As anyone in high-tech knows, the MBLAST Worm program
made a shambles of many PCs and servers over the last month. Despite
promises from Microsoft to increase the security of their software, people
continue to find and exploit these flaws to greater and greater effect. Among
the hue and cry that is raised with each new attack, high-tech professionals
can be heard disclaiming any culpability. “Microsoft is to blame for
lousy software.” “Hackers and script kiddies are to blame for
writing the exploits.” “Users aren’t bright enough to protect
themselves from attack.” While I don’t deny the truth behind any
or even all of these statements, I have some difficult news for high-tech
workers. Despite all these problems, protecting your systems is your responsibility.
Regardless of the culpability of any of the above parties, when you let your
systems become infected, and, even worse, infect others, you have failed in
one of the basic missions of any high-tech job. Failing to patch for known
flaws, especially when you know an attack will be forthcoming, makes you part
of the problem instead of part of the solution.
The buck stops here
Part of any high-tech job is keeping systems operating at optimal levels.
You spend hours updating software, troubleshooting problems, reading support
tech notes from vendors and much more reaching for this goal. Whether it is
implicitly stated in your job description or not, you are also responsible
for the physical and virtual security of the systems under your watch. Even
more, your boss probably believes, rightly or wrongly, that you are responsible
for these systems. You can explain about the difficulties of updating hundreds
of machines, the reasoning behind the attacks, the seemingly endless parade
of flaws and fixes, but, in the end, they are only excuses.
Does this sound harsh? I admit it does, but like most harsh statements, it
is based in reality. When you sign up for a high-tech career, you need to
clearly understand the challenges you will be facing. Much like the manager
of an office in a depressed section of town understands the reality of graffiti
on the walls, a network manager should expect attacks and do everything in
their power to prepare. If you are not clear on this from the start, you are
risking your entire career. You are the “keeper of the keys”,
whether you like it or not. Even if you would like to believe that it is not
your responsibility, I can guarantee that your boss sees the issue differently.
You are the first (and sometimes, last) line of defense. If you abdicate this
role, your company, your users and you will be at risk from every attack that
comes along.
Awareness
While it may seem like a heavy burden rests on your shoulders, you can elicit
help from those around you. In fact, this may be the only way to keep your
head above water. If you are in management, every employee, not just those
in IT, needs to understand the need for and application of security systems. Your
workers need to be on the lookout each and every day for security problems.
As a high-tech worker, you need to understand the importance of your role
in security. Finally, you need to do everything you can to allow your users
to help themselves, and thereby help you, protect their computers.
The other night, while IM’ing my sister, Denise, a fellow computer trainer
and consultant, she summed up the security situation in one word, awareness.
Making your users aware of the threats against their computer allows them
to exercise more caution when using their machine. She has been running non-stop
these last few weeks cleaning up worm and virus infections. In many cases,
her users opine, “If I had only known about it, I would have called
you first.” This lack of awareness is a failing not only on the user’s
side. She and I both realize that when our users are unaware, we have had
a hand in their ignorance.
Start today
If you don’t have effective methods of increasing your users’
awareness today, here are a few methods to get you started.
• Regular print/email newsletters
Over the last several months, I have produced a monthly newsletter to remind
my users about virus and other security threats, along with other information.
This never fails to elicit 2-3 phone calls or emails. Often these problems
would have gone undetected. In these newsletters I try to state the problem
in non-technical ways so that the users can clearly understand the threat
and how they can prevent it.
• Special Email Notices/Warnings
In severe cases, like the Mblast worm and others, I send out special notices
to the newsletter list. I use this sparingly, so that my users don’t
get blasé about the warnings. When they receive one of these special
notices, they know it is something important.
• Face to Face
Most important of all, whenever I am dealing with one of my users, I take
the time to reinforce the issues of security, software updates and anti-virus
programs.
While it may seem like a high-tech career is a thankless task, fraught with
opportunities for disaster, what job isn’t? There are ways to ensure
that you, and your users, are doing as much as possible to protect the security
of their systems. Be aware and share this awareness with others, whenever
you can. In this way, you can protect your systems while also protecting your
high-tech career.
Book of the week:
The Art of Possibility: Transforming Professional and Personal Life
Douglas E. Welch is a freelance writer and computer consultant in Van Nuys,
California. Readers can discuss career issues with other readers by joining
the Career Opportunities Discussion on Douglas' web page at: http://www.welchwrite.com/dewelch/ce/
He can be reached via email at douglas@welchwrite.com