· Christmas Eve, 1997, it was a story of “Not a creature was stirring, except for the email administrator”. I had started a new job in October as an Applications Manager for an LLP to whom email was crucial. One of my challenges moving forward was to migrate the company from GroupWise mail to MS Exchange. The GroupWise system had been having a lot of issues, according to the CIO. He felt that the aging technology was causing undue stress on the company’s partners and, therefore, undue stress on him. Until such time as we were able to schedule the migration, it was my responsibility to stabilize the existing email system to reduce the noise about email. That afternoon, I remember reaming out an attorney for sending pictures of his daughter at a horse stable to over twelve relatives. His emails were slowing down the delivery of the dancing elves that others had sent. Stuck between those files were some crucial contracts that had an expiration date of midnight. The glut of files took time to clean out and caused mail to be backed up for hours. Thankfully, Exchange is easier to clean up and bandwidth is cheaper.
· In 2000, I was told by an older partner at the LLP, “You can’t fix stupid”. He in fact called the person who caused the 3rd or 4th outage due to an outbreak of the ILOVEYOU virus. I was standing in his office while he bellowed at the unfortunate person, “Are you insane or just stupid?” Although we had gotten quite proficient at our response to the outbreaks, time down for attorneys meant fewer billable hours. After that incident, we thought outside the box and came up with a solution to prevent the spread of the virus, before the antivirus companies came out with signatures, and over a year before we bought an email filter solution.
· When Michael Jackson’s memorial service was streamed across the internet, we actually had to shut down streaming (possible only because of the technology we had already purchased) and access to social websites to keep end users from shutting down or slowing access to our revenue-generating web-based applications.
· Going over a corporate file server (inevitably looking for disk space), we first targeted media files. Over 30% of the directories had a variety of non-work-related music, video and photos. Before you ask, yes, there were policies that employees signed off on that noted there should be no such files saved on corporate systems.
· Performing a social engineering “test”, employee after employee failed (including technologists who felt they should investigate a dropped memory stick in case it fell into the wrong hands) to follow corporate guidelines.
Looking back, end user behavior hasn’t significantly changed.
Luckily, technology has evolved to manage these situations with more success
than in the past. But is that what makes the most sense?
· Email filter - There are multiple products and services that manage this better than any threatening phone call and are far less expensive than dealing with a data breach.
· Antivirus/Malware solutions are absolute MUSTS.
· Disk space management products - Data quotas can be set up at system creation, but once a system is in place, it’s impossible to go back and perform cleanup without manual involvement. A good ole DOS batch file scheduled to run once a week can go a long way toward keeping servers clear of media files that shouldn’t be there.
· Patching solutions – I appreciate the simplicity and ease of patching with a managed solution, but depending upon the size of a company, it may not be feasible. This has to be a cost-benefit decision on the part of technology. How many hours and techs does it take to patch the environment? Can this be done manually on a timely enough basis that it prevents exploits? If the answer is no, then consider a management solution that offers sufficient flexibility so that patching can be managed in a risk-averse manner.
· Intrusion Detection System – Consider this as a risk proposition. If you are a financial services company, the risk may be greater than the cost of reacting to a breach. With security industry prescribed firewall configurations and port blocking on subnets, it is possible to adequately defend your perimeter. With other security restrictions in place, it IS possible to detect and defend against fraudulent insider behavior.
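The weekly media-file sweep suggested under disk space management, as an added example that is not the author's batch file: a report-only Python audit meant to be run from a weekly scheduled task against a share. It goes one step beyond a name-based sweep by also checking each file's leading bytes, so renamed media files are still reported; the extension list and signature table are assumptions to adapt to your own policy.

```python
import os
import sys

# Constructed extension list for illustration; tune it to your own policy.
MEDIA_EXTS = {".mp3", ".wav", ".avi", ".mov", ".mp4", ".mpg", ".jpg", ".jpeg", ".gif", ".png"}

# Leading bytes of common media formats, used to catch renamed files.
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"), (b"GIF8", "gif"),
         (b"ID3", "mp3"), (b"RIFF", "riff")]  # ID3 = tagged MP3; RIFF = WAV/AVI container


def sniff(path):
    """Return a media type if the file's first bytes match a known signature, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(12)
    except OSError:
        return None  # locked or unreadable file: skip it rather than abort the sweep
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "mp4/mov" if head[4:8] == b"ftyp" else None  # ISO media: 'ftyp' at offset 4


def audit(root):
    """Return ({directory: [(file, size, reason)]}, share of directories holding media)."""
    report, total_dirs = {}, 0
    for dirpath, _subdirs, files in os.walk(root):
        total_dirs += 1
        for name in files:
            full = os.path.join(dirpath, name)
            kind = sniff(full)
            if os.path.splitext(name)[1].lower() in MEDIA_EXTS:
                reason = "extension"
            elif kind:
                reason = "content:" + kind
            else:
                continue
            try:
                size = os.path.getsize(full)
            except OSError:
                size = 0  # file vanished or became unreadable mid-sweep
            report.setdefault(dirpath, []).append((name, size, reason))
    return report, (len(report) / total_dirs if total_dirs else 0.0)


if __name__ == "__main__":
    found, share = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, hits in sorted(found.items()):
        print(f"{directory}: {len(hits)} file(s), {sum(h[1] for h in hits)} bytes")
    print(f"{share:.0%} of directories contain media files")
```

The script only reports; what happens to the listed files afterwards (notify the owner, quarantine, delete) is a policy decision left to the team.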
Creating a stable, structured and secure technology environment does not happen by luck, at least not forever.
Taking a layered approach:
· Begin with end user and technology team education,
· Tailor your policies and procedures to support the risk footprint the corporation is willing to support,
· Don’t jump to the conclusion that expensive software solutions will fix all of your problems. Without adequate processes and procedures in place, a team will fail, regardless of the tools provided.
· Implement built-in support tools
  o Don’t ignore the value of logging,
  o Don’t ignore the value of team-led strategy sessions for issue reviews,
· Invest in your team’s education and morale
· Invest in solid vendor partnerships. They will be as interested in your success as you are.
And honestly, prayer never hurt.
Good stuff. Thanks for sharing and yes, prayer never hurts :)
AMEN! Oh and Amen for the prayer also.