Dirt Cheap Network Security

Throwing money at security vulnerabilities may not make you safer at all. Follow this advice for low-cost and no-cost security measures to put your network beyond the reach of the

June 7, 2005

Network Computing

You've spent money on hardware and software firewalls, security appliances, anti-virus software, anti-spyware...the list of what you've bought can go on and on. And so can the invoices.

Do you feel safe now?

Most likely not. Network security isn't something you can fix by throwing a lot of money around. On the other hand, completely no-cost security may not be exactly an attainable goal, says In-Stat analyst Victoria Fodale. "But," she adds, "you also don't want to pay more than you need to."

To be sure, any organization that doesn't spend money on firewalls and secure servers will probably find itself up a very long and treacherous creek without a paddle in very short order. But all that expensive equipment means nothing unless you make an investment in security intangibles that cost little or nothing at all.

"Our research indicates that the majority of organizations tend to think about security solely in terms of technological solutions and not procedure," says Joe Greene, vice president of IDC Canada. "We think it's a combination of both."

That's perhaps a common enough refrain that enterprise network managers can say they've heard it all before. The problem is that, for all its repetition, the message doesn't always seem to get through, and Greene says that's probably because you can see and touch the results of capital expenditures. But things you can't buy, like solid procedures, processes and good sense, are ultimately intangible.

They may be intangible, but they cost money as well. "There's got to be someone's time involved, and in realistic terms that costs money," Greene says, "But you see organizations that invest in an anti-virus solution and think 'okay, we're fine now.' But they aren't. The investment itself won't go very far unless you follow it up, not so much with further investments in products and solutions, but with procedures."

Indeed, maintaining a safe network is as much a question of using existing assets as of acquiring new ones. "Be proactive," Fodale says. "Formalize process and procedures. And ensure you have the proper controls in place to make sure things are happening."

That means making sure that everyone knows what they can and can't do with the enterprise network. Fodale is quick to stress the importance of user education, for example. Spyware and adware would not be so much of a problem if users could be made aware of the perils of clicking through the link in that tempting phishing message or downloading allegedly "free" software that, in fact, installs a battery of resource-hogging nasties on company systems.

For the IT department, eternal vigilance is the price of network security. At a very basic level, that just means having IT staff do what they're being paid to do anyway. Some of these things are no-brainers, particularly when it comes to defending against malicious network-borne code like viruses and worms.

"IT people should keep up to date with what's going on and ensure that the right people are alerted to problems," Greene says. "That's a no-brainer, of course, because that's their job."

On the other hand, it's easy to slip into a complacent, false sense of security when there haven't recently been any headline-grabbing worm and virus scares like Blaster and Slammer. However, the risks are so great and the costs so low that Greene says it's important to institute processes that keep IT staff and the enterprise as a whole in a state of readiness.

"It requires constant vigilance to make sure that employees are aware of the dangers, and to be prepared to deal with problems as soon as they emerge," he says. "And you can and should take that beyond viruses and worms to phishing and spyware."

Dealing with hackers is a bit tougher. There are fewer no-brainers, but Greene says that the same vigilant mindset can go a long way to prevent the worst excesses of the on-line criminal element. "If you have a firewall and it's regularly maintained and up-to-date, you're already a step ahead," he says. "The problem is that a lot of organizations aren't doing that. They aren't even aware of the attempts that are being made on their systems."

At the end of the day, the best security is a product of the kind of thing that money can't buy: attention to detail, a willingness to keep systems maintained and a mindset that hopes for the best by preparing for the worst. It's just common sense, Greene says, but the problem with that is that common sense isn't always that common.

"If you just throw money at security and don't do all these things, you're going to be vulnerable," he says. "If your attitude is 'it won't happen to me' and 'I have all the right technology,' and you leave it at that, then your guard will be down, and you'll be hurt."
