Now that the dreaded Code Red worm has apparently slowed to a wriggle, talk has turned to just how big a threat it was in the first place. Critics are fingering the beleaguered FBI and frenzy-seeking news media for overstating the risk. Microsoft has taken its usual lumps, while a few pundits have aimed pot-shots at security analysts and consultants for raking in the free publicity.
There’s no shortage of blame, it seems, but what about solutions?
Obviously, “patch and pray” is not a viable long-term enterprise strategy. Nor are scare tactics.
And outsourcing? Well, carving chunks out of your business could mean a lot less control for a lot more money.
As a journalist, I tend to favour a strong communications strategy as a first line of defence.
While I don’t think panic-mongering press releases or news stories will have long-term effects, in this case, the hype may have helped cut down on the rate of infected servers.
Over time, however, folks will just chuck warnings in their recycle bins (real or virtual), as they become inured to cries that the sky is falling.
Think of all those annoying virus alerts you receive through e-mail. Do you read them? Of course not; you’ve got work to do, like reading this column.
If you’re serious about security, however, you won’t just respond every time you see a news story on computer viruses. You’ll allocate time and resources for network staff to do ongoing research and testing, and provide basic security training to all users in your organization. And you’ll share your insights with other IT users and vendors (so long as it doesn’t threaten your business).
Talk it up, in other words.
I know it sounds crazy. After all, who’s got the time, staff or money to do all those things? Outsourcers? Maybe, but even if you go with third-party protection, you’ll have to do the legwork to make sure your arrangements are worthwhile — and working.
One industry analyst I spoke with recently remarked that enterprise networks are often built without adequate staff or training. In an age when companies are told to bet their business on the Net, you’d think more attention would be paid to such basic things as security. It seems that the chorus — including analysts, consultants and journalists — knows only one tune: e-business, or else.
News media also have a role to play here. Instead of repeating empty catch phrases around “Net-enabling” businesses, we need dig deeper. We need to write stories of viruses, trojans, worms and hacks as more than aberrations or doomsday threats. This means placing them in the context of everyday business, finding out what works and what doesn’t. Fortunately for us, security issues almost always make for good news stories.
Don’t think I’m giving vendors a free ride, though. Microsoft needs to do more than issue “oopsy” press releases and software patches. I’d like to see some leadership coming from Redmond, rather than the we-tried-our-best party line.
Overall, though, I think the problem has to do more with the industry’s attitude towards security than with faulty products. Fobbing off network management won’t help your business prepare for future alerts. Talk — not hype — however, could make a big difference.