I recently had a shocking conversation with an IT professional working as the sole IT professional at a company in the US. I encouraged him to apply patches to his network and his response was, “I do not need to patch the operating system or applications—I have anti-virus and that protects the network from all security risks.”

At first, I thought he was joking with me. He wasn’t! I asked, “What if a user writes the password on a sticky note and the cleaning crew logs in as them to access secure files—does anti-virus prevent that?” The IT pro said yes he was protected.  Several of his “IT advisors” told him anti-virus was all he needed.

I attempted to get through to him for almost 10 minutes with other examples, sent him links to articles on news sites showing reality, and he kept going back to “his trusted advisors told him not to worry about it.” I asked who the “trusted advisors” were and he didn’t want to divulge their identities but assured me “they are really smart.” I even offered to have a conference call with the IT professional and his advisors, but he felt that wasn’t necessary.

This poor IT professional totally believes his reality. He probably will until something bad happens—and at what expense?

I experience this to varying degrees fairly often with “IT professionals,” and frankly I find it unsettling because executives trust their IT professionals with the safety of their business. Executives need to trust their IT professionals.

Executives please make sure your IT department’s advisors are trustworthy as well!

Executives at companies who have never experienced a breach are the ones who feel they cannot enforce their policies.

After a breach or a lawsuit, I see the executive iron fist slam down and things start happening like:

• Forcing employees to sign an acceptable usage policy that forces them to agree to safe data practices.
• Training for employees on security training.
• Technology protection like web site filtering, data loss prevention, and computers that force users to follow the rules by restricting unauthorized behavior as much as possible.

Isn’t it sad that many companies have to go through the “bad thing happening” before they take action?

The IT professionals can use tools like anti-virus, firewalls, application and OS patches, etc. Many IT professionals are not using the tools as effectively as they could, and frequently aren’t using them at all on one or more computers. None of the tools are “set and forget”—all of them have to be monitored.

I feel the executive’s real challenge is, “I don’t know how to help my IT professional fight viruses.”

Responsible executives:

• Provide enough uninterrupted time for the IT professionals so the IT professionals can get their work done.
• Allow ongoing training for the IT professionals to keep up with ever changing technology.
• Hold the IT department accountable for fixing issues discovered during an audit.
• Provide managerial support for policies that support security—such as forcing computer screen savers to lock after a period of inactivity.

If you make your passphrase something like “remember to finish the security project by next month,” you can write it down on a piece of paper and stick it on your monitor. If someone sees that stuck to your monitor, they will think it is just a reminder note (which it is). Another example of a passphrase that would be hard to break is “take the family to go snow skiing in Colorado at night.” That password is much more secure than “@ppl3E5.”

Of course, if you save a file on your hard drive with all your passwords, nothing can help you if a criminal, or even a worker in your own office, finds the file.

Think about it, look in the news at the latest breaches, and make sure to get secure ASAP!

The top executives often get special treatment on the network. Maybe they asked for it, or maybe the IT professional gave it to them “just because.” Some of the biggest offenses I witness repeatedly when auditing companies include:

1. Domain administrative access. In other words, some executives are essentially unrestricted on networks “because they are the boss.” That unfettered access means the executive can easily destroy the entire network. For example, if a virus enters through an e-mail sent to the executive, and your anti-virus system does not catch the virus, the virus will now have unrestricted access to your network. Restrict the executives to the least access privileges they need to do their jobs.
2. Poor password management – such as the same password they use for everything and it is written on a yellow sticky note stuck to their monitor. Consider using password management.
3. Executives sometimes demand exceptions. They want to be able to install software on their own, access any web site they want to, use their office computers for personal activities, and fall for some of the oldest phishing tricks in the book. The executives can be examples by following the safety rules too. Just make sure the rules still allow your employees to be productive!
4. Fixing their own computers, or letting their “brother in law” work on the network. Rely on your own qualified IT professionals please!
5. Bad habits while traveling including connecting to the nearest WiFi network, losing important data, and bringing infections back to the office. Ensure everyone uses secure remote connections and practices.
6. Plug in anything and everything USB into the office computer causing an infection or data loss. Check with your IT department before using any USB device.
7. Sending private information via e-mail or storing it on removable media. Email is like a postcard, not a letter – anyone along the way can potentially read what you send – even the attachments. If someone steals your USB memory stick, they own the data unless you are using robust encryption.

With a little care, the executives can set the excellent example of how to protect your company!

This article from the Washington Post has more details: http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html

The reason criminals keep using the same old tricks is that the tricks work. Warn your fellow executives and other workers about the importance of never opening attachments you were not expecting even if they appear to come from a trusted source. When in doubt, contact the sender to see if they really did send you an attachment.

Your IT department can help you scan the attachment for viruses, and some of you have services that scan all of your attachments. Just remember that the scanning may not catch the virus. Some viruses have new code every four hours so the anti-virus programs cannot keep up with the changes.

Practice many levels of protection and be wary!

First, there was the problem that Twitter’s server had a password set to “password.”   Executives would find news of their own server passwords being so weak as inexcusable!  Then, there was another breach that was caused by several user blunders including using the same password at both gmail and hotmail.

Do any of your users, or you, use the same password at more than one site?  Change them. Get a password manager such as RoboForm or MyPasswordManager. A password manager remembers all your passwords for you – all you need to remember is your password to the password manager. Not perfect security, but a whole lot more secure than using the same password at more than one site! Protect yourself.

There is a wonderful product on the market that will make backups of your computer quickly and easily. The problem is, a criminal can use this product to steal your information. This is supposed to be a short sales video, and I want you to consider how you would feel about the video if a criminal used this to steal your computer’s information: http://www.youtube.com/watch?v=S-aHtWOYGvg

And, in their support, I see this as a very useful tool for home users who never back up their computers – and risk losing years of precious photos of their family. I bought one for myself to show to executives and recommend for people who do not make backups because they feel backups are too much trouble. This is a great tool in your hands for use on your own computer.

There are other ways cyber criminals can steal your data, but you can slow them down if you never leave your computer unattended and logged in if you store any private information such as credit card numbers, banking information, social security numbers, etc.  In Windows, you can use the key combination “windows-L” to lock your screen. You need a secure password.  That makes it more difficult, though not impossible, to steal your data.

Summary: Great tool in your hands; horrible tool for hackers to use against you.