A Need for Greater Cybersecurity
otterit writes "A story in the Washington Post discusses how chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said."
Isn't it about time to really assess whether it is absolutely necessary to provide every employee with their own internet access?
Restricting the internet to a single machine (or battery of machines) that only sent and received external email and forwarded it on to the internal network seems like the absolute maximum internet connection necessary for most businesses.
Surely employees don't have to surf the web at work?
I have been pwned because my
Corporations announce they should be responsible for securing their own networks.
(as opposed to relying on magical network security elves that secure your network while you sleep and provide freshly made footware in the morning)
So the people that use the software should assume liability for not patching holes but the manufacture assumes no responsibility for leaving security holes in their product to begin with? This sound very backwards to me.
Yea, but how will we post on slashdot then?
Think about the slashdot. Think!
Let business Darwinism takes its course: those that implement effective countermeasures survive and thrive in a competitive marketplace, those that don't...
When you make demands like this, the next thing you know, you'll try to make them directly responsible for their corporate financial statements.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
I know of one large government agency that recently had to turn off all linux machines. Why? There was no anti-virus software installed on them, and the "security czar" required such software on all servers.
This is typical. Focus on just one part of a greater problem. The issue is security overall. Your computers can have the most advanced security possible, but it can become useless with a few misplaced words from one of thousands of employees, or a document that missed an appointment with the shredder. When I worked in tech support, I can't count the number of times I found usernames and passwords in plain view on post-it notes...the "security conscious" employees would put them under the keyboard. Outside vendors could see any of this at will.
The internal network can also be destroyed by a simple click on an email attachment. The real issue here is educating people about computers, and expecting a certain level of competency. To many employees are using something they don't understand; it would be like giving company cars to people who don't know how to remove the keys from the ignition and lock the doors.
...
For the last 8 years, I would not have been able to do any of the work I've been paid to do if I didn't have timely access to the web. It's to the point that I now wonder how I was able to have any work done 15-25 year ago!!! Granted, not all work **REQUIRES** it, but if you start discriminating between functions at work, you will get more disgruntling than good work done; it has come to the point that web access is nothing less than telephone access.
However, granting internet access to employees doesn't mean that the barest minimum security and/or monitoring should not be deployed. In fact, it would be quite foolish to grant unrestricted/unmonitored internet access to employees.
I think it's great that attention is being drawn to security. I think that there should be triple damages for a company releasing data defined private or against any agreement you had pre-arranged. Yet how are you going to protect your data when you outsource your transaction to some place that doesn't live by these rules? You can't. Except recognize that certain corporation outsource and use this information for your decision on who to use. Evaluate it and if you feel that this type outsourcing isn't protecting your data and interests than don't use said corporation.
1. Allow insecure software to become entrenched with monopoly power
2. Watch while a global industry in wormware develops to take advantage of this
3. Blame the users for not preventing it.
Excellent strategy, which will help enormously. While we're at it, let's stick a large label on new PCs saying "Warning: this PC is likely to infected within 5 minutes of connecting to the Internet, but that's your fault."
Why... why are companies allowed to sell software that has known defects? Surely it's technically possible to ensure that every installation of Windows XP leaves the shop with all necessary patches?
Ceci n'est pas une signature
The problem solution isn't the lack of CEO involvement, it's the lack of clout technology officers have. People seem to ignore the advice of technology advisers of all sorts. If a system administrator says something is insecure, one would think the people who hired them would listen, but they don't.
This is brilliantly demonstrated by electronic voting. Almost all security experts say it is a bad idea. Almost all technology websites trash the idea. When all the experts in a field so not to do it, the politicians still think it's a good idea. Thus, they are truly fools, for they do not know that they are fools.
One of the main flaws to all this: they used representatives from technology companies. Did they never consider talking to security experts? Despite recent changes, the American higher education system has some of the best research institutes in the world, and amazingly enough, there are experts at those institutes! Even better, those experts are relatively unbiased! Oh, the possibilities!
Strangely enough, that's not the problem. the problem is that there are too many governmental enablers. The government gives all sorts of help to companies who suffer losses from cybersecurity, so they have no motivation to secure themselves. What idiocy.
I guess that, in general, I would have to say most of these problems are caused by governmental stupidity and corporate vileness, but there is still hope for the future, as there are proposals to force businesses to have regular cyber-security audits, as well as other measures.
This is gonna land me in deep water but it's definetly a two way affair -
if the CEO's spend the required money hiring people to take on the responsibility of securing a network then why is it the ceo's fault?
If the people being hired are not competant, but played the 'i know what im doing' role then it is still their fault.
The only time I see it as acceptable that the ceo gets the blame is when the ceo him/herself directly contributes to the lack of security or employee laxness.
The article, imho, is hinting that if a company was to go down due to security problems then it's the ceo who gets the blame if, and when, they are led to believe their networks are (or were in this case) secure/d by an (incompetent) tech-support guy.
I say it truthfully AND before I become flamebait: I have the utmost confidence for *most* IT people, it's usually the users who contribute to the problem not IT departments, but I truly do, in this case, feel sorry for the CEO (with their huge paychecks and massive perks) when they get the blame for something that they did honestly have a go at fixing/preventing.
Worms/Virii are designed to be destructive and disruptive and there is little to no way that most users will ever learn that they need to be more cautious about security without having their credit card details exposed by a black-hat or their personal PC brought to a halt by the worlds least advanced virus - becausethe user hadn't patched their virus scanner.
It's a case of once bitten twice afraid - and if it's kept that way by the community, as long as it doesn't affect me, then I'm all for it - I just hate cleaning up after one has hit.
New rule for virii - release a strain to the public and release a quick-repair tool at the same time to slashdot!
Surely employees don't have to surf the web at work?
No, they don't need to surf at work. However, being a BOFH and cutting off internet access to the employees doesn't do much for employee morale.
Sooner or later all your good employees will leave, and you'll be stuck with disgruntled employees who don't have the skills to get another job (and are underqualified for the one they have), or recent grads who have no other choice but will leave as fast as they can. You'll lose money in training and recruiting costs.
Draconian measures might save money in the short run, but keeping employees happy does much more for employee retention.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
What definition of 'absolutely necessary' are we using here?
:) ).
Quick anecdote: I used to work for a large company that made web authoring tools. At some point we had to ask ourselves whether we still wanted NFR versions of our rather expensive software available to every employee on the intranet. Was it absolutely necessary for the receptionist to install an HTML editing environment? Creating HTML was not part of his job.
Our decision was that if our receptionist takes an interest in our own products and wants to play with them, that's a Good Thing[tm Martha Stewart] and should be encouraged. It'll make him more interested in the company and a more committed employee; we might find out that he's actually a decent designer and can contribute more to the company in our web design group. Did the NFR products get 'pilfered' every once in a while? Sure. But I'll bet you that 95%+ of the pilfering that was going on with them was to people who wouldn't have purchased them anyway -- but now were using them, and talking about them (mostly positively, we hoped
I work now for a company that doesn't allow general internet access for 90%+ of its employees. I think disallowing general internet access is symptomatic of a certain sort of relationship the company wishes to maintain with its employees and is indicative of how it thinks of them -- and it's not indicative of a particularly high level of trust in, or care for, the employees.
Left to my own devices, I'd rather put in a robust anti-virus and anti-malicious-code system coupled with employee education and discipline for people who break the minimal rules and then let the employees loose. Will some of them surf during work hours and damage their productivity? Indubitably. I still think that the overall benefit in employee morale and easy access to information is going to be worth the occasional loss from someone who can't control his surfing.
> If your IT department doesn't know how to kep a network secure....
How can they keep a network secure if their own users are working against them by installing crap on their PCs like Kazaa or whatever else they think looks fun? They can't really protect a network if the people inside the network are the problem.
Isn't it about time to really assess whether it is absolutely necessary to provide every employee with their own telephone?
Restricting telephone calls to a single secretary (or secretarial pool) that only make and receive calls and forwarded messages on to the internal workforce seems like the absolute maximum telephone usage necessary for most businesses.
Surely employees don't have to make calls (especially personal) while at work?