IT Employment

"Much of the time we focus on preventing attacks from anonymous internet criminals, when often information leaks can be attributed to company policy or employee actions."

Not true. Companies must also watch for internal misuse and fraud, especially in lieu of the recent company scandals and SarbOx. That is why there are products such as anomoly detection and auditing/auditing controls. We audit userIDs, make sure the principle of "least priviledge" is followed, to bbe certain they have no more access than necessary, and we audit inmportant data, to keep track of who accessed what...etc.

Yeah, people need to actually start doing some THINKING!

I just read an article in information week about how people are getting too used to having security software alerting them of danger. We have brains while software doesn't! We should be able to make our own choices about our internet security. Too many individuals install Norton and think they're good to go, or businesses think they got a firewall and a secure server and they're ready to do business. Norton and Firewalls do nothing to prevent our lack of common sense. In fact, it just fuels our laziness; waiting for that red flag from Norton saying "You've got a virus!"

Security software should be flexible and give us choices. It should not be expected to do the work for us. Those who are used to the install and run model of doing things need to stop being so lazy. Otherwise someday it will be YOU who will cost your company millions of dollars and it's reputation for a mishap.

So often when I discuss security with SMB business owners / managers, they think only in terms of firewalls and keeping hackers out.

I emphasize that the risk isn't hackers, the business is too small and it really isn't that easy to go in through a reasonably well protected Internet connection, especially in a cost/gain analysis by an attacker.

However, it can be surprisingly easy for someone to pose as a help desk tech, gain the the confidence of an employee, and then take their information and escalate their priviledge to full admin. The weakest link can be the employees, _who_already_have_legitimate_access_.

The solution isn't to not trust employees. That way leads to rediculous discusssions like how can you prevent employees from printing text that is on their computer's screen. (The best option there isn't the technical one of making it very difficult for the employee to print, but a legal one where the company's stated policy is termination and litigation.) The solution is to have the necessary technical (least priviledge, account audits) and legal (dismissal, litigation) measures in place and educate the employees about those measures.

Employees are one of the most valuable assets that a company has. It is important to maintain their productivity while still protecting the comapany against the risks that result from having employees. As long as the company has employees, there will be risks. You can't make the risks go away, but you can manage them and even insure against them.