Four ways to secure your company on a shoestring budget

Computerworld - Blaster, Nachi and SQL Slammer are modern plagues that strike wired businesses with increasing regularity. But even if these cataclysms have failed to bring in more budget dollars, you, the security professional, are still expected to keep company networks and assets protected. Here are four steps you can take, using zero capital dollars, that will visibly reduce risks and improve your security program.

1. Update and publish your security policy.

The weakest link in many organizations' security perimeter is employees. Therefore, it's important that workers be aware of what they're permitted—and not permitted—to do with their workstations. Security policies address this issue head-on by defining the boundaries of acceptable behavior.

Part of an organization's security policy should be its Internet acceptable-use policy. Here are some of the main points that should be included:

• Don't open e-mail messages from unknown or suspicious persons, or suspicious e-mail messages from known persons. Many viruses have been known to spread because of their enticing subject lines.






• Don't share access to computers or applications with other employees, and don't use other employees' access: Get your own. Anyone who requires additional access to computers or applications should make a formal request to the person or group that administers access.






• Use locking screen savers and lock your workstation when you leave your desk.






• Don't use the Internet at work for non-business-related purposes. This includes personal e-mail or Web surfing. Most organizations permit occasional exceptions.






• Don't install programs that are not approved by the IT department. Unsupported programs can not only jeopardize the stability of one's PC, but they also introduce undesirable programs such as spyware into the business network.






• Don't allow personally owned computers to connect to the business network, even via an approved VPN program. Personally owned computers often lack up-to-date antivirus software and other protections.

Make sure employees are keenly aware of these rules. Here are a few ideas for ensuring that the word gets out:

• Hold mandatory security-awareness training classes.






• Get senior management's support for these policies, and have the CEO or chief operating officer send out e-mail(s) drawing employees' attention to these policies.






• Include a rule that states that failure to comply with policies will result in disciplinary action up to and including termination of employment.

2. Protect the entire perimeter, including laptops.

If your organization has users with laptops, you can bet that some of them are connecting to the Internet via broadband connections (DSL, cable, satellite) lacking firewalls. This is exposing your laptops to the full force of still-active worms such as Blaster, Nachi, Slammer, Nimda and Code Red. A laptop whose antivirus signatures are not up to date and is connected to a broadband connection for any appreciable length of time will become infected with one of these worms.