Companies urged to tighten security practices

Threats from within--such as disgruntled or former employees--are one of the greater security threats facing organisations, according to Mark Mortimore, senior technical specialist for TechNet/Security at vendor Microsoft.

Accidents, such as lost encryption keys, accidental deletion or not having a backup of data were also high security threats for organisations, said Mortimore.

He used the example of an IT professional who had inadvertently skipped creating a backup of their encryption keys when reinstalling an operating system. After unsuccessfully trying to crack the encrypted drive, the IT pro had to accept the data wasn?t recoverable.

Other threats Mortimore cited included natural disasters; and threats from outside a company, such as hackers, viruses and cyber-terror.

Mortimore explained to a session at Microsoft?s Tech Ed conference about the steps he saw as important for organisations implementing security processes.

He urged IT professionals to engage executives in their organisations in helping identify what was most important to protect, and also to carry out a security assessment of the current infrastructure. ?What if one of these assets were compromised? Those are the assets you need to identify and protect most,? Mortimore said.

Performing ongoing security management such as drills, as well as revising and improving plans were other areas he highlighted. Mortimore said that making sure that there was redundancy in the security plan and that security standards were in place before an attack occurred were other important points to remember.

?Organisations should also put in place processes for employee training and to create awareness of security threats,? he said. ?Employees - they?re the ones that help you enforce and drive forward your policy.?

He said that there was ?no patch for bad judgement?, such as users who might write their passwords on a sticky note and then attach it to their monitor.

Likewise, Mortimore warned companies to make sure that they patched vulnerabilities quickly enough. ?Everyone has a patch strategy, whether they know it or not,? Mortimore said. ?Patch management is part of your risk management strategy.?

Laws Clause: Vivienne Fisher travelled to Tech Ed 2003 courtesy of Microsoft.