August 2009

 

Greetings from “Your IT Department”!

 

Spending to improve network security continues to lead all other investments in network technology by small and large companies. With a recent report on hackers who have compromised over 130 million credit card numbers, it’s no wonder. Likewise, the stimulus spending that is driving significant investments by both large and small health care providers in converting to electronic health records requires increased security standards and technology solutions to protect confidential patient information. However, effective information security policies can do more to protect against confidentiality breaches than all the money spent on technology solutions to protect your networks. The foundation for a good, stable and healthy network is formed by policies and controls that are in balance with business operations.

OurTech Solutions is dedicated to protecting our companies' networks from data loss and theft. There are a few basic information security policies every company should have at a minimum, whether large or small. Employees need to understand acceptable boundaries to help prevent network compromises. Read our feature articles to discover which basic policies you might be missing and to create secure passwords you can remember. Does your IT service vendor provide your company with effective information security policies and practices? If not, consider coming to OurTech Solutions. Call 778-7999 for a confidential discussion.

 


  

 


 

Tips and Tricks
Get More Out of Vista
Cindy Troyer, Vice President, OurTech Solutions™

 

Vista Backup
The Business, Home Premium and Ultimate editions of Vista include one of the most critical programs you can find on any computer, an easy-to-use backup for your data. From the Start menu, go to Accessories, then System Tools, then Backup Status and Configuration. The application is very straightforward, with options to back up or restore your PC or even individual files. You can also set up an automated backup system to back up daily, weekly or monthly, or you can choose to back up immediately. You can save to an external hard drive, a NAS or another network device. The process is so simple that setting it up should be one of the very first things you do—if a disaster happens, you'll be glad you did.

Snipping Tool
Your keyboard's Prt Scrn key has now become obsolete. Vista's Snipping Tool (found in the Accessories folder on the Start menu) allows you to capture a selection of the screen. Just start up the tool, click and drag the mouse until you've outlined the area you want to use, then release the mouse button. Once you've gotten your snip, you can draw on it with a pen tool, copy and paste it into another document, and save it as a graphics file.

System Health Report
Do you want to make sure that your computer is operating efficiently? Use the Reliability and Performance Monitor, which you'll find in the Control Panel. Once in the Control Panel, go to System and Maintenance > Performance Information and Tools > Advanced Tools > Generate a system health report. Windows will check disk drives, drivers, software and hardware configuration, and many other things to give you a complete view of the condition of your workstation. If the Reliability and Performance Monitor finds a problem, a detailed explanation will help you to find out how to resolve it.



Can You Survive A Network Compromise?

A True Story
Derrald Farnsworth-Livingston, Vice President of Systems, OurTech Solutions™

 

February of 2003 had a dramatic impact on Bob Troyer (OurTech’s CEO, and former CEO of Data Processors International) and me physically, emotionally, and professionally. By March of that year, I had probably gained 10 pounds, on my way to gaining 30. Bob lost a total of 30 pounds. While Bob may have gained most of that back, I’m still working on losing mine. Emotionally, Bob and I were drained, tired from countless hours of being in the office working day and night for months at a time. Professionally, everything we knew about our business had changed in a matter of seconds. The entire industry shifted under us and left us scrabbling to grab hold of something solid.

So what was the event that had caused such major changes in our lives? Identity theft. Not just any identity theft, but the largest reported credit card hack up to that time. Over 10 million credit cards had been siphoned out of the Data Processors International servers by the Russians via a Chinese-implanted backdoor. The good news? One of the perpetrators was eventually caught, not because of the hack itself, but because of a completely unrelated charge.

The scenario I illustrated, while true, does sound like something out of a Hollywood film. The actuality is that important data is often easy to obtain. Many companies lack security, believing they are immune: “We don’t have any really sensitive data,” “No one would ever hack us,” “We are not a financial institution.” What these business owners don’t realize is that most hackers attack the easy-to-infiltrate targets. Perhaps you run a dry cleaning business or a restaurant; all companies have some sort of sensitive customer data. In most cases the information is easily obtainable by individuals on the Internet looking to pawn the information for seedy purposes.

 

Best case scenario, if the breach is discovered, most states have laws that require that you disclose that you were hacked, forever muddying your company’s reputation. Worst case, and very common, your business is closed down by the stacks of lawsuits and imposed penalties.

As a result of what Bob and I had endured, we resolved to build a company that would help other companies avoid that very scenario. One of the major benefits OurTech’s clients enjoy besides routine maintenance is a monthly report that includes, among other items, important security patch reports and virus removal – two key components in a good defense against infiltrators. Additionally, a yearly report with recommendations is produced to ensure that the network is configured, secure, and operating properly. Third, and perhaps the most important tool, is the availability of written policies. These human resource policies mesh well with technical policies that can be implemented and are a key defense in many litigation actions.

With that I will leave one parting thought – no company is completely impenetrable. If a hacker wants something bad enough, there is a way. The key is to not be the easy target – the low-hanging fruit, the companies that the hackers train on before moving on to bigger and badder things. By instituting some sound security policies, both in HR and technically, most companies can avoid becoming a headline in tomorrow’s paper.


 

Basic Information Security Policies Every Business Should Have
Robert Troyer, CEO, OurTech Solutions™


Policies and controls that are in balance with the business operations are the foundation for a good, stable and healthy network. These policies and controls help define a concise set of behaviors to ensure a secure and enabling environment in which a business may use and manage its information resources to protect against data loss, service disruption, misuse, unauthorized access and the potential for legal proceedings against the company resulting from such loss and misuse.

 

OurTech suggests that these directives and policies should be designed on the basis of “that which is not explicitly allowed is explicitly denied”. Attempts by anyone to access, monitor, use or share information that is not explicitly allowed to them through policies should be considered a security violation. The security of a business’s information should not rely on a single means of protection when multiple means of protection are available.

 

We recently helped one of our clients implement some basic information policies to help protect their systems against unauthorized access and provide their employees with a workable set of policies to help define acceptable and unacceptable network computing behavior. It often comes as a surprise to company management that employees actually prefer to know what acceptable boundaries are within their network office environment. Most employees don’t intentionally plan to cause network problems or security concerns; they just don’t know how to avoid creating these situations without the proper education.

 

As you move up into larger corporate environments or if you are in a highly regulated industry, the extent of required Information Security Policies can be overwhelming. For most small businesses, however, the implementation of some very basic policies can go a long way towards improving overall network security and providing the proper guidelines for employee acceptability.

 

So what are these basic policies? At a minimum we recommend every company have these policies: Internet Access and Use Policy, Remote Access Control Policy, Electronic Message - Email Policy and a Customer Privacy Policy.

 

A well-defined Internet Access and Use Policy can greatly help protect against malware threats from the Internet. A virus that enters your systems because of uninformed employees can infect every single customer in your email contact list. A severe virus incident can shake your customers' confidence in your company. An Internet Access and Use Policy can also help cut down on the amount of time employees spend on non-business-related web sites.

 

A Remote Access Control Policy explains under what situations employees can access the network externally and under what safe operating conditions. An effective policy can also help employees understand which methods are the most secure and the most effective for accessing the network externally. There are times when accessing your network through a terminal server application is far superior to accessing it using a VPN solution. Understanding the difference can not only make you more secure but also help improve the experience of working remotely. A Remote Access Control Policy defines the best situation for working remotely.

 

Electronic Message – Email Policy. Are your employees informed of your right as owner to review any emails sent or received through your corporate-sponsored email system? If not, they should be, to avoid potential litigation. I recently visited a prospective customer’s office where the conversation turned to employee email use. A manager of the company told me they had just recently fired an employee for making derogatory statements about other employees using their email systems. I casually mentioned that of course they had an email policy that prohibits such types of behavior. The manager said, “Oh no, everyone knows you can’t say that kind of stuff using email.” Well, of course this is not true. Very likely this employee could have sued for wrongful termination and invasion of personal privacy. Employees need to understand in no uncertain terms that the company maintains the right to review all email sent or received from its offices in order to protect itself against suits. Here’s another classic example of where the lack of a clear policy leaves a company with the possibility of facing a future lawsuit.

 

Finally, an On-Line Customer Privacy Policy helps the company protect itself against the unintended consequence of redirecting a customer from a link on its corporate web site to a site that contains a virus or spyware. Your customers should know and be forewarned that you cannot possibly police every web site and that they should use their best judgment when connecting to another website. As identity theft continues to be an ever-growing problem in this country, more and more customers are demanding to know what businesses are and are not doing to protect their personal or private corporate information. If you haven’t already given this type of policy serious consideration, start now.

 
