By now I think that we all realize that we are living in dangerous and challenging times. The bad guys know about the importance of information technology and so they spend their time trying to break into our networks and we keep trying to find ways to keep them out. You’d think that a person who has the CIO job would have to have a sophisticated set of defense measures in place in order to keep his or her network secure; however, it turns out that this is not the case. Just taking care of the basics will generally keep the bad guys out. So that brings up the question: what should CIOs be doing?
Stay Current With Patches
The software that your company uses is complex stuff. Although we’d like to think that the companies that write it have taken care to make sure that it’s secure, the reality is that it’s too complicated for them to have thought of everything. What this means is that there are always “holes” being discovered in this software that the bad guys could use to break into your company.
When the maker of the software discovers one of these holes (or is told about it by someone else), they release a patch or an update to their software. As a user of the software you need to apply the patch to your version of their software in order to secure it. The bad news here is that 33% of network break-ins occur because companies did not apply a patch. In fact, a study of all of the software running on computers has revealed that there are roughly 2.3 critical patches per computer that have not yet been applied. Make sure you apply patches when they become available.
Shut Your Online Doors
Every computer in your company that is connected to your network is potentially an open door for the bad guys to walk into your network. Having the CIO position means you need to first identify just exactly how many of these doors you have and then you need to take steps in order to ensure that they are kept firmly shut. Studies have shown that up to 25% of network break-ins were accomplished using computers that didn’t have to be connected to the company’s network.
The problem is that in our Internet based age, we often think that every computer and computing system that the company owns should be connected to the network. The answer is that this is not the case. Instead, only computers that require the resources that the company network can provide need to be connected. Keep all of the other ones offline and make sure that those doors are nailed shut.
Make Sure Important Data Is Encrypted
If the bad guys are able to get into your network, then what are they going to be looking for? The answer is data – as much data as they can get their hands on. The most valuable types of data will be things like payment card records, customer data, and corporate plans. All of these items have a value on the black markets.
What this means for you as CIO is that you need to do two things. The first is that you have to take a look at all of the data that your company has and determine what data is the most valuable. Once you’ve done this, you then need to implement a program to encrypt it the moment it enters your company. Yes, this will be an additional expense and it may slow things down, but the cost is well worth the peace of mind that it will provide you with.
Say Goodbye To Passwords
One of the biggest problems those of us who are trying secure networks have is that it all relies on the end user to keep things secure. The way that end users identify themselves to the network is through the use of a password. The problem with this scheme is that they often do a very poor job of managing their passwords.
A recent study of computer network break-ins revealed that roughly 25% of them involved the bad guys correctly guessing a user’s password. One of the biggest problems with passwords is that we tend to use the same password on multiple systems. This means that if the bad guys break into another system and discover what our password was there, then they can use the same password to break into the company’s network.
Take A Careful Look At All Of Your Vendors
In order for a company to be successful, they need to work with other companies. This is where things start to get tricky. You may do the best job in the world of securing your network. However, in order to do business with other firms, you are going to have to permit them to access your network. Have they secured their network?
The bad guys realize that if you’ve done a good job of securing your network, their best chance of getting in is to break into one of your suppliers and then using their network to get into your network. This is why you need to take the time to work with your vendors and make sure that they are spending as much time as you are making sure that their networks are secure also.
What All Of This Means For You
The good news is that it really is possible for a CIO to keep your network secure from the legions of bad guys who are trying to get in. However, the key to being successful in doing this is to have a very clear understanding of just exactly what needs to be done.
It really boils down to taking care of the fundamental security practices that we should all be doing anyway. These include making sure that we promptly apply patches that we receive from vendors when we get them. That we limit the number of ways that people can use to gain access to our network. That we identify what data is the most important and we encrypt it. That we stop using fallible passwords. Finally, that we take a careful look at our vendors and their security practices.
Securing your network is not hard to do. All it requires is that you find the time to pay careful attention to the little details that can so easily trip you up. Make sure that you have the fundamentals of network security taken care of and you will have made it so hard to break into your network that the bad guys will pick up and go elsewhere.
– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™
Question For You: What’s the best way to quickly test patches before you apply them to your network?
Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!
What We’ll Be Talking About Next Time
As the person with the CIO job, you realize the importance of information technology and just how important it is to keep your company’s network secure from all of the bad people out there in the world who are always trying to get in. You make investments in firewalls, intrusion detection devices, and highly paid IT security staff. However, we all realize that if we want to keep our network secure, we’re going to need each and every employee of the company to lend a helping hand. Since in most cases they just don’t seem to care about network security, what can we do to get them to care?