Information Security in an Organization

Information security in an organization can be improved by precautionary actions. An organization should have an up-to-date information security plan that covers sensitive materials and information and how to control them, how to report violations, the responsibilities of employees and how employees are introduced to them. Problems in information security often arise from the ignorance or negligence of users. Employees might openly discuss password conventions, give their login information to suspicious sites or use the same passwords and usernames in several services.

Information Security of a private person

A private person should also pay attention to his or her own conduct regarding information security. Whether a person uses a private, organizational or public computer, it is essential to keep all account information to oneself.

A good password is long enough and contains letters, numbers and special characters. It shouldn't contain any common words, such as your name. A good way to improve your password is to use both upper and lower case letters. Some services set limitations or requirements that passwords must fulfil. Login information should never be written down together, and it should not be stored near the computer.
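The rules above can be turned into a small check, shown here as an added example that is not part of the original text. The minimum length of 12, the swap table and the function name are assumptions; the sample passwords are constructed.

```python
import string

MIN_LENGTH = 12  # assumption: the text only says "long enough"

# Common character swaps, undone before looking for names or words,
# so that "M4tti" is still recognised as "Matti".
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def password_problems(password, forbidden_words=()):
    """Return the list of rules from the text that the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Compare case-insensitively and with the swaps undone.
    normalized = password.lower().translate(SWAPS)
    for word in forbidden_words:
        if word and word.lower() in normalized:
            problems.append(f"contains the word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed examples: a name with swapped characters, a short word,
    # and a password that passes every rule.
    for candidate in ("M4tti!Virtanen2024", "kesa", "Rq7#vT2k!pLm9x"):
        print(candidate, password_problems(candidate, ["Matti"]))
```

A password can satisfy every character rule and still fail because it is built around the owner's name, which is what the first sample shows.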

Giving one's account information to a third party is prohibited. Especially in organizations, schools and companies, a user account is given only to a person who is considered trustworthy enough to have one. Letting someone else into the network is always at the risk of the person who owns the credentials. The owner is then accountable for any violations caused. Often the minimum penalty is losing the credentials and the right to use the services.

In social media, great damage can be caused by not protecting one's information. Unintentional publications are hard or impossible to remove, and false information can cause permanent harm to relationships or to people's reputations. There are often news reports about phishing and misuse of credentials related to, e.g., online bank accounts. In these cases financial losses can be great, and the credit transfers often happen very quickly after the credentials have been learned.

Think over! Are your passwords versatile enough, and how do you keep them safe? Have you used the same credentials in several services?

Viruses

Viruses can be divided into three main groups: viruses, worms and trojans.

  • Viruses are small programs that spread from one computer to another, normally without the user noticing. They are designed to make fun of the user, to harm or destroy data, or to secretly forward information by using the computer
    • File-infecting viruses infect executable files, damaging them or making them unusable
    • Macro viruses are written in macro programming languages used e.g. in MS Word. This enables them to be launched e.g. when a document is opened or another action is executed. Macro viruses can spread through email attachments, networks and storage media.
  • A worm can spread on its own, without needing a host
  • Trojans need a user to deliver them to the target. A trojan can be embedded e.g. in a video or in normal-looking software. It is designed to enable an attack on the system.

Anti-virus software is needed to identify and remove suspicious programs from the computer. A firewall prevents unauthorized data communication. To prevent viruses from spreading, attention needs to be paid to one's own behaviour. Suspicious emails, attachments and websites should be avoided. Sometimes emails are disguised so that they seem to have been sent by a colleague; often they still contain something alarming, like typographical errors or poor language. In this kind of situation you should check whether the email really came from the colleague.

Anti-virus software

Anti-virus software (AVS) inspects files that are used. AVS operates on the basis of virus description databases containing information on how to recognize and remove malware. The database needs to be updated regularly in order to identify new malware. It contains descriptions of viruses, what they do and how they behave. Based on this information, AVS can isolate, clean or remove files that are infected.
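The following added example, which is not part of the original text and not how any particular product works, shows the simplest form of a description database: a table of SHA-256 file hashes. It isolates matching files and shows why an outdated database misses newer malware. The file names, malware names and sample contents are constructed and harmless.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash the file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(folder, signatures, quarantine):
    """Isolate every file whose hash is in the database.

    Returns {file name: malware name} for the files moved to quarantine.
    """
    quarantine.mkdir(parents=True, exist_ok=True)
    found = {}
    for path in sorted(p for p in folder.rglob("*") if p.is_file()):
        if quarantine in path.parents:
            continue  # do not rescan files that are already isolated
        name = signatures.get(sha256_of(path))
        if name is not None:
            shutil.move(str(path), str(quarantine / path.name))
            found[path.name] = name
    return found


def demo():
    """Scan a constructed folder with an outdated, then an updated database."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = root / "files"
        files.mkdir()
        # Constructed stand-ins: plain text, not real malware.
        (files / "report.txt").write_bytes(b"quarterly numbers")
        (files / "known.bin").write_bytes(b"constructed sample A")
        (files / "new.bin").write_bytes(b"constructed sample B")
        old_db = {hashlib.sha256(b"constructed sample A").hexdigest(): "Sample.A"}
        new_db = dict(old_db)
        new_db[hashlib.sha256(b"constructed sample B").hexdigest()] = "Sample.B"
        first = scan(files, old_db, root / "quarantine")
        second = scan(files, new_db, root / "quarantine")
        return first, second


if __name__ == "__main__":
    print(demo())
```

The first scan isolates only `known.bin`; `new.bin` is caught only after the database has been updated.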

AVS can be either commercial (like F-Secure) or free (like Avast). Commercial software is usually easy to use, updates its description databases regularly and often also contains a firewall and tools for removing malware.

Changing AVS

Normally a computer runs only one AVS at a time; otherwise they might disturb each other's correct operation. If you need to change AVS, do it in the following order:

  1. Purchase the installation media or download it from the internet
  2. Disconnect the computer from any networks
  3. Remove the existing AVS
  4. Restart the computer
  5. Install the new AVS
  6. Restart the computer
  7. Connect the computer to the network
  8. Update the virus description database

Firewall

Firewalls can be based on hardware technology or software definitions. A firewall is located between the internet and the computer or LAN/WAN. It is designed to inspect data communication and to block any unauthorized use, whether it is incoming or outgoing. In a sense, a firewall makes the computer invisible to the public network. Nowadays operating systems also have integrated firewalls.

The basic operation of a firewall is to block any communication that is not allowed. A firewall can be set up in the way that best serves the use and needs of the software. E.g. a web browser needs to be able to access the internet, but some other software works well without an internet connection.

Free firewalls can be downloaded from the internet; probably the best known is ZoneAlarm.

Note! A computer must not be connected to networks until it has an operational AVS and firewall. Otherwise the safety of the computer itself is at risk, and it can also be used to spread malware to harm others.

Think over! What kind of AVS and firewall do you use? Are your mobile devices protected against malware?

Data backup

Backup means copying important information and data to another location, quite often to external storage media (like a DVD, an external hard disk etc.). The media needs to be protected against sunlight, moisture and theft, and it would be good to store it in a different building from the original data, e.g. in case of fire. Nowadays cloud services have become popular, and they provide a quite safe way to back up your data. The data is distributed across the globe, which decreases the risk of losing it because of a breakdown. Of course, the data in cloud services also has backups. If you need to store any personal information, take into account that some cloud services are not suitable for this. Check GDPR in the next section!

In organizations, data backup is normally in the hands of the data administration department. At home, backup is in your own hands. The most important things to back up are the files you use and any media and contact information you wish to keep. Software can be reinstalled, but any unsaved work or data will be lost if the computer breaks down. Thus a lot of work and important data may be lost if there is no regular backup routine. To decrease this risk, it is possible to use automatic synchronization to cloud storage.

Information Security of Mobile Devices

Quite often people tend to neglect the information security of mobile devices. When a mobile device is stolen or lost, this can result in the following:

  • Misuse of confidential data (automatic login for services)
  • Loss of data (files, documents, media)
  • Loss of contact information
  • Misuse of contact information

Think over! How is the information security of your mobile devices handled? Do you use automatic logins? Have you protected the device against unauthorized use (passwords, screen lock etc.)?