The folks at Altiris, acquired earlier this year by Symantec, recently invited me back to their ManageFusion user conference to participate in a panel discussion about security.
The other panel members included my old friend David Strom from magazines past, Andi Mann, research director at Enterprise Management Associates, and John Sawyer, part of the University of Florida IT security team. Steve Brown from Altiris drew the short straw and had to keep us all focused.
We had time to prepare for the first question, which was to name the biggest internal security threat. Strom and Mann focused on portable devices, with Strom holding up his laptop and asking the audience, "Who knows where this has been? Do you want it on your network?" (Or something like that -- I thought it would look funny to take notes during the panel so I don't have his exact quote.)
Sawyer's primary concern, users, made everyone in the audience nod in agreement. Can you imagine trying to keep thousands of students on your network out of trouble?
My concern? Executives, and I listed four reasons. First, executives feel they make rules, not follow them. Every security tech has stories about executives with "password" as their password and more anecdotes showing even less security awareness.
Second, executives carry too much information on portable devices (like Strom's laptop), don't secure them properly and lose them too often. When a Human Resources clerk loses a laptop, the data inside won't hurt much. But when an HR executive loses a laptop, thousands of employee records get lost.
Third, executives take all your secrets with them when they change jobs. Of course, they brought secrets from their old jobs to their current one, so maybe that washes out.
Finally, executives talk too much. If you want to know what your main competitor is doing, you can launch a huge business intelligence programme, or you can pretend to hire their vice president of sales. During the interview they'll spill their guts. After the interview, they'll repeat all the same details in a bar or restaurant talking to their friends. Either way, secrets leak.
There you have it: portable devices aren't secure, executives don't follow security rules, and when they lose their PDAs and laptops, bad things get worse. These issues frighten big companies. Should smaller companies be scared to death?
Actually, smaller companies have two advantages over their bigger relations. First, an idea I told Andi Mann I'd steal (thanks, Andi): they can develop a "culture of security" to protect themselves more easily than a big company can.
Mann gave an example of how machine shops handle federal regulations about safety in the workplace. Rather than list each item to remember, like don't feed metal into a hydraulic stamper by hand, they develop a "culture of safety" to cover every possible danger. Hydraulic stampers will chop off fingers easily when given a chance, so keep your fingers as far away as possible. You don't need detailed instructions, just a culture of safety and common sense.
Second, smaller companies have more success working together. Explain to your employees and coworkers how lost files cost the company money in the time required to restore them or recreate them. Don't trust anyone calling and asking for login information. Don't open spam attachments you don't expect from people you don't know. Don't surf to non-business websites on your company computer. Don't let users bring USB hard drives from home and plug them into your network. All these issues and thousands more can be handled with a culture of security and common sense.
Demand that all your PDAs, smart phones and laptops include a pre-boot encryption tool, either built into the hardware or with add-on software. Check that all your users enable that encryption tool, and make sure they don't have their passwords written on a piece of paper tucked into the device case. Encrypted devices cost a little more, but pay off big time in less worry and fewer security leaks.
Follow these guidelines and you can rest easier for two reasons. First, the culture of security in your company will guide employees to the right decision in security matters. Second, you have far fewer clueless executives blowing holes in your culture of security than larger companies do.
Fewer executives mean fewer security time bombs ticking down to an explosion. Even better, fewer executives mean fewer meetings. That's a win-win for everyone.