IT security is like insurance: a foolish waste of money — until disaster strikes.
Still, businesses need to be intelligent about planning and deploying IT security technologies and practices. Just as a driver wouldn't insure a rusty 1971 Ford Pinto for $1 million, a company shouldn't adopt security measures that, in the long run, wind up costing more than they're worth.
Many businesses are tempted, however, to skip key security measures and simply pay to fix things if and when a problem occurs. Is this a good idea? Let's examine several worst-case security scenarios and see what effect they would have on a business.
Drop Malware Protection: Why spend all that money on software and filtering? Let all the world's digital effluvia flow into your employees' workstations.
The Worst That Could Happen: Expect crippling infections that bring work to a halt and expose systems to external attacks and data thieves. Sadly, all the money in the world isn't going to help your company retrieve stolen business secrets. On the other hand, some would argue that many systems, such as Linux, Macintosh and Windows Vista machines, don't really need malware protection thanks to built-in security measures and/or a lack of attacker interest. The choice is up to you.
Skip Spam Filters: Like malware protection, spam filters are costly. They can also cause employees to lose legitimate email.
The Worst That Could Happen: Employee workstations become overloaded with spam, raising tempers and slowing productivity. If you can live with this situation, go ahead and skip the filters. On the other hand, you can pay for the filtering technology and fine-tune the software so that it won't snag legitimate messages.
Eliminate Passwords: Passwords are tough to remember, annoying to use and hard to manage.
The Worst That Could Happen: Actually, if you approach this proposition properly, your company's security will improve. That's because simple passwords are easy for attackers to crack, and employees tend to write down — and lose — complex passwords, creating a very real security peril. Instead, consider dumping passwords and using dual-factor authentication technologies such as biometrics (like a fingerprint reader) or smart cards.
Halt Employee Security Training: Training is expensive and time-consuming, and it often annoys employees.
The Worst That Could Happen: Untrained employees will inadvertently expose your business's systems to various types of attacks. Training, fortunately, can take many forms, ranging from manuals and Web sites to formal classroom sessions. Determine which approach best fits your business by analyzing your work force and its security knowledge level, as well as by conducting a cost-benefit analysis.
Laptop Data Is Left Unencrypted: Data encryption can be an awkward and time-consuming process. Plus, if encryption keys are lost, important data could be gone forever.
The Worst That Could Happen: Laptop thieves could gain access to confidential business data. On the other hand, if employee laptops don't contain any critical data, encryption isn't needed. Consider limiting remote access to critical data to secure network links. Also, you may want to forbid employees from carrying any sensitive data on laptop drives, discs or portable storage devices.
Pull the Plug on Wireless Security: You decide to wave bye-bye to wireless encryption and stop searching for nearby rogue access points.
The Worst That Could Happen: Your wireless network is exposed to snoops, data thieves and service freeloaders. Attackers could also use your company's unprotected wireless network as an entry point to access data on its wired network. Given these multiple threats, and the relative simplicity and low cost of wireless security, you really don't want to scrimp in this area.
Disable Network-Perimeter Security: Who needs technologies like firewalls, intrusion-prevention systems and VPNs (virtual private networks) anyway?
The Worst That Could Happen: Attackers run amok over your network. While some form of perimeter security is necessary, most businesses don't need all or even most types of perimeter controls. Choose your network defense safeguards wisely and make deployment decisions based on your network's design and protection needs.
Ignore IT security at your company's risk. A sensible strategy is to carefully choose the technologies and practices that make the most sense for your business.