Pondering IT security basics

Illena Armstrong, editor-in-chief, SC Magazine

In this month's View from the Top feature, we get some insight into what a panel of 100 CEOs thinks about information security. What we found was that while many respondents are quite optimistic about information security risk planning, showing intentions to bolster their security practices in the next five years, they also seem to underestimate the IT security risks they face in a corporate world resting on a technological backbone.

It is worth reviewing a little more: a majority of respondents don't have an official written information security policy, and 47 percent do not actively train employees on information security risks. After recently speaking with a CSO of a long-standing enterprise, I was troubled to find out that, as the economy continues its downward spiral, one of the first line items his company cut was IT security awareness training. Yet, given that social engineering, phishing and other end-user-focused attacks are alive and kicking, such training helps to address one of the more worrisome security problems with which he must struggle.

Another IT security leader at a large university just shared with me a phishing attack that is making the rounds in his college. Making requests of faculty, staff and students for webmail account information due to an impending website upgrade, the scam prompted some end-users to pass along their information to avoid any possible hiccups in service. He's now trying to determine the extent of the problem to ensure that no account holders gave up information that potentially could expose personally identifiable information. Meantime, he's sent out a note to all members of the college, explaining what to look for in official correspondence from university officials.

Although a few CEOs may indeed view some IT security practices as superfluous, the fact is there are fundamentals that just can't be underestimated. Policies, training and simple awareness campaigns that keep employees updated on risks and solutions can't be overlooked. Even if money's tight, these basics often can be executed inexpensively and can have a great effect on how employees think about IT security threats to corporate and their own personal information.

Speaking of employees, please help me to welcome our new reporter, Angela Moscaritolo. With a strong newspapering background, Angela's got a nose for industry news and is ready to hear from you.

 

 
