IT Has The Cure For An Insecure Organisation!

Here are some solutions that can help businesses keep security threats and vulnerabilities at bay!

Ensuring the security of an organisation's physical and digital assets is a complex task! It can't be achieved merely by building high walls of concrete around critical assets. Considering the gravity of the problem, business units today have begun to look around for solutions that can help them protect their software applications, like ERP, CRM, etc, and also their IT and data infrastructure. Let us take note of a few IT tools that can help businesses to proactively deal with this challenge:

Identity authentication tools

It is not possible to validate or authenticate the identity of all staff members or customers manually every time they attempt to access organisational information. This is because small firms operate with fewer resources, and manual authentication may lead to transaction processing delays. To address this problem, companies can opt for tools like biometric devices, which validate the identity of an employee by checking physical traits, like fingerprints, vein patterns, etc, and automate the process of allowing information or network access to only authorised staff or customers, suggests Ram Krishna Ghildiyal, technical head, Sanvei Overseas, an international IT-based surveillance company.

Rajat Agarwal, executive director, Bhorukha Aluminium, seconds the thought and suggests: "This is a great option if you want to add an extra layer of security to certain areas such as server rooms, electrical control panels, etc."

Milind Mody, CEO, eBrandz.com, however feels that while biometric devices are quite relevant for businesses like jewellery shops that have precious assets, for a company with more than 100 employees, such devices can be a real problem if used at the entrance gate. He explains the flip side: "You will have a long queue of employees while coming in or going out of the organisation premises, either at the start of the day or at lunch time. There is a school of thought that claims that biometric devices help prevent the buddy system that involved the problem of proxy attendance. But I would advise keeping biometric devices only at places where companies store their sensitive information, which could be their server room or where the accounts or sales team sits. The selective application of such devices can still be made. Otherwise biometric devices cost two or three times more than RFID* (radio frequency identification) card-based systems, which are also a viable alternative."

*RFID tags refer to small electronic devices that are made up of a small chip and an antenna. The device can carry approximately 2,000 bytes of data. And, just as information can be retrieved or read from bar codes or magnetic strips via a scanner or bar-code reader, RFID devices also require a scanner to retrieve the information stored in them.

Information security tools

Companies that have online systems or processes and depend on data and information assets must consider information security technologies like firewalls, antivirus software, information authentication, encryption* tools, etc.

*Encryption is the process of converting information given in plaintext into an unreadable format, which can be decoded by a person possessing a special key/password to convert the coded text into plain text again.

Mody shares details about solutions that his company, eBrandz, has adopted. "I personally feel that if an organisation has more than 25 PCs then antivirus are useless without a hardware firewall. Besides, most firewalls have the antivirus component built into it. So you do not need to invest separately on the antivirus."

Not spending on such intrusion prevention systems (like firewalls) makes mission critical systems and information vulnerable to new attack variants, warns Dhruv Soi, chair, OWASP (Open Web Application Security Project) India. Agarwal agrees and adds: "This works really well to control and more importantly monitor the kind of information your employees have access to and also what they are doing with it (saving, emailing, copying to USB drives, sending to competitors, etc)."

Many a time organisations resort to using pirated software to avoid investing in buying original software. Soi cautions that use of pirated software brings spyware into the system without the knowledge of users, putting the organisation's data at risk.

Tools to safeguard physical assets

Many organisations assign laptops to their workforce to enable them to keep in touch with the firm from anywhere, anytime. In such a scenario, the security of the laptops, which invariably carry crucial work-related information, is vital. Organisations can have encryption software installed on all the desktops and laptops to avoid the risk of data theft in case a computer is stolen/misplaced, suggests Soi.

There are two types of encryption tools. One type is used to encrypt files, digital documents or e-mails that an organisation sends out to people, within or outside the organisation, over the Internet.
The other type of encryption tool is used to convert the data on the hard drive of a computer into an unreadable format, in such a way that it can't be made readable again unless a password is entered. This tool is useful to prevent data loss in the event of theft or the loss of a laptop.

An RFID (radio frequency identification) asset tracking system is another solution, which can help in safeguarding assets like laptops, or any other expensive devices. The RFID tracking system keeps track of assets whether placed within the bounds of the organisation or even when anyone moves out of the company gates.

Tools for network security

To ensure organisational network security*, a firm can disable the use of USB drives on PCs/laptops, advises Mody. "Apart from this, have your network configured in such a way that data of different departments are stored at different places. And, then allow access only to authorised people. Some common data can be stored centrally but in this case there is a need to have different levels of access rights.

"Access to Web servers* also needs to be restricted only to a few select individuals. If an organisation uses Internet based applications like SaaS (software-as-a-service)-based ERP, etc, make sure all such applications are protected through some specific Internet-based restrictions," he adds.

Soi explains how network access protection tools work: "A network access protection (NAP) system prevents access to organisational networks unless the connected computer complies with a set of standards."

* An organisation network comprises the local area network that is made up of a group of computers within the organisation premises or across its different branches connected to each other for the purpose of communication; the other type is a wide area network through which the organisation communicates with the world outside, over the Internet.

* A Web server is a computer program that fetches content in the form of information, data, images, etc, from the Web pages available over the Internet and delivers it via a Web browser (like Internet Explorer, Firefox, etc).

Surveillance tools

Have CCTV (closed circuit TV) cameras across the entire premises to monitor physical threats (external/internal) from within the organisation or remote locations. The devices enable not just real time monitoring but also keep records for future reference, says Soi.

Mody agrees and says that CCTV cameras are also a must for any organisation that has more than 25 to 30 employees. "This will deter people from stealing devices or cash. In serious cases, it might help the police track down culprits," he adds.

Agarwal feels that having CCTV cameras is a good option for firms that are into manufacturing and need to monitor labour movement and behaviour. "Firms can also have CCTV cameras to monitor strategic locations," he observes. Currently, these devices are slightly expensive, but the cost is decreasing rapidly.

The way the RFID tracker works for laptops

RFID,
a combination of radio-frequency-based and microchip technology, helps
in identifying an asset. For tracking, an active RFID tag of 3.8 cm
(1.5") to 1.9 cm (0.765") is embedded into the laptop. The RFID reader
has both the laptop's ID as well as the employee's tag ID associated
with it. Each time a person passes through the main door/entrance gate
where the reader is installed, the tag in the laptop transmits the
information stored in it, to the RFID reader. Interestingly, the
presence as well as movement of a laptop is picked up from a distance
of over 30 feet (9.1 metres).
The ability to detect a laptop even if it is placed in a moving car enhances this system further.
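
The gate check described above can be sketched in a few lines. This is an added example, not code from the article or from any RFID vendor: it pairs each laptop-tag read with the employee tags read at the gate around the same time and reports passages where the assigned employee is absent. The tag ID formats, the 10-second pairing window, the registry contents and the verdict wording are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed registry: laptop tag ID -> employee tag ID it is issued to.
ASSIGNED = {"LT-1001": "EMP-07", "LT-1002": "EMP-12"}
WINDOW_S = 10.0  # assumption: reads this close together are one gate passage


@dataclass(frozen=True)
class Read:
    ts: float    # seconds since the start of the capture
    tag_id: str  # "LT-..." for laptop tags, "EMP-..." for employee tags


def audit_gate(reads, assigned=ASSIGNED, window=WINDOW_S):
    """Return one (ts, laptop_tag, verdict) tuple per laptop passage."""
    reads = sorted(reads, key=lambda r: r.ts)
    badges = [r for r in reads if r.tag_id.startswith("EMP-")]
    last_seen = {}  # laptop tag -> timestamp of its previous read
    findings = []
    for r in reads:
        if not r.tag_id.startswith("LT-"):
            continue
        # An active tag transmits repeatedly; report each passage once.
        prev = last_seen.get(r.tag_id)
        last_seen[r.tag_id] = r.ts
        if prev is not None and r.ts - prev <= window:
            continue
        nearby = {b.tag_id for b in badges if abs(b.ts - r.ts) <= window}
        owner = assigned.get(r.tag_id)
        if owner is None:
            verdict = "unregistered tag"
        elif owner in nearby:
            verdict = "ok"
        elif nearby:
            verdict = "carried by " + ",".join(sorted(nearby))
        else:
            verdict = "unaccompanied"
        findings.append((r.ts, r.tag_id, verdict))
    return findings


# Constructed gate log, not real reader output.
SAMPLE = [
    Read(0.0, "EMP-07"), Read(1.5, "LT-1001"), Read(3.0, "LT-1001"),
    Read(60.0, "EMP-07"), Read(61.0, "LT-1002"),
    Read(200.0, "LT-1001"),
    Read(300.0, "EMP-12"), Read(302.0, "LT-9999"),
]
```

Running `audit_gate(SAMPLE)` flags the laptop leaving with the wrong employee, the laptop passing with no employee tag in range (the moving-car case), and the tag missing from the registry.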
Assistant editor, IT Vertical