It is also important to have adequate ventilation and fans to circulate the air through the servers so that the temperature inside the computer chassis remains cool as well.

Additionally, it is useful to put monitors in the server room so that if the air conditioning fails at night or over a weekend, alerts will be automatically generated to notify appropriate personnel who can come in to fix the problem before the servers are damaged.

While you are at it, lock your server rooms to prevent intrusion, monitor for floods if that is an issue in your building, and use appropriate power filtering to prevent electrical surges and spikes from damaging your servers.

Please post your comments on this blog.

Let’s see—the only way I can think of is to never share any client data with your employees—ever. Even without computers, if an employee is privy to client data, they may “steal” that and use it for other purposes.

The goal is to protect private client data—and you may choose to never enter that into a computer system your employees can access—or never enter it into a computer at all.

If your employees do want to access client data, and you just do not want the employees to be able to easily take large amounts of information, the challenges increase dramatically. Even so, the possibilities are closer than you may realize. Thanks to application delivery and virtualization technologies, you can allow employees to work from home, or the office, without having information stay resident on their computer. You can also restrict them from being able to:

• Save to a local drive
• Print information
• Copy and paste outside your protected space
• Or otherwise retain any information

However, there is little to stop an e-savvy employee from using a digital camera to take a screenshot, or using a yellow sticky note to write down someone’s credit card information or social security number. At least these kinds of activities take “time,” so you are restricting the speed of stealing data.

For what technology cannot solve, your corporate legal advisors can step in. They can help you with non-disclosure agreements, acceptable usage policies, and other agreements for your workers to sign. The key point here is that these do not necessarily prevent the theft, but they do provide you some recourse if the employee is ever caught.

There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know someone who does offer IT security insurance.

In some organizations, prevention is crucial. Once the data gets out, the organization may be damaged beyond repair.

To prevent an employee from e-mailing themselves a client list, there are Data Loss Prevention DLP tools available in the world. They watch for suspicious behavior and can quarantine such messages before sending them out. That delay gives the responsible person in your organization the opportunity to stop the data before it leaves.

There are other strategies as well:

• Provide people with only the information they need to know. A good book full of these examples is Blind Man’s Bluff: The Untold Story of American Submarine Espionage by Sherry Sontag and Christopher Drew.
• Rotate employees through specific duties so their time to do harm is limited.
• Force employees to take mandatory vacations during which time illegal behaviors may be detected.
• Have a separation of duties such that it would be difficult for one employee to commit fraud all by themselves.

While “total protection” may result in your employees not being able to function, there are strategies that can provide you with both productivity and security.

Please post your comments on the blog.

IT security is frustrating and gets in the way of productivity. IT security can be expensive—but less now thanks to all of the competition in the marketplace for IT security products and services. Heck—lots of IT security is built into the Microsoft Server operating systems—and even Windows 7 for that matter. One just has to “turn it on.”

To me, the key concept relating IT security and productivity is to get away from the “either, or” way of thinking. In other words, you CAN have BOTH security and productivity! If you feel you have to give up productivity to be secure, I feel confident there is a solution that will let you have lots of both.

Granted, almost always, there will be some compromise. You may have to choose between being:

• 90% secure and 100% productive, or
• 100% secure and 90% productive

The choice is up to whoever will be held responsible for a data breach—probably the owner, CEO, board etc for the organization. I generally lean to the first option in many cases.

Key point: This decision is NOT and I repeat NOT up to IT. I feel it is IT’s responsibility to alert executives to any such trade-offs so that the executives can make an informed decision since they have to live with the consequences of their choices.

I wonder just how much money in the purchase price of a new car has to do with the door locks and the key used to start the car? How much added frustration do we experience in our lifetimes due to having to lock, unlock, and start our cars with a key throughout our lives? Yet, our vehicles are productive and secure without having major conflicts between those two attributes.

On a tangent: If users could “see” someone stealing their data or borrowing their computer the way they could see someone borrowing their car, users would be more attentive to IT security.

Please post your comments on the blog.

This is a concern for identity theft and also a source for other private information falling into the wrong hands. Organizations that fall under HIPAA compliance, Gramm-Leach-Bliley Act, PCI-DSS, and other regulations are sometimes more sure of the risk.

Earlier this month while I was performing an audit on a client’s network, he explained that he refuses to allow his staff to “outsource” making copies even to their CPA firm. He does this in order to “isolate” the area he needs to protect. He has a strict policy that documents can only be copied using copy machines in their office.

One of my readers is in contact with an organization that processes used copiers and they make sure to erase the hard drives before the copiers go to new owners.

If any of you are specifically seeking a copy machine security specialist, the CBS video interviews John Juntunen and it appears his web site is www.copiersecurity.com. The phone number on the web site is 530-672-9300 if you want to explore his services. The web site shows they offer a service that will remove your copier’s hard drive, destroy the drive, and replace the destroyed drive with a new drive formatted for use with that copier. They also offer anti-tampering kits to help you monitor your copiers to at least know if someone has accessed the data on the hard drives.

One point he made in the interview is how many companies do not seem to care about security until they have a breach—and then it is too late. I’ve felt the same frustration in the past. Security, be it in your computers, servers, or copy machines, is an important issue!

Please post any of your experiences or additional ideas about copy machine security here on this blog.

Spouses and children tend to engage in online behavior that can lead to infections on your home computer. They visit many web sites, participate in instant messaging and social media, and may even share files with “friends.” Spouses and children may sometimes ignore important system messages and also sometimes “fall for” bogus system messages designed to allow a virus, worm, or Trojan to infect your computer.

Then, when you sit down to do your online banking, your account may be compromised.

Maybe now is a good time to treat yourself, or your family, to a separate computer. Here are 7 quick tips to perform on any new computer to help keep it safe: http://www.fosterinstitute.com/blog/7-quick-tips/

A strategy that keeps gaining ground is the concept of “white listing” applications. In plain English, this means your computers have a list of programs that are on the “approved” list to run, such as Word, Firefox, Acrobat, Excel, etc.

Then, any other program cannot run. Period. That means virus 1, virus 2, virus 999, etc. is not allowed to run. This solves the whole problem of needing anti-virus. In theory, even if a virus does come into your network through e-mail, web site drive by download, or Ernie in shipping carrying in an infected memory stick, it doesn’t matter. The virus cannot run anyway!

The challenge lies in your IT department being able to keep an organized white list of “approved” programs. When an update to a program arrives, the new update has to be listed too or it will not run.

Many providers are offering solutions including Bit9 Parity and Lumension Application Control and there are constant advancements in making administration even easier.

Yes, some day anti-virus may be old news and never used again.

You can watch the short video on this story. Keep in mind that more and more social media tools are offering a service, sometimes turned on by default without your knowledge, to broadcast your GPS position.

Choose your friends online wisely. Watch two videos that demonstrate this principle:

• Facebook Identity Theft: Office Romance Goes Wrong When Facebook Profile is Hacked
• Car Wreck Car Crash and Social Internet Safety

For suggestions on how to be safe online using social media, visit www.learntobesafeonline.com

Without getting into the technical details, robust virtualization technology exists today that allows your operating systems and applications to be easily portable from one computer to the next, and even delivered to a machine quickly through the Internet.

This means that if a disaster strikes your main office—even a power failure that exceeds the capabilities of your standby power generator—your servers can basically migrate themselves to servers operating in one of your other offices or a safe data center of your choosing.  Keeping this in plain English: your users will still be able to get their work done as if nothing happened.

In the past, this kind of protection was very expensive, and now the prices are spiraling down. Some of the technologies you put in to save money on servers today, like server virtualization, come with this DRP advantage as a “side benefit” if you use it.  As you add technology to support remote users or simplify the IT management in your organization, like Terminal Services or Citrix Xen, also add the possibility for robust DRP.

As you upgrade your systems—be sure to get advice from a qualified professional about getting your Disaster Recovery Plan in order!

First of all, read this short blog post about full disk encryption:
http://www.fosterinstitute.com/blog/laptop-data.html.

Next, if you haven’t already, notify at least one of these agencies:

• Equifax www.equifax.com 1-800-685-1111
• Experian www.experian.com 1-888-397-3742
• TransUnion www.transunion.com 1-800-916-8800

I’d suggest you consider signing up with one of them for their monitoring service such as Equifax ID Patrol or Experian ProtectMyID.

The other main step I would take is to log into your banking sites and set up “alerts” that send you a text message or e-mail you DAILY a message of all charges and other activity on the account. Some banks even allow alerts in real time as the activity occurs. That way you can keep a really close eye on things and, if anything looks out of the ordinary, call your bank ASAP.

If you are protecting any of your accounts with a “mother’s maiden name” as a secret word for when you phone in, change that code too—it is too easy to figure out.

The FTC offers even more detailed advice here:
http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt07.shtm.

Businesses focus on IT security, especially after they experience a breach.

Consumers also bombard me with questions after my presentations saying they want their home and family to be secure.

I built a not-for-profit web site (www.LearnToBeSafeOnline.com) with short instructional videos to help consumers be safe online. To date, only 500 visitors in 3 months have viewed videos on the site.

Maybe there is less traffic because the site does not answer their needs, the videos are confusing or boring, or is it just that our demanding lives in 2010 push IT security way down the list below other more pressing matters at home?

In my own family, we focus on school, homework, after school events, doctor appointments, the pets, and pretty much everything else we feel will provide the best possible upbringing for the family. And, yes, that includes weekly dates for my wife and me away from the kids.

IT security is a big priority at our household, although it is largely “hands off” since the processes are automated and the systems take care of themselves. Maybe that is the disconnect—many families don’t know where to start, fear they will be confused, so they decide, consciously or unconsciously, to deal with computer security “first thing tomorrow” and focus on more pressing issues instead.

If nothing else, I sleep better at night being able to send people to www.LearnToBeSafeOnline.com when they ask questions like, “How do I stay safe on Facebook?” or “How do I make my WiFi wireless networking secure at home?” I’m also happy to give you a place to send people who ask you the same questions.

If you want to, please respond on this blog with your ideas on how we can help consumers realize the importance of IT security before they experience a problem of some kind.