Computer Security
4 Apr 2007
These days there are few businesses that do not have at least one computer present. This increased use has unfortunately been accompanied by an increase in computer-related crime, with thieves being attracted by the portability, value and anonymity of most equipment, and hackers or disgruntled staff sometimes seeing malicious interference with systems and data as a challenge or form of revenge.
This Hardfacts provides businesses with general computer security advice.
Risk Assessment
Computer security measures should always be determined by considering the impact on your organisation of possible computer crime. The following should be considered:
- The effect on your operations, including customer confidence, following loss of or interference with key equipment, systems or data.
- The cost of replacing equipment, systems or data and expected replacement times.
- Vulnerability of premises, systems or data to unauthorised physical or electronic access.
Computer security can be considered under the following broad headings, but the best security will come from adopting a range of complementary measures from all of them.
General/Procedural Security Measures
Options include:-
- Ensure passwords and other procedures limit access to systems and equipment.
- Install and maintain up-to-date anti-virus software and internet ‘firewalls’.
- Implement strict and clear staff controls on use of the internet and downloaded or unauthorised software.
- Ensure users are aware of the theft risks of leaving equipment unattended in public or semi-public areas of the workplace or when working away from the premises.
- Ensure users don’t leave equipment in unattended vehicles or walk through streets with items such as laptops in recognisable laptop carrying cases.
- Avoid sitting equipment next to externally accessible glazing.
- Locate key equipment in secure inner rooms wherever possible.
- Maintain an ‘asset register’, i.e. a list of all serial numbers and installed locations of computer equipment.
- Avoid advertising the arrival of new equipment by not leaving discarded packaging in yards or public areas.
- Ensure key computer data is regularly backed up and copies maintained off site.
- Produce a ‘continuity plan’ to assist in getting computer systems quickly back to normal after any security breach or loss.
Physical Security Measures – Premises
All premises benefit from a well secured perimeter, with the nature of the protection depending on the premises type, location, ease of access, hours of occupancy and type of computer equipment within.
Specific advice on physical security is available from your insurance company or police crime reduction officer. However, as a minimum, you should ensure that:-
- Walls, roofs, doors and windows are of robust construction and in good condition.
- Windows and doors are fitted with good quality locks or padlocks.
Further protection of doors and windows can be achieved by installing laminated glazing, steel shutters, gates, bars or grills.
IT/Server rooms often contain concentrations of expensive or critical equipment. Ensure these are robustly built, sited away from outside walls (ideally on upper floors) and fitted with good quality doors and locks.
Electronic Security Measures – Premises
Given sufficient attraction of the equipment within, thieves will often go to the trouble of overcoming physical security measures. Electronic security devices can usefully supplement physical and procedural measures.
Options include installation of:-
- An access control system to assist in vetting/controlling persons seeking access to or within key parts of premises.
- An intruder alarm, ideally monitored by an alarm receiving centre able to call out police and keyholders after an activation.
- A locally monitored CCTV system to allow staff to manage, monitor and/or record visitors during working hours.
- An external remotely monitored CCTV system. These can be particularly effective outside business hours in detecting and responding to potential intruders whilst they are still outside, i.e. before a break in occurs. The nature of such systems requires careful attention to system design and operating procedures.
- A ‘smoke’ generating system operated by alarm sensors. When activated these rapidly fill an area with a dense non-harmful chemical fog which obscures vision, and thus prevents intruders from seeing what they have come to steal.
- A forensic intruder marking system. When activated these fill an area with a near invisible non-harmful uniquely formulated chemical mist, which adheres to the clothes and body of intruders. The police can detect this marking on suspects and trace it back to the registered premises.
Other Security Measures - Equipment
Good physical and electronic security measures at premises provide a first line of defence, but security measures applied to particular pieces of equipment can provide very effective additional security.
Options include:-
- Permanent visible marking of equipment with details of your name and postcode. Marking can take the form of engraving or chemical dye. By removing anonymity, attraction to thieves is reduced.
- Securing equipment to walls or furniture with steel cable ties to hinder removal.
- Securing equipment in an ‘entrapment’ device that is bolted to a floor, wall or desk to prevent removal of equipment or internal components. In conjunction with the insurance industry, the Loss Prevention Certification Board has a certification scheme available against which manufacturers can have equipment tested. Test category 1 relates to removal of equipment; test category 2 relates to removal of equipment and any internal components.
- Securing plug in ‘dongles’ (devices that enable/encrypt software to specific users or computers) within a steel enclosure separate from the computer equipment e.g. under the desk. If the computer is then stolen the dongle should be left behind, avoiding the need to buy new software and the inconvenience of not being able to run any backup copies on replacement equipment.
- Using equipment alarms designed to emit an audible signal if equipment is moved or interfered with. They are ideal for alerting nearby staff to a ‘walk in’ theft or unauthorised use of equipment.
- Using internet computer tracing devices. These send you a message if a computer is used from an unauthorised location, e.g. after being stolen, and can then enable its location to be established.
Key Action Steps
Effective security is usually achieved only after considering the various risks faced and then implementing an appropriate set of complementary security measures, so:-
- Undertake a risk assessment.
- Assess current security against the aforementioned headings.
- Consider adopting additional security measures (e.g. security targeted at particular items of equipment).
- Aim for a layered set of security measures; don’t rely on just one or two.
- Review security as circumstances change, e.g. new equipment is installed, or existing equipment is relocated.
- Urgently review security after any loss. If you do not do so, you are at high risk of a repeat incident.
Sources of further information
BSIA (British Security Industry Association).
Tel 01905 21464 or www.bsia.co.uk
BOSS Suppliers of dongle security boxes.
Tel 01273 202720 or www.bossuk.com
LPCB (Loss Prevention Certification Board).
Tel 01923 664100 or www.redbooklive.com
MLA (Master Locksmiths Association).
Tel 01327 262255 or www.locksmiths.co.uk
For Alarms, Access Control and CCTV:-
NSI (National Security Inspectorate).
Tel 0870 205 0000 or www.nsi.org.uk
SSAIB (Security Systems & Alarm Inspection Board).
Tel 0191 296 3242 or www.ssaib.org
