Business as Usual?

By now we’ve heard the exhortations to get back to business as usual, but to avoid opening envelopes with white dust. The Israelis have been doing that for years; their high-tech industry doesn’t shut down every time another suicide bomber attacks.

Are we really back to business as usual? Yes, we’re back to business, but no, not as usual. The one-two punch of the Nimda and Code Red viruses in the weeks after the terrorist attacks reminded us once more that webservers and email servers continue to be enterprise computing’s weakest links. Rewind the tape to September 11. On that day, email was the only dependable mode of communication for us New Yorkers. Just imagine the panic that could have ensued had those viruses been timed just a little bit differently.

Unfortunately, for most organizations, IT security policy is anti-virus and access control. Period. That’s akin to building another Maginot Line.

At Gartner Group Symposium last week, a couple of points became chillingly clear. Analyst Richard Hunter mentioned that the enemy that you really have to watch for probably already has a company ID badge, a scenario redolent of those hijackers who casually blended in at Wal-Mart the night before they destroyed the World Trade Center. Added colleague John Pescatore, maybe it’s time we started encrypting not just our external communications, but internal databases as well.

So what does a real enterprise IT security policy look like? David Cotter, a security specialist for consulting firm Alliant Technologies, described a recent Fortune 100 corp. engagement.
1. Define policies: who’s in charge of what, and what’s considered an attack. Most companies have policies, but few cover IT.
2. Protect against viruses, not just with packaged software, but with escalation strategies and procedures to quarantine rogue servers at a moment’s notice.
3. Filter content, starting with a highly restrictive list of suspect keywords, then gradually easing up to eliminate those proving innocuous.
4. Monitor system events, logging servers, routers, firewalls, and any other network devices. Even if the logs are dispersed, make sure there’s a central portal to them.
5. Ingrain security into the internal corporate culture. Don’t just walk away from that live workstation; take it off the network, dummy…

For this client, the strategy probably will cost up to $5 million for the first couple of years. Security’s like an insurance policy. It’s a lousy investment if you think your company will never be struck.