You will have heard the one about the man who walks into a branch of Barclays Bank and says “I am an IT engineer”?

The bank welcomes him in and he takes £1.3m. I’m sure no-one at the bank thought it was funny, but before the rest of us laugh at someone else’s misfortune we need to take a quick look in the mirror. It couldn’t happen to us, could it?

Barclays have not released much detail of how the “IT engineer” gained access to the bank’s computer but either the crook did a good impression or maybe all IT engineers look like crooks.

Either way, all the layers of IT security were simply bypassed. The thief literally walked in through the front door. It shows that you can have all the security in the world, but you have none at all if you just welcome the perpetrator in.

The IT security needs of your business probably are not as stringent as a bank's, but you need to spot any gaping holes. Here are my top ten security gaps to look for:

Passwords

Make sure everyone has a password and that it is never divulged to anyone else.

Passwords must be ‘complex’ — a combination of letters, numbers and non-alpha characters. The word ‘artichoke’ could fall victim to a dictionary attack but ‘art1CHOKE!’ or even ‘rt1chke!’ would be a lot stronger.

If you want to get really tough on passwords, set them to expire regularly. But remember that this does tend to make life significantly harder for your computer users.

And if you want to go a stage further, try two-factor authentication using a token or a one-time security number.

Administrator password

The administrator password(s) for servers, firewalls, etc. are obviously very sensitive. Make sure knowledge of these passwords is carefully controlled.

Ex-employees

Make sure ex-employees are ‘killed off’ quickly. When someone leaves, delete or deactivate their account immediately. There is no point showing someone the door and then leaving your computer system wide open to them.

Suppliers

Choose suppliers carefully. Your security is only as good as that of your IT support company. Find out where they store your administrator password and what they do when one of their employees leaves.

Physical security

No-one could just walk into your office, claim to be an IT engineer, and be allowed to do whatever they want. Could they?

Is your server room locked? Is your server even in a controlled space? Think of the disruption if it was stolen or even if the person watering the pot plants accidentally dropped a litre of water into it.

How does someone gain access to your server room? If they just collect the key from reception, what security do you have?

Remote access

You need to be certain about controlling remote access to your IT systems. There is no point having double locks on the doors and windows if anyone can break in via their PC.

Do not even think about letting a laptop out of your office unless it is fully encrypted.

Mobile device management

You should have control of all mobile devices with access to company data or e-mail — phones, iPads, Android tablets and laptops. Mobile device management is a rapidly developing field.

Knowing that you can easily wipe a lost phone will give you peace of mind and stop a mishap turning into a disaster for your business.

Controlled access to sensitive documents

You do know that only the right people have access to your HR and finance files — don’t you?

Backup

There is another gaping hole in your security if someone can steal your backup and help themselves to all your data. Make sure your backups are encrypted and kept safe.

Most of all, you need to educate your staff. If your people understand why security is important and why you do what you do to protect the security of your business, they will be on your side and they will comply.

And the lesson that we have learned here at Riverbank from the Barclays theft? We are changing and upgrading the locks on our office doors.

Contact: 0845 6809680
Web: www.riverbank.co.uk