There is no shortage of people who are prepared to offer you gentle, painless, feel-good advice about what you should do to help improve your company’s computer security posture and minimize opportunities for someone to make off with your hard-earned corporate riches. What’s decidedly lacking in the security advice business is “tough love.” Let’s be honest: you don’t care about security as much as you care about profit, and that’s OK…until a security issue means there won’t be any more profits.
- Focus on Being a Business. Are you in the sports business? No? Then why do you let people surf ESPN.com? Benign surfing on company time seems like a small thing given the boost in morale it supposedly gives people in between tasks, but allowing anything more than the essential types of traffic through your systems is inviting trouble. Action: Don’t let anyone do “fun” stuff online at work, but let them go home once their daily tasks are done. People can still goof off online – on their own time – and you’ll probably learn a lot more about your company – and how you can increase profits – than you thought you did.
- Walk the Walk. If you've decided that computer security is a company priority, back up your public pronouncement with concrete and public action. It doesn't matter what size business you’re in, everyone who works for you takes their cues from what you do, not what you say. If you say “computer security is a priority” but don’t increase the security budget, find or upgrade your existing talent, etc., no one is going to take you seriously. Action: Make security the first thing you talk about at every staff meeting, not something you address at the end as everyone is standing up to leave.
- Go Retro. All those technological wonders your business uses in its operations work just as well for the bad guys once they’re inside. Think of some process that is vital to the life of your business that is completely automated for the sake of convenience; now think about how an attacker could leverage those same processes to bankrupt you in the blink of an eye. Action: Replace one of those optimized steps with a task that must be completed in meat-space. You've just added a few minutes to the process, but you’ve also made it more difficult for an outsider to disrupt your operations via purely technical means.
- Make It Rate-able. People only care about things if they’re evaluated on them. Do you base bonuses on how many widgets above a minimum people make? Are you surprised your people pull all kinds of weird and even unsafe tricks to increase their widget output? Action: Tie rewards and/or advancements to maintaining a record of zero security violations; reward people on the spot who point out security problems. Watch how much people suddenly care about doing the right thing when you invoke the power of Benjamins.
- Fire Someone. If you truly believe that computer security should be a priority in your company then you should treat egregious and/or repeated violations of security policy as you would any other policy related to the viability of your business. Nothing gets people’s attention like watching Alice or Bob do their best Chuck Connors impression. Action: Work with HR to build a legal, supportable policy and procedures designed to either put violators on the right track, or show them the door.
You’re probably not going to do any of these things, but whatever you are doing, make sure you review it on a regular basis for efficacy. Nothing says you really don’t care about security more than doing the same thing year in and year out and wondering why you still keep getting owned.