Where the leaks are
Companies big and small have user security problems.
Small Business Tech
By
James E. Gaskin
,
Network World
, 10/25/2007
- Share/Email
- Tweet This
- Print
The folks at Altiris, acquired earlier this year by Symantec, recently invited me back to their ManageFusion user conference
to participate in a panel discussion about security.
The other panel members included my old friend David Strom from magazines past, Andi Mann, research director at Enterprise Management Associates, and John Sawyer, part of the University of Florida IT Security Team
(Sawyer wrote about our discussion here). Steve Brown from Altiris drew short straw and had to keep us all focused.
We had time to prepare for the first question, which was to name the biggest internal security threat. Strom and Mann focused
on portable devices, with Strom holding up his laptop and asking the audience, "Who knows where this has been? Do you want
it on your network?" (Or something like that -- I thought it would look funny to take notes during the panel so I don't have
his exact quote.)
Sawyer's primary concern, users, made everyone in the audience nod in agreement. Can you imagine trying to keep thousands
of students on your network out of trouble?
My concern? Executives, and I listed four reasons. First, executives feel they make rules, not follow them. Every security
tech has stories about executives with "password" as their password and more anecdotes showing even less security awareness.
Second, executives carry too much information on portable devices (like Strom's laptop), don't secure them properly and lose
them too often. When a Human Resources clerk loses a laptop, the data inside won't hurt much. But when an HR executive loses
a laptop, thousands of employee records get lost.
Third, executives take all your secrets with them when they change jobs. Of course, they brought secrets from their old jobs
to their current one, so maybe that washes out.
Finally, executives talk too much. If you want to know what your main competitor is doing, you can launch a huge business
intelligence program, or you can pretend to hire their vice president of sales. During the interview they'll spill their guts.
After the interview, they'll repeat all the same details in a bar or restaurant talking to their friends. Either way, secrets
leak.
There you have it: portable devices aren't secure, executives don't follow security rules, and when they lose their PDAs and
laptops, bad things get worse. These issues frighten big companies. Should smaller companies be scared to death?
Comment