3) Access control and monitoring
Okay, youve got your policy, but is it being followed? More importantly, there are industry regulations that require you to demonstrate compliance, Solanki says. An airtight security infrastructure will block access, and it will also record the user, the time, and attach the document that he or she is trying to print.
Is the Mac Really More Secure than Windows?
Web 2.0 Security: Application Scanners
Spam Bust: The Lessons of Yesmail
Russia's Export To America: Malware
Solanki describes this process with a tone of satisfaction right out of an episode of TV show CSI: forensic evidence.
This policy can be tighter still for employees who management identify as at risk, or who are about to leave the company. For these workers, some companies set up a system that records every single contact this individual has with sensitive data. It can be done in a quiet mode, or in a more visible way that prevents the employee from doing it, and it pops up a screen, he says.
4) Monitor and prevent installation and usage of unauthorized applications
One of the biggest threats is that when I go to visit a seemingly innocent Web site, behind the scenes a keylogger is being installed on my laptop that is the No. 1 issue today, Solanki says. This keylogger allows a hacker to perpetrate identity theft by stealing all of an individuals passwords.
The identity theft business has gotten so sophisticated that if I wanted to rent a botnet an army of infected machines I can do that for a dollar a day per PC, Solanki says.
Safeguarding against authorized apps includes building a tough line of defense on the front lines: all your workers PCs must have tough anti-virus and anti-spyware, and ironclad technologies to prevent the installation of a botnet app.
5) Educate and train your staff
Companies have wide latitude in terms of how they enlist their workers in security efforts. The stringency of these effort can range from a pop-up that informs users theyre breaking company policy (which Solanki notes that many users ignore) to iron-wall pop-ups that block action.
To be sure, staff training is urgently needed in battling security threats. For example, many security administrators were aghast that employees kept opening emails whose subject line was I Love You long after it was identified as part of a massive virus attack. Clearly, employees represent a loose link maybe the loose link in the security chain.