Okay, it's been a year since the worst terror attack in American history. Are your data and systems any safer than they were 12 months ago?
If you haven't made much progress, you're not alone. More than half of the 500 IT and security professionals surveyed by SearchSecurity.com report no improvement in their organization's security since last fall. About the same percentage report no increase in their security budgets, and 84% said their security staffs have no more clout than they did a year ago to enforce security rules.
So where's the good news? It's in the fact that some of those who responded to the survey are taking practical steps to improve security without waiting for mammoth increases in their security budgets or for corporate reorganizations. As you read these, remember that you only have to avoid one security disaster to look like a hero -- or at least boost your chance of surviving the next layoff.
Talk to your users
You don't have to go far to see a kind of grass-roots patriotism among your employees. Since September 11, one survey respondent reported seeing flags and boxing gloves replacing watches or mugs as prizes for events such as sales contests. This patriotic urge can be channeled into a greater awareness of security, but only if someone tells users what to look for, said Gary Dickhart, an independent security consultant in Houston.
For example, you can warn users to watch out for and report unfamiliar e-mail attachments and insecure wireless network access points. Or, you can ask users to report unfamiliar people wandering around their work area or the data center. The keys are to be clear and consistent, reminding users regularly that they are on the front lines of your security struggle.
Talk to your boss(es)
A veteran security manager once told me that the best way to get a budget for a function within an organization (such as security) is to ask for it. Repeatedly. And by making the argument in business, not technical, terms.
Dickhart said whatever interest business managers have in security after September 11 will fade if the security staffs don't make "business-oriented" proposals for improving security. Many security staffs, he said, "talk about the technical hurdles they have to overcome, and that will be enough to turn (the business manager) off." Instead, lay out the dollars and cents risks if your request gets turned down. And remember to describe how robust security tools can save money by making it easier for customers to reset their passwords without calling a help desk or by making it easier for authorized business managers to create e-mail accounts for new employees without help from IT.
Eventually, you'll get at least some of the budget you're after -- or realize you have to look for a new job where management understands the business implications of security.
Test your backups
Especially if you're in a small shop, you probably just copy a bunch of files to a floppy or a CD-RW, throw it on a shelf and hope the files you need are there in case of a disaster. But what if the right files aren't there, or are in the wrong format or on the wrong media to be read by your backup computers?
Bryce Hoverman, a programmer/analyst at the South Carolina Department of Consumer Affairs, learned this the hard way when a hard disk and power supply failed in one of his computers. It took him a week to restore the system properly, he said, because "I hadn't even made an effort at doing a mock disaster" to ensure he was backing up the right files and could find them. "Had I done that, six months ago or a year ago, I would have noticed," he said.
Running a test restore of your data is something you can do in a matter of hours, so you can find and fix problems in the privacy of your cube, rather than with your boss looking over your shoulder in the middle of a crisis. Testing and updating are also crucial for your broader disaster-recovery plans, which include finding new office space, phones, computers and Web access for your users in case of a disaster. You do have a disaster-recovery plan, right?
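A mock disaster of this kind can be scripted. The following is an added example, not part of the original article: it records checksums when the backup is made, then checks a test restore for files that are missing, damaged or were never in the backup set. The directory layout, file names and the `required` list are constructed sample data.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root, required=()):
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        # files that were backed up but did not come back from the media
        "missing": sorted(set(manifest) - set(restored)),
        # files that came back with different contents (bad media, truncation)
        "corrupt": sorted(f for f in manifest
                          if f in restored and restored[f] != manifest[f]),
        # files the business needs that were never in the backup set at all
        "never_backed_up": sorted(set(required) - set(manifest)),
    }

def demo():
    """Mock disaster on constructed sample data; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup_set, restored = (Path(tmp) / n
                                      for n in ("live", "backup_set", "restored"))
        (live / "db").mkdir(parents=True)
        (live / "db" / "cases.dat").write_bytes(b"case records")
        (live / "app.ini").write_bytes(b"[app]\nmode=prod\n")
        (live / "letters.doc").write_bytes(b"form letters")
        # The backup job copies db/ and letters.doc; app.ini is overlooked.
        shutil.copytree(live / "db", backup_set / "db")
        shutil.copy(live / "letters.doc", backup_set / "letters.doc")
        manifest = build_manifest(backup_set)  # recorded when the backup is made
        # Test restore from the media: one file is lost, one is truncated.
        restored.mkdir()
        (restored / "letters.doc").write_bytes(b"form let")
        return verify_restore(manifest, restored,
                              required=["db/cases.dat", "app.ini"])

if __name__ == "__main__":
    for problem, files in demo().items():
        print(f"{problem}: {files}")
```

In real use, `build_manifest` would run against the files as they are written to the backup media, and `verify_restore` against a scratch directory restored on the standby machine.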
Centralize (or at least play well with others)
Just as in any human endeavor, someone needs to be accountable if you want to get things done. Like a growing number of organizations, the federal Department of Transportation has a chief security officer and is considering creating a department-wide operations center and enterprise-wide intrusion-detection system. At a major financial services firm, security staff and network administrators are working together to ensure critical security patches are applied across the organization.
You may not have the clout to order reorganization or launch a formal program, but there's nothing to stop a security manager from informally coordinating with the network administrators on mundane work like applying patches. There's also nothing to stop a security manager from sending a weekly newsletter to users with links to critical patches and a brief description of those that are the most important.
None of these steps will guarantee you won't suffer an embarrassing or expensive attack tomorrow, nor do they eliminate the need for proper funding and management support to make major improvements in security. But security is a process, not an event, and these suggestions will at least get you moving in the right direction.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass., and can be reached at email@example.com.