Send Feedback Print Article
Managing key IT security-risk areas
What are the IT security risks that retailers face today? Michelle Leuhman, managing principal, Highpoint Innovations, Sinagpore, identifies some key security issues in this first of three articles on retail IT security.
Most, if not all, companies today are almost completely dependent on a computer system to manage their operations. It holds, collects, calculates and communicates all of the company’s data on stock, customers, operations and finances. Each company has a team of staff who manages the system and others who use the computer system as part of their daily activities. How the system is managed and maintained is an integral part of mitigating the risk.
Here are some simple areas or questions to consider when reviewing your company’s security and how real the risk is to your company of losing either data or access to the data which is pivotal to your operations and viability.
Controlling physical access:
Who has access to the systems and why? Is the room always left unlocked for convenience? Is it used as a storage room for old computers and paperwork? The more people who have access, the more chances there are for problems.
Here is a story, simple but true, about a computer system that was crashing at about 10pm every weekday night.
After an extensive two-month code review, testing and patched software, the 10pm crash was still occurring, but could not be replicated in the test environment. One engineer was tasked with staying with the system through the night to monitor its status. On the first night everything seemed normal. At about 10pm the door to the computer room was pushed slightly open and a hand came through. The hand unplugged the system, causing the crash, and plugged in a kettle.
At 10pm, every weekday night, the cleaner used the power point to make tea!
Another company I worked with had an elaborate system of codes to the various office doors. However, these security procedures were not communicated beyond the IT team, and if the last person out of the office was not from the IT team, then a number of the doors were left open. More ingeniously, the key to the secure data entry, protected by the various passwords, is hung up in the key box, in the main office, directly opposite the security door!
Controlling virtual access:
As well as physical access, virtual access should also be controlled. Many computer-user accounts are set up with default security permission, enabling access to more data than they need for their daily work.
Practices such as using generic accounts such as ADMIN or SYSTEM accounts, with many people using the same account, limits the ability to track who is doing what on your systems. Typically, generic accounts are also very powerful. Hackers know about the accounts that come with your operating system and can use them to gain access.
So, your user accounts should be:
Many problems and flaws with access only become apparent after the system has been around for a while. The main weakness is that often a change in procedures is not accompanied by a complete review of people’s access.
Controlling physical assets:
How often do you audit your user computers, printers, etc? It is a five-minute job to open up a computer and steal the memory or hard disk. People then have access to your system’s data, security codes and infrastructure set-up.
Do you have control over who has access to your computer backup data? If they cannot get to your live data, then having yesterday’s backup is just as effective.
Is your operational network connected to the Internet, or another external network. If so, does it need to be? Isolation from external networks is a sure-fire way of protecting your network from outside interference.
If it needs to be connected, what precautions do you take to protect it? Do you have Firewalls, virus-checking software and traffic monitoring? If you need to be exposed for sound business reasons, then control what you can control, and monitor what you cannot.
To ensure the integrity of the systems, and make sure we get maximum benefit from our investment in them, a regime of continual improvement and monitoring is required. What I suggest here is a simple regime based on a normal business activity - risk management. Many processes and procedures already in place in other areas of your business are equally applicable to maintaining your IT infrastructure and protecting your investment in it.
IT risk is mitigated by business process management and Infrastructure security management, not by one or the other.
Michelle Luehman, managing principal of Singapore-based Highpoint Innovations, is a business management consultant from Melbourne, Australia, specialising in the service, airline and retail sectors. She has worked extensively throughout the Asian region with companies such as Coles Myer, Cathay Pacific Airways, Qantas, Royal Ahold, Beijing Pharma and Guang Zhou Pharma.