So as the year trudges forward and the ominous threat of recession looms, thoughts of implementing and enhancing security seem moot. As often happens, security is viewed as a cost center, even more so during times of financial belt tightening.
But is now really the time?
This is the time to implement security or add those final pieces of the puzzle that have been missing from your environment. While it may seem daunting at first, corporations are continually weaving security into their environments pieces, particularly now that security software makers have made it easier to integrate those products.
But more money for anti-everything and the security appliances just isn't in the cards. Then consider better and more consistent security practices and procedures. While it is still a cost center for a company, it is an easier one to swallow. And these practices will help save your organization from the jaws of pesky online threats no matter how little technology you have to throw at them.
What pests am I talking about? Let's explore...
Of the major security issues and annoyances that plague businesses today, one of the biggest is spam. Spam, depending on whom you ask, accounts for about 70-90 percent of all email. Regardless of the amount, it still remains an undisputed bandwidth waster. Further, this spam often includes links to questionable sites that employees may think are legitimate, and can, when clicked on or visited, inadvertently invite malware into the corporate environment.
Quite a few good tools exist to tackle spam at the end-user level, or even at the portal of a corporate network. However, there often needs to be better controls at the internetwork level to prevent the wasted bandwidth.
But the sad truth is that unlike many sneakier threats to security, spam is usually easily identifiable. Seriously, how many pills does one need to enlarge various body parts?
Here is where the "it's not my problem" mindset rears its ugly head. Since the internetworks of the Internet are shared between major ISPs, it is everyone's problem and no one organization can convince them to work together to eliminate this. How about some cooperation then?
One thing that might help is to require consumer ISPs to freeze Internet access for those where it's determined that someone is sending spam and/or viruses. This can help reduce or eliminate the source of most of the spam. Certainly, some providers ensure that all mail relayed to a user is checked for malware before it hits the inbox, but the effect of this has yet to be seen and my not be quantifiable for a few years.
Another challenge that remains today is the set of vast email lists that are circulating among spammers. To this day, one specific email account that I have used for over 10 years receives spam email regularly, enough for me to finally disable it for the time being to see if it will settle down the volume to a dull roar.
Related to spam is my long-standing pet peeve: phishing.
It's interesting to note that the Anti-Phishing Workgroup has indicated a bit of leveling out in regards to phishing attack activity, although September 2007 did show a record high of 38,514 phishing emails (PDF).
Attackers are also getting a little savvier and realizing that they cannot continually assume the same major corporate identities. I do recall receiving such phishing emails for Canadian banks such as Royal Bank of Canada and Bank of Montreal -- unusual since prior to that my inbox was assaulted by fake versions of WaMu, CitiGroup and an assortment of larger US banks.