Rethinking Security

I had the opportunity to spend some time with Don Codling, unit head for the FBI’s CyberCrime Division, talking about the state of computer and network security around the globe. It was an interesting conversation, not because there was any real news in the current trends but because the state of cybercrime makes it clear we have to re-think our entire approach to security.

To be honest, I’ve always treated computer security lightly. If you take a few sensible precautions, don’t cruise the porn sites on the Internet and use a good email filter, security software for a PC seemed more a way to separate fools from their money than anything else. To prove the point, a few years ago I ran a server wide open on the Internet without any protection at all for more than two years … without a single problem.

But things are different now.

It’s not just that organized crime and terrorist organizations have turned to online crimes to fund their operations. It is not even that a legion of hacker wannabes tries to find and exploit weaknesses in just about every piece of software released today. And it is not that computers are in some way more vulnerable than they used to be. The biggest problem is scale: there are more than two billion people online today, and by definition half of them have below-average tech skills. Or intelligence, for that matter.

Two billion people means that there are more people who will open any email attachment that features hearts or nude pictures of Britney Spears, no matter who the email is from. More people who just have to play games on Facebook, no matter how many viruses infect them. More people who are clueless about the dangers to their cell phones and other computing devices. Two billion people who will log onto your accounting portal without a second thought about what they do to your system.

So it is time to re-think how we do security, building it around five simple steps.

1. Choose your Internet Service Providers for their filtering. In the good old days, ISPs were loath to filter anything that came toward you, preferring instead to be a simple information pipeline and let you choose what you wanted to look at. Today, competition in the broadband marketplace means you can also choose an ISP that offers a higher level of security. So the first step is to actually interview your service providers — not only the primary ISP, but your email and web hosting services if these are separate. Ask concrete questions: what they filter inbound and outbound (spam, known-malware downloads, connections to known bad hosts), whether they will notify you if a machine on your connection starts behaving like a bot, and how quickly they patch their own systems. While you’re at it, the accounting software vendor that provides your portal or online access should be interviewed about its security measures as well: how it authenticates users, whether the connection is encrypted, and how you would be told about a breach.

2. Get some anti-malware software. The days when protection cost an arm and a leg are over. From Microsoft to AVG, there are free options for computers. In addition, there are other products we have discussed here in the past — like Lavasoft’s Ad-Aware and Spybot – Search & Destroy — that are free and should be run on a weekly basis. Two caveats: a scanner is only as good as its last update, so make sure it updates itself automatically, and run only one real-time scanner at a time (the on-demand tools such as Spybot can run alongside it).

3. Turn off your computers at night. Old-think said that there was no need to turn off computers when you left for the day; that it was actually better to let them run. But “botnet trojans” that install on your machines and use them for criminal purposes do their work whenever the machine is on, and the overnight hours are exactly when no one is around to notice the unusual level of activity. Turning a machine off does not undo an infection that happened during the day, but a machine that is off cannot be reached at all: it is not available to its botmaster, cannot be probed over the network, and cannot be used to spread to the rest of the office. It also shortens the window between an attacker finding a hole and you being able to notice it.

4. Separate work and play. It may seem churlish to tell employees that they can’t check their Facebook page during work hours, or do a little shopping. But it’s the only way to stay safe. Make the policies, and make them stick. No software installed on any office machine unless approved. No visits to websites that are unnecessary for work. No kids using business machines … not even in the home office. A policy nobody can break by accident is the one that sticks: give employees standard user accounts rather than administrator rights, so that “no unapproved software” is enforced by the machine and not just by the memo.
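One way to check whether step 4 is actually holding on a Windows office machine, as an added example that is not part of the original article: list what is installed (from the registry Uninstall keys) and who is a local administrator, and report anything not on an approved list. The approved lists below are placeholders you would replace with your own.

```powershell
# Added example, not from the article. Audits one Windows machine against two
# allow-lists: approved software and approved local administrators.
# Both lists are assumptions; edit them for your own office.
$ApprovedSoftware = @(
    'Microsoft Security Essentials',
    'Mozilla Firefox',
    'Adobe Reader'
)
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\IT-Admins'          # placeholder domain group
)

# Installed programs are registered under these Uninstall keys (64-bit, 32-bit, per-user).
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate -Unique |
    Sort-Object DisplayName

# Anything whose name does not start with an approved product name is flagged.
$unapproved = $installed | Where-Object {
    $name = $_.DisplayName
    -not ($ApprovedSoftware | Where-Object { $name -like "$_*" })
}

# Members of the local Administrators group who are not on the approved list.
# Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$rogueAdmins = $admins | Where-Object { $ApprovedAdmins -notcontains $_.Name }

Write-Host "Software not on the approved list ($($unapproved.Count)):"
$unapproved | Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize

Write-Host "Local administrators not on the approved list ($($rogueAdmins.Count)):"
$rogueAdmins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# Non-zero exit code lets a scheduled task or login script notice a failing machine.
if ($unapproved.Count -gt 0 -or $rogueAdmins.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it from a scheduled task or a login script and collect the output centrally; a machine that exits non-zero is one where the policy has already been broken, whether by an employee, a child, or a piece of malware that installed itself.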
