Disaster recovery and backups were deemed the most critical security strategy, a recent survey found. Few security professionals chose biometrics devices as being important to their organization.
Over three out of four survey respondents saw backups and disaster recovery as very critical or most critical to their operations. Just over one in four saw biometrics as critical (see sidebar).
The importance of other technologies and strategies falling between disaster recovery and biometrics is not really surprising. Mature, workhorse technologies ranked high while more specialized, newer technologies were lower on the list. For example, firewalls and virus prevention software rounded out the top three. Encryption and VPNs were at the bottom with biometrics.
The importance of disaster recovery and backups is pretty obvious. Should an organization lose its data, it probably wouldn't be in business for long. "Like many other companies, I believe that (backups) and (data recovery) have gained importance as a result of 9/11 and as companies have realized the inadequacy of their current plans," said Margles Singleton, security analyst at medical network First Health.
Steve Mencik, senior information security engineer with ACS Defense, Inc. and a SearchSecurity.com site expert, does daily incremental backups with weekly full backups. Backup tapes are stored in a different building than the system they are backing up.
"The theory is that while one building might have a fire, the odds of two buildings miles away from each other having disasters on the same day are pretty long," Mencik said.
Biometrics devices, on the other hand, are a tougher sell for management. Andy Tsouladze, senior Unix system administrator at UAL Loyalty Services, has found biometric devices to be a "reliable and convenient" way to control physical access to the data centers. "In fact, they are not just biometrics devices, since they also require access code," he said.
Yet other security pros question whether such devices are worth the cost. "There are other testing toys that I would try before biometrics," said Mark Hall, manager of Americas IS security and business recovery at Interface Americas, a flooring installer and distributor in LaGrange, Ga.
Mencik has tested biometrics devices but has found too many false negatives and that user reaction to them is hostile. "I do not anticipate the installation of biometrics on the production network anytime within the next few years," he said.
"We don't like to be on the cutting edge of new technologies except where necessary, and this is not felt to be a critical issue for us," Singleton said. "Exposure to the Internet is perceived as a much greater risk."
The survey's findings are consistent with the "back to basics" approach to security, said Robert Lonadier, president of Boston-based analyst firm RCL & Associates. Lonadier sees three questions that the 10 technologies and strategies address.
How do I protect my critical information assets? Backup/disaster recovery.
How do I protect my networks from outside attack? Firewalls, virus prevention, network/data access, intrusion detection, authentication, and VPN/Encryption.
How do I keep my employees from unintentionally (or otherwise) compromising security? Employee policy/awareness, network/data access, intrusion detection, authentication, VPN/Encryption.
"Keep in mind that the question asked about critical technologies, not necessarily what technology is (or will be) hot, which is what a large portion of the vendor and editorial community speaks and writes about," Lonadier said.
For Hall, attempted virus infections are the most frequent and dangerous security events. Antivirus software is an easy, affordable way to prevent such events, he said.
"Firewalls are necessary for so many reasons. However, I think the legal ramifications of operating without one are the most significant concern for firewalls," he said.