"There are so many risks to deal with, it's an overwhelming job," says Dan Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a wholly owned subsidiary of Raytheon. "In the day-to-day, they're responding to wildfires, and they just don't get a chance to stand back and figure out where they need to go next...Security administrators are really struggling to keep up."
Security officers have been battling worms, viruses, denial of service attacks and hackers for years now. When you add the threat of cyber-terrorism, employees using Instant Messengers and downloading full-length feature movies onto their work PCs, the list of risks is multiplying far faster than security budgets or staffs can keep pace.
SilentRunner has created a Top 10 list of risk factors that security administrators should guard against. Here's what has made their short list of vulnerabilities:
"It is a big job that's for sure," says Van Nguyen, director of global security for American Presidential Lines, a oceanic shipping company with 11,000 employees and more than 76 container ships worldwide. "One thing interesting to me is that due to the state of the economy right now, our senior executives want us to cut costs and be secure at the same time. It's doable but it's difficult. It has to be blended into the business process."
And to do that, Nguyen says security and network administrators would be smart to form official policies around most, if not all, of SilentRunner's 10 risk factors.
For instance, Nguyen says they drastically cut down the bandwidth that was being used by simply telling users that they are not allowed to download movies, and then tied the policy in with employees' performance reviews. Instant Messaging is in the same category, he notes.
"We have users who claim they have legitimate reasons to use it," says Nguyen. "They say they can save the company money because they won't make long-distance calls. But stay with policy. There are too many risks inherent in Instant Messaging. You have to educate users to the risks so they understand what theyre doing."
Charles Kolodgy, an analyst with Framingham, Mass.-based IDC, says Instant Messaging is such a risk that he's surprised it didn't make SilentRunner's Top 10 list.
"It's a solid list but the only thing I'd add is Instant Messaging," says Kolodgy. "That should be No. 11 if it's not Top 10."
But it is on Woolley's own list of vulnerabilities that companies should be worried about -- and writing policy for.
"When they finally get encrypted Instant Messaging, it will be great," says Woolley. "When a user types that message, it goes out of the network, to an ISP and around there two or three times and then to the intended recipient...You may be chatting with the guy down the hall and not realizing that the message doesn't just go down the hall. It's actually leaving your network. You're broadcasting that information."
IDC's Kolodgy says tackling all these risk factors is becoming a bigger job than just one department can handle.
"The network and the security guys need to start communicating more because so many vulnerabilities are dealing with the network and bandwidth," he says. "There's so much going on and you've got to lay down policy on top of it all."