Smith & Gesteland Quick Tip

Computer Systems Security

You've heard more about security over the last couple of years than you probably cared to, but in today's world it can't be taken lightly. A survey of over 500 organizations conducted by the Computer Security Institute in conjunction with the FBI found that 90% had detected computer security breaches within the last 12 months. 80% acknowledged financial losses because of breaches.

Your company information is a valuable asset. You don't want to find the new product that you've been working on for months released by one of your competitors first.

Your image would also be tarnished if someone compromised your system and was able to steal personal information on your customers, including credit card information.

Computer security must address a number of areas, including:
· Security policies and procedures
· Internet firewalls and remote access methods
· Internal security
· Physical security

While no system is 100% secure, a reasonable amount of protection can be afforded by implementing some basic security practices. Unfortunately, many businesses fail to take these basic steps. There are many reasons for this, among them not enough time, overworked system administrators, insufficient knowledge or skills, and even a lack of concern or urgency.

Develop a security policy for all system users to follow; at a minimum it should address acceptable use of system resources and minimum password requirements. Security procedures should also be developed for the staff responsible for maintaining your IT systems. These include rules for configuring firewalls and remote access, as well as applying necessary security updates.

Part of the problem with computer security is keeping the operating systems and applications updated with patches to fix vulnerabilities. Last year alone Microsoft released 72 Security Bulletins regarding its Windows operating systems and applications including Office, Internet Explorer, and Media Player among others. So far this year it has released over 30. While it can be a daunting task at times, it's important that system administrators keep on top of the updates and apply them as necessary in order to keep their systems secure.

The SANS Institute and FBI jointly released a listing of the top 20 Internet vulnerabilities, which you can access at www.sans.org/top20. The list comprises the top 10 Windows vulnerabilities and the top 10 UNIX vulnerabilities. The majority of security breaches on the Internet exploit one or more of these weaknesses.

Keep in mind that unauthorized access to your computer systems from external sources is not your only concern. You will also need to take into consideration disgruntled employees, office visitors and others who can obtain physical access to your systems. Servers and infrastructure equipment should be secured behind locked doors. Systems should not be left logged in while unattended, and administrator, supervisor, or root accounts should not be used by system personnel unless that level of access is required.

Follow these steps to start making your company's computer systems more secure:

· Conduct a security assessment
· Take corrective action on results of the assessment
· Create a security policy and enforce it
· Provide user education

Greg Gleich is an Information Systems Consultant at Smith & Gesteland, LLP, a Madison-based CPA and business consulting firm. Please feel free to contact him at (608)836-7500 or greg.gleich@sgcpa.com with any questions.