6 common IT security mistakes and how to avoid them

When it comes to managing information technology (IT) security, the difference between success and failure often comes down to how proactive an organization is in addressing threats.

In Summary:

Make security a top priority and budget for it.

Develop policies, procedures, and plans for responding to security incidents and managing everyday events.

Use testing methods to ensure that your security environment provides maximum protection.

Too many companies approach IT security in a haphazard, even casual manner, with the result being that hackers, thieves, and disgruntled employees have open access to systems and data. Here are the most common mistakes organizations make and what you can do to reduce your risk.

1. A failure to prioritize security. Despite an onslaught of headlines chronicling security breaches and breakdowns, many companies still put security issues on the back burner. "Security is expensive and it doesn’t seem like a core part of the business," notes Matthew Green, an analyst at Independent Security Evaluators in Baltimore. "It eats up money that business executives prefer to spend elsewhere in the organization."

Executives often don't recognize the risk until it is too late — after a thief steals customer records, for example, or defaces a Web site. Andrea Gallazzi, president of Krisopea, a Microsoft Certified Partner in northern Italy that specializes in infrastructure and security, says that the most common breakdowns involve poor patching practices, outdated system configurations, and an overall lack of focus on security.

Solution: Take security threats seriously, and devote adequate time and money to securing your IT environment. This means stepping beyond the basic requirements of the Sarbanes-Oxley Act and other U.S. government compliance initiatives. Although every organization must determine where security ranks among its spending priorities, the average security investment in 2006 was 8 percent to 12 percent of the overall IT budget, according to IT consulting firm META Group. Savvy organizations develop a business case for security solutions — with input from various departments — and use it to define spending.

2. Inadequate response strategy. When a security threat strikes and there's nobody to take the lead, delays and indecision can torpedo any effective response. "Today, many organizations are able to identify security incidents within their IT environment, but they lack the agility to respond effectively — especially to emerging threats," says Ken Dunham, director of the Rapid Response Team at VeriSign iDefense in Dulles, Va.

Solution: Upfront planning must involve cross-functional groups and tap outside consultants and security intelligence services that track the latest threats and distribute that information to clients. Identify a point person — someone knowledgeable about security within or outside the IT department — to deal with incidents, establish an emergency response team that is available 24/7, and develop a clear set of policies and procedures for addressing security threats or incidents. The response team should consist of individuals from various departments, including human resources, legal, finance, and operations.

3. Poorly integrated security systems. Because security threats constantly change, many organizations find themselves coping with a tangle of applications, hardware configurations, internal administrators, programming code, and consultants — all of which can create incompatibilities and inefficiencies. "At some point, things completely break down and a company has a mess on its hands," Gallazzi says.

Solution: A solid best practice involves reevaluating your IT environment at least once a year, and then integrating, consolidating, and testing systems regularly. Many newer offerings, including the Microsoft Forefront line of integrated security applications, can unify and simplify administration while boosting overall protection. Although the cost and complexity of managing and testing security upgrades can be formidable, organizations that cut corners face steeper costs in the event of a major security breach. Such an incident could result in damage to their reputation, angry stockholders, possible compliance penalties, and lost revenues.

4. Lack of workforce training. A growing barrage of threats is designed to exploit the weakest security link in the chain: your people. In particular, social engineering techniques such as phishing and spear phishing (the latter is targeted to a particular person or small group) are wreaking havoc. "Many companies view training as an afterthought or feel that it’s unproductive to pull people away from their work for any period of time," says Joseph Feiman, a research vice president at the IT research and consulting firm Gartner in Stamford, Conn.

Solution: Basic training on password management, secure Web browsing, instant messaging, and e-mail practices can go a long way toward locking down systems. Don't bother with the details of firewalls and intrusion detection systems; focus on safe computing practices and other topics relevant to job roles. Taking 10 to 20 minutes for companywide presentations or instituting mandatory monthly online trainings (or longer sessions every quarter) is often enough. Follow up with regular e-mail tips or a brief monthly e-newsletter.

5. Ineffective rules and procedures. It's easy to react to a threat by blocking instant messaging or banning Universal Serial Bus (USB) flash drives (which can carry data outside the physical walls of an office). You could also create the illusion of stronger security by requiring employees to change their password every month. Unfortunately, onerous rules can crumple productivity — or simply encourage employees to find workarounds. "Poor policies can become a hindrance to getting work done and actually increase the security risk," Dunham says.

Solution: Try to balance security and productivity. While it's imperative to have strong protections in place — say, mandating the encryption of sensitive data on laptop computers — it should be simple and painless for legitimate users to access the company's systems. As an example, some computers now feature built-in biometric fingerprint scanning that automatically logs in a user or decrypts a file. Finally, don't toss aside policies and procedures in the rush to meet a deadline. Require consistency and establish penalties for noncompliance.

6. Insider threats. Despite all the talk about hackers and intruders, many security breaches take place inside a company. Disgruntled or crooked employees are a constant threat, and carelessness can be rampant — particularly among road warriors carrying portable PCs and personal digital assistants. High-level executives and administrators with virtually unchecked access privileges are almost impossible to stop. Adding to the woes: Delivery personnel, temporary workers, and even janitors are too often allowed to roam freely within facilities.

Solution: While there's no way to achieve airtight protection, there are steps you can take to minimize risks. First, distribute systems and privileges so that no one has too much control. Second, know where backups, archives, and copies of databases used for testing and debugging reside. Third, maintain accurate records of who is using mobile computing devices, and ensure that employees understand how to protect devices and data while traveling. Finally, do not allow outsiders to wander unsupervised around your offices.

Samuel Greengard is a West Linn, Oregon, writer whose articles have appeared in AARP, American Way, Arrive, Business Finance, IndustryWeek, and Wired. He is a past president of the American Society of Journalists and Authors.
© 2008 Microsoft Corporation. All rights reserved.