Recently, when I visited a client, I was asked to check my laptop at the door. The guard was somewhat surprised at my stated value of my system. "Is this computer really worth a million dollars?" he asked. "No," I replied. "The information on it is worth that."
If you're an IT manager, it's time to do something worthy of the value of the information you're protecting.
First, remember that a tough information security policy is a double-edged sword. On one hand, you may have a CEO demanding policies that maximize system security, so as to protect corporate assets and the stock price. On the other hand, you have users who will bypass any procedure that overly complicates their work. In the harsh post-Sept. 11 reality, the emphasis is to err on the side of the former. But if you rush to tighten procedures without considering how they will affect end users, that can easily lead to wasted time on policies that don't really work, and to gaping vulnerabilities.
No one wants to work for an organization that resembles something out of Orwell's 1984. While it's important to secure information and systems, it must be done in a way that maximizes adoption and won't make users rebel against draconian measures. The more secure your environment, the greater the inconvenience to end users, and the greater the likelihood they will find ways to defeat your measures and widen your exposure.
For instance, while 30-character, randomly generated passwords are difficult to break, they're impossible to remember. So let users create passwords that mean something to them and can be applied to the multiple systems many corporate users must access. That way, they'll be less likely to tape them to the bottoms of their laptops (next to their business cards, so thieves can return them after purging the data).
Second, prevention hurts less than cure. Don't rely on antivirus software alone as a preventive measure; focus on data backups. Most antivirus software is a waste of time, and the fact that its vendors depend on new viruses for their livelihood is disturbing. (Some vendors even pay "bounties" to users who "discover" new viruses or strains.) So instead of hassling users who need to sit through boot and virus scans, implement cohesive data backups, such as a master file for PC users or CDs for laptops. That way, if disaster strikes, users can be back up and running quickly. You can't argue with the savings in time and money.
Finally, wherever data lives, know your risks. Laptops carry great risk and often hold sensitive material that's unsecured and susceptible to theft and industrial espionage. But with increased PDA and smart-phone use, your data and sensitive corporate information are traveling to places no one foresaw. PDA policies should mirror those for laptops, and the anemic built-in protection on PDAs and smart phones should be supplemented with robust third-party software that encrypts the data they hold.
Given the value of the data on your systems, what are you doing to protect it? The answer to that question has as much to do with your users' willingness to work with you and comply with policies as it has to do with procedures. So get tougher on security, but be gentle with your end users.