicable security and privacy laws, regulations, and policies.
Management security checklist
To protect the assets of both your customers and your company, here is his basic self-assessment management checklist:
1. Does your organization’s computer network contain sensitive or critical information?
2. Do you have an executive responsible for managing the protection of critical information assets, is this person explicitly trained in information security, and have you allocated budget and resources for protection?
3. Does the board or executive management review the organization’s information security posture at least semi-annually?
4. Has your organization documented information security policies consistent with its business needs, organizational structure, legal obligations, insurance policies, and risk management processes?
5. Is all critical and sensitive information explicitly identified as such and restricted to those having a “need to know”?
6. Are all employees and contractors provided regular ongoing information security training, including training in the safe handling of email and in password selection and protection, and are they held accountable for violations of security policy?
7. Have you coordinated your information security posture with customers, suppliers, and other trading partners whose computer systems you access or who access your computer systems?
8. Does your organization have documented recovery procedures to follow should a break-in, malware infestation or other security event occur?
9. Does your organization back up all workstations and servers at least weekly, are multiple back-ups stored offsite, and are back-ups periodically tested to ensure the ability to restore data if necessary?
10. Has your organization’s system architecture been explicitly designed in accordance with network security principles and practices, including the use of firewalls?
11. Is malware protection software on all servers and workstations and is someone explicitly responsible for monitoring malware alerts and ensuring that malware protection is up-to-date?
12. Is someone explicitly responsible for monitoring security patches and alerts, and ensuring hardware and software systems are up-to-date and properly protected?
13. Is access to servers, routers, and other network technology physically restricted to those whose job responsibilities require access?
14. Would you know if someone was illegitimately accessing critical information assets?
15. Has your organization had an independent third-party information security vulnerability assessment or penetration test within the last 12 months?
So, if security is a possible concern, I would follow Dr. Stahl’s advice.
Dr. Stahl’s Web site: www.citadel-information.com.
From the Coach’s Corner, phishing attacks are also possible in mobile services:
“Once again, the opportunity to make money trumps security,” Dr. Stahl says. “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”
“It is not just phishing attacks to which they are vulnerable. We can take over cells running Bluetooth. Cell phones (like my iPhone) are often automatically configured to connect to the web using a wireless network over which neither the user nor the bank maintains any control. (I’ve changed this default setting on mine.) And because there have been few cell phone attacks to date, the community has little experience in how buggy the software products are and how responsive the vendors will be in fixing vulnerabilities when they show up.”
For the bottom-line, he advises: “All in all, cell phone online banking is a big NO!!!”
See these resource links:
- Tips to Protect Against Hacking of Your Bluetooth
- 8 Tips to Avoid Being Victimized by Phishing Scams
- 4 Tips to Defend Against Hackers When Traveling Overseas
- Strategies for Retailers to Prevent E-Commerce Fraud
- Small Business Tips to Protect Your Bank Accounts
“We don’t seem to be able to check crime, so why not legalize it and then tax it out of business”