April 10, 2001, 3:32 PM — COMPUTER SECURITY means different things to different people. To someone trained in physical security concepts, the computer is secure as long as it's behind a locked door. To a system administrator, security depends on installing the patches for known security holes in the applications and the OS. To your customers, security means that personal or sensitive data won't be available to every 15-year-old with a Linux box and some hacking tools. But no matter your perspective, one thing is for sure: Security is going to be an IT hot button for as long as computers are networked.
The cost of beefing up security may seem like a tough sell during the current economic downturn. But companies that fail to ensure security may not be around long enough to learn from their mistakes. After all, the true cost of a security breach is not the overtime your emergency response team racks up or the potential fines and litigation expenses; what really hurts is the loss of confidence and goodwill that follow.
Preventing security issues from knocking your business for a loop isn't easy, but it doesn't have to be overwhelming either. Rather than tackling everything at once, the best strategy is to determine where the greatest vulnerabilities are and address those problems first.
Start with the basics
There's an old saw in the IT business that the only completely secure system is one that is disconnected from a network, encased in concrete, and lying at the bottom of the ocean. Because that's an impractical goal for most of us, the next best thing is to ensure that your systems are protected at a level that befits the data on tthem.
Obviously, security starts at the physical level. Your gear may be housed in the strongest bunker since Hitler's Chancellery, but there's more to security than gates, guards, and guns. Knowing who goes in and out of the server room -- and when -- is the difference between controlling access and simply handing out badges.
Remote offices and telecommuters sometimes offer weak spots to hackers. There is little point in building a corporate data fortress if you're going to leave it open to a server stashed in an unlocked closet in Peoria. The unsecured home computer of an employee whose work follows him or her home is an even greater hazard, as we saw during the Microsoft "QAZ" incident earlier this year. Of course, these folks are your co-workers, and you can't string them up first and ask questions later. But remote workers should know that their privileged status means they must pay more attention to security basics than the ordinary cubicle rat does.
If your shop is like most, the IT operations staff handles tasks such as data backup and disaster recovery. But that doesn't relieve the security manager from responsibilities in these areas. And disaster recovery and incident management plans are good things to have, but only if you rehearse them regularly.
