ISTCL


Keeping Your Security Current

Monday, March 07, 2005

Ignore the Need to Update at Your Organization's Peril

by Brien Posey

Security is one of the most dynamic issues in all of computing. Just because a system is secure today doesn't mean that it will be secure tomorrow. New exploits are constantly being discovered, and it's important that you secure your network against them as they become known.

I have known a lot of administrators who take a "set it and forget it" approach to network security. They do their best to make sure that a system is secure, test the security, and then never touch it again. It isn't that these administrators are lazy (well, maybe a few of them are); it's that being a network administrator is an extremely demanding job. If nobody is screaming at you to get a project done, that project will almost always take a back seat to higher priority work. At the end of the day, there just isn't time to work on improving security unless upper management makes security one of the highest priorities.

Microsoft has done a lot to help overworked administrators maintain a secure environment. Utilities like Software Update Services (SUS) and Windows Update allow security patches to be downloaded and installed automatically. This helps ensure that servers and workstations are kept up to date with the latest security patches.

Unfortunately, automatically downloading and installing security patches does not guarantee a secure system. A patch only closes a flaw that the vendor already knows about and has fixed; it does nothing about weak configurations, unnecessary services, over-privileged accounts, or a patch that was installed but never took effect because the machine was not rebooted. Automatic updating simply makes administrators who are forced into the set-it-and-forget-it approach less vulnerable to a breach. Fortunately, there are some things that you can do to make your organization more secure, even if you are too strapped for time to take a really hands-on approach to security.

Re-examine security philosophy
Re-examining the corporate security philosophy on a periodic basis is an important, yet commonly overlooked step. The idea is that you must determine if your security policy still matches well with the corporation’s needs and culture.

Check your network for known weaknesses
The second step is to check your network for known security weaknesses. I realize that you are probably keeping your operating systems up to date with Windows Update or something similar, but that isn't enough. A couple of times a year you need to look at the rest of your network's security: the configuration of each system, the services it exposes, and who holds administrative access. Remember that things that are considered secure today might not be secure tomorrow.
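The two points above, that automatic patching can silently fail and that patching leaves whole classes of weakness untouched, can both be checked from a single script on each Windows host. The following is an added example, not code from the original article or from ISTCL; it assumes Windows PowerShell 5.1 or later on a supported Windows release, run from an elevated prompt. The cmdlets and the Windows Update Agent COM object are real; the 45-day staleness threshold and the choice of what counts as a "built-in" service account are the author's assumptions.

```powershell
# Added example (not from the original article). Two questions per host:
# (1) did automatic updating actually finish its job here?
# (2) what is exposed that no patch will ever fix?
# Assumes Windows PowerShell 5.1+, run elevated. Thresholds are assumptions.

$report = [ordered]@{}

# --- 1. Patch state ------------------------------------------------------
# An installed update is not effective until the reboot it asked for has
# happened. Either of these registry keys existing means a reboot is owed.
$rebootKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$report.RebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

# Ask the Windows Update Agent what it knows is still missing. This uses the
# same update source (WSUS or Microsoft) the auto-update client uses, so it
# shows the client's own view of what has not been applied.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$missing  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
$report.MissingUpdates = @($missing | ForEach-Object { $_.Title })

# When was the last hotfix actually installed? A stale date means auto-update
# is broken or this host never reaches its update server. 45 days is an
# assumed threshold, not a Microsoft recommendation.
$lastHotfix = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
$report.LastPatchInstalled = $lastHotfix.InstalledOn
$report.PatchingStale = (-not $lastHotfix) -or
                        ($lastHotfix.InstalledOn -lt (Get-Date).AddDays(-45))

# --- 2. Things patches do not fix ----------------------------------------
# Host firewall not enabled on any profile (Enabled can be True/False/NotConfigured).
$report.FirewallNotEnabledProfiles = @(Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' } | ForEach-Object Name)

# SMBv1 still present: a protocol weakness, not a bug a patch removes.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report.SMB1Enabled = [bool]($smb1 -and $smb1.State -eq 'Enabled')

# Who is a local administrator? Membership drift is invisible to patching.
$report.LocalAdmins = @(Get-LocalGroupMember -Group Administrators | ForEach-Object Name)

# Services running under accounts other than the built-in service accounts
# (assumed list); each one is a credential sitting on the box.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$report.ServicesWithCustomAccounts = @(Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    ForEach-Object { "$($_.Name) ($($_.StartName))" })

[pscustomobject]$report | Format-List
```

Run it on a sample of servers and workstations before each semi-annual check. A host that reports no missing updates but a pending reboot, or a last-install date months old, is exactly the case the article warns about: the update mechanism is running, but the system is not actually patched. The second half of the report is the part that no update service will ever produce for you.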

Attend a security training event
The third piece of the plan is that you should attend at least two security related training events each year. I know that it’s difficult to make time for class and that classes tend to be really expensive and really boring. Even so, I believe that staying current with your security training is an absolute must. Otherwise, you may not know what to look for when it comes time for the semi-annual network security check.

Shortcuts to the shortcut
Addressing your network’s security twice a year is a huge shortcut compared to what should ideally be done in the way of security. Even so, I am one of those people who is always looking for shortcuts to shortcuts. There are a few tips that I can give you that can make your life a lot easier.

The first trick is to delegate and sub-contract when necessary. Like I said, the six month plan is less than ideal and I know plenty of people who really don’t even have time to follow that. If you are that busy, then it’s time to get some help. Ideally, you should hire someone whose job it is to handle security. If you don’t have the budget for that, consider having a consultant come in a few times a year and give your organization a security check-up.

Another shortcut is to subscribe to security advisory mailing lists and vendor security bulletins. There are lots of sites out there that will send you e-mail messages explaining the latest security issues, so that you hear about a new weakness before the semi-annual check would have found it.

Perhaps the best advice that I can give you is to win management’s blessing for better security. Unfortunately, this can be difficult to do. Many top level executives see cyber security as an expensive endeavor for which the company gains nothing in return. If you can win over management though, you will have a much easier time getting the resources that you need to keep the organization secure.

If you can convince management that security is something to be taken seriously, then your first goal should be to find out how much input you have in planning the IT budget. Ideally, it would be nice if you could allocate enough funds to hire someone to handle security for the company. That would relieve you of the burden.

If you are able to create a new security position, then it’s important for you to convince the top level decision makers at your company that a security manager’s position needs to be structured very differently from that of other employees. In order to be effective, the security manager needs to have direct access to the company’s top executives. The person must also have the authority to take what ever actions are necessary to enforce the company’s security policy.

Of course, selling management on the idea of hiring someone to handle security in an organization where security hasn't been a concern previously is a tall order. It might be necessary to take baby steps. Even if you can't get enough budget money to hire someone, maybe you can get enough budgeted to invest in some professional consulting, or at least in some security tools that will help to automate security for you.

ISTCL can help to improve ongoing security in your organization. Our experienced security consultants will audit your security risks and work with you to develop tools and business processes that support you in maintaining and updating a strong security defense over time. Or, we can help you to bring that expertise in-house, by sourcing highly qualified security personnel for your company.

Contact ISTCL for more information.

Toll-Free Phone: 1.800.457.4123
