When it comes to computer security, what’s the difference between your company computer system’s vulnerabilities and its risks?
A lot, says Dr. Peter Tippett, the well-known chief technology officer of Cybertrust, a Herndon, Va.-based information security company.
Tippett, who is widely credited with creating the first commercial anti-virus product that later became Symantec’s Norton Anti-Virus software, lectured more than 25 GBC members on his contrarian view of computer security during the January 20 Breakfast Briefing hosted by the GBC’s Technology Policy Committee.
A significant portion of experts in the information technology industry are working on projects relating to security, but most are concentrating on system “vulnerabilities.” Businesses, however, should be concentrating on “risks,” says Tippett.
“Vulnerabilities” are the number of theoretical ways that IT systems could possibly be compromised. They are the infinite collection of all of the “what ifs” devised by the community of IT security experts and ultra-geeks seeking a perfect world of impenetrable systems, futile viruses and “best practices,” he explains.
More than 3,000 vulnerabilities were identified last year alone, sustaining the perpetual quest by much of the world’s cadre of IT security experts to develop thousands of sophisticated updates, patches and other reactive programming tricks, says Tippett.
With so much brainpower devoted to addressing “vulnerabilities” of computer systems, “it should be getting better, but it’s not. It’s getting worse,” says Tippett. “Of our best practices, about half are not worth doing,” he adds.
Savvy business owners and IT managers would be better off concentrating on “risks” presented by “what threats are really happening” and should concentrate more on basic, practical solutions “to address the security breaches that are actually occurring,” argues Tippett. “We should concentrate on ‘essential practices,’ not ‘best practices,’” he says.
The most effective essential practices are basic computer use policies and work habits that can be applied relatively easily and inexpensively, but that have a high protective value against most security breaches prevalent today, he advises.
Basic computer security tips offered by Tippett include:
- Ensure that your office computer system uses a router. A router can act as a hardware firewall, which, Tippett argues, can provide better protection than software firewalls in many cases.
- Connect office computers to the internet directly, not through the office network. Have everyone in the office connect to the office network through the internet via a VPN, or virtual private network – the same secure technology that enables you to access your office network from home, Tippett suggests.
- Have your credit card payment applications audited for compliance with the Payment Card Industry data security standards. Such an audit can cost a small organization as little as $1,000 – $2,000, says Tippett.
- Absolutely restrict email. Deny all email attachments except the ones you use, such as .doc and .ppt (PowerPoint). More than 80 percent of viruses arrive in emailed zip files. Don’t accept them, says Tippett.
- For email, use text format rather than html. “Text is hugely safer,” says Tippett.
- Back up your data to hard drives rather than tape. Hard drives can include any of the large variety of inexpensive external hard drives available today.
- Route incoming email through an outside service provider. “They do all the scrubbing,” says Tippett.
- Don’t open attachments to emails from sources you don’t know.
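As an added illustration, and not code from the briefing or from Tippett, the following Python script shows what two of the email tips above look like when enforced at a mail gateway rather than left to individual habit: attachments are denied by default and allowed only when their extension is on a short allow-list (here .doc and .ppt, an assumed list for a hypothetical office), so zip files and anything else are rejected, and a message whose only body is HTML is flagged because no plain-text version exists. The sample messages are constructed in memory; no real mail is involved.

```python
"""Mail-gateway style policy check for inbound email (added illustration)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumption: this hypothetical office only exchanges Word and PowerPoint
# files, so everything else, zip archives included, is denied by default.
ALLOWED_EXTENSIONS = {".doc", ".ppt"}


def attachment_ext(filename):
    """Lower-cased final extension: 'Report.DOC' -> '.doc',
    'report.doc.zip' -> '.zip' (the last suffix is what the OS acts on)."""
    return os.path.splitext(filename.lower())[1]


def check_message(msg):
    """Apply the allow-list to every attachment and flag HTML-only bodies.

    Returns a dict: 'denied' lists (filename, reason) for each rejected
    attachment, 'html_only' is True when the message has no text/plain body,
    and 'accept' is True only when nothing was denied and a plain body exists.
    """
    denied = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            denied.append(("<unnamed>", "attachment without a filename"))
            continue
        ext = attachment_ext(name)
        if ext not in ALLOWED_EXTENSIONS:
            denied.append((name, f"extension {ext or '(none)'} not on allow-list"))
    # get_body() skips parts marked as attachments, so an attached .txt
    # does not count as a plain-text body.
    html_only = msg.get_body(preferencelist=("plain",)) is None
    return {"denied": denied, "html_only": html_only,
            "accept": not denied and not html_only}


def build_sample(body_subtype="plain", attachments=()):
    """Construct a test message in memory (constructed sample data).

    attachments: iterable of (filename, maintype, subtype, payload_bytes).
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "office@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("hello", subtype=body_subtype)
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=filename)
    # Round-trip through bytes so the check runs on a parsed message,
    # exactly as a gateway would see it on the wire.
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    clean = build_sample(attachments=[
        ("Report.DOC", "application", "msword", b"\xd0\xcf\x11\xe0")])
    suspect = build_sample(body_subtype="html", attachments=[
        ("invoice.zip", "application", "zip", b"PK\x03\x04"),
        ("report.doc.exe", "application", "octet-stream", b"MZ")])
    print("clean:", check_message(clean))
    print("suspect:", check_message(suspect))
```

The check looks only at the filename the sender supplied and at the declared MIME structure; it says nothing about what the bytes actually are, so a gateway doing this in production would pair it with the outsourced scanning the list also recommends rather than rely on the extension alone.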