IT manager slumber party

The IT manager who's convinced his or her network is totally secured is just that much more likely to be the next headline, in the tradition of Monster.com, TK Maxx, Barclays and Nationwide, to name but a few, writes Alex Raistrick, director Northern Europe at ConSentry Networks.

The clamour from the House of Lords and throughout the UK for data breach disclosure laws is just one piece of evidence that people have lost faith in companies' ability to protect their private data. In view of this rising concern and the rising number of breaches, enterprises need to do everything they can to reduce the chances of falling victim to one. The key to this? Implementing internal controls.

Companies have long protected their perimeters, but the perimeter is now long gone and protection from within is the essential security frontier. IT managers need to find a way to exert control from within the campus by establishing who can get onto their networks and, more importantly, what users can do once they’re on the LAN. They also need to protect against malware being unleashed – either accidentally or intentionally – that can aid in breaching privacy.

IT managers who think that passwords, anti-virus software, firewalls, or other security techniques already in place are sufficient should speak to those who lost their jobs at Barclays, Nottingham Hospital, and TK Maxx.

In this day and age of contractors, outsourcing, joint development projects, and remote working, companies can be far less certain of who’s on their LAN. As a result, they need technologies that can help them segment the users, identify the users and their roles, and limit their LAN access based on that role.

In one recent case, a LAN assessment showed what a worker coming in on a Saturday was actually doing. The worker had requested permission for overtime work because he was too overloaded to complete a project. The request was approved, because the project was time critical, but it turned out that he spent many hours that Saturday copying his recent vacation pictures from his laptop to an internet-based photo-sharing web site, adding captions along the way.

The reality is that businesses have had very limited resources for learning about user activity on the LAN. Typically, a company can at best authenticate whether a user belongs on the LAN. But only recently has IT had the ability to track and control what users can do after they’re on the LAN. Businesses shouldn't despair that they don’t have these controls in place now – they just shouldn't delude themselves that they don’t need them.