Network Policy Key to Security

March 1, 2004
When as many as 50,000 virus-infected computers launched a coordinated, “denial-of-service” attack last month that shut down the Web site of a Utah-based software company, were computers from your company among the attackers?

It’s a possibility, depending on the network security policies that your company has in place, and the computer sophistication of your company’s employees, among other factors.

“One thing that I find very scary is that lots of times, you don’t know when you have been compromised,” says Merike Kaeo, a network security consultant and author. When malicious hackers are able to gain access to a personal computer—either by convincing its user to click on an e-mail attachment that launches a virus, or by some other means—they sometimes place a piece of code on the PC desktop, and just let it stay there, maybe for months, Kaeo says. “Then all of the sudden, on some certain day, there’s a coordinated attack that’s launched, and your desktop may be part of that.”

Worse yet, a hacker who gains access to your company network may use that access to damage your corporate systems, deface your company’s Web site, steal sensitive information or even shut down your network. A variety of technologies are available to help stem the tide. But often, says Kaeo, some of the best lines of defense against nefarious network activities can include basic employee education and a well-defined and documented network security policy.

Kaeo, based in Santa Cruz, Calif., has spent more than 15 years in the networking industry, including seven years at network equipment powerhouse Cisco Systems Inc. (www.cisco.com), San Jose, Calif., where she was a lead member of the Cisco security initiative. In the Second Edition of her book, “Designing Network Security” (Cisco Press, November 2003), Kaeo covers the fundamentals of network security for technical readers, including several chapters on developing a corporate network security policy.

Surprisingly, perhaps, Kaeo notes that most companies still don’t have written security policies, but instead handle network security on an ad hoc basis. “A lot of companies mostly leave it up to the technical folks to ‘make sure our network is secure,’” she says.

But that approach can have dangerous and even career-threatening ramifications, not only for management but for information technology (IT) personnel as well, Kaeo warns. Without a written security policy, technical staffers may come up with security methods they consider reasonable, only to be made scapegoats for their efforts when a breach does occur. That’s been known to happen, says Kaeo, “especially if there’s a large company involved and there’s lots of publicity.”

No network is immune to penetration. And every security policy should contain specific incident handling procedures, Kaeo notes. Who talks to the press, for example, and who has decision authority? When a breach occurs, a written policy might provide a network administrator with authority to take steps he or she deems necessary—including actions that might cost the company money, such as disconnecting from the Internet—without fear of later retribution. “I always say that if you’re a technical person and your company doesn’t have a security policy, go to your manager, and try to get the company to create one,” Kaeo advises.

The creation of an effective security policy requires participation by a company’s top management and legal staff, as well as technical personnel, says Kaeo. “The best policy is a really fat document, like 200 pages, that covers all the legal aspects, so that if you ever want to prosecute, you’ll actually have this nice document in place that doesn’t have any loopholes,” she notes.

A shorter, three- to four-page version of the document “that everybody will actually read” should also be developed. The shorter document should concisely state the company’s policies, such as prohibitions against downloading copyrighted music from the Internet, for example, or against placing unauthorized modems or other devices on the network.

In addition, employee training is key. “Corporations need to train their staffs—and I mean everybody in the company—about social engineering and security issues,” Kaeo declares. An administrative assistant must know not to divulge the boss’ network password to someone who claims to be from corporate IT, for example, without first verifying that person’s identity. Likewise, employees at all levels must know “not to click willy-nilly” on attachments on incoming e-mails, Kaeo says. Sometimes the simplest precautions can head off a network disaster.

Wes Iversen
