Security starts before you even turn on your computer?
Information security starts well before you even turn on your computer. Its success relies upon many elements stretching far beyond the technical controls and buzzwords like firewalls and encryption that have become the call signs of our industry. For this reason, no information security program can be successful without developing the three P's of security - perimeter, people, and policies.
Most people picture mischievous hackers sitting in their darkened basements searching for ways to infiltrate vast corporate and government networks in search of thrills and money. Just as real, however, is the professional con-artist posing as a repairman or a client in order to gain illegitimate access or fuel someone else's attempts to do so. Moreover, many of the most costly attacks come from within, perpetrated (naively or purposefully) by members of your own workforce.
These incidents cost millions of dollars in damages and lost revenue to large and small businesses alike. Furthermore, nearly all of these losses are caused or aggravated by failures in the victim's organization to ensure a proper physical perimeter, to educate and train their employees, and to implement and follow good security policies and practices before, during, and after the attack. Of those three, I would argue that the most critical single factor affecting an organization's information security is a corporate environment of awareness. Such awareness flows from practical and well thought out policies embraced and funded by management through an "all-for-one" mentality. The result is an environment in which employees actively question new people and report unusual activity through well known and practiced incident reporting mechanisms (you have them, right?).
We get many requests from companies to conduct "social engineering" tests to help identify their weak links. In these "tests," our professionals have obtained vast amounts of sensitive and critical information by exploiting misplaced trust and lack of concern. Stories of these infiltrations provide both humor and a glimpse of the sobering reality facing each and every organization. We have too many pictures of ourselves inside wiring closets and too many screenshots taken on executives' computers, which more often than not were obtained through the friendly and unsuspecting assistance of an employee.
Although this Secure Notes does not contain a single hardware or software recommendation, it seeks to illuminate a crucial foundation upon which any successful security program must be based. In the Secure Notes to follow, we will explore the three P's in more detail. Until then, ask questions, be aware of new people, and report unusual phone calls or activity through the appropriate incident reporting channel in your organization. Good security requires vigilance at every level.