August 15, 2005
The Newspaper of the NYSSCPA
Vol. 8, No. 15

IT Security: The Flaw in the System May Be You

By Jay Dismukes

As the number of cyber-related threats steadily increases, so too do the lines of defense. But technology has yet to find an answer for what many regard as the greatest risk to computer security: the human element.

In the view of one expert, David M. Cieslak, computer users often are the “weakest link” in the ongoing struggle to minimize exposure to harmful or unwanted outside influences. As such, hackers, spammers and scam artists not only prey upon, but in fact rely on, many users’ lack of due diligence and, more importantly, their impulse to click first and ask questions later.

A CPA and principal of Information Technology Group in Simi Valley, Calif., Cieslak served as the opening speaker for the second day of the 2005 New York CPA, Business and Technology Show and Conference in Manhattan. Cieslak offered practical advice for safeguarding machines from viruses, spam, spyware and identity theft.

Though most people know better, Cieslak said some users who can’t resist the urge to satisfy their curiosity continue to be beguiled into opening unsolicited e-mails from unknown senders. While the source of these messages may look legitimate and the content, from charitable causes to the promise of a new job, may appear reasonable and involve matters that would pique anyone’s interest, the consequences of a single click frequently are severe, including installing malicious software, debilitating the computer and stealing personal financial information.

“These scammers are always looking for your sucker factor,” Cieslak told the audience attending the July 26 presentation. “Unless you have very high confidence in the sender, don’t open it.”

Cieslak strongly advises against entering confidential information on a Web page unless the user has initiated access to the page and progressed there as part of an online transaction. Even then, he said, users should always look for a padlock at the bottom of the screen, which indicates that the site is digitally secured and serves as third-party verification of the Web site owner’s identity. In addition to their own internally hosted Web resources, businesses also may want to consider digital certificates for their e-mail system.

Other suggestions that users might want to implement include using pass phrases rather than passwords. These phrases should comprise four or five words, with some of the characters replaced by numbers. Cieslak also urged wireless users who work a fair amount in public spaces to subscribe to a third-party wireless provider for a guaranteed encrypted connection instead of relying on a possibly compromised network connection found in coffee shops or hotel lobbies, for example.

Of course, all these steps require a proactive, cautious approach to computing, which Cieslak believes is lacking in the business community and is also noticeably absent from the home environment. One area in which he said home users must become more vigilant is critical updates or system patches, which normally are manifested by a revolving globelike icon that shows up at the bottom right side of the screen.

“Since new vulnerabilities are discovered daily and exploits seeking to compromise systems appear virtually immediately afterward, critical updates should be installed without delay,” Cieslak’s handout states.

If a home machine connects to the office network, failure to install these patches on the home machine can lead to significant problems for the office network.

Other simple, nontechnical procedures for protecting business and personal computers include the installation of anti-virus software and spam-filtering solutions. However, spam continually evolves in its effort to evade filters. It is considered the single greatest method for gaining access to a system, and now constitutes 90 percent of all e-mail. Cieslak recommends using a third-party managed service, such as FrontBridge True Protect or Postini, that permits only legitimate messages to get through.

Similarly, Cieslak said all machines must regularly be scanned for Spyware and Adware, which monitor action taken and sites visited and are estimated to infect more than 80 percent of home computers. He recommends installing at least two Spyware/Adware programs per computer, such as Webroot Spy Sweeper, Lavasoft, or Microsoft Windows AntiSpyware (Beta).

The New York State Society of CPAs and the Foundation for Accounting Education sponsored the two-day show and conference.
