Tuesday, 30 September, 2008

Security

Because we host a web application, we are focused on web security. We've locked down the perimeter. We can see from our log files that there is a great deal of malicious activity out there.

Internally we have centrally controlled anti-virus. We have automated patching. We have an intrusion prevention system and we even have a remote security monitoring service.

But technology is not enough. We have to instill a culture of security in all our staff.
Consider these scenarios - which is more likely?

  1. Someone breaks through two locked steel doors watched by surveillance cameras. They then break into a locked server cabinet and unbolt computers. They have time to get away with massive heavy servers.
  2. Someone nicks an unattended computer bag in the food court.

  1. A file is infected at work on a fully patched, firewalled and virus-protected computer.
  2. A file is infected while taken home and used on an insecure computer shared with teenage children.

  1. Confidential data is stolen by sophisticated hacker geniuses who break into the network.
  2. Confidential data is disclosed on 'draft' paper copies sent out with the recycling.

People's behaviour can jeopardize security despite the best technology. Security has to be everyone's responsibility. People can be the biggest liability but they can also be the greatest defense.

Without the full support and engagement of staff, the IT department risks building a Maginot line of defense that can simply be walked around. Here's a map of the original pre-WWII Maginot line. Where do you suppose the attack came from?
