IT Security Lesson Learned


I was recently reading an article about the most important aspect of information security. The article polled people from large enterprises to small businesses, and the answers were mostly the same: they all wanted to rely on some sort of application, appliance, or coded system policy to ensure security. The author argued that it is everyone's responsibility to know and do their part to ensure information security, and discussed education and awareness, among other things.

I totally agree with this, although I think it is easier said than done. It reminded me of an experience I had when I was the head of IT for a company in 2011. The CEO asked me whether we were secure and safe from hacking. I told him that we had all the pieces in place, including extensive external testing by an outside party, but that this did not guarantee we were safe. He gave me a funny look and asked how so. I cited an incident in which a process engineer at a company site in California brought a thumb drive from home to load some code for a program he was developing. I can hear IT professionals sucking in air as I write this! He assumed he was exempt from company policy, which required a device like that to be scanned and approved by IT before use, because the engineering network was isolated from the company network. It wasn't. At some point, someone had connected this supposedly stand-alone network to the business network to copy files.

The virus immediately began changing network system policies and replicating user accounts. Fortunately, one of our system administrators caught it right away, isolated the affected site from the rest of the company, found a fix for the virus, and cleaned it up with no loss of services to the rest of the company. Unfortunately, the affected site itself soon lost all network services, which prevented the group there from accessing important files and applications. The tough part was actually finding the source of the virus, which took the better part of a day, and then updating and patching the systems to get rid of the virus and cleaning up thousands of replicated user accounts.

Yes, I agree with the article that each person in an organization must know the risks and take personal responsibility for information security. As you can see, it takes only one seemingly harmless action to create havoc in an organization, no matter how large or small. An incident of this type was recorded and subject to audit. It was embarrassing, and I had to explain to the CEO, the IT steering committee, and the auditors why this happened and how we would prevent it in the future.

So what was the solution? Awareness, really: making every employee aware of security threats and how to avoid them proactively. Of course, we took care of the problem at hand; however, it was clear to me that not everyone was aware of the policies and procedures in place, nor of how severe the consequences of not following them could be. At that point I took it upon myself to launch an awareness campaign using several forms of media to get the information out. Did it work? As I was discussing the incident and the solution with the CEO, I wasn't so convinced. Would-be hackers and other creators of information security havoc are always at work coming up with clever ways to get at our information. However, I gained an enormous amount of respect for this CEO when he addressed the issue of security and awareness at a corporate management meeting. I learned a great deal from this experience about security, awareness, and how effective it can be when a leader takes responsibility and makes it not an IT issue but a company issue.


More articles by Carl LaMarr

  • IT Security Lesson Learned-Part B

    Writing the prior IT Security Lesson Learned got me thinking about other experiences I had over the years. Some were…
