ZDNet UK


Security threats Toolkit

The five reasons you're not secure

John McCormick

Published: 05 Apr 2005 10:55 BST


5. Expecting too much from technical skills
The fifth biggest mistake — and this is one I see all the time — is an unhealthy reliance on the IT staff's technical skills for security planning.

When choosing someone to head up security, most managers see nothing but the incredible complexity of networks and software, and they then assume the best person for the job is the one with the most technical skills. However, while technical knowledge is necessary, a gut feeling for security along with a healthy dose of paranoia is far more important for the head of security, provided someone on the IT team has the knowledge and skills related to the technical side of software and hardware security.

Having a strong security background from a stint with a university police department and more time with a detective agency, I can often walk through a company and spot a dozen critical security errors, which render all the best software security practices completely useless. If I wanted to compromise some company's IT security, I would either get a job with the cleaning company or fake a UPS or FedEx uniform. I could walk in carrying a big package and simply walk out with what I wanted in the previously empty box. Think about it: Would that work at your business?

Final word
Last week, I listed some recent security breaches in California. Since then, details of yet another information theft have come to light, and this incident points out just how much security depends on an old-fashioned cop mentality.

On 11 March, someone walked into a University of California Berkeley office and walked out with a laptop containing personal data about more than 98,000 people, including Social Security numbers. This theft not only highlights the need for simple and basic physical security, but it also emphasizes a misplaced reliance on technology. Apparently, the university had instituted encryption technology. However, while they had scheduled the laptop for encryption, no one had yet encrypted the notebook's hard drive at the time of the theft.

This theft, as well as the data theft incidents at other California universities, is even more striking when you consider that California State University is presenting the third annual Information Technology Security Conference in San Diego this month.

The irony abounds, especially in this quote: "Major sponsorship from The California State University highlights the commitment of the higher education community to understanding and addressing the issues surrounding information security... " I was thinking of attending, but I balked at the idea of providing registry information online!
