6 Signs You Need to Re-evaluate Your IT Security Strategy

Updated: May 05, 2009

We all know that the Internet is a dangerous place to do business. And we all know the basic drill for protecting our irreplaceable business assets: anti-virus software, anti-spyware, security devices, firewalls, the latest Microsoft security upgrades and so forth.

Precautions such as these fall under the umbrella of defensive tactics, securing your network behind a protective wall of hardware and software. Yet small armies of hackers spend all day, every day, looking for ways to break into your network, so it's no surprise when we read about systems being compromised. For instance, an employee's kid might use her dad's work laptop to download the latest Kanye West hit — and catch Conficker with it.

Maintaining a secure network requires more than the right hardware and software. It calls for an effective, flexible security strategy. If any of the following high-risk scenarios are familiar in your business, have a serious conversation with your IT security team. And do it first thing tomorrow morning, if not sooner.

1. You have the latest firewall. Your anti-virus software updates every 10 minutes. You're totally safe, right? Wrong! Depending on any particular security device or software suite, no matter how capable, can be a huge mistake. Firewalls can be bypassed by a hacker with the right hardware and zero-hour code, and clever worms can disable AV updates. You must think strategically, which means talking to your IT security team.

2. You changed your system passwords six months ago. You keep a list of them in your desk drawer. And to make them easy to remember, you use simple variations of names of family pets, kids and cars. Look out! You have set yourself up for a bad wake-up call. There's a well-established science of password-cracking, and hackers are expert in deploying it against you. You must follow best practices when it comes to passwords, and anything shorter than six characters changed every 90 days is unacceptable.

3. You haven't had a company-wide meeting on the subject of social engineering techniques in months. Or ever. Remember the 2004 tsunami in Indonesia? Remember the 2008 earthquake in China? Remember all those emails you got the next day including links to exciting photos of those disasters? Maybe you were smart enough not to click on them (thereby downloading some horrible worm), but are you confidant that every one of your employees was equally paranoid?

4. Your IT security team has been too busy to store data backups securely off-site — and too distracted to test those backups by performing regular restores. Malicious software attacks derange or corrupt business-critical databases every day. And there is no worse feeling in the world (trust us on this) than turning to your backup only to discover that it's damaged. You are doing full, daily backups, right?

5. Laptops that travel outside your place of business are not fully encrypted. You wouldn't believe how easy it is to crack simple password protection on a lost or stolen laptop. If your employees use their laptops to store private information (like customer credit card numbers), proprietary data or anything else you wouldn't want to see in tomorrow's newspaper, that information must be encrypted. Remember, under current laws and regulations, you may be legally responsible if confidential information is compromised due to your negligence.

6. You haven't had a serious conversation with your IT security team in months. Paying attention to security issues is the single most strategic move you can make in developing and maintaining an effective risk management plan. It's like keeping a watchful eye when you walk down a deserted city street. Security is a process, one that must be revisited repeatedly as new threats emerge. Every day.

This is just the beginning, a way to get you thinking about your IT security strategy in a new way. Are there another six danger-scenarios? Another 12? Only your security team knows for sure, so ask.