I recently read the “When IT Security Advice Goes Overboard” article written by Gene Marks, and I have to say I was a little taken aback by what he considers going overboard with IT security. At a time when businesses and consumers are experiencing data theft, identity theft and the like, Mr. Marks takes a pretty laid-back approach to IT security that I think can mislead other small business owners.
He thinks it’s a bad idea to spy (I doubt any security professional uses that word) on employees. Monitoring employees’ activity on a network should not be confused with spying. A network administrator or security professional does not need to watch everywhere an employee goes; they can simply set up their systems to alert them when an employee attempts to access forbidden areas. By examining those alerts they can tell whether an employee made an honest mistake or whether they have a potential insider threat on their hands: a single denied request is usually a mistake, while repeated attempts against several restricted areas are something else.
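Here is what that alerting looks like in practice. This is an added example written for this post, not code from the original article or from any product it mentions. The log lines are constructed in a generic key=value format (a real file server such as Windows or Samba needs its own parser), and the restricted paths, the repeat threshold and the time window are assumptions chosen for illustration.

```python
"""Alert on attempts to reach restricted areas of a file share.

Added example, not code from the original post. The log format below is a
constructed, generic key=value audit line; real file servers need their own
parser. Restricted paths, threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Areas an ordinary employee has no business in (assumed for the example).
RESTRICTED_PREFIXES = ("/shares/finance/", "/shares/hr/", "/shares/legal/")

# Repeated denied attempts inside this window look like probing, not a typo.
REPEAT_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

# Constructed sample log: one honest mistake by alice, repeated probing by bob.
SAMPLE_LOG = """\
2024-03-04T09:12:03 user=alice action=open path=/shares/finance/payroll.xlsx result=DENIED
2024-03-04T09:12:40 user=alice action=open path=/shares/eng/roadmap.docx result=OK
2024-03-04T10:01:10 user=bob action=open path=/shares/hr/salaries.xlsx result=DENIED
2024-03-04T10:02:55 user=bob action=list path=/shares/hr/ result=DENIED
2024-03-04T10:04:20 user=bob action=open path=/shares/legal/contracts/ result=DENIED
2024-03-04T10:05:01 user=bob action=open path=/shares/eng/build.log result=OK
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    if not all(k in event for k in ("user", "path", "result")):
        return None
    return event


def is_restricted(path):
    """True when the path lies under one of the restricted prefixes."""
    return path.startswith(RESTRICTED_PREFIXES)


def analyze(log_text):
    """Return {user: (level, denied_count)} for users who touched restricted areas.

    level is 'review' for isolated denied attempts (likely a mistake) and
    'alert' once REPEAT_THRESHOLD denials fall inside WINDOW.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["result"] != "DENIED" or not is_restricted(ev["path"]):
            continue
        attempts[ev["user"]].append(ev["ts"])

    findings = {}
    for user, times in attempts.items():
        times.sort()
        level = "review"
        # Sliding window: any REPEAT_THRESHOLD denials within WINDOW escalate.
        for i in range(len(times) - REPEAT_THRESHOLD + 1):
            if times[i + REPEAT_THRESHOLD - 1] - times[i] <= WINDOW:
                level = "alert"
                break
        findings[user] = (level, len(times))
    return findings


if __name__ == "__main__":
    for user, (level, count) in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{level.upper():6} {user}: {count} denied attempt(s) on restricted paths")
```

Only denied requests against the restricted prefixes are counted, so the administrator never sees the ordinary browsing the employees do; alice's single miss surfaces as something to review, while bob's three denials in four minutes across two departments raise an alert.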
Hackers spend their time trying to break into a company’s network from the outside, while an employee already has credentials and access to the network and so bypasses the perimeter defenses an outsider has to defeat, which makes the employee the greater threat. A business with the lax security policies Marks suggests would be unlikely to catch an employee attempting to access forbidden areas of the network.
Marks poses the question, “Do we really need to "block" certain Web sites from being visited at the office?” The answer is unequivocally yes. Employees viewing porn at work is a real problem, but porn on the job isn't the only one. Illegal file-sharing sites and torrent sites can also be a problem and should be blocked, not in an effort to make employees do their jobs, but in an effort to protect the network. File-sharing and BitTorrent sites are notorious for hosting malware, viruses, trojans and rootkits, all waiting to be downloaded by an unsuspecting person who thought they were getting the latest Lady Gaga song. Any of those infections on a network can cause a major headache for network administrators and cost the company money, especially if productivity comes to a halt because of the infection.
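Blocking those sites is a policy decision that a proxy or DNS filter enforces per request. The following is an added example, not code from the original post or from any filtering product: a policy function that classifies a request URL against a small, constructed blocklist of domains by category plus a couple of path markers typical of torrent traffic. The domains, categories and markers are assumptions for illustration; a real deployment feeds the filter a maintained category list.

```python
"""Decide whether an outbound web request should be blocked by category.

Added example, not from the original post or any vendor product. The
blocklist entries and path markers are assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumed blocklist: domain -> category. An entry covers the domain and every
# subdomain, but never a longer name that merely ends with the same letters.
BLOCKLIST = {
    "torrents.example": "file-sharing",
    "tracker.example.net": "file-sharing",
    "adult.example": "adult",
}

# Path fragments typical of .torrent downloads and tracker announces (assumed).
BLOCKED_PATH_MARKERS = (".torrent", "/announce")


def match_domain(host):
    """Return the blocklist entry covering host, honouring label boundaries.

    'www.torrents.example' matches 'torrents.example';
    'nottorrents.example' does not, because matching is per DNS label,
    not by substring.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


def decide(url):
    """Return ('block', reason) or ('allow', None) for a request URL."""
    parts = urlsplit(url)
    # urlsplit already lower-cases the hostname and strips the port;
    # a trailing dot (FQDN form) is a cheap evasion, so strip it too.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("block", "no hostname")  # default deny on unparseable requests

    entry = match_domain(host)
    if entry:
        return ("block", BLOCKLIST[entry])

    path = parts.path.lower()
    if any(marker in path for marker in BLOCKED_PATH_MARKERS):
        return ("block", "file-sharing")

    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample requests exercising subdomains, case, ports and
    # the substring pitfall.
    for url in (
        "http://torrents.example/latest",
        "https://WWW.Torrents.Example./page",
        "http://nottorrents.example/",
        "http://tracker.example.net:6969/announce?info_hash=abc",
        "http://files.example.org/linux.iso.torrent",
        "https://www.example.org/",
    ):
        print(decide(url), url)
```

The substring pitfall is the part worth remembering: a filter that blocks any host containing "torrents.example" also blocks "nottorrents.example", while one that compares whole labels blocks exactly the listed domain and its subdomains. The same function can sit behind a proxy's external ACL helper or a DNS resolver's policy hook.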
Security software such as the software misused by Pennsylvania's Lower Merion School District is actually beneficial when used properly. Marks may not see the point of such software, but with anti-theft software such as Ken Westin’s GadgetTrak, stolen laptops and mobile devices can be recovered and returned to their rightful owners. Software that remotely wipes the contents of a hard drive is a good solution as well, and it protects the data, but it basically gives the thief a free laptop or mobile device; GadgetTrak can potentially help get the item returned to its owner and also provide a picture of the criminal to the authorities, getting bad guys off the street. Nothing stops a business from deploying both.
I was surprised even further by the comment, “What about sensitive information? Most shouldn't be stored on a computer's hard drive in the first place.” Initially I thought maybe Marks is a supporter of thin clients, but that obviously isn't the case. At some point sensitive data will be stored on a hard drive, so saying it shouldn't be stored on a computer’s hard drive is impractical. I will agree that encrypting individual files can be cumbersome, especially when dealing with a large amount of data, so a better solution is to encrypt the entire hard drive. Then, if the computer is stolen, the data can’t be retrieved by the thief, provided the machine was powered off or locked with a strong passphrase when it was taken, since full-disk encryption only protects data at rest.
The bottom line is that the IT world and the business world will never see eye to eye on security measures because they focus on different things. IT focuses on providing the best security measures to protect a company’s functions and data. Business focuses on how much the security solution is going to cost and how to keep that cost as low as possible. Individuals like Marks, approaching the matter from a business perspective, may not see the true value of advice from security professionals, and security professionals may seem to go overboard with their advice, but only until you become the victim of a security breach.