A description of normal hazards to business information is as follows:

On our clients' small business networks, it is common to log 10 - 20 intrusion or network reconnaissance attempts every day. These attempts are generally made in order to "foot-print" targets of opportunity so that information of value can be stolen, or so that network operations can be disrupted.

Document handling is a key source of information risk. It is worth noting that "going through the trash" is a valuable means of gathering information about a business. Account numbers, phone numbers and addresses, and other information which can be used against individuals or businesses are routinely thrown away without proper document destruction practices. In addition, document storage must be secure from prying eyes during and after the workday.

It is amazing in this day and age, but many businesses are naive enough to believe that a single door with a keyed lock is adequate to protect their premises from intrusion. In addition, it is not unusual for personnel to be permitted to leave confidential working documents and records lying out on tables or in cubicles during breaks, meals, and after hours. In these times, information equals power. If all that someone needs to do to gather crucial information is to scratch-pick a mechanical lock and run photocopies of information in unlocked cabinets, then you are not making them earn their money.

Electronic eavesdropping is a relatively simple activity for a knowledgeable network technician to engage in. If a few criteria are met, and if your network is not adequately protected, it is possible for an attacker to use eavesdropping to acquire logins, passwords, and other vital data which are then used to exploit the network. This eavesdropping may occur on a continuous basis, or only on an occasional basis.
If your LAN uses such features as Outlook Web Access, or you utilize web connections which are not secured by VPN or SSL (Secure Sockets Layer), then you are passing network credentials in the clear. This is very hazardous to the health of your network's security.

It is estimated that over 400 new viruses, variants, and worms are released every month, according to the International Computer Security Association (ICSA). Based upon current data from Trend Micro, typically over 30,000 computers are reported to be infected by viruses or other troublemakers (malware) every 24 hours. And those are just the reported numbers. If virus scanning is not performed using updated virus pattern files, and if administrators are not notified of problems 24x7, who pays the price?

Walk around the office and take a look at the number of workstations and printers which are connected to the network in your office. How many of those machines are attached to an uninterruptible power supply? Oklahoma, Texas, and Kansas areas are infamous among IT personnel for the poor quality of the power provided to outlets for both residences and businesses. Consider that in northwest OKC, it is rare to pass a single weekend without sustaining power brownouts or even outages due to maintenance on power systems. While power outages are bad enough, brownouts are not perceptible to us, but they are to the processors in our computers, even if they are connected to surge protectors. This shortens equipment lifespan, increases maintenance costs, and is the cause of a good deal of data loss.

Flood/Fire or Structure Damage

Although flooding seems uncommon, a burst water pipe or a hot-water heater valve that sticks open is more common than you would think. Are your servers, data equipment, and workstations at least 2 inches off the floor? If not, imagine the good that one inch of water will do to all of those electronics. Fire damage is relatively rare, but where there is fire there is a great deal of smoke.
In addition, many businesses have automatic fire sprinkler systems in place. Just imagine, a fire followed by a flood... When the extinguishers go off, is all of your critical data onsite, or do you take your back-up tapes off-site? Are they safe and up-to-date?

A depressing thought, but the fact is that well over 50% of the risk of damage or theft of business information lies with insider theft. This means that over 50% of the effort spent securing your data should be spent on securing data from unauthorized access by insiders, and on identifying who is accessing (or trying to access) critical information.

Wireless networks (WLAN) are rapidly becoming prevalent in the business world... they are especially helpful in organizations where laptop usage in the office is heavy. The mobility which these networks provide increases productivity... it also increases risk. WLANs run on radio systems provided by a network of access points (AP) and wireless network cards. These systems generally come with security systems which are relatively standardized, but which allow for customization of encryption and authentication. Yet the vast majority of business networks do not utilize any encryption at all. This leaves the entire network open to intrusion because in essence the firewall does not touch wireless traffic.