A small technology provider installed a T1 and shared it with two other small companies in the same building. One of these was a real estate office that began experiencing network problems.
“Fortunately, there was a guy there who had a background in IT,” recalls Danny Nickason, who managed technology for the provider in a previous job, and is now IT director for Genesis Physicians Group. “He told me they were getting heavy pinging, about 25,000 a second, and gave me the IP address it was coming from.”
Devices on a network use “pings” to check the connection to other devices, but viruses can also use them to overload a network. Nickason checked the IP address, which came from a wireless system his company used for demos. He shut down the server in question, and the pings immediately increased to 1 million per second. “It brought both our network and their network down,” he says. “We were hosting eight or nine websites for our clients, and those went down as well.”
Nickason investigated further, and discovered the problem originated with the computer a new employee was using. He began by disconnecting the offending computer, which immediately returned both networks to normal. Next, he tried a virus scan on the computer, and encountered a file that wouldn’t let him complete the scan. The file was located in the computer’s “My Music” directory — the result of downloading infected music files. Because of this activity, Nickason notes, “That employee cost several companies money. We had to send apologies to both the companies using our T1 line, and to our clients whose sites went down.”
Inviting the vampire in
When asked how a network became infected with a virus, Nickason once replied, “The vampire gets in if you invite him in. If you don’t invite him in, he stays out.” This is a major issue in security, where most problems begin with someone downloading an infected file, browsing to an infected site, or leaving a computer unprotected.
“Computers come configured to do just about anything,” notes David Rice, author of the new book Geekonomics: The Real Cost of Insecure Software (Addison Wesley 2007). “So you’re starting out behind the eight ball, as far as security is concerned.”
How can you improve those odds? Consider these steps:
1. Invest in educating users. “Employees do stupid things, and attackers are out there trying to trick them,” Rice says. “So making them aware of the dangers is probably the biggest bang for the security buck.”
Frequent communication is essential, Nickason adds. “I see too many IT departments hide in a room, waiting to react to problems,” he says. “I’m very vocal, constantly reminding them about security. If there are updates, I make sure to advise everyone to reboot their computers, and leave them running that night. I let them know not to open attachments, even from someone they know, unless it’s something they’re expecting.”
Communication also helps build trust. For instance, Nickason reports, suspect e-mail is quarantined until he can look at it and make sure it’s virus-free. Employees could override the quarantine if they so chose — but they never do because they understand the risks.
2. Create an acceptable-use policy. “Some companies say that you can’t make personal phone calls, but they let employees use their computers any way they want,” Rice notes. In one case, he says, he found an employee running a “home-based” business entirely on an employer’s computer.
“Most companies have very lightweight acceptable-use policies, if they have them at all,” he says. “You need to have the mindset that the equipment belongs to the company, and should be used only for company business. If you start from there, it’s much easier to influence user behavior.”
3. Don’t assume all users have identical access needs. “Knowledge workers need more Internet access than someone in the mailroom assembling components to ship,” says Adam Hils, primary research analyst specializing in small and mid-sized businesses for Gartner. “Yet many IT departments set the same profile for everyone, so they all wind up with the same access. If you have 100 people in your company, and you give all 100 the same access, but only 50 actually use it for their jobs, you’ve doubled your security exposure unnecessarily.”
4. Don’t prevent people from doing their work. “Your users are higher-order problem-solving primates,” Rice notes. “And they’re trying to get their jobs done. So if you prohibit something, make sure they have another path to doing what they need to.” Otherwise, he says, they’re likely to look for workarounds that may create worse security problems than the one you solved.
5. Accept that mistakes will be made. Ultimately, even the best-educated users will eventually make a security mistake, so make sure your firewall, antivirus, and spyware filtering are as robust as you can make them. Dirk Morris, CTO and founder of the security gateway Untangle, notes that, while purchasing software recently, he himself did an Internet search for a discount coupon, downloaded it, and would have given the company a virus had it not been protected with its own product.
“You can educate a lot, and it will make a big difference, but it won’t solve everything,” he says. “There are too many ways even a perfectly well-informed user can still do something harmful.”