November/December 2006 Leaders' Edge

Technovision
Information Security:
Protecting Your Most Valuable Asset

By Thomas G. Stephens, Jr., K2 Enterprises

Information is any organization’s most valuable asset. To see why, consider how you would respond if you arrived at the office one morning to find all of your data, in both electronic and paper form, missing or corrupted beyond repair, with no way to recover it from offsite backups.

Related article in this issue:
Five Top Tips for Combating Identity Theft
(Hint: It’s Not Always a High-Tech Problem)

Sources for such catastrophic data losses vary widely: a daily deluge of viruses, spyware and other forms of malware; people both inside and outside our organizations attempting unauthorized downloads of our data; unsecured laptops carrying sensitive data offsite, where the data is compromised; hurricanes, fires, floods and other natural disasters that leave us without access to critical business information; and server hard disks that fail at the moment we discover the tape backups cannot be restored.

What is the likelihood that you will face such situations? What would be the impact on your organization if you did? Would your organization be able to survive? Consider the following statistics:

  • Losses of data cost U.S.-based businesses more than $12 billion annually, with hardware failures accounting for 78% of the losses; only 1% of the losses were caused by natural disasters. (Source: American Data Recovery)
  • 61% of companies reported that a data loss lasting more than 48 hours would place the very survival of the company at risk. (Source: Ontrack - 2001 Cost of Downtime Survey Results)
  • 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. (Source: National Archives and Records Administration)
  • An unprotected computer will be attacked by viruses and other forms of malware within 15 seconds of being connected to the Internet. (Source: InformationWeek)
  • An unpatched computer will become compromised within 20 minutes of being connected to the Internet. (Source: CNET News)

Clearly, information – our most important asset – is at risk on a number of fronts. And while there is no one-size-fits-all solution to this problem, there are reasonable steps each and every organization can and should implement to minimize the overall risk to the entity.

Basic Protections
First, the organization’s senior management team, working in concert with the information technology (IT) team, should develop and implement a set of policies addressing information security. These policies should address areas such as acceptable use of the organization’s IT assets, passwords, remote access procedures and anti-virus guidelines. Employees must be educated on these policies and held accountable for adhering to them. While there are a number of good sources for policy templates, one outstanding resource for technology-focused template policies is The SANS Institute (www.sans.org/resources/policies).

Next, each computer on the network must be protected from outside attack, and this protection should be in place before the computer is attached to the network; the statistics above on how quickly an unprotected machine is attacked are the reason. Properly protecting an individual workstation includes disabling the guest account, disabling simple file sharing, and ensuring that all operating system and application patches are installed. For the nine out of 10 computers running Microsoft Windows and Microsoft Office, perhaps the easiest way to ensure that updates are downloaded and applied regularly is Microsoft Update, available at no charge from www.microsoft.com.
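The three workstation items above can be checked before the machine is plugged in. The script below is an added example, not part of the original article or of any Microsoft tool. It reads the state of the Guest account, the Windows XP-era "simple file sharing" switch (assumed here to be the LSA ForceGuest registry value, which is absent on current Windows versions), and the date of the most recently installed hotfix, and reports a pass or fail for each without changing anything. The 30-day patch-age threshold and the function name Test-WorkstationBaseline are assumptions made for illustration.

```powershell
# Added example (not from the article): read-only baseline audit of the
# three workstation items the text lists. Run in an elevated Windows
# PowerShell 5.1 session. Nothing here changes the machine.
# Assumptions (labelled): "simple file sharing" = LSA ForceGuest value
# (1 = on, XP-era only); "patched recently" = at least one hotfix installed
# in the last $MaxPatchAgeDays days, a proxy that works offline.

function Test-WorkstationBaseline {
    param([int]$MaxPatchAgeDays = 30)

    $findings = @()

    # 1. Guest account must be disabled. Get-LocalUser ships with
    #    Windows 10 / Server 2016 and later; fall back to a hint otherwise.
    if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
        $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
        if ($null -eq $guest) {
            $findings += 'INFO  Guest account not present'
        } elseif ($guest.Enabled) {
            $findings += 'FAIL  Guest account is enabled'
        } else {
            $findings += 'PASS  Guest account is disabled'
        }
    } else {
        $findings += 'INFO  Get-LocalUser unavailable; check "net user Guest" for "Account active"'
    }

    # 2. Simple file sharing (ForceGuest). Absent on modern builds, which is fine.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'ForceGuest' -ErrorAction SilentlyContinue
    if ($null -eq $lsa) {
        $findings += 'INFO  ForceGuest value not present (not an XP-style system)'
    } elseif ($lsa.ForceGuest -eq 1) {
        $findings += 'FAIL  Simple file sharing is on (ForceGuest=1); network logons are mapped to Guest'
    } else {
        $findings += 'PASS  Simple file sharing is off'
    }

    # 3. Patch currency: age of the newest installed hotfix.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if ($null -eq $latest) {
        $findings += 'FAIL  No installed hotfixes reported; run Microsoft Update before joining the network'
    } else {
        $age = (Get-Date) - $latest.InstalledOn
        if ($age.TotalDays -gt $MaxPatchAgeDays) {
            $findings += ('FAIL  Newest hotfix {0} installed {1:N0} days ago' -f $latest.HotFixID, $age.TotalDays)
        } else {
            $findings += ('PASS  Newest hotfix {0} installed {1:N0} days ago' -f $latest.HotFixID, $age.TotalDays)
        }
    }

    return $findings
}

Test-WorkstationBaseline | ForEach-Object { Write-Output $_ }
```

Hotfix age is only a proxy: a machine can show a recent hotfix and still be missing others, so this check supplements, rather than replaces, running Microsoft Update before the machine joins the network.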

Anti-virus measures must also be implemented. For network-attached computers, it is generally preferable to administer virus-protection from the server; this ensures virus signatures are updated frequently. However, for laptop computers that may be disconnected from the server from time-to-time, local PC-based protection is also a must. Many good anti-virus programs are available; some of the leading companies in this area include Computer Associates, McAfee and Norton. In addition to anti-virus measures, computers should be protected from spyware and unsolicited e-mail, as these can also contribute to security breaches and losses of data.

Backup strategies must also be examined closely. Though many companies believe data is being backed up to tape on a nightly basis, they are often surprised to find out the backup job failed and that, in the event of a disaster, they would not be able to restore their data. To minimize this risk, companies are turning increasingly to Internet-based backup solutions from companies such as Mistral, iBackup and Connected.com. These solutions provide for automatic backup of company data files over the Internet to secure, offsite storage facilities. Often, the cost of implementing such a solution is less than the cost of attempting to continue backups using more traditional means.
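Whatever the medium, tape or Internet, the only evidence that a backup job worked is a restore that reproduces the original files. The script below is an added example, not code from the article or from any of the vendors it names. It records SHA-256 hashes of the source files when the archive is made, restores the archive into a scratch directory, and compares every restored file against that manifest. It assumes a ZIP archive produced by Compress-Archive; the sample files, directory names and function names are constructed for the demonstration.

```powershell
# Added example (not from the article): a restore test for a nightly backup.
# Assumptions: ZIP archives made by Compress-Archive; the files below are
# constructed sample data.

function Get-FileManifest {
    # Relative path -> SHA-256, captured at backup time and kept with the archive.
    param([Parameter(Mandatory)] [string]$SourceDir)
    $manifest = @{}
    Get-ChildItem -LiteralPath $SourceDir -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($SourceDir.Length).TrimStart('\', '/')
        $manifest[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)] [string]$ArchivePath,
        [Parameter(Mandatory)] [hashtable]$Manifest
    )
    $problems   = @()
    # Restore into a scratch directory, never over the live data.
    $restoreDir = Join-Path ([IO.Path]::GetTempPath()) ("restore-test-" + [guid]::NewGuid())
    try {
        Expand-Archive -LiteralPath $ArchivePath -DestinationPath $restoreDir -ErrorAction Stop
        foreach ($rel in $Manifest.Keys) {
            $restored = Join-Path $restoreDir $rel
            if (-not (Test-Path -LiteralPath $restored)) {
                $problems += "MISSING  $rel"
                continue
            }
            $hash = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
            if ($hash -ne $Manifest[$rel]) { $problems += "CORRUPT  $rel" }
        }
    } catch {
        # An archive that exists on disk but cannot be opened is exactly the
        # failure the text describes: the job "ran", the data is not recoverable.
        $problems += "ARCHIVE  $($_.Exception.Message)"
    } finally {
        if (Test-Path -LiteralPath $restoreDir) {
            Remove-Item -LiteralPath $restoreDir -Recurse -Force
        }
    }
    [pscustomobject]@{
        FilesExpected = $Manifest.Count
        Problems      = $problems
        Passed        = ($Manifest.Count -gt 0 -and $problems.Count -eq 0)
    }
}

# --- Demonstration with constructed data -----------------------------------
$work = Join-Path ([IO.Path]::GetTempPath()) ("backup-demo-" + [guid]::NewGuid())
$src  = Join-Path $work 'data'
$zip  = Join-Path $work 'nightly.zip'
New-Item -ItemType Directory -Path (Join-Path $src 'ledgers') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $src 'ledgers\2006-11.csv') -Value 'acct,debit,credit'
Set-Content -LiteralPath (Join-Path $src 'clients.txt')         -Value 'constructed sample record'

# The "nightly job": archive plus manifest.
Compress-Archive -Path (Join-Path $src '*') -DestinationPath $zip
$manifest = Get-FileManifest -SourceDir $src
Test-BackupRestore -ArchivePath $zip -Manifest $manifest

# Simulate a job that ended with a truncated archive: the file is still there,
# so a "does the backup exist" check still passes, but nothing can be restored.
$fs = [IO.File]::Open($zip, [IO.FileMode]::Open)
$fs.SetLength([long]($fs.Length / 2))
$fs.Close()
Test-BackupRestore -ArchivePath $zip -Manifest $manifest

Remove-Item -LiteralPath $work -Recurse -Force
```

The first call should report Passed as true; the second should fail with an ARCHIVE finding, which is the quiet failure the paragraph warns about. Running this nightly against the previous night's backup catches a failed job before a disaster does.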

For companies allowing remote access to network resources, it is critical that any remote computer used to access the network maintain the same minimum level of protection as every other computer on the network. Thus, employees accessing the organization’s network from a home PC must implement the same security measures at home as are implemented in the workplace. Otherwise, the organization is at risk of being compromised through weaknesses in offsite computers.

Perhaps the most significant measure an organization can take is to ensure employees understand the risks associated with data loss and to educate them on their role in minimizing those risks. This education includes making employees aware of scams and schemes such as “phishing” and “pharming” attacks, the importance of maintaining strong passwords, and the rule of never revealing a password to anyone. As new sources of risk seem to appear almost daily, this education should be viewed as an ongoing process, so that information security remains a priority for all employees.

Because new threats appear constantly and because each and every organization is unique, the steps outlined above represent only the beginning of a plan to minimize the risk associated with data loss, whatever the cause. Nevertheless, implementing the steps outlined above – in addition to those mandated by unique organizational characteristics – provides a solid foundation for information security. Take action now, as the survivability of your business may depend on it.

About the Author
Thomas G. Stephens, Jr., CPA, CITP is an associate with K2 Enterprises, a leading provider of technology-focused continuing education courses for accountants. K2 Enterprises staff provides CPE programs for the MACPA. Mr. Stephens resides in Woodstock, Georgia.