As IT lawyers we regularly advise clients on data theft and computer misuse by employees. As IT users, we’ve had our share of password fatigue and virus scares. And as website operators our firm and its IT consultants have dealt with hacker attacks.
Based on this experience and reading widely (see the reference for this article), here is a list of 51 computer security problems and in each case a brief statement on solutions.
They mostly involve developing positive habits and legal mechanisms designed to reduce the major cause for data and IT security gaps – human error. Additional technical solutions will be required. In essence the solutions in this checklist comprise setting:
- clear statements of responsibilities;
- clear contractual and other legal sanctions for breach of those responsibilities by all individuals with access to data or IT;
- initial, periodic and/or per-transaction communication to the individuals on their responsibilities and the sanctions for breach; and
- initial and periodic education and training on the rationale and skills needed to meet those responsibilities.
Contact us for the solutions highlighted in green text. For technology solutions contact us for a referral to appropriate specialists.
1. On thinking about IT and computer security, you don’t even know where to begin.
Conduct risk management and compile a list of all your electronic resources. We call ours our Intellectual Capital Register. Decide which resources, departments or other areas most deserve protection or require immediate attention. Inspired by this, improve your IP Strategy. The security of your transaction or customer relationship management database is vital, especially if it contains customer credit card details and personal information.
2. Nobody can remember when data and IT security measures in your organisation were last reviewed and updated.
The pace of change in IT is self-evident. Regular monitoring and review are essential. Do them to plan for survival in the event of IT department staff losses, fire, flood, theft and other calamities. Make a person or department responsible for routine monitoring.
3. You don’t know the level of risk or cost consequences of potential data or IT security breaches.
Refer to your IT, business systems, insurance and legal advisers. A useful risk-assessment tool is an online calculator run by Darwin Professional Underwriters.
4. Your IT system has previously been penetrated and you want to be ready to act quickly next time.
Obtain technical advice on how to monitor your firewall logs regularly. They generally contain details such as the source IP address, the destination IP address and port, times and dates and other technical information. Ensure they are backed up and archived for long enough to be useful.
5. Computer viruses cause damage, ranging from annoying to catastrophic problems.
Ensure all anti-virus software is up to date. The range of other pests includes Trojans, malware and worms. Never plug a computer into a network until it is properly patched and has had anti-virus software installed.
6. Software versions are out of date. Could this cause a problem?
Yes. Keep software up to date as appropriate. Check key software providers’ websites regularly for updates or news on security patches and updates.
7. Your data requires very high levels of protection and it’s in a high risk environment which could benefit from vulnerability testing.
Employ hacker “penetration testing”. IT professionals will test systems to see if they can “hack in”. To gain from the test results, ensure the parameters of the tests are clear.
Email and online communication
8. Embarrassingly, staff have copied and emailed documents which have document metadata identifying the name of another client.
Educate staff to check, change or delete metadata as a routine activity before transfer of documents or files to others where it is not meant to be viewed by others outside your organisation. For example, a Microsoft Word or Excel document contains properties that reveal information such as the creator’s name and the date of creation. Failure to realise this has affected individuals in the highest offices in business (Microsoft) and government (members of the Bush Administration).
9. Staff habitually email personal attachments from their home computers to distribute via the office.
Consider staff training on the dangers of attachments. Email attachments are among the most common carriers of viruses. Tell staff “Don’t download anything unless you trust the sender — and the file.”
10. People are involved in personal disputes over email.
Again, common sense is needed for personal communication. Emails “leak”. A copy may be present on every computer an email travels through. Also, a recipient may be accidentally added. Someone may for whatever reason forward an email that was intended as a private or personal communication. All this can result in legal issues. Include rules and guidance in policy manuals.
11. Spam has gone through the roof!
Even the best spam blocking programs provide only a partial solution. People additionally need simple actionable rules and guidance on recognising phishing and other common scams, as a general rule not replying to spam (it only helps email harvesters), and using non-company email addresses (eg Hotmail, Gmail or Yahoo!) for their purely private emails.
Legal compliance and legal action
12. Some industries are affected by sector-specific strict liability obligations under legislation.
Obtain and act on legal advice relevant to your specific industry or sector, eg privacy law has a specific impact for the health and financial sectors.
13. You don’t know if your organisation keeps electronic records or copies of emails for a legally sufficient time.
Several dozen separate laws apply in Australia to the question of how long records must be kept. They range from business records to tax returns. Contact us and we will email to you a Document Retention Guide.
14. Employees are concerned about monitoring of their “personal” email.
You should take appropriate steps to ensure compliance with the law before monitoring employees, their emails, other communications and movements. Our Employment Contracts and Employment Law Documentation incorporate such compliance.
15. You think a standards-based approach would sit well with your “best practice” reputation, but are unsure what it means for IT and data security.
Seek professional advice on available information standards, including for project management, contract and document management and legal knowledge management. Useful Australian and overseas “official” standards, industry codes and reference standards are available to manage many topics including risk, human resources, projects, record keeping, knowledge, compliance, disaster recovery and business continuity.
16. An employee has used pirate software and files, exposing your organisation to legal liability to the software provider, and media ridicule.
Organisation policies should state a zero-tolerance policy against pirate software and data files. Companies are regularly raided by the Business Software Alliance with court orders permitting seizure of pirate software. Your Asset Register should include all computer hardware and IT devices. You might also keep records there for identification of licences for all software. Consider rationalising your software licensing practices for such record keeping.
18. In worst case scenarios legal action is necessary. Are your documents and records in a proper state ready for delivery for court or police action?
Be proactive: prepare for success in legal action by implementing processes, record keeping and contracts to ensure you can rely on the armour of civil and criminal law. Contact us for practical advice guides, eg Document Retention Guide, How to prepare a file note, and Legal Knowledge Management Guide.
19. A laptop taken home by a senior finance department executive has been stolen. It had client credit card details in a database file in it.
In your core policies, eg your policy and procedure manual, you should have clear rules for laptop use outside the office and data on the laptops. If practical, implement a check-in and check-out procedure to ensure all laptops are accounted for. A recent illustration of risks is the UK case involving Nationwide Building Society. It was fined £980,000 under the Financial Services and Markets Act 2000 stemming from failure to take “reasonable care” to protect information contained in an employee’s laptop which was stolen. The laptop contained details of around 11 million account holders, although corresponding PIN codes and passwords were not included.
20. Computer, program or Website passwords are misplaced, forgotten or lost as personnel change.
Obtain technical advice. Consider preparing a register of passwords. Obviously this requires the utmost care and consideration and very secure storage.
21. Employees are selecting passwords that are obvious and can be easily guessed or hacked.
Distribute information on what makes passwords harder to hack, eg dtg#$840 – a password that combines letters, numbers and symbols. Also in your IT security policy consider setting guidelines for administrator levels and for setting and resetting passwords.
22. Some computers or data require higher than usual levels of protection.
Obtain technical advice. Consider setting variable levels of computer and data protection depending on defined criteria, eg the value of the data or the level of risk. Consider classification of data from a security, value or risk perspective. Consider setting up automated email notification on access by anyone of certain files. Monitor for exceptional patterns in access to such files (eg level or frequency of access, or access where there’s no current need/project).
Policies, auditing and record keeping
23. Employees do not seem to adequately follow, or are not aware of, IT use policies.
First, consider conducting staff training as discussed below. Second, integrate adherence to your IT use policy into employment and contractor agreements and documents. For example, ensure employment contracts refer to the policy and even incorporate the terms of the policy into the agreements.
24. Employees are not aware of practical and legal obligations which apply to their use of IT and email communication.
Prepare an Information Security Policy (focused on concise and relevant “Dos” and “Don’ts”) or include all that in a broader Communications Policy which also covers use of email and other means for correspondence or communication. It is useful to ensure all staff sign a copy of the policy document or a register acknowledging they have read it.
25. Pirated MP3 music files and illegal content are being stored on your computers.
Conduct periodic IT network audits or random sampling to check downloads on computers. Notify staff of this possibility in organisation policies.
26. IT audits have found employees are looking up pornographic, inappropriate or illegal material on computers.
Include in your policy manual rules for staff use of the Internet. There are now regular reports on court action against Internet abuse by staff at all levels. It causes potential legal liability, negative publicity, business disruption and loss of staff morale. Web browsers, like Internet Explorer and Firefox, can be “cleaned” (eg deleting history caches or files) and configured to reduce the level of information gathered by third parties in the background during Web browsing. Also note there are programs such as Anonymizer.
27. Staff have poor computer skills and poor appreciation of security issues and threats.
As human error is the most common cause of security breaches, IT security requires an attitude and framework more so than a product. Enforce legally binding contracts, introduce a proper or integrated human resources management system and then build on this with technical and other advice by conducting regular training of your staff to raise awareness about security issues. Also consider broadcasting to staff the occasional email on the topic of security.
28. Improper written communication is harming your business. It’s not just poorly worded emails, it also involves Excel and Word files being sent without sufficient editing or “legal labelling” (eg IP notices and disclaimers).
Run staff training to improve business writing skills and business communication generally and understanding of business communication protocols. Introduce or improve your House Style Manuals. Educate staff to use IP Notices, eg warning statements on trade marks, copyright, and confidential information.
29. Staff use email inappropriately. They often write a short email saying “Agreed” to business proposals even before they review the full financial terms and legal conditions that apply.
Consider running our workshops in-house on business writing and business deal making process and contracting. Educate staff to not make spam-like broadcasts. Educate staff on good procedures to follow when attaching files, eg checking that the wrong file has not been accidentally attached. Consider obtaining our advice on use of IP Notices, which covers disclaimers and notices for copyright, trade mark and confidential information.
30. Whilst everyone has a basic understanding, you still rely far too heavily on IT people.
Engage IT consultants to provide IT and software skills training and educate all staff, including senior management levels or specific high risk departments.
Backup and archiving procedure
31. Regular or routine backup procedures do not exist.
Obtain technical advice on what suits your situation. Carefully identify the files and programs that need to be backed up and ensure it is done regularly.
32. If the backup itself fails, is destroyed or lost, you can be in big trouble.
Store backups, preferably off-site. Test backups to ensure restoration is possible. Businesses in New Orleans that did both these things survived the Hurricane Katrina flood in August 2005.
Premises and network security
33. A server “crash” has caused loss of a full day’s work.
Work out how many hours or days of data your organisation can afford to lose in a server crash. Then obtain technical advice to cover such a period. If necessary or appropriate, arrange for a period of uninterrupted power for servers to ensure graceful shutdown in the event of server failure.
34. Police report that stolen laptops and mobile phones are rarely recovered.
Engrave or attach non-removable labels to all your hardware as a deterrent to thieves.
35. Hackers are regularly breaking through your firewalls.
Obtain technical advice to properly configure your firewall. Regularly examine firewall logs to monitor for unusual activity. If your Website or Internet connections have slowed that could be a sign of a hacker present.
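The routine log review recommended in items 4 and 35, as an added example that is not part of the original article. The log lines are constructed in a simple key=value style for the demonstration; real firewall formats differ, so the regular expression is the part to adapt. It flags a source that is repeatedly denied against several different ports within a short window, a pattern worth a closer look.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from any real device). The "-- rotated --" line
# stands in for the non-event text that real logs contain.
SAMPLE_LOG = """\
2006-03-01 09:00:01 action=DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2006-03-01 09:00:02 action=DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2006-03-01 09:00:03 action=DENY src=203.0.113.5 dst=192.0.2.10 dport=25
2006-03-01 09:00:04 action=DENY src=203.0.113.5 dst=192.0.2.10 dport=80
-- rotated --
2006-03-01 09:00:05 action=DENY src=203.0.113.5 dst=192.0.2.10 dport=443
2006-03-01 09:00:06 action=DENY src=203.0.113.5 dst=192.0.2.10 dport=3389
2006-03-01 09:05:00 action=ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2006-03-01 10:30:00 action=DENY src=198.51.100.7 dst=192.0.2.10 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) action=(?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_lines(text: str) -> list:
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_suspicious_sources(events, window=timedelta(minutes=1),
                            min_denies=5, min_ports=3) -> dict:
    """Report each source whose DENY events inside any `window` reach min_denies
    and touch at least min_ports distinct destination ports (a probing pattern).
    The largest qualifying burst per source is kept."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward past old events
            burst = evs[start:end + 1]
            ports = {e["dport"] for e in burst}
            if len(burst) >= min_denies and len(ports) >= min_ports:
                prev = alerts.get(src)
                if prev is None or len(burst) > prev["denies"]:
                    alerts[src] = {"denies": len(burst), "ports": sorted(ports),
                                   "first": burst[0]["ts"], "last": burst[-1]["ts"]}
    return alerts
```

The thresholds are deliberately parameters: tune them against a week of your own logs so that routine noise does not page anyone, and keep the archived logs (item 4) so a flagged source can be checked against earlier activity.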
36. You wish to completely stamp out staff use of certain materials online.
You may wish to use programs which can block staff from accessing some Websites or content, eg peer to peer file sharing sites. (The music industry has taken legal action against several universities which they say are not doing enough to block P2P file sharing.) If your Internet connections have slowed it could be a sign that there is a “bandwidth hog” present, eg unwanted files from file sharing services.
37. There has been unauthorised copying of sensitive client data while wireless networks were used.
If your network is wireless, ensure proper encryption is set up to prevent unauthorised access. Obtain technical advice.
38. Employees install software on computers that leads to problems.
Take technical steps to restrict unauthorised installation of programs through different administrative access profiles. This way, only an administrator can install software.
39. You installed a new software program which seems incompatible with your existing system.
Experts warn against using the first version of software, especially any new operating system. Read reviews, obtain technical advice or wait until the software is stable and others find the bugs.
40. Your business has become heavily dependent on its Website. Does this form part of IT security?
Yes. Websites are the number one target for hackers. Apply equal rigour for Website security as you do for your computer systems. It is not unusual to hear of Websites and sometimes their related businesses closing due to a catastrophic loss of all data, none or little of which had been backed up or archived. Back up your website content regularly – including SQL database tables, PHP/ASP script files and HTML documents. Ensure proper content management records are kept and archived.
41. Employees and clients want an intranet or extranet for remote access but you fear exposure to more IT security problems.
Obtain technical advice on use of HTTP authentication for restricted areas of Websites, eg “client access” zones.
42. Depending on the size of your organisation there can be many different copies of software and accompanying licences to manage.
Include in your policy manual a rule that software may be installed only by one person or department to centralise tracking of all appropriate licences.
43. Non-genuine software can cause problems with things such as enforcement of warranties.
Only buy software from authorised software resellers.
44. Prior versions of software and beta versions can cause issues with licensing.
Delete all prior versions of software when upgrading.
Intellectual property protection
45. Your organisation’s domain name has been taken after someone forgot to renew the domain registration.
Take domain name legal infringement action. Keep an Intellectual Property Register. One section of our template Register lists detailed records on domain names and is a useful place to keep domain name renewal dates and contact details. It helps to prompt measures to reduce cybersquatting, typosquatting and URL hijacking resulting from misspelling, typing errors, and using the wrong domains (eg .com not .com.au).
46. Confidential information and files have been stolen or copied.
Use confidential information procedures, IP Notices (eg warning statements on trade marks, copyright, or confidential information), and documents and contracts. Consider installing software that will prevent removal of data by typical methods such as USB or ftp transfer. Similar considerations apply to use of PDAs, smart phones and other mobile devices.
47. Staff are making comments in online forums, newsgroups, chat rooms and on blogs using their office email addresses or website reference.
While generally not an issue, common sense is needed. Comments might reveal confidential information, expose an employee to threats from angry outsiders, and affect your organisation’s brand. Use search engines to monitor what is said, and by whom, involving your organisation.
48. Financial bid information has leaked from a major top secret tender proposal prepared for a client.
Use password protection and encryption techniques where appropriate, ie if you transfer highly confidential files between offices or to clients.
49. People have infiltrated your system from within, by installing software on your machines or attaching devices in your building.
Ensure your server is physically secure as well as your premises. Check security measures near your reception desk. Further in, keys, separate passwords, security cards, or locks might be appropriate, including for individual offices, filing cabinets and any server room. Keep records of all these measures: for a court, the measures can indicate the data is confidential and has value, and hence a court will more readily make orders to protect the data.
50. A confidential webpage or intranet page is appearing in search engine search results.
Sometimes, search engines can add confidential pages to their search results. This can be avoided by keeping confidential material off your Web server, or through use of a robots.txt file to control the information search engines add to their index.
51. Data has been lost or stolen, you think you know by whom, but you have no list to check the loss with precision.
If you don’t know what you have or had, it is difficult or impossible to prove to a court what you lost or what was taken. We provide advice on knowledge management; it is especially useful for businesses built on intellectual property. If you don’t have a working definition in the context of your organisation about the meaning of “knowledge management” and “information architecture”, then you need to find out before you can educate employees, contractors and others with whom your company collaborates.
Robert Schifreen, Defeating the Hacker: A Non-technical Guide to Computer Security, John Wiley and Sons Ltd, West Sussex, 2006.