Last year, as we headed into 2002, visions of terrorism and thoughts of how to brace ourselves against the worst of times weighed heavily on us all.
We worried about the physical security of the workplace, disaster recovery, cyberwarfare and securing our IT infrastructures. That won't go away entirely, but I think 2003 will be the year of security practicality. I think we'll see more focus on security policies and enforcement.
My editor's note to you last year suggested that 2002 would be the year for security management. I predicted the biggest problem facing IT security professionals would be the daunting task of getting your arms around all the security issues that cross all departments in an organization -- viruses, firewalls, intrusion detection, VPNs, infrastructure, passwords, user education, e-mail, etc. The list seems endless. I felt that security pros were more or less in a reactionary mode versus a preventative one.
I still believe that will hold true for 2003, but I think that we'll see IT security professionals dealing with security management by focusing on policies and the enforcement of those policies. This is practical and tangible. If you have strong policies for all of your security issues, you'll gain a stronger grip on the problems. And people will (and should) be held accountable.
Your user community needs to follow a stringent policy, too. How many of you have seen a shift in how your users are handling attachments, for example? If I use myself and some of my colleagues as an example, I'd have to say I've seen a huge change. When I receive a message with an attachment I'm not expecting, I immediately message that person back to verify that they had sent it to me. Just the other day, a colleague asked me about a Hallmark e-card I had sent. He wanted to know if it was legitimate. It was. Recently, my husband asked me about this message he received from a relative telling him how to remove a virus from his system. I smelled a rat and verified that it was indeed a hoax through our very own IT guy Joel Johnson. Small steps, but in an encouraging direction. There's hope for us users.
Our own organization has a policy for us to follow now. The only problem is that I never had to sign anything. I believe if you create a policy for users, you should make them sign their name to it with the knowledge that they'll be held accountable. This is practical, reasonable, and it makes you think twice.
Other policies are equally important. According to security expert Mandy Andress, there are several policies you need to have in place that can be combined to create a single corporate security policy: Acceptable Use, Remote Access, User Account/Password, Firewall and Network Policies. Mandy's article covers each of these in more detail.
A recent poll of more than 400 SearchSecurity.com users seems to support my theory: Security policies and user compliance topped the list as the most pressing issue at their companies. Read SearchSecurity.com news editor Michael S. Mimoso's article, which explored the results of this survey.
Enforcement of policies is another story. This is the most difficult part of all. How do you hold your users accountable? Next year, we at SearchSecurity.com promise not only to provide extensive coverage on creating policies, but we'll try to address how to implement and enforce them. In the meantime, I welcome your thoughts on whether you agree that policies are as big an issue as I perceive them to be. Or, if you have any policies you've created and implemented with success, send samples along to me. We'll post them to our site and share them in our newsletters.
Stay tuned for 2003 predictions from our team of site experts in an upcoming Featured Topic! Best regards and warm wishes for a happy New Year from the SearchSecurity.com editorial team.