The Global Internet and proliferation of information systems have significantly increased the risks to corporate Proprietary Information
The greatest known losses to American companies are in manufacturing processes and research and development information
On-site contractors and disgruntled employees are perceived as the greatest threat to Corporate Proprietary Information
Most companies have no framework to safeguard their Proprietary Information
Most companies have no idea of the value of their Proprietary Information
How much of that $250,000,000,000.00 is your company's Trade Secret, Intellectual Property and Proprietary Information worth to you and what are you doing to protect it?
Information Security
Curious about Computer Security? Want to know how to protect your information?
The following dissertation will arm you with the basics of Computer Security techniques.
First let me tell you this. If you think Computer Security is too complex and best left to specialists - think again. Computer Security is not technical, it is human.
The mystique of Computer Technology and Security is BS. It is perpetuated by computer geeks that want to take your money and make you think that they know something that you could never understand. I have been a Computer Technology Consultant since 1973 and the longer I am in the business the more amazed I become at the way people in the industry are hoodwinking businesses and people by spouting technobabble that nobody can understand just to make them think they are the most technologically proficient geek on the planet. Who cares! Do you really give a damn how computers work? The answer should be NO! But when you ask a Computer Consultant to put together a PC for you what do you hear? You hear about all kinds of technical specifications and other garbage that you don't understand! Why? If you can't dazzle them with brilliance, baffle them with b**ls**t, that's why!
The best and brightest Computer Consultants I have ever met learned to speak to their audience at the most understandable level. The common denominator of communication. Speak to me in my language. The best of the best are humble, truthful and strive for understanding and parity in communications. Why is this important and why am I telling you this? Because if you don't understand what some geek is telling you, if you are being overloaded with technobabble and idiotic technojargon what will you do? You will hire geeks to work with geeks so you can go on to more important things than listening to someone tell you how a dlt or dat drive works and why you can't get your data backed up every Saturday night.
Now to the meat of the matter. It is my opinion that herein lies the trouble with Computer Technology and Security. You as a business owner or executive will hire and contract with Computer Consultants who do not speak your language and will try to BS you by talking over your head to maintain, secure and protect the most important asset you have - information. Trade Secrets. Intellectual Property. Proprietary Information. They will recommend that you spend lots of money on technology that is supposed to protect your information from unauthorized access and theft. You will feel secure in the knowledge that these technogeeks and their wonderful security gizmos are on the job protecting your information at all times.
Then the disaster happens. The network crashes and your last backup was 2 weeks ago. Another geek hacks into your network and trashes 1500 files. Someone steals designs to an innovative technology and gives it to a competitor. Your customers are getting unauthorized charges on their credit cards and pointing the finger at your company. During an IRS audit 500 Megabytes of pornographic images are discovered on your network.
How can this happen? Why did it happen? It happened because you, the business owner, were not looking, not paying attention to the people you hired to protect you. You hired the fox to guard the hen house and then you went to plow the fields. You interviewed the geek yourself and the geek was talking in such technical terms he or she MUST know this stuff! You interviewed the Computer Security consultant who explained fully how their company could secure your network and therefore your information. In fact the resumes and referrences were glowing! Of course, why wouldn't they be? Would you give a prospective employer or client a resume or reference that had negative information on it? No. So what do you really know about this new employee or Computer Security consulting company? Nothing they don't want you to know.
Think about this. If you hire a consultant to design, build, maintain or secure your information systems what do you get? The salesman or consultant you talked to? Or do you get a geek that works for them? You want to secure your information from those who desire to take it from you so you hire someone you don't know who works for a company you may or may not know. How secure is that company you just hired and what do they know about their own employees, vendors and clients?
By now I am sure you are wondering what the point of all this is. Well, the point is that the security of your Trade Secrets, Intellectual Property and Proprietary Information has much more to do with people than technology. Yes, there are technological tools that can be used as a barrier to limit unauthorized access to information. However, these tools have limitations and must be designed, installed, monitored and maintained by people. Those people have access to the deep recesses of these tools. You could spend hundreds of thousands of dollars on tools to protect your information but if I find or someone gives me access to the tool I will just turn it off and walk away with everything.
General guidelines -
Obtain support for information security from Senior Management.
Do not waste resources protecting that which does not require protection.
Identify which information should be protected and for how long.
If extremely sensitive, material should be hand-carried or transmitted using encryption techniques.
To dispose of sensitive material, shred or make it unreadable.
Valuable company information must not be left unattended in hotel rooms. This includes hardcopy and computer.
Email and voicemail passwords must be protected and changed frequently.
All sensitive materials must be removed from conference rooms and whiteboards erased after meetings.
Where possible, conduct background investigations on all individuals with access to sensitive information. This includes clients, vendors and consultants.
Obtain nondisclosure agreements from employees, vendors and others with access to proprietary information.
Determine monetary/competitive value of your information.
Develop information safeguarding guidelines that are practical and user friendly.
Get user input and buy-in when developing an information security program.
Ask knowledgeable employees what should be protected; they know the market and the competition.
Form a partnership with the organization’s legal and information systems departments to better address information security issues.
Identify and get the cooperation of senior stakeholders in key areas such as technology, finance, personnel and marketing.
Train and periodically remind - from the first day of work through the exiting process - the appropriate people why certain information needs protection and of the guidelines used to protect it.
Work with management to decide what access will be given consultants, subcontractors, and joint-venture partners to what types of information and for how long.
Partner with the legal department and others to develop a process to review employee publications such as papers and speeches including those to be placed on the internet.
Ask new employees if they are obligated under any confidentiality or nondisclosure agreements.
Use annual performance reviews to remind employees of their obligations to protect information security.
Develop relationships with Security Investigators and local and regional law enforcement agencies.
Always remember -
The disgruntled employee is the greatest threat to your organization.
Telephone conversations, both fixed and mobile, are vulnerable to intercept.
Information regarding the movement of your company aircraft, including routes and destinations, is available for sale on the internet.
Be knowledgeable of your organization’s physical assets, information assets and vulnerabilities.
Specific guidelines -
Design effective backup schedules (Software).
Design disaster/intrusion plan (Software and Hardware to run on).
Perform a security audit to Identify exposures.
Design security policies to cover exposures.
Educate users and IS staff on security policies and issues.
Baseline normal operations for comparison.
Enable accounting and logging.
Monitor system and network activity.
Upgrade/patch software.
Install firewalls and proxies.
Install anti-virus software.
Perform Penetration Testing.
Develop a relationship with a Professional Security Investigator having Professional License
accountability and Law Enforcement referral.
Perform Intelligence Gathering on all personnel and companies with access to systems including security consultants.
Coordinate implementation of the technical stuff.
Monitor, review and analyze modifications to infrastructure and personnel changes.
What if it happens? -
Make immediate need to know notifications and seek professional legal and investigative assistance.
Make a complete backup of compromised systems.
Analyze all available information to characterize intrusion.
Collect and preserve all pertinent evidence maintaining chain of custody.
Apply short term solutions to contain the intrusion.
Eliminate all means of intruder access.
Return systems to normal operation.
Notify Law Enforcement if appropriate.
What if we suspect it is happening? -
Make immediate need to know notifications and seek professional legal and investigative assistance.
Make a complete backup of compromised systems.
Implement covert investigation to characterize intrusion and identify perpetrator.
Analyze all available information to characterize intrusion.
Collect and preserve all pertinent evidence maintaining chain of custody.
Notify Law Enforcement if appropriate
Summary -
You could lock up your valuable information in a vault with locks and all kinds of technical alarms and sensors but if I find or someone gives me the key and the password to turn off the alarms I will walk away with everything.
Technical protection is another tool in the fight for information security but people are the weak link and the criminal knows that.
Don't tell me how to keep someone from opening my safe with a hammer, tell me how to keep someone who knows the combination to my safe from stealing all of my money.
Email Contact