Network managers should consider new technologies and practices in their resource protection strategies.

Security breaches used to be a private matter. Networks were pretty hard to break into, since they weren’t exposed to the Net as they are today. Even if someone did break in, you’d do your best to keep quiet about it and hope the damage to the business would be minimal.

Now, it’s hard to maintain that type of containment. First of all, in the era of e-business, the consequences of a security lapse can quickly extend to your trading partners. If someone gets into a customer database, you have no choice but to tell the affected parties that some data pertaining to them has been compromised. With systems like customer relationship management applications capturing more such data than ever, those people can take the news pretty hard.

Secondly, the Web itself provides an excellent means of broadcasting news of such breaches to whoever wants to hear. In the past, hackers didn’t have a good way to announce their triumphs. Today, anyone can post the news of your failure any time. The result of a breach, therefore, can go well beyond some downtime or lost data. It can tarnish the reputation of your whole organization and even undermine your stock price.

That’s why security is the topic of this month’s column. While there certainly isn’t enough room here to cover security as a whole, I thought I’d point out three areas that are attracting an increasing amount of attention from industry observers.

BIOMETRICS

Passwords are a hassle, especially as users have to connect to a greater number of systems within and outside of their own organizations. People end up either forgetting their passwords—resulting in a large percentage of all help desk workloads—or making them so easy to remember that they’re too guessable to do any good. Biometric systems, such as fingerprint scanners, eliminate the need for passwords. Once these systems recognize the user, they can automatically supply the necessary passwords to the multiple back-end systems with which that user must interact.

This convenience is a critical consideration. Biometrics may or may not be inherently more reliable than other forms of identification—but it’s an extremely fast and convenient technology. As we all know, even the best security tools in the world are useless if people don’t apply them. A busy doctor trying to get to some digital patient information really doesn’t want to use a security token. Pressing a finger against a piece of plastic, on the other hand, is hardly a bother at all. That’s something to think about if you’re trying to safeguard a hospital against the legal consequences of failing to adequately protect patient records.

INTRUSION DETECTION

This technology has been around for a while, but hasn’t been widely accepted in corporate IT departments. That’s probably because it seems more logical to focus on prevention rather than detection. There are two problems with this way of thinking:

This second point is particularly important to note. IT managers usually think about their own company, not the business world as a whole. If we don’t all decide to make intruders pay for their crimes, then we are all that much more vulnerable to attack. By documenting intrusions—and turning that documentation over to the appropriate law enforcement or industry groups—we can mount an effective counterattack to the growing number of security incidents on the Net.

BEST PRACTICES

Technology alone can’t do the job. Here’s why. Your company is hit with an e-mail virus. You have to notify everyone right away to limit your exposure and that of your trading partners. But there’s only one way to get the word out: e-mail. What’s wrong with this picture?

This is just one example of an area where network managers need to put better processes in place for coping with threats. From change management to PC disposal, processes are as critical as technologies for limiting exposure and maintaining e-business health. Yet many organizations still don’t have clear, published security policies and/or properly trained computer security managers. Many companies just assume that network managers know how to secure a network and systems administrators know how to secure systems. It’s not true. Even if it were, there would still be a need to secure the overall environment, in addition to securing each individual component in that environment. After all, that’s how hackers work. They find a very specific weakness and then exploit that weakness to penetrate the whole enterprise.

In today’s universally connected environment, security entails a whole lot more than encrypting e-mails and locking up server rooms. Security must become a core competency of every IT organization, or the company will suffer. If your company doesn’t have a dedicated security team, form one. If you haven’t re-examined your security technology strategy lately, get on the case now. The Net has made life too risky not to.
Contact me at LL@exit109.com to comment on this month’s column.