Do you recognize the line, “Keep it secret, keep it safe?”
Bonus points if you cited Gandalf from JRR Tolkien’s “Lord of the Rings” series — and double points if you remember the context of the quote around Gandalf’s sudden suspicion that Bilbo’s ring might not be all that it appears to be.
Well, the logic applies to your data and technology just as well as it does to magic rings.
Unless you’ve been living in a hobbit-hole deep in the back country of the Shire (that’s somewhere east of Enumclaw, I believe) you’ve already been lectured on the importance of keeping your network safe.
Your IT Guy has undoubtedly installed a firewall and anti-virus software, and he’s insisted you use passwords that contain numbers and punctuation. If that’s not the case, then you need a new IT Guy because your existing one is either unrealistically optimistic or underpowered for your technology needs.
If you have mobile devices, like laptops or smart phones, then “unlock” codes and hard drive encryption surely must be present. And if you use e-mail, then somewhere there lurks an anti-spam solution keeping your inbox threat-free and uncluttered by ads for products not mentionable in a family friendly column.
All of that, however, isn’t enough. The nature of the threats to your network continues to change.
As recently as a few years ago, the primary threats were more a nuisance than anything else. Please don’t misread me: nuisance could still mean damage to your business, but the intent of the attack was comparable to graffiti or vandalism.
Unless permanent damage was done, the proportional response was akin to the Monty Python Centurion (John Cleese) correcting Brian’s (Graham Chapman) Latin graffiti from Romanes Eunt Domus to Romani Ite Domum.
No, you’ll have to look it up; try a YouTube search for this classic video clip from “The Life of Brian.”
Today’s threats are far more dangerous: They’re economic in nature and the bad guys are out to turn a profit at your expense.
Siphoning funds out of your accounts, reselling your clients’ credit card numbers and other personal information, or flat-out extorting money from you in return for not melting down your network are more common events today than most folks care to acknowledge.
In addition, this modern-day focus on criminal profit-making has resulted in an increased level of sophistication in the attacks aimed at breaking through your defenses.
For the most part, businesses have taken the steps to technically secure their network (see “IT Guy” reference, above), so bad guys are forced elsewhere and now typically seek to exploit the human element in your business.
The most obvious people-related exposure is, of course, you and the rest of your team. You’ve likely already received phishing e-mails designed to trick you into revealing confidential information.
These e-mails work by requesting that you enter confidential information into a “spoofed” website or sometimes by luring you to a website where a hidden surprise, in the form of malware, awaits — much like Shelob waited for Frodo at Cirith Ungol. There are automated defenses available for these threats, but nothing replaces good common sense around clicking and browsing only to known, safe places.
For the traditionalists out there, don’t forget to be cautious of unsolicited e-mail attachments — being a PDF doesn’t guarantee that it’s safe — and also of physical media such as DVDs or USB flash drives that arrive in fancy packaging via your neighborhood letter carrier.
Another way to exploit the human element is to look for manual processes that are used to maintain your network’s security posture. These processes are, by their very nature, dependent on you or your IT Guy to keep them operating.
In the event something gets missed, that creates the window for a bad guy to exploit.
Examples of these exposures include operating system and software patches, renewals for anti-virus or anti-spam systems, and firmware updates to your firewall and other network defenses.
Your best defense is to automate these activities wherever possible and then enlist your IT Guy or some other trusted external supplier for an arrangement where you review the status of these activities on at least a quarterly basis.
The last vulnerability we’ll address falls under the category of “even good people do silly things.”
Sometimes even the best of folks wind up in situations where they inadvertently cooperate with the bad guys — and the damage that results can be catastrophic for all involved.
The wizard, Saruman, likely didn’t know what he was getting into when he gazed into Sauron’s crystal ball, now did he? Technology can do little to address this situation. Frankly, if a trusted person goes rogue, there are simply too many possibilities for technology to keep up.
Your best bet to manage this risk is to establish reasonable controls in the first place so that while people are given access to information and tools allowing them to excel in their job, they don’t have access beyond their needs or abilities.
If you find yourself granting permissions — system, information or otherwise — just because it’s “convenient,” you’re likely making things more dangerous than you should.
Sit down with your IT Guy on a regular basis and review things like folder permissions, accounting system privileges and administrator account rights.
Grant them appropriately and remove them when the need has passed.
Hopefully somewhere in here a thought was triggered that causes you to tighten up some portion of your security. If that didn’t happen, then it means you’re likely already secure — or not.
In the meantime, remember that the saying is “Keep it secret, keep it safe,” not “Make it secret, make it safe.”
The difference is more than grammar. There’s ongoing work involved in making sure that your technology is serving you and your clients rather than the bad guys lurking just outside the door.
David Leonhardt is a partner at Seitel Systems LLC. He can be reached at email@example.com or www.seitelsystems.com.
Agree? Disagree? BE welcomes your thoughts and opinions for publication. Send your responses to news@BusinessExaminer.com.