Discounting internal security threats

IT managers who focus on external threats can easily fool themselves into feeling a false sense of security. According to Gartner, 70 percent of security incidents that cause real harm are actually internal operations, which put the most vulnerable at risk for the business.

Of course, not all internal threats are created with malicious intent. In September 2004, HFC Bank, one of the UK’s largest banks, sent an email to 2,600 customers — with all email addresses visible to others on the list.  When users scrambled to unsubscribe, all 2600 users were inundated with hundreds of emails.  The problem escalated when messages from out-of-office users – including home and mobile phone numbers – responded to this email.

Even the vicious cyber threats are done with very little technology. In a joint survey released this year by CERT and the U.S. Secret Service, the majority of security breaches came from internal sources, such as former employees who still have access to sensitive corporate data. Organizations need to be careful and take effective measures to protect themselves. Managing IDs and permissions can help.

Ignoring security for handheld devices

Although inexperienced IT managers see the need for network resources and username/password authentication on desktop and laptop computers, many IT stores use the “wild west” when it comes to mobile devices.

Here is a scenario: The company’s wireless company Chief Technical Officer tells us about a businessman who lost his iPhone on a business trip while closing a very secret deal. The business iPhone was not password protected, so anyone who found the lost iPhone could read any received emails.  The company’s IT department could do nothing in this case, and it leaked sensitive company data.

In this case, the small inconvenience of using login credentials had significant consequences.  Neglecting the safety of sensitive devices can be destructive.

Mishandling change management

A former CTO of a computer equipment manufacturer has described a situation where a capable, but perhaps overly ambitious, program manager made the seemingly simple changes to a set of sensitive servers during day-to-day maintenance. 

When this person made the changes they had all already agreed to, he took it upon himself to take additional steps without consulting the team.  He decided to upgrade BIND (Berkeley Internet Name Domain), open-source DNS software used to enable multi-site accessories.

Within hours, the entire business was brought to a halt, as all DNS operations failed. It took hours for a minor change, which resulted in the loss of millions of dollars of revenue. The lesson is that even skilled workers can cause a significant problem if they do not follow proper management practices.

Remember that change management is a tradition. It all starts with this central idea that when IT managers cut corners, the IT staff does the same.

Mismanaging software development

Fred Brooks writes in his book, “The Mythical Man-Month,” that because of the unique nature of software development, planning for software development projects based on each of the “human” units does not work.

Although software architecture can easily be broken up into manageable, time-consuming components, the big production gap between the best and average code editors means that IT managers are less likely to work, but are more skilled, than programmers.  This means that, when they do work, they can be more productive.

Since its publication 30 years ago, The Mythical Man-Month has been a mainstay of software finance. However, many IT executives are still planning and executing projects based on this prohibited parable — implementing this approach can help an IT manager for a project staff that can have the right number of people for a certain amount of work.

Developing Web apps for IE only

Unless the leading apps continue their march in the web browser, and Windows dominates the compact desktop, web developers should avoid the temptation to build IE applications. IT outlets that insist on using IE for web applications should be prepared to deal with malicious code attacks like JavaScript.

Relying on a single network performance

When it comes to network performance, no one can judge the health of the network in terms of a single metric.  Douglas Smith, vice president of network analytics for network vendors, points out that it’s wrong to assume that network usage can be classified in a simple way. 

Successful network analysis means taking a step back and looking at the details of your business operations. Some features of the network, such as port usage, link usage, and user activity, can be tracked and measured, to determine whether your business operations are on the right track. 

Throwing bandwidth at a network problem

One common complaint facing IT is simple: The network is running slower than usual. A knee-jerk reaction is to add more energy. In some cases, this is the correct solution, but can also be the wrong plan of action. Without proper analysis, development potential can be a costly and unwise decision. Network Tools’ Smith describes this approach as, “I’m in the basement, so I need a new home.”

Permitting weak passwords

On the Internet, new threats are constantly emerging which are at the forefront of IT professionals’ minds. Still, a fundamental and archaic flaw in IT remains the use of poor credentials, such as weak passwords.  User accounts with well-known passwords or physical display; administrative accounts with weak or well-known passwords; and a weak or well-known password hashing algorithm can be either well-protected or visible to anyone. Avoiding weak authentication errors translates into simpler IT restriction and handling by restricting access to only those trusted members who have access credentials. A clear, detailed, and always-effective password policy that works to address authentication vulnerabilities, as detailed in the SNS report, is an effective strategy to promote the greatest internet security.

Ruining your outsourcing strategy

Outsourcing issues can quickly fill our Top 20 list alone. There are two distinct flavors of this type of problem. The first is the sin of the commission: outsourcing important IT tasks to avoid the difficult task of understanding them. It can be challenging to stop or change outsourced tasks, and they can cost companies a lot if things go wrong.

Dismissing open-source — or bowing before it

For better or worse, most IT stores are based on evangelization or avoidance of specific technologies or platforms.  This is no truer than in the open-source world.

On the other hand, most conservative IT stores reject open source solutions as a matter of policy. This is a big mistake, as it eliminates low-level, stable, and inexpensive solutions like Linux, Apache, My SQL, and PHP. On the other hand, emphasizing the open-source features of your IT operations can delay development, as developers are forced to consolidate open or unapproved source solutions in the presence of commercially viable software solutions.

 

Leave a Reply

Your email address will not be published.

You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*