The Worst Security Mistakes You Can Make - Part 2
By Jeff Bloom and Rob Kay
Last column we began a series on security lapses that too many of us in the Aloha State seem to suffer from. I know that we preach quite a bit about the perils of the Internet but this is an issue that we must take very, very seriously.
In our first column on this subject we looked at some of the common errors that average "end users" make. Today we'll focus on typical security mistakes senior executives make. We don't mean to pick on upper management but more often than not, they are saddled with the ultimate responsibility of overseeing their company's IT department. If a network is compromised and valuable data is lost, management will pay a very heavy price. To minimize the chances of this occurring, we put together a list of common mistakes. This is what not to do:
In Hawaii, and on the Mainland for that matter, managers are constantly faced with shortages of trained IT people. It's all too tempting, to save a few bucks, to assign an untrained individual to maintain network security in the hope that they will learn on the job. Those who practice this do so at their own risk. Learning network security on the job is asking for trouble. If you need to beef up your security, spend the money to educate your administrator. There are several good programs available in Honolulu and you should avail yourself of them. Otherwise you could be putting your entire business at risk.
- Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.
As managers, it's easy to understand that you've got to keep your offices secure. You don't want unwanted visitors bothering your employees, nor do you want uninvited guests walking off with your photocopy machine. However, despite the headlines in the newspapers about hackers and viruses, many managers still don't recognize the fact that you need to keep your data safe from prying eyes. Yes, it takes educating yourself. Last year, our crack security expert, Randy Williams, electronically surveyed over 8000 cable modem and DSL users and came up with the startling conclusion that approximately 25% of this group did not have the most rudimentary security measures in place.
- Failing to understand the relationship of information security to your business. Managers understand the issues of physical security but do not see the consequences of poor information security.
Human nature being what it is, a lot of us take the easy way out. Networks need to be surveyed constantly for security lapses, but often this does not occur. Sometimes security can be bolstered with software patches or upgrades to thwart hackers. However, it's not enough to install a software patch and hope that you've done the right thing. The network has to be tested to make sure that the upgrade actually works. Unfortunately, too many network administrators fall down on the job because they don't follow through. Make sure your own IT people are thorough. No network is 100% safe from the most ardent hacker, but you can do a lot to make sure you're at least 99.9% secure.
- Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow through necessary to ensure that problems stay fixed.
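The follow-through the column asks for can be made routine: record what a fix was supposed to achieve, then re-check it later and treat both "still open" and "not checked" as findings. The script below is an added example, not something from the column or its authors. The baseline, the scan output format (`host port state` lines) and the addresses are all constructed for illustration; in practice the observation would come from a scan you run against hosts you administer.

```python
"""Check that a security fix stays fixed.

Added example (not from the column). Compares a recorded baseline of
(host, port) pairs that were verified CLOSED when the fix was applied
against a later observation, and reports regressions and gaps.
All data below is constructed sample data.
"""

# Baseline recorded right after the fix: these must stay closed.
BASELINE_CLOSED = {
    ("10.0.0.5", 23),    # telnet disabled during the fix
    ("10.0.0.5", 445),   # SMB blocked at the host firewall
    ("10.0.0.9", 3389),  # remote desktop reachable only through the VPN
}

# Constructed follow-up scan output, some weeks after the fix.
# One port from the baseline has come back open, and one host/port
# was never re-checked at all.
SCAN_OUTPUT = """
10.0.0.5 23 closed
10.0.0.5 445 open
10.0.0.9 80 open
"""


def parse_scan(text):
    """Parse 'host port state' lines into {(host, port): state}.

    Malformed lines are skipped rather than guessed at; a verification
    tool should never manufacture evidence it did not collect.
    """
    observed = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        host, port, state = parts
        observed[(host, int(port))] = state.lower()
    return observed


def regressions(baseline_closed, observed):
    """Pairs that were closed at baseline but are reported open now."""
    return sorted(p for p in baseline_closed if observed.get(p) == "open")


def unverified(baseline_closed, observed):
    """Pairs the scan did not report at all.

    Absence of evidence is not a pass: a missing result means the check
    did not run, not that the port is closed.
    """
    return sorted(p for p in baseline_closed if p not in observed)


def report(baseline_closed=BASELINE_CLOSED, scan_text=SCAN_OUTPUT):
    """Return the two lists a manager should ask to see after any fix."""
    observed = parse_scan(scan_text)
    return {
        "regressed": regressions(baseline_closed, observed),
        "unverified": unverified(baseline_closed, observed),
    }


if __name__ == "__main__":
    result = report()
    for host, port in result["regressed"]:
        print(f"REGRESSED: {host}:{port} is open again")
    for host, port in result["unverified"]:
        print(f"UNVERIFIED: {host}:{port} was not re-checked")
```

Run against the constructed data it reports one regression (port 445 on 10.0.0.5) and one unverified entry (port 3389 on 10.0.0.9). The point of the second list is that a scan which simply skipped a host must not count as proof that the fix held.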
A firewall is not the answer to all your security problems, and if it happens to go down you're incredibly vulnerable. A firewall, said Earl Ford, founder of Pacific Interactive, a Honolulu technology company, should be configured in conjunction with an additional "security zone" or "DMZ" (Demilitarized Zone) as it is sometimes called. This will ensure additional protection if for some reason the firewall fails. (For more information on this vital topic, Randy Williams suggests that you check out http://www.makeitwork.com/net/firewall/firewalls-101.htm.)
- Relying primarily on a firewall.
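The value of a DMZ comes from the zone-to-zone rules it makes possible: the internet reaches only the published services in the DMZ, nothing reaches the internal network directly, and a DMZ host that is compromised can open connections inward only where explicitly permitted. The script below is an added example, not from the column or from Pacific Interactive. It models a three-zone policy with first-match, default-deny semantics and checks those invariants against a weak rule set and a corrected one; the zone names, rule format, ports and sample rules are constructed for illustration and do not correspond to any particular firewall product's syntax.

```python
"""Check the invariants a DMZ is meant to provide.

Added example (not from the column). Rules are (src_zone, dst_zone, port,
action) tuples evaluated first-match with default deny. The rule sets,
zones and ports are constructed for illustration.
"""

ANY = "*"

# Weak configuration: the whole DMZ is exposed, and DMZ hosts can reach
# anything on the internal network. Losing one DMZ host loses everything.
WEAK_RULES = [
    ("internet", "dmz", ANY, "allow"),
    ("dmz", "internal", ANY, "allow"),
    ("internal", "dmz", ANY, "allow"),
]

# Corrected configuration: only the published web ports are reachable
# from the internet, and the DMZ may reach inward only to the database
# port its application needs. Everything else falls to the default deny.
HARDENED_RULES = [
    ("internet", "dmz", 80, "allow"),
    ("internet", "dmz", 443, "allow"),
    ("dmz", "internal", 1433, "allow"),   # web tier to database only
    ("internal", "dmz", ANY, "allow"),
]

SAMPLE_PORTS = (22, 25, 80, 443, 1433, 3306, 3389)


def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r_src, r_dst, r_port, action in rules:
        if r_src == src and r_dst == dst and r_port in (ANY, port):
            return action
    return "deny"


def violations(rules, published_ports, inward_allowed, sample_ports=SAMPLE_PORTS):
    """Return a list of invariant violations found by probing sample ports.

    published_ports: DMZ services the internet is supposed to reach.
    inward_allowed:  internal ports DMZ hosts are explicitly permitted to use.
    """
    problems = []
    for port in sample_ports:
        # 1. The internet must never reach the internal zone directly.
        if decide(rules, "internet", "internal", port) == "allow":
            problems.append(f"internet->internal allowed on {port}")
        # 2. The internet reaches the DMZ only on published services.
        if decide(rules, "internet", "dmz", port) == "allow" and port not in published_ports:
            problems.append(f"internet->dmz allowed on unpublished port {port}")
        # 3. A compromised DMZ host must not get a free path inward.
        if decide(rules, "dmz", "internal", port) == "allow" and port not in inward_allowed:
            problems.append(f"dmz->internal allowed on {port} without justification")
    return problems


def audit(rules):
    """Audit a rule set against the constructed policy for this example."""
    return violations(rules, published_ports={80, 443}, inward_allowed={1433})


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = audit(rules)
        print(f"{name}: {len(found)} violation(s)")
        for p in found:
            print("  " + p)
```

Against the weak rule set the audit reports eleven violations (five unpublished ports reachable from the internet, six inward paths from the DMZ); against the corrected set it reports none. The check is deliberately structural: it does not tell you whether the firewall is up, only whether the zones are laid out so that a single failure does not expose the internal network.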