As you probably know all too well, most IT pros are nothing
more than walking help desks when it comes to their friends, families, and even
coworkers. How many times have you ended up installing—or recovering—the system
of someone who knows next to nothing about computers, let alone security? I
admit it: I, too, am not immune to the pleas for help from my nongeek friends.
I recently found myself in one such situation. I was helping
a non-computer-savvy friend set up his new Windows computer, and he and I started
discussing Windows and security. While I was copying his files from his ancient
Apple Macintosh IIcx to his new Windows PC, I noticed that the file sizes of
the applications on his old hard drive were minuscule compared to Windows. In
addition, his programs were much easier to use. (He still used Word 5.1 for the
Mac.)
Even more comical was the size of his hard drive: 120 MB! Of
that, he was only using about 30 MB for his programs and the document files he
needed me to recover. Windows uses more than 120 MB just for the base operating
system, but then again, that’s because it’s a much more complex and
feature-rich OS, right?
When we began the process of setting up the new Windows
machine, I told my friend that it would take about two hours to fully update
and secure Windows and Office. After hearing this, he wasn’t so sure he wanted
to get rid of the Mac. All of this got me thinking about the increasing
complexity of computer systems and their underlying security.
Internet and information security is the No. 1 issue for
most corporations, and that’s because they have no choice. Ignoring security
means risking the loss of information and business intelligence, not to mention
the potential legal, human resources, and public relations issues.
I’m never surprised when I read that more and more companies
are making the move away from Windows. Windows is an expensive operating system
to secure and support. And I think that Microsoft is failing to deliver on its
promise of better security.
By this point, you would think that Microsoft would have at
least included an administrative ability to disable or not install any Internet
features, but it hasn’t. More times than not, Windows systems are vulnerable
right out of the shipping box.
In my opinion, regardless of what the so-called experts claim, we owe the majority of
Internet insecurity to Microsoft. As the company added Internet feature after
feature to the already bloated and buggy code of Windows, it opened the door to
massive distributed exploits. In addition, it made the software too complex for
the average user to use safely—or, for that matter, for the average corporation
to maintain.
And Microsoft isn’t the only vendor making its products
increasingly complicated—security products are also becoming more complex and
more prevalent. It’s my job to worry about Internet security, and yet there are
plenty of products out there that I’ve never heard of.
Members frequently send me feedback about this newsletter to
recommend an Internet security product they use in their shops. Quite often, the
product is something I haven’t heard about. And, of course, I occasionally
stumble across a product on the Internet that catches my eye.
Because I’m a cynic, I typically find software that doesn’t
make promises or quote favorable media reviews much more interesting. These
days, any software product that claims to be revolutionary, especially when it comes to Internet security, will likely
convince me otherwise.
The simpler and the more specific an Internet security
product is, the better I like it. I’m convinced that the more feature-rich
Internet software is, the more bugs it’s going to have—and some of those bugs could
be exploitable.
Unfortunately, many organizations fail to use their security
tools well, and the problem only seems to be getting worse. Falling victim to
hostile attachments, phishing scams, or fake e-mail unsubscribe links should be
a thing of the past by now, but these are very real threats.
I believe that the best Internet security tool out there is
the one between your own ears. You can implement all the layers of Internet
security that you want, but they’re all useless unless the user has some form
of understanding of how to safely operate a computer.
As for my friend, I ended up fixing his Mac, and he’s back
to using it to manage his business. And as for the new Windows system, he
decided against it: He was too concerned about the security, and it was too
complicated for him to learn to use.
Instead, his Windows PC’s sole purpose is for surfing the
Web, which he does with no fear. He doesn’t care about viruses, worms, spyware,
exploits, or phishing scams; there’s nothing important on the computer anyway.
For his purposes, simplicity is the ultimate sophistication—something that Microsoft
no longer provides, which a 9-year-old outdated Macintosh still does.
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.