Gary Bronson wrote: |
Security is about more than just technology. Sure, you have to use secure products, but building an environment where data is safe means ongoing diligence, both in the use of technical best practices and in confronting social engineering threats through changes in individual and group behavior. With this in mind, I decided to organize a security conference at the Boise, Idaho, headquarters of my company, Washington Group International, a construction and engineering firm. We brought in industry experts, featured speakers, panels and discussion groups. Here are the lessons that emerged:
Ensure that visitors are escorted in and out of the building. It is too easy to walk into a place of business, sit down and get on the network. Do not give out log-in and password data to anyone. Default accounts should not be used. Passwords for administrators need to be sophisticated and include a variety of alphanumeric characters. Special characters are also recommended. Follow strict procedures when employees are terminated to prevent them from gaining unauthorized access. With the introduction of features, there is a risk of introducing security flaws. When we push for an immediate implementation and do not follow appropriate testing, we open ourselves to security risk. Don't give hackers too much credit. They often use old exploits. Keep current with your security patches. It's a good idea to keep news of security incidents within your company. Sharing knowledge in a community works for some technical areas, but publicizing such information might expose you as a target. The bottom line: Plan security from the beginning so you don't have to wonder why you didn't in the first place. |
Quote: |
If everyone were to keep this info quiet those in charge of the money may simply ask why should I spend all this money on security, the hard data of companies falling victim doesn't show that bad a picture? |
thllgo wrote: |
Good point. It could be rather problematic, particularly for a company that provides e-services. Could not a system be established where a company can submit the info anonymously? |
output generated using printer-friendly topic mod, All times are GMT + 2 Hours