Get the small things right, then move on

Last month, I was invited to speak at a small gathering on the subject "Are we winning the war in information security?"

This was a rather nerve-racking prospect, because I knew the audience would consist of some of the country's most important and competent heads of security. What could I tell them that they didn't already know?

But it was a good question to consider, and so I accepted the challenge and started looking around for evidence. Luckily, Symantec had just produced its latest half-yearly Internet Threat Report, which gave me a pretty comprehensive picture of the current state of the internet. The numbers are not encouraging.

Nearly every type of threat is on the increase, from spam to phishing. Viruses and worms are produced at breakneck speed, while software companies struggle to get patches out. New threats are also on the increase, with spyware, adware and keyloggers finding their way on to unprotected systems.

Then there is organised crime, running botnets and DoS attacks, stealing credit card details and using the internet to launder money earned by even more sordid means.

These are the outside threats. Adding to the general gloom is the inside threat. We talk of user awareness programmes, which are supposed to solve this. But these programmes rely fundamentally on employees having the good of the organisation at heart.

But how does a company keep everyone onside when it needs to be constantly seeking cost reductions in a competitive world?

For instance, if you outsource the work of department A, staff in department B will have just cause to fear for their future job prospects. The B team might then worry less about protecting company data, arguing that if the company won't look after them, why should they look after the company?

So the picture looks grim, outside on the internet and inside the organisation.

But does that mean we are doomed to lose the war?

Not necessarily. The good news is that most of the problems are easy to fix, either by the judicious use of technology or through improved procedures.

The secret of good information security is to get the simple things right, rather than getting worked up about the latest sexy subject, such as podslurping or cyberterrorism.

Get identity management under control for a start, because if you don't know who's on the system, you are wide open to attack.

Here's a simple litmus test to tell if you're on top: when someone leaves your firm, long does it take to kill all their accounts? If it can be done as you print their P45, you're probably winning. If it takes weeks, you need to try harder.

Ron Condon is editor-in-chief of SC Magazine