››› DON’T forget security over the phone lines, especially when implementing Internet telephony. “Once an organization goes to VOIP [voice over Internet protocol], phone calls can be listened to by breaching security on the data network,” says Joseph Hines, CEO of Edina-based network designer Voice & Data Networks, Inc. “A breach like this can store a phone conversation on disk. Once that’s done, the conversation can easily be distributed to places it wasn’t intended to go.”


Do the Right Thing

Likewise, there are a number of best practices that will benefit any company’s IT security efforts:

››› DO make sure everyone at the executive level is on board. “Without approval and support from the executive team, even the most comprehensive security approaches can be impaired by the lack of appropriate funding and resource allocation,” Garlock says.

››› DO develop a security strategy. This means establishing or modifying a strategy that can be effectively monitored and adapted as criminal threats grow. “Risk assessment and monitoring can come from outside managed-security service professionals,” McGee says. Organizations such as the CERT Coordination Center recommend investing in managed security services to perform a security audit of existing systems, McGee notes. The center is a nonprofit organization specializing in Internet security, located at the federally funded Software Engineering Institute research and development center in Pittsburgh.

››› DO have your systems examined on a regular basis by a security company you trust. “Any qualified Web vulnerability professional can conduct threat assessments and make recommendations for mitigating possible Web security threats,” says MacLeslie.

››› DO make sure that software applications that depend on each other are updated together, so that a patch to one does not leave a dependent application running against an incompatible or unpatched version. Software should also be compliant (registered, with legal licenses, and operating according to any applicable regulations, e.g. credit-card processing standards) and complementary, or able to run in tandem without conflict. Maintain all software by applying patches as soon as they become available.

››› DO use SSL/TLS (Secure Sockets Layer and its successor, Transport Layer Security), the protocol that encrypts data while it is in transit, on any company Web site that accepts or displays sensitive information, and encrypt any sensitive data transmitted by e-mail, even internally. Keep in mind that SSL/TLS protects data only while it is moving between browser and server; once it is stored on the server it needs its own controls.

Also, “never store any customer credit-card information anywhere on a Web server or database server that the Web server accesses, and process credit-card transactions through a payment gateway service,” says Chad Braafladt, CEO of Duluth-based phone, Internet, and Web-hosting provider CP Telecom.
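The SSL/TLS advice above, as an added example that is not code from the article or any of the companies it quotes. It uses Python's standard `ssl` module to build two client contexts side by side: the weak one developers reach for when a certificate error appears (verification and hostname checking switched off) and a hardened one (verification on, protocol floor at TLS 1.2, OS trust store loaded), plus a small audit that reports the weak settings. The same three properties (verification, hostname check, protocol floor) are what an auditor looks at on the server side. Nothing is connected to the network; the contexts are only built in memory.

```python
"""Weak versus hardened TLS client settings, with a small audit.
Added example; no network connection is made."""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The common bad 'fix' for a certificate error: turn verification off.
    Any on-path attacker can then present any certificate and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be switched off before verify_mode may be CERT_NONE,
    # otherwise the ssl module raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the peer certificate against the OS trust store, check the
    hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname=True are the defaults here
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # rejects SSLv3, TLS 1.0 and TLS 1.1
    ctx.load_default_certs()                        # trust the platform certificate store
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings; empty means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (-2) and TLSv1 both compare below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The hardened context is what you want behind `urllib`, `http.client` or any in-house tool that talks to the company site; if it fails against your own server, fix the server's certificate rather than relaxing the client.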
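Braafladt's rule above, as an added worked example that is not code from the article or from CP Telecom: the web tier hands the card number to a payment gateway once, keeps only the returned token and a masked display form, and refuses to persist any record in which a card number still appears. The gateway class, the order record layout and the in-memory database are hypothetical stand-ins; the Luhn checksum is the real check every card number satisfies, and the 4242… and 4111… numbers are standard test numbers, not real cards.

```python
"""Keep card numbers out of the web tier: tokenize through a gateway, store only
the token and a masked form, and refuse to persist anything that still looks
like a card number. Added example; the gateway is a hypothetical stand-in."""
import re
import secrets

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if over 9, sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit-only card numbers found in free text (only Luhn-valid candidates are reported)."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits replaced with '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


class HypotheticalGateway:
    """Stand-in for the payment gateway. The PAN lives only in the gateway's vault;
    the web tier receives an opaque token it can charge later."""

    def __init__(self):
        self._vault = {}      # token -> (pan, expiry); gateway-side only, never reachable by the web server
        self.charges = []     # (token, amount_cents) accepted so far

    def tokenize(self, pan: str, expiry: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(12)
        self._vault[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        if token not in self._vault:
            return False
        self.charges.append((token, amount_cents))
        return True


ORDERS_DB = []   # constructed stand-in for the database the web server can reach


def pan_fields(record: dict) -> list:
    """Names of fields whose string value contains something that passes as a card number."""
    return [k for k, v in record.items() if isinstance(v, str) and find_pans(v)]


def store_order(record: dict) -> dict:
    """Persist an order, refusing outright if any field still carries a PAN."""
    bad = pan_fields(record)
    if bad:
        raise ValueError(f"refusing to store card number in field(s): {bad}")
    ORDERS_DB.append(record)
    return record


def checkout(gateway: HypotheticalGateway, pan: str, expiry: str, amount_cents: int) -> dict:
    """Web-tier flow: hand the PAN to the gateway once, keep only the token and masked form."""
    digits = re.sub(r"\D", "", pan)
    token = gateway.tokenize(digits, expiry)
    order = {
        "card_token": token,
        "card_display": mask_pan(digits),   # e.g. ************4242
        "amount_cents": amount_cents,
        "note": "",
    }
    store_order(order)                       # raises if a PAN had slipped into the record
    if not gateway.charge(token, amount_cents):
        raise RuntimeError("gateway rejected token")
    return order


if __name__ == "__main__":
    gw = HypotheticalGateway()
    print(checkout(gw, "4242 4242 4242 4242", "12/29", 1999))
    print(pan_fields({"note": "customer read 4111 1111 1111 1111 over the phone"}))
```

The `store_order` guard is the part worth copying: free-text fields such as order notes and support tickets are where card numbers usually leak into a database that the web server can read, and a Luhn-filtered scan at the write path catches them before they are stored.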