I was reading this article from TechRepublic today, and at first I thought it had little to do with me, because I manage such small networks. But within a few paragraphs it rang too true to ignore. It matches my experience.
Now the largest network I manage has 12 pieces of hardware hooked to it, so I’m not playing with the big boys here. But there are two elements that relate very closely. First, the temptation is to secure the network. Doing this electronically is easy for me. I can set up a firewall and the original shares, and most of the people I work with have no desire to mess with that anyhow. And it’s necessary to do all of that.
But does that actually secure people’s data? That is the real question. Here’s the key quote from Jason Hiner:
Pironti said, “Let’s define the new perimeter by thinking about how our data can be impacted, not how our technology can be impacted. That is the biggest challenge. Security professionals still run to the box. It’s still too easy to [just] buy the box… The perimeter is wherever the data is. The perimeter follows the data.”
Now if you manage small networks as I do, or if you’re one of my customers that I’ve sent to read this little post, then it shouldn’t take you very long to see some big holes in the way your data is protected. “How can that be,” you ask, “since you’re managing my network?”
Well, the key is simply that I’m managing your network from another location on a day to day basis with occasional visits to your place of business according to our agreement. And though it’s rare for anyone to turn off security I’ve set up, it’s quite common for it to be bypassed, often in ways I can’t prevent.
- The password problem
There are the twin problems of insecure passwords and passwords posted on computer monitors. If your password is posted on your monitor, kept in a drawer near your workstation, or written down in any place that is accessible to you and that you think nobody will find, then you might as well not have a password. I was once told that a workstation could not possibly have been compromised by anyone in the building because it was password protected. The problem was that the password was stuck to the wall next to the station on a sticky note, and was not a secure password in the first place. It’s hard for me to solve this one, because when I get people to use passwords that are technically secure, they post them nearby. But you should realize that if you work this way, you cannot claim that your data is secure.
- CDs, DVDs, flash drives, good old floppies
These can bring things in (viruses, unapproved programs) and take things out (your files), and once data has left the building on any form of removable media, none of the protection set up on the network applies to it any longer. This is where the data security person can’t win.
- Installation of unauthorized software
On each network that I manage I ask people to leave software installation to me. Now it’s possible to lock workstations down so that only an administrator can install anything, but most people don’t want to be completely shut out by someone who doesn’t work on the premises. If you have the administrator password and are determined enough to mess things up, you will succeed.
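To put a number on the “not a secure password in the first place” part of the password problem above, here is a small added example (my illustration, not part of the original post or anything from TechRepublic) of the two things an attacker who can reach a password hash tries first: a dictionary of common passwords and a brute-force sweep of short strings. The wordlist is a constructed stand-in for a real leaked-password list, and SHA-256 is used only so the script runs offline with nothing but the standard library; real systems should use a slow, salted hash, which changes the speed but not the lesson.

```python
import hashlib
import itertools
import string

# Constructed stand-in for the first few entries of a leaked-password list.
# Real lists run to millions of entries; the order here is arbitrary.
COMMON_PASSWORDS = [
    "password", "123456", "letmein", "welcome",
    "qwerty", "admin", "office1", "summer2008",
]


def sha256_hex(password: str) -> str:
    """Hash a password the way this demo stores it (unsalted SHA-256, demo only)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist):
    """Try each wordlist entry in order.

    Returns (password, guesses) on success or (None, guesses) if the list
    is exhausted, so the caller can see how cheap the recovery was.
    """
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def brute_force_lowercase(target_hash: str, max_len: int = 4):
    """Try every lowercase string of length 1..max_len, shortest first.

    Returns (password, guesses) or (None, guesses). The guess count grows
    as 26**length, which is why a short all-lowercase password is gone in
    well under a second even in plain Python.
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(string.ascii_lowercase, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def assess(password: str, max_len: int = 4) -> dict:
    """Run both attacks against one password and report what happened."""
    target = sha256_hex(password)
    dict_hit, dict_guesses = dictionary_attack(target, COMMON_PASSWORDS)
    bf_hit, bf_guesses = brute_force_lowercase(target, max_len)
    return {
        "cracked": dict_hit is not None or bf_hit is not None,
        "dictionary_guesses": dict_guesses,
        "brute_force_guesses": bf_guesses,
    }


if __name__ == "__main__":
    for pw in ("letmein", "abc", "Tr0ub4dor&3-blue-violin"):
        print(pw, assess(pw))
```

The point of `assess` is the contrast: the sticky-note favourites fall to a handful of dictionary guesses, a three-letter password falls to a few hundred brute-force guesses, and a long mixed password survives both. It says nothing about a long password that is then taped to the monitor.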
These are just a few points, but they are all things I have run into. Normally people don’t want to fix them because the fixes involve inconvenience (memorizing a more difficult password, limiting access to files that people might want to work on at home). Until they’ve had data stolen or lost, it’s hard to get people’s attention.
In the meantime I’m writing this little post to which I can refer my customers. If you’re a small businessman, start thinking about what could happen if someone took your customer list, for example, out of the building on a flash drive. Are you sure this is a good idea?