INTRANETS/EXTRANETS -- To stave off the finger-pointing and--even better--to greatly reduce the risk of a network-security meltdown, now is the time to talk and plan.
It could be an incident in which proprietary company data is stolen. Or your employees’ personal information could be exposed to others who might not keep it to themselves. It could be a situation like the one that occurred at Indiana University last summer, when hackers rooted around in the university’s computer system, having free access for at least three or four days to the applicant data from 1,200 prospective students.
There’s a long list of nasty possibilities, one of which is that someone might be attempting to break into your company’s digital infrastructure right now. “The threat exists for everyone by varying degrees, regardless of who they are,” says Steve Fuller, president of NetWorks Group, a company in Brighton, Michigan, specializing in network security and data protection. “Automated scans, worms, and pre-attack probes launched from the Internet go on constantly, testing for vulnerabilities in companies’ networks.”
Consider this, from a survey released in April on computer crime and securityby the FBI and the San Francisco-based Computer Security Institute:
- Ninety percent of respondents (primarily large corporations and government agencies) had detected computer security breaches within the last 12 months.
- Eighty percent acknowledged financial losses due to computer breaches.
- Those reporting losses quantified them at nearly $456 million in 2001.
Another thing that is almost certain: when these computer breaches occur and a company experiences significant negative impact, the vigorous finger-pointing that follows would cool a Tucson warehouse in the summertime. HR may say that the IT department should have had better technology in place to protect the system. IT may insist that the problem is with HR’s network-security policy.
So, to stave off the finger-pointing, and--even better--to greatly reduce the risk of a network-security meltdown, now is the time to talk and plan.
Working together to create sound policy
A strong partnership between HR and the technical staff is crucial, says Fuller. Working together to formulate policy ensures not only that the guidelines being established are sensible, but also that they are practical to implement and enforce from a technical standpoint, he points out. "Network security works best when it is policy driven. The actual policy should come from the HR side, but the technical people should be involved in implementing the details."
Having a clearly established network-security policy also serves as a guide to IT staff for decision-making when incidents arise, says Fuller. “For several reasons, it is much easier for technical people to respond in situations when they have a clearly written policy as a guide. First, you get more consistency in your reactions. For instance, if you had to discuss how your company was going to handle things like lost passwords each time it happened, you’d waste a lot of time and end up with haphazard responses in handling it on a case-by-case basis, as opposed to having to make the decision only once at the management level.”
Having the weight of an established policy behind a decision is important, too. “With a clearly written, well-communicated policy, IT people don’t have to make compromises they're not comfortable with,” says Fuller. “They know that they have the backing of management in their decision. It’s not an individual making that determination--it comes from the organization through the policy.”
Some problems come from within
Not only are people trying to break in from the outside, but a company's network can also be compromised when someone inside the company does something that can harm the network, accidentally or otherwise.
Eliminating problems from within is more challenging. To put it logically: a) employees are people, b) people are human, and c) to err is human. So just assume that you're going to have incidents.
"Something like 60 to 80 percent of network-security problems come from the inside," says Fuller. "It's not a small problem."
To minimize the risk from within, there are two things you should do: provide training on proper use of the system, and perform thorough background checks on everyone who accesses the system, temps and contractors included.
Also, periodic reminders of your appropriate-use policy and network-security guidelines are crucial. At the least, you should have employees annually sign the policy, indicating that they understand it and agree to act accordingly.
“Security works best when it is part of the culture,” says Fuller. “End users will know what to do in most circumstances, and providing employees a thorough orientation combined with frequent reviews of the policy can go a long way to preventing incidents.”
When there is trouble
So, what do we do if some sneak does get far enough into the system to poke around a little bit? Or if it turns out that everyone knows that Rita in Accounting uses “SPRING_FEVER” for her password?
"Every company should have an incident-response policy in place," says George Jelatis, director of security architecture services for Secure Computing Corporation, in San Jose, California. "This can be as minimal as defining a reaction team and the roles they play, but usually goes further and addresses questions like whether or not the company will want to contact law enforcement in the event of information loss or theft, and when and if the company will publicly acknowledge a breach has occurred."
Giving early thought to these questions--before the heat is on--is something that can really pay off in the event of a network-security problem. “If you can make these decisions when things are calm, it will save you a lot of heartburn during an incident,” says Fuller of NetWorks Group. “These are very stressful, chaotic times, and you’ll be glad you considered these issues in advance.”
Keeping up with technology
Your policy is now in place and the technology has been deployed. Your employees know the guidelines and have been trained in appropriate use of the network. Your job is done, right?
“The biggest thing that people--tech staff included--do not understand is that security is an ongoing process,” says Fuller. “You need constant review of your policy and the technology used to safeguard the system. You should also regularly remind employees of the policy and the expectation it sets for them.”
Dan Jude is president of Sugar Grove, Illinois-based Security Software Systems, which offers Internet monitoring, filtering, and blocking software to employers. He agrees, saying that an outdated network-security plan is almost as bad as not having one at all.
"Technology is changing so quickly, and in such big ways, that the network-security policy has to be a living document," says Jude. "It has to change as technology changes, and change as the organization changes. As those updates happen, they must be continually dispersed to employees as well."
Though you can never eliminate risk completely, when you tie HR and IT together to formulate a sound network-security plan, when you train end-users on smart and safe computing, and when your IT people incorporate the latest technology to keep the bad guys out, you go a long way toward keeping your networks safe and your life happily free of finger-pointing.
Steps to creating a network-security policy
- Perform a risk assessment
- Create a clear policy, keeping it as simple as possible.
“Your network-security policy should be three to five pages long, 10 at the most,” says George Jelatis. “The policy should be written at a fairly broad level, with references to specific procedures when more information is needed.”
Also, given the amount of information out on the Internet, you won’t have to start from scratch. Sample policies are available free from the SANS (System Administration, Networking and Security) Institute on their Web site.
- Communicate the policy and train employees on it regularly.
Workforce Online, September 2002