Security innovation: Building a better louse trap

Security: plan for the here and now


Talking about the future of security is one thing, but it doesn’t help businesses planning security initiatives now. When thinking about future security, many tried-and-true words of advice still apply:

1. Obscurity is not a defence. The “it can’t happen to me” syndrome means many businesses have seen data security as someone else’s problem. But on the Internet, everybody is an equal target. Small businesses need to think about these issues as much as anybody else.

2. Diversity is a necessary evil. Security research has been widely distributed around the world, meaning that individual tools typically do just one thing. That means a complete security defence requires multiple products—and that raises the spectre of integration. Find out how well your security products work together, and consider a higher-level solution that can analyse output from many subordinate products.

3. Use the Net when you can. Encrypted Virtual Private Networks (VPNs) are being successfully used for all manner of secure communications across the Net. One US nuclear power station recently began using VPNs to transmit secure status information to a central monitoring point. If it’s good enough for them, it’s good enough for you: VPNs are the most cost-effective security technology for the near future.

4. Good authorisation is crucial. Security systems handling user access are a common weak point for many companies; passwords just don’t hack it. Consider biometrics, smartcards or other hardware tokens that add an extra level of security to user authentication. Also consider backing these with an enterprise-wide directory service that allows for enforcement of consistent security policies.

5. Policies are everything. Security technology without policies is like a sailboat without a sail. To make sure you don’t get sunk, work with business leaders to identify and formalise necessary policies for data security. These include people, technology, and business policies.

6. The biggest threat lies within. Stories about malicious hackers peering through your windows and pushing through your gates may make great press, but surveys consistently show that internal employees—who often abuse legitimate access to cause extensive data damage—are the biggest threat. Management, not technology, is the solution here: know your people well, and know what they’re doing even better.

7. Speed counts. Good security is mathematically intensive, particularly at high volumes. While users won’t mind waiting a little bit for a secure network connection, undue delays can hinder productivity. Make sure your security products have room to move; security appliances are good for this reason, because they don’t have to share processor cycles with other applications.

8. Seatbelts can hurt you if you don’t wear them right. And simply installing security products isn’t going to do much for your overall security if they’re not configured correctly. Many security products ship with intentionally broad settings that can leave your network open for attack. Make sure every door they provide into your network has been closed, and monitor every pathway you retain.

9. Don’t skimp on people. You pay security guards handsomely to make sure nobody breaks into your offices; why do anything different for your data? Technicians with proven skills in building and enforcing security policies are few and far between, but can mean the difference between good security and none at all. Don’t be afraid to pay well to lure the best security talent.

10. A security panacea is a long way off. The need to prove new security technologies work means a long lag time between when they’re invented and when they actually matter to your company. Keep one eye on future security trends, but don’t lose focus on the here and now; future security won’t help you if data loss makes your business go bust in the meantime.
