If there are any questions you believe we could usefully address, please go to our Feedback page and complete a survey and add the question in the Comments sections.
Q1: What is the most common form of threat to a business which has an online presence?
The most common threat is computer worms and Trojans that spread via email, usually as attachments. These are small programs which can invade your privacy and company confidentiality by exporting information or customer records, and can potentially lead to serious damage to your company.
Q2: How does one know when a virus has infected your system?
Often you won't know. If you are infected by one of the email worms then you may well find out when a customer or supplier calls you to tell you that they are receiving infected emails from you or your staff. More often than not viruses and worms are not obvious to the average computer user.
Q3: How does one go about fixing the problems caused?
There are several things that usually need fixing after a virus outbreak - your anti-virus policy, your anti-virus software and probably your company's credibility. The first two are easy to fix up.
You can employ an IT security professional to evaluate your systems and security needs, or if you are on a tight budget there are plenty of useful resources on this security web site that are of immense value.
Q4: Who is responsible for these e-mail viruses and how have they got my e-mail address?
It's difficult to identify who writes viruses. Sometimes they are written by individuals looking for an outlet for their technical skills, other times they are efforts from a virus writing group. The general opinion is that these people are often younger males, sometimes girls, doing the online equivalent of tagging (spraying walls, buildings etc). Often it's a phase these individuals go through and they eventually find a legitimate use for their skills.
Occasionally there are rumours in the industry that viruses have been written by 'professional' developers for government organisations. These claims are never substantiated and it is a ludicrous suggestion.
Q5: What other threats must a small business watch out for?
Apart from viruses, worms and Trojans, the next obvious threat is probably the opportunistic hacker. These guys will often scan or search for vulnerable computer systems and use them as storage for illegally obtained data or Trojan Horses.
Sometimes they are just looking for a launch point for other illegal activities such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and hacking other higher profile online services such as financial institutions, ISPs and Telcos or government systems.
Q6: What about internal security and threats?
Many organisations, and especially smaller businesses, don't realise that security breaches often occur within an organization. Sometimes this can be as simple as becoming infected with a virus from internet downloads via email, internal mail or bringing in a laptop computer that got infected at home.
Or it can be more serious, such as an employee who is leaving the company emailing your customer database to their new employer or personal email account for later use, or the deliberate leaking of confidential business plans or research documents to competitors or the media. Unscrupulous people often think that using electronic methods to get sensitive data out of a company is easier, when in fact it's very traceable with the correct tools.
Q7: How do I find out more about the threats I need to consider?
Spend some time reading the information supplied on this website and follow some of the links to support security vendors and organisations. This will give you a good understanding of the issues you need to consider and the solutions that are available.
If you want professional help then there are lots of resources available, many listed on the web site, and if you go to the 'Ask an Expert' section, you can ask your questions online.
Q8: What is the first thing I should do to manage the risk to my company?
The first thing you should do to manage the risk to your company is to write a list of your electronic assets and where they are stored and backed up to. For example, customer database, financial and accounting data, product research and development data, processes and procedures documentation etc.
You should note whether these are stored on secure systems; are they password protected, encrypted and backed up offline or are they easily accessible to anyone both inside and outside of the organization?
This will give you some idea of where you need to focus. Often simple changes are very effective - use strong passwords that are changed often; disable external access to your financial systems and customer database.
Once you have these simple tasks under way you can start looking at anti-virus software, firewalls and other security systems.
Q9: Why do I need a security policy?
You need a security policy for the same reason you need a policy about annual leave, emergency procedures and daily book keeping. Unless it's written down and effectively communicated to your colleagues and staff no-one knows anything about the policy and what is required of them. In its absence, security is not a factor in the workplace.
A security policy should set down simple guidelines for all employees as well as more detailed guidelines for people running and managing IT systems.
Q10: What issues should a security policy address?
There are a number of issues a security policy should address; the most important is why there is a need for one to start with. Many people using computers as part of their daily duties are not aware of the security risks, although this is not as true as it was a few years ago.
The security policy should then address simple working practices and procedures that can improve security and the company's ability to recover from security events (e.g. backup schedules and business recovery plans). These should be followed by outlines for training and awareness programs that may be required.
The policy needs to outline minimum standards for IT security within the organisation; for example specifications for anti-virus and firewall products, and the management, maintenance and upgrading of these products.
A very important part of a security policy is specifying processes and procedures for dealing with security events (e.g. a virus infection or network 'hack'). There should be clear guidelines, and responsibilities should be clearly documented for each part of a 'security response' process.
Finally, the security policy should specify procedures that are invoked after a security event to address issues of concern and corrective measures. A security policy needs to be a living document that is continually revised to account for changes in technology and the business processes of the company.
Q11: How would I go about developing one?
The best way to start developing a security policy is to look at your business, the people and IT systems that make it work. Put a value on these and the digital assets (data) and then decide how much you want to spend to secure these.
There are many good resources on this web site, related government and vendor web sites that will enable you to make a good first pass at developing your own security policy.
Once you have got the first stage done it's then your decision: do you leave it at that (in some cases you will have done enough), or is the problem too difficult for you to handle alone? If it is, then there are many people that work in this area every day and it may be wise to speak to a security professional, get an idea of the cost of developing a security policy and then weigh up the cost vs the risk.
Q12: What can I do to manage the risks to my business?
There are many things you can do to manage the risk to your business. We have discussed security policies and the areas a good policy should cover, such as training, simple security measures like passwords and access control systems.
There is a range of software and hardware products that can help reduce the risk. Anti-virus software is the one we all know about; recently there has been a move to integrate desktop anti-virus software with personal firewalls. These can be effective at stopping viruses as well as intrusion by hackers and the loss of confidential data via a networked connection.
Many businesses have email servers which should be protected by a good enterprise level anti-virus program which will stop infected email attachments penetrating your defences.
Another very effective method is to put a computer firewall between your company and the internet. These software or hardware solutions are rarely 100% effective but the key here is what we call 'defence in depth'. If you take a few steps to deter hackers and protect yourself from viruses then it makes you a hard target; most of the time the hacker will go away and look for something easier to attack.
Q13: Will it be expensive?
It doesn't have to be expensive. Depending on your own assessment of your assets and the costs a security breach may incur, you may decide that a home grown security policy and plan will be sufficient.
If however you have a significant number of employees and IT systems running many complicated business processes then you may not be aware of all the vulnerabilities your business has.
At this point it's worth spending some money to get a security audit done by a reputable IT security company. The results of the audit will help you decide what to do next and the costs involved.
