October is National Security Month and while not a sexy topic, network security does include ample intrigue, betrayal, and high emotion. Unfortunately, no one cares about security UNTIL something happens, but savvy business people know they can’t fall asleep at the wheel or risk heavy damages and loss. Network security is two-thirds business approach and process and one-third technical. You start with what is acceptable for business risk and then weigh against prevention and tracking.
Most security risks come from employees, either inadvertent or malicious (and not external hackers). While an organization should have employee agreements and an employment manual, the easiest and most common thing overlooked is a logon banner. For no cost, this legal notice may be displayed at each logon and accepted by pressing Enter or clicking OK. The legal notice should state simply that computer use is for the business of the organization, may be reviewed at any time by the organization, inappropriate use may have administrative, civil, and criminal consequences, and to log off if the user does not agree. Without this regular affirmation, all the money spent on attorneys and HR consulting can easily be nullified by the employee by claiming ignorance and simply stating nothing else was ever said again about organization policy after hiring.
Similarly, most organizations practice limited prevention or tracking and often don’t know when to employ each. Utilizing web filtering to block all non-business related activity (yes you can have different rules for lunch or after hours) enforces policy with minimal management. The days of trying to run a report of Internet activity is nearly impossible due to the variety of applications that are always Internet connected. Further, meaningless reports that no one has the time to review are a waste of time and worst demonstrates indifference.
Among other benefits of cloud computing, many organizations are reaping the rewards of document access tracked by user and date/time and any e-mails are journaled for record keeping purposes, regardless of what an employee deletes from their mailbox. Versus expensive on-premise systems and storage, organizations can now not only add productivity while enjoying lower technology costs, but have proof information access and transmittal for regulation, compliance, or legal matters.