Frankly Speaking: Secure Your Users

Computerworld - At the RSA Security conference last week in San Francisco, the big news was a new set of cybersecurity best practices, a new application vulnerability description language and a push for Web services security, along with the usual collection of new IT security products (see story). Considering what a messy, continuously changing security picture we face, it's all worth digging through when you get the chance. Piling more security technology onto your networks and servers and desktop PCs is usually a useful thing.
But while you're upgrading your security technology, don't forget to upgrade security in your users, too.
Not for your users. In them.
Look, you've got firewalls and virus filters and intrusion-detection systems. You scan logs and tune settings. You go hunting on a regular basis for unauthorized wireless gateways and off-the-network modems. You've built a security fortress, and as long as your users are inside that fortress, they're pretty safe.
But they won't stay inside that fortress. Inexpensive technology lets office workers take the office with them wherever they go -- or at least it seems that way. Maybe it makes them more productive, but it also exposes all that office activity to the world outside the protections of their real office.
Cheap wireless access points make home networking easy. But they can also expose access to your networks and data if an office worker connects from home while still hooked up to his wireless network.
Cell phones make it easy for outsiders to eavesdrop on business conversations. Laptops with big, clear screens make it easy for people even a few seats away to read confidential documents. An enterprising snoop can even copy hundreds of megabytes of information from a laptop with a CD burner left running on an airplane seat while its owner waits in line for the lavatory.
Laptops are thief bait in airports, parked cars and even overhead bins in airplanes, and they're typically stuffed with confidential business information. But so are handheld computers, which can easily hold documents, spreadsheets and databases these days -- and are much easier to steal than laptops.
And that's just the tip of the iceberg. There are endless ways users can compromise the security of business information once they're outside the office, and there's not much you can do about most of them. They're outside your security perimeter -- beyond your reach.
Yes, you can add more security technology. You can try to chase down and block off every security hole in each user's portable office.
But none