Menu
Dr Crime's Terminal of Doom

Dr Crime's Terminal of Doom

Most computer attacks come from the outside. But the costliest ones come from the inside. Here's how to manage the risk without making honest employees feel like crooks.

2 Build Security from the Inside Out

These access controls are only the first step toward a decreasing emphasis on what's known as perimeter protection - security's equivalent of the moat around a castle. Surprisingly, more than half of companies that responded to one CIO (US) survey last year don't have critical information restricted to a confined area, separate from other information that requires less security. In other words, once an intruder gets over the moat, he won't even need to pick a lock to get the crown jewels."Some corporations run hard on the outside and soft on the inside: once you get in, you have free access," says Larry Bickner, vice president and information security officer at Nasdaq in New York City.

To protect its trading floor, Nasdaq takes the opposite approach, and one that experts recommend: progressive hardening from the inside out."We break our world into various trust zones, and we control who's within that zone or space," Bickner says."I don't have access to human resources servers or systems. It's not part of my job. We have a completely different trust space for the market system, and where those overlap, we control those connections very strictly . . . Even if one layer isn't set correctly, the other layers compensate. That layering gives you hardening. Our architecture is hardened to the point that when you're on the inside, it's not much easier to get at things, frankly, from being on the outside."

3 Make Security Part of the Culture

Another key element is establishing a culture that values security. That helps keep the honest people honest and makes it easier to deal with people who cross the line. At George Washington University in Washington, DC, the CIO and his information security officer, Krizi Trivisani, have made computer security part of the university's code of conduct that students, faculty and staff have to read and sign once a year."Policy is a great vehicle," says CIO Dave Swartz."Of course, you have to be ready to enforce the policy, and that's the problem. What's the hammer?" Swartz's department forwards people who break security policies (including students who try to test hacker techniques they've learned in class) to the appropriate disciplinary organisation, but they prefer to focus on prevention. The IT department hosts regular security forums and invites members of the legal department, compliance office, and audit, policy and student groups."Education and awareness is a very powerful tool," Swartz says.

CIOs who decide to implement stricter policies for employees should be doubly sensitive to educating users about reasons for the changes."This is a classic situation where what your culture is and what you've done in the past lays a foundation for future efforts," says Mitchell Marks, an organisational psychologist in San Francisco."If you don't explain why you are [increasing security], then people will talk about it at the coffee machine, fill in the information voids with perceptions that are probably more negative than reality [and conclude]: leadership doesn't trust us."

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Access360ACTAPLAppleAvis Budget GroupBindviewBMC Software AustraliaBMC Software AustraliaCounterpaneCrownFBIGiga Information GroupGlobal CrossingHarrah's EntertainmentHISIBM AustraliaInternet Security SystemsInternet Trading TechnologiesIT PeopleNetegrityNetsupportOmega EngineeringOmega TechnologyPentasafeSecurity SystemsSonyTivoliVIA

Show Comments
[]