I have been in the IT field for more than 30 years. I have been in the field long enough to see the change from mainframe systems to servers on Local Area Networks (LANs) which connected to Wide Area Networks (WANs). I also saw the word play changes, the words of technology transitioning from hosted to cloud, Antivirus to Endpoint Protection, and my latest one, Unified Threat Management to Next Generation Firewalls, and so forth.
So, I have had my share of conversations as of late about network security and its nuances: how it affects the basic functionality of computer systems and applications, and how it makes our lives difficult because of all these security controls, policies, and procedures.
What can you do? The point of security is to keep you (the user) safe. I had recent discussions about security with both residential and commercial customers. To my surprise, people still complain about security. Only some people get it after numerous discussions.
Here are some examples of the discussions I have had with residential and/or business clients:
We add security to only please the auditors - I had to say this was my most recent favorite and it was during a discussion with a financial institution executive.
- My Response - Auditors checking on your systems' security to ensure that you have security controls in place is actually a good thing. The paperwork is tedious, but don't let that deter you. The external review would be good for your organization. Normally I find people that don't want external audits or reviews are folks that don't want to apply security, plain and simple. The excuse is always money related and the other is the infamous quote "That will never happen with our users."
We don't need to apply security - I was also informed that we don't need security because someone will always break into the system(s). The first few minutes of this discussion were interesting as it was with a financial institution executive.
- My Response - Just because someone breaks into your house does not mean you don't replace the locks. You get better locks, add a security system, security cameras, get a gun, etc. It's amazing that people don't apply the simplest logic or will not accept that security has been increased because the threats have increased. The basic network security controls include endpoint protection, policies, procedures, network firewalls/IDS/IPS, web filtering, logging, alerts, etc., and these should be simple items of interest for any business owner. It's a response to a genuine concern. That part of the conversation was interesting as it seemed to turn on the light bulb.
Everyone should get admin access - That part of the discussion was out of this world. And the thought of it was extremely painful. Again, this was recent and with the same executive.
- My Response - Give the lawn maintenance or utility meter consultants access to the house by providing keys and/or the security code. While what I said was a bit harsh, I want to dive into this a bit more for understanding the thought or idea. A normal user of an organization is really a stranger to the system. They may have a userid and password to access resources but they won't get the key to access the entire kingdom. I explained to the executive that the lack of security controls on any network or system is a system primed to be hacked.
No one should have to change their passwords - WHAT? Get this... an IT admin said that one... Truly crazy!! This was a crazy conversation. This was from a troubleshooting call and we were discussing a user that has continuous lockout issues.
- My Response - WHO DOES THAT? Even commercial organizations that provide services with credentials are now evolving to training their customers to change their passwords. Some are sending notifications in your email or text, others are flat out making you change them. (I received a notification from my bank stating it's time to change your password.)
The discussions were in some cases up to 1 hour. Others were continued conversations through email and phone calls.
While the network security effort seems unacceptable to some business owners, I find these discussions very disheartening. I always state that you need to train your users and/or customers on security and its issues. And as owners you need to address your system flaws, policies, procedures, and mechanisms that provide the capability to maintain them.
The issue for business owners always ends up being lack of understanding and education. Not understanding why you are securing your network is as dangerous as not providing the security controls to protect the organization, its information, and its other pertinent resources. Not understanding or at least being a bit familiar with network security is a serious risk to any position within an organization. All outcomes were not positive as some people will not accept the inevitable. (RESISTANCE IS FUTILE)
Owners that do business with the federal, state and local governments face the possibility of getting penalized for not having their security controls configured and managed properly, and will soon see their business with these organizations shut down. So, buckle up folks, it's going to be a wild ride.
THE PLUG (YOU KNOW THERE IS ALWAYS ONE)
Rebnetik offers a basic security assessment for small business owners. This assessment is done within one week and the deliverable is a report that provides insight into your current network security posture. While you may not purchase anything from our organization, we want to provide your organization with the most accurate information possible to ensure that your IT specialist has implemented some basic network security controls. The most basic controls are way more advanced than those of two decades ago. Technology has evolved and we as owners need to adjust to that constant evolution.