At the RSA Security conference recently in San Francisco, the big news was a new set of cybersecurity best practices, a new application vulnerability description language and a push for Web services security, along with the usual collection of new IT security products. Considering what a messy, continuously changing security picture we face, it's all worth digging through when you get the chance. Piling more security technology onto your networks and servers and desktop PCs is usually a useful thing.
But while you're upgrading your security technology, don't forget to upgrade security in your users, too.
Not for your users. In them.
Look, you've got firewalls and virus filters and intrusion-detection systems. You scan logs and tune settings. You go hunting on a regular basis for unauthorized wireless gateways and off-the-network modems. You've built a security fortress, and as long as your users are inside that fortress, they're pretty safe.
But they won't stay inside that fortress. Inexpensive technology lets office workers take the office with them wherever they go -- or at least it seems that way. Maybe it makes them more productive, but it also exposes all that office activity to the world outside the protections of their real office.
Cheap wireless access points make home networking easy. But they can also expose access to your networks and data if an office worker connects from home while still hooked up to his wireless network.
Cell phones make it easy for outsiders to eavesdrop on business conversations. Laptops with big, clear screens make it easy for people even a few seats away to read confidential documents. An enterprising snoop can even copy hundreds of megabytes of information from a laptop with a CD burner left running on an airplane seat while its owner waits in line for the lavatory.
Laptops are thief bait in airports, parked cars and even overhead bins in airplanes, and they're typically stuffed with confidential business information. But so are handheld computers, which can easily hold documents, spreadsheets and databases these days -- and are much easier to steal than laptops.
And that's just the tip of the iceberg. There are endless ways users can compromise the security of business information once they're outside the office, and there's not much you can do about most of them. They're outside your security perimeter -- beyond your reach.
Yes, you can add more security technology. You can try to chase down and block off every security hole in each user's portable office.
But none of that will be as effective as improving the security in the user.
Because in the end, security is a set of disciplines practiced by users, not just a set of technologies implemented by IT. Security awareness, good habits and common sense on the part of users won't replace firewalls and intrusion detection. But the technology alone won't be much use without security-smart users.
So, what can you do to upgrade your users' security? These days, you don't have the budget to send them to security classes. But you can send them reminders to be security conscious. Point out specific risks of wireless hubs, laptops, handhelds and other technologies outside the office. Make specific suggestions for avoiding those risks. And offer help if users have questions or problems.
And when they do call for help, don't just tell them, "No, don't do that!" Work with them. Look for options and alternatives. Find solutions that you and they can live -- and work -- with.
Build real security into your users. Then you'll find out just how useful all that security technology can be.