What is the cost of Network Security
- Clinton Popp
- May 1, 2013
A message for the IT Department

I often ask people how much they think they need to spend to “secure” their network. The responses I get are actually quite astounding. The range is anywhere from $0 all the way up to tens of thousands of dollars. While no one answer is completely wrong, I usually start at the bottom: $0.00. So I probe deeper. If you're not spending anything on security, how are you getting any? 100% of the time I want to cry when I hear the answer: “Free anti-virus software.” After I stop my head from spinning, I ask them, “How many times has your free anti-virus stopped a security threat?” This answer does not amaze me as much, because I already know it. In 99% of cases they say “I don't know,” which, translated into rational language, means never.

So then I go to the “smart people” in the room and ask them why tens of thousands are needed to secure a network. Again, the response is always the same: firewalls, routers, content filters, spam filters, and who can forget to bring the 7 Layer Security Dip to the party, right? In a sense, a lot of good points are brought up in the discussion, but everyone always forgets to mention the one thing that is needed.

Now before I get to that, let me first digress and say that I am not dismissing many of the solutions that are recommended. Except for free AV software. Sorry, but you get out of it what you put into it. Do the math. Firewalls and filters are a vital part of network security and play a major role in stopping many kinds of attacks. However, we live in a society where personal values mean nothing when it comes to a payday. By that I mean large security corporations are now paying the “black hat hackers” to counter their peers. And they are paying them a lot more than they would make stealing bank accounts and credit cards. Not to mention they no longer have to fear those pesky cyber crime laws. With that said, we are playing on a much more even plane than before.
When you have companies out there like Barrier 1 offering $1,000,000.00 to anyone who can crack their device, no questions asked, that says a lot. As far as I know, they have yet to lose that cool million.
As I was saying, every time I pose this question I never really get the answer that I am looking for. The correct answer: education. A good friend and colleague of mine in the IT industry stated that “Security is not a product. It's a process.” He could not be more right. Being educated on the different types of threats that are out there, many of which we encounter daily, is the number one rule to success in securing your network. In today's world it is almost impossible to find people who have the ability to rely on themselves for anything that is outside of their comfort bubble. For many, technology is not inside that bubble.
I have been told that end users infecting their machines is nothing more than an “End User” or “HR” problem and not a technology problem. OK, I'll buy that, but only to an extent. The truth is, it is all three. Let's start at the accused root cause: the “End User”. Well, they are the ones who got infected, right? You know for a fact they received a complimentary copy of the Acceptable Use Policy because you have their signature saying they did, right? Do you think they read it? I would say 70% of them have not made it past the first page. So let me ask you this: have you read it? Maybe you wrote it. 99% of the time that is the problem. Yes, it makes complete and total sense to you because 1. you wrote it, 2. you speak the language, and finally 3. you are the smartest person in the room! OK, OK, number three was my sarcastic side coming out, but remember, I am a fellow geek, so I can say that and you are not allowed to take offense. I am one of you. But on a serious note, the average person with average technical skills is not going to understand that thing anyway, so you might as well save the company a lot of money and replace the toilet paper in the men's room with the extra copies you may have. Don't forget to pull the staples. Or you can do something innovative with it. Use it like it has never been used before. Hold on to that thought; I will get to it.
First you need to get party number 2 involved. Yup, you guessed it: HR. You have seen your company spend countless hours and dollars on HR training programs. They are always on very critical and sensitive matters and mean a great deal to the success of your company. Topics range from sexual harassment and workplace conduct all the way to team building within the organization. Well, isn't information security vital to your company's success? And, if you think back, you might remember that HR is the one who handed out the complimentary copy of the Acceptable Use Policy to all new employees. But again, how do you expect HR to enforce a policy that they themselves do not understand?
Now remember when I said “Use it like it has never been used before”? Perfect, this is where you get the third and final party involved: YOU. Now before you get too worked up and say “I have enough on my plate already”, read carefully, because today, ladies and gents, today is your day to shine!
Transform it from a policy into a script or notes. First use it to educate HR so that they see the value in what you are about to ask them to do. Then, once you have their buy-in on it, TRAIN YOUR END USERS. Dumb it down to an easy-to-follow PowerPoint if you have to. Show them visually what that policy means. Teach them the dos and don'ts of technology use. Ensure that they know that Google may know a lot but that Google also lies a lot. Prove to them that they do not have a rich ancestor in Nigeria who wants to deposit €6,878,174 into their bank account. And for the few that are not quite sure, let them know that “Interweby” is not a real word. Talk to them on their level. Hire someone if you have to. But whatever you do, EDUCATE EDUCATE EDUCATE!! This is how you secure your network. So to answer the question of “How much do you need to spend to secure your network?”: it's very simple.
The first 20% - As much as you want to spend on hardware
The last 80% - As much time and effort as you are willing to put in to educate.
As a side note for all of the paranoid:
Kaspersky recently stated that only 9% of cyber attacks worldwide were targeted attacks. Everything else is random. You're safe to remove the tinfoil hat!