Some IT professionals tell me that their “boss” came down and said, “Give company such and such access into our network to access our data files so they can provide such and such service.” If the IT professional was brave enough to object to the “order,” they often got shot down.

If your IT professional knows anything about security, they get some pretty sweaty palms when opening up access to other companies. Their nights of restful sleep are probably over at that point too. And so should the executives be terrified!

Please do NOT open up your network for access by third party companies. I run into this at four or five companies a month and it has to stop!  Do you realize that:

• If the other company catches a virus, you probably will too?
• If an employee at the other company wants to steal your data, destroy your information, and even store illegal information at your office, they can?
• If you have a security problem, the other company may come after you for damages you cause on their network?

Indeed, it is feasible to outsource some of your services and functions into the “cloud.” More and more organizations are doing this.

The important part is to connect to the other entity in a responsible way! Allowing them unfettered access into your network is often a reckless choice.

The primary reason we perform vulnerability assessments as parts of security assessments is to generate an inventory of all the computers currently alive on the network and a list of vulnerabilities those computers have.

The challenge is that the human brain loves a “list of what’s wrong.”  Most of the IT professionals at organizations go immediately to work solving the identified problems thereby “killing alligators.”

We always implore executives and IT professionals alike to focus on “draining the swamp” in addition to, and sometimes instead of, “killing alligators.”

In our ongoing effort to help IT professionals and organizations focus on strategic, as well as tactical, plans to take IT to the next level, I sometimes feel like a dentist who hands out new toothbrushes as well as a gift certificate to the local candy store in the same visit.

Vulnerability assessments are wonderful—just remember to focus on the one or two strategic changes that can fix one hundred or more tactical issues.

Before I could catch them, these words spewed out of my mouth: “We need more government regulation of businesses.”  I immediately stopped, appalled at what I had just said, and stood there in disbelief.

The fact is, due to a number of problems in organizations, IT security too often gets pushed to the back burner. Next week’s blog entry will deal with those reasons. Do we need more laws to force companies to be secure? For the responsible companies I work with, I say “No! Enough regulation already!” I know they are taking steps to be more secure. But for those companies that send the rest of us letters notifying us of breaches, I think we all would have been happy if some regulation forced them to be more careful with private information. PCI-DSS standards for companies that accept payment cards is still a regulation—except in Nevada where it is now a law. Minnesota also has laws around the core requirements of PCI-DSS.

I used to be totally against some government regulations, but as I see some organizations being careless with your private data, I wonder if a little regulation might go a long way? Please respond with your comments on this blog.

The theory is that, if the “online banking only” computer is only used for online banking and nothing else, the computer is less likely to be infected with viruses, key loggers, and other malicious software.

Having two computers comes at a huge cost to convenience for the people in your office that need to perform online banking. That means they need to have two computers at their desk. They could use a KVM switch to use their same keyboard, monitor, and mouse to switch back and forth between the computers.

Your IT professional might be willing to set up a virtual machine on the regular machine to use for online banking, but IT will still need to keep that virtual machine current with patches and protected with anti-virus. The end-user may become confused using the virtual machine and reject the idea completely.

Controls would probably need to be put in place to limit access to banking web sites to the single machine so no employees ever “cheat” and use their own workstation to access online banking.

On a positive note, an inexpensive computer would be more than enough to handle the online banking, and there are tools like Microsoft’s Microsoft Steady State and Deep Freeze (http://www.faronics.com/html/deepfreeze.asp) that can help lock the machine down to a single purpose and help protect from infections.

Do you dedicate a single computer for your online banking tasks? What is your response to the ABA’s advice? Please add your comments to the blog.

Executives at companies who have never experienced a breach are the ones who feel they cannot enforce their policies.

After a breach or a lawsuit, I see the executive iron fist slam down and things start happening like:

• Forcing employees to sign an acceptable usage policy that forces them to agree to safe data practices.
• Training for employees on security training.
• Technology protection like web site filtering, data loss prevention, and computers that force users to follow the rules by restricting unauthorized behavior as much as possible.

Isn’t it sad that many companies have to go through the “bad thing happening” before they take action?

The topic of employees working securely from a remote location comes up in almost every IT audit I do with companies. There are many methods for employees to work remotely, and with the potential threat of the Swine Flu looming, now is an important time to be sure your employees can work remotely.

The problem with allowing employees to connect through the VPN to your network from their home computer is that the computer could contain viruses and other malware. One solution many organizations are moving to is Citrix Xen to deploy applications to the home computers in a more secure fashion.

The crucial thing to remember for now is that whether or not the Swine Flu does kill a lot of people, the psychological reaction itself could cause major problems for your business if your employees refuse to come in to the office to work. For other non-IT related tips, check out  http://www.cdc.gov/h1n1flu/

The answer is simple – whichever one your local qualified IT professional recommends. Please note I said “qualified.” I hear so many stories from executives that start out with, “My brother-in-law who knows all about computers told me that I should do such and such and now nothing works right anymore!” Yes, brothers-in-law are often much more fun to work with than an IT professional, so I encourage you to find an IT professional who is both fun to work with and makes his living being successful at IT.  This is your family’s safety you are talking about here.

The important reason to go with the device recommended by your local qualified IT professional is that they are familiar with the device. That way, when your device stops working at some crucial moment and says something less than helpful such as, “error number 64553,” your local IT professional will know exactly what to do. They have seen that issue fifty times before and can fix it in their sleep. Even better, they have anticipated the issue and have already taken steps to ensure you never experience the problem in the first place.

What makes a good firewall good? Several things – and most of the answers are very technical. This blog is dedicated to business professionals who want to know about IT in plain English. Better firewalls examine the actual data being transmitted.

For one thing, to compare your network information to snail mail, better firewalls open up the envelopes and read inside before they decide to let the information travel on your network.

Better firewalls allow you to connect a secure tunnel to your office through a technology called VPN. VPNs can cause a lot of trouble if they are not set up correctly – such as allowing all your home computers to infect your office computers with everything your kids accidentally download. When set up properly, however, they can be a wonderful help in security.

More advanced firewalls can block material from web sites too. Think of parental controls. The better the service, the easier it is for you to configure. Technology can be simple and easy in many cases.

Better firewalls can also give you an experience of your information getting to you faster. In addition, through giving different types of traffic different priorities, you can make the most of your connection to the Internet.  In other words, if your kids are listening to online radio, you can give your connection to the office a higher priority.

Another example is that if your internet service provider is unreliable, you can get two providers, such as DSL and Cable. Then the router will load balance to give you the fastest connection at any moment. If one of the services fails, again, then the router will fail over to the service that is still working. The result is that your network connection experience on your computer stays good.

The bottom line is that you can invest a little bit more in your home router and firewall to gain big benefits.

Do not connect to any networks other than your own. That way you know your IT professional has made your own network as safe as it can be.

However, what if you travel with your laptop and you want to connect? Consider using a wireless broadband solution from AT&T, Sprint, Verizon, or one of the other services.  These cards offer coverage in most populated areas. Most of them will give you a 30-day trial to see how well you like the service. I use multiple companies and it is very rare that I cannot connect with at least one of them. I have four broadband cards with me on the road today in fact. You do not need four cards, just one.

In addition, if you are going to connect at hotels and hotspots, then you are strongly advised to allow your IT professional to provide you with a VPN or some other encryption to protect your information while you are in your hotspot.

See the video http://www.keepmynetworksafe.com/hackingvideo.html that shows how people can monitor your traffic unless you allow your IT professional to protect you.

Any IT professional who has worked with IT security knows the importance of ongoing diligence to keep the network secure. That is why they come to their bosses and managers requesting budget items including centrally managed operating system patches, Internet filtering tools to block malicious code, updated firewalls, robust anti-virus solutions, and other proactive defensive devices. Many executives empower their IT professionals to put these items in place right away. Organizations, after they have suffered a loss, lament about what they “would have, could have, and/or should have” done. Reasons vary greatly.

Budgetary: Some IT professionals explain that they did not even ask their manager to allow them to install a robust firewall since the IT professional felt their manager would refuse the relatively small investment. Some good news is that most security solutions are relatively inexpensive these days – certainly less expensive than a successful attack.

Political: Often, IT professionals do not want to be seen as “the bad guys” restricting users from downloading tools like LimeWire and using instant messenger. This is especially true when IT is outsourced to an IT services company. The outside company wants the users to remain happy so they “keep their job.” This is also true with in-house IT professionals who want to keep their executives and managers happy. I encourage IT professionals to have the courage to speak up, in a kind and gentle way, about how important security is to an organization.

Technology knowledge: Just as you would not go to a brain surgeon to operate on your knee, not all IT professionals are proficient in every area of IT. Be sure your IT professional gets enough IT security training or outsource to someone who can help him or her with the security. The same holds true if your IT professionals will be upgrading you to the latest mail server program. Be sure they are qualified and support them being able to say, “I do not know how to do this and it will cost the company more for me to take time to learn than to outsource this to a local company who will perform the installation for us.” IT is important that your IT professional know they will not lose their job if they know where they are proficient, and where they are not. Could you imagine a hospital firing a cardiologist because the cardiologist refused to deliver babies on weekends too?

Whatever the reason, if you have been putting off your IT security, now is a great time to batten down the hatches.

Click here to view the computer hacking video demonstration

This video demonstrates how someone might watch your traffic while you are in a hotel, coffee shop, hot spot, or even your own office. Check it out and post your comments below!