EVEN SMALL BUSINESSES SHOULD CREATE COMPUTER SECURITY TEAMS
COLUMBUS, Ohio – With computer viruses and other Internet attacks on the rise, even small businesses should create dedicated security teams to minimize the financial and political fallout from these incidents, according to a new book.
A senior security engineer at Ohio State University has joined with a director of security operations for a Fortune 500 company to explain how businesses can create such teams. The book is The Effective Incident Response Team (Addison-Wesley 2004, ISBN 0-201-76175-0).
Brian Moeller of Ohio State said he and coauthor Julie Lucas wrote the book primarily for office managers -- the people who often bear the responsibility of creating and supervising a computer incident response team (CIRT), even though they may have no technical background in the area.
As a result, the book offers step-by-step details ranging from how to protect a computer network from attack, to how to write an effective computer use policy for employees.
For readers who want to persuade upper management to invest in computer security, the book makes a convincing case. One chapter outlines the costs of computer crime, including a 2002 survey by the Computer Security Institute and the FBI that found that such crime has cost American businesses nearly $1.5 billion since 1997.
Computer security threats can come from inside or outside a company, and vary from unauthorized access to information to denial-of-service attacks that shut down a network, Moeller explained. And theft of business intelligence or lost hours of operation can end up costing a business more than just money.
“The big lessons here are that preventing computer attacks is really worthwhile, and having clear policies that employees can follow is worthwhile, too. Those things sound very easy, but it’s sometimes a challenge to actually implement them,” Moeller said.
Other chapters cover a wide variety of CIRT issues, such as how to form a CIRT, define its mission, and work with law enforcement. The book offers lessons in security terminology, walks readers through a typical security incident, and includes copies of relevant federal codes for cyber
For instance, one question managers face when budgeting for a CIRT is which security tasks to perform in house, and which ones to outsource.
“When you don’t have incidents that require forensics very often, it’s hard to keep up with forensics technology,” Moeller said. “So if you can’t justify the expense of maintaining a full-time forensics capability, it may be more cost effective to outsource.”
Years as a computer security consultant have helped Moeller formulate some general advice.
“What people really need to do is look at their information technology infrastructure and think about what’s important to them,” he said. “They should make sure they’re backing up their data, patching their networks, and managing users.”
Moeller says many common mistakes are easily solved. For instance, many companies don’t automatically cancel an employee’s access to the network after the employee has left the company.
“I’ve worked with companies that have never removed a user, even after they’ve been gone for years,” he said.