Controlling access to your IT

While unauthorized users must be prevented from using your equipment and gaining access to your information, controlling which data authorized users can access is also advised. According to the 2014 information security breaches survey, commissioned by the Department for Business, Innovation and Skills, most small-business security breaches were caused by failure to control access.

For example, an employee who is thinking of leaving your business may seek out commercially sensitive information about your customers and suppliers to take with them to a role with another employer. Or a dishonest employee may alter computer records to assist in fraud (or just for purely malicious reasons).


Identity and authentication

Before being able to use your business systems, legitimate users should be required to identify themselves (identification) and provide confirmation of that identity (authentication).

You also need to physically secure your equipment, of course, not only to guard against theft but also against more sophisticated threats such as the installation of ‘keyboard loggers’ and ‘screen scrapers’.

The traditional method of identification and authentication is a log-on process that verifies a password against a username. The username selects which user account the user will connect to. The password should be known only to that person, which provides access control by verifying something that only that individual user should know (ie the password).


Stay secure

Passwords need to be changed regularly. Make sure that they are not easily guessable or so short that they can be found by exhaustive search. Make sure that administrative accounts are not left with the initial default passwords set by the manufacturer. Whenever possible, remove or disable unnecessary accounts, and likewise remove unnecessary software. Do not give ordinary users unnecessary access to privileged system functions and other powerful programs.


Strong authentication

Stronger authentication tests are now common and you might be familiar with the passcode generators banks issue for internet banking. Businesses can now buy similar devices. Double-checking in this way, by verifying something you have as well as something you know, is called two-factor authentication.


Protecting your servers

Many small and medium-sized enterprises use data servers. They make sharing information easier, but they also increase the risk of paying a high price for a single failure of access control, whether accidental or deliberate. Information held on servers needs to be duplicated and stored elsewhere as part of a business’s backup and restore strategy.