You want to protect your network? Then give your staff some lessons on security.
This advice comes from Howard Schmidt, chief security strategist at the US Computer Emergency Readiness Team (CERT).
Schmidt previously worked in the White House as presidential advisor on cyber security.
Stressing that security should not be viewed as a problem for experts alone, Schmidt urged organizations to “operationalize” IT security. “We have to look at security (at) every level of operation. Security is everybody’s job,” he said.
Security professionals act as “enablers” by setting up policies, but policies alone won’t do the trick, he said. Instead, corporations should ensure that all employees are trained to understand security. And this, he said, includes security training and certification for their IT staff.
Vendors, he noted, tend to blame end-users for security breaches. Rather than pointing a finger, vendors should educate users and give them the tools they need to avoid such breaches.
Schmidt also debunked the notion that attacks are only targeted at specific groups, such as defense agencies or financial institutions. Hackers look for vulnerabilities and not specific IP addresses, he said. Determining where these vulnerabilities exist is key.
According to Schmidt, the less complex a network is, the easier it is for its defenders to find the holes in it. “A well-defended network is a well-designed network…the difficulties in defending a network have to do with its complexity.”
Schmidt said when selecting a security vendor, technology should be the deciding factor. “Look at the technology they offer instead of the size of the company.”
The quest for network security, however, does not end with the selection of a vendor and rollout of its technology.
Regular maintenance, such as keeping patches up-to-date and addressing known problems instantly, could spell the difference between security and vulnerability, he said. “Eternal vigilance is the price of security. Develop processes to make sure it’s being taken care of on a regular basis.”
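The “develop processes” advice above is easiest to act on when patch currency is checked mechanically rather than by memory. The following Python script is an added example, not code from the article or from CERT: it audits a constructed host inventory (hypothetical hostnames, dates and pending-fix counts) against a simple policy, flagging hosts whose last patch run is older than an allowed window or that still have known critical fixes outstanding. The `Host`, `Policy`, `check_host` and `audit` names are all assumptions made for this example.

```python
"""Patch-currency compliance check: flag hosts whose maintenance has lapsed.

Added example with constructed data (hostnames, dates and pending counts are
hypothetical). It checks an inventory against a policy window so that lapsed
patching is reported on a schedule instead of discovered after an incident.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    last_patched: date        # date the last patch run completed
    pending_critical: int     # known critical fixes not yet applied


@dataclass(frozen=True)
class Policy:
    max_patch_age_days: int        # longest tolerated gap between patch runs
    max_pending_critical: int = 0  # critical fixes may not wait for the next cycle


# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    Host("web-01", date(2024, 5, 28), 0),
    Host("web-02", date(2024, 4, 2), 0),    # patch cycle lapsed
    Host("db-01", date(2024, 5, 30), 2),    # current, but critical fixes waiting
    Host("vpn-01", date(2024, 3, 15), 1),   # both problems
]

# Fixed "today" so the run is reproducible; a real job would use date.today().
AUDIT_DATE = date(2024, 6, 1)


def check_host(host, policy, today):
    """Return the list of policy violations for one host (empty if compliant)."""
    reasons = []
    age = (today - host.last_patched).days
    if age > policy.max_patch_age_days:
        reasons.append(
            f"last patched {age} days ago (limit {policy.max_patch_age_days})"
        )
    if host.pending_critical > policy.max_pending_critical:
        reasons.append(f"{host.pending_critical} critical fix(es) pending")
    return reasons


def audit(inventory, policy, today):
    """Map each non-compliant host name to its reasons; compliant hosts are omitted."""
    findings = {}
    for host in inventory:
        reasons = check_host(host, policy, today)
        if reasons:
            findings[host.name] = reasons
    return findings


def main():
    policy = Policy(max_patch_age_days=30)
    for name, reasons in audit(INVENTORY, policy, AUDIT_DATE).items():
        print(f"{name}: " + "; ".join(reasons))


if __name__ == "__main__":
    main()
```

Run as a scheduled job, the output is the list of hosts that need attention; an empty result is the "regular basis" evidence the quote asks for. The two policy limits are separate on purpose: a host can be inside its patch window and still be exposed by a critical fix it has not yet taken.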
Schmidt emphasized that IT security is an ongoing expense and said vendors must be able to communicate that clearly to the customer. “It is not something you can plug in and walk away.”