Soft on the Inside
While external security threats abound, most serious risks still emanate from lax policies and procedures and a lack of ongoing employee training.
As the arrest of an AOL employee this week for allegedly pilfering screen names of AOL customers for resale to a spammer attests, internal IT security at most companies is still a greater threat than being hacked from unknown, outside assailants with malicious intent.
''There's a saying in security: 'Crunchy on the outside, soft on the inside','' says Barry Kaufman, CTO of the Intense School, an IT training center in Ft. Lauderdale, Fla., that provides accelerated certification boot camps for computer professionals. ''And the general mentality out there is perimeter security as opposed to comprehensive and internal security. While you can technically do great things like patch systems and whole bunch of other stuff, it's hard to patch human beings.''
While worms, viruses, Trojans, external hacking and other outside threats are ever increasing, 80 percent of hacks still originate from internal sources, as do 80 percent of computer crimes, said Kaufman. Some of this is intentional and malicious. Yet many security issues are simply caused by carelessness on the part of system administrators unaware of the pervasive security holes in their systems.
With so much attention paid to security issues over the past few years this seems paradoxical, but it is understandable once you realize the average security mentality stems from a medieval mindset: build high walls with strong gates to keep the barbarians out and you'll be safe. The problem is, once the barbarians breech the walls (or bypass them via a tunnel or Trojan Horse), most companies' systems are wide open for attack.
Overcoming this mindset and building a better security mousetrap is really about three things, says Gerry Wilson, CIO of Bedford, Mass.-based security firm RSA Security: People, process and policy -- and then technology, in that order.
And, while technology solutions proliferate, most are defensive in nature. Wilson prefers to promote a 'good offense is the best defense' strategy that heads off attacks through ongoing employee training and security policies and procedures that are strictly enforced.
''The easiest things for a CIO to do is to go buy a technology solution,'' says Wilson, ''but the harder component is to surround that with processes and people and the administrative policies that help that technology do its job and do what it's intended to do.''