Web of Security

››› DON’T exclude end users during your security planning and implementation processes. Everyone on your staff will have to live with the security policies and tools you decide on. Get their feedback about what will work for them instead of deploying a solution unilaterally and having it backfire later.

“How will your solution affect end users?” Garlock asks. “Do you intend to put internal e-mail or Internet-use policies in place? Will your end users still be able perform their job requirements? Ask them. You’ll avoid future pitfalls and improve user acceptance when it’s time to implement.”

››› DON’T fail to monitor a plan after you’ve put it in place. That means external as well as internal audits and progress reports of your security plan, not simply implementing it and hoping for the best. “The ‘set it and forget it’ approach is the biggest pitfall,” says Bil MacLeslie, CEO of ipHouse, a Minneapolis-based Internet service provider.

››› DON’T look at short-term fixes as the answer. Failure to approach security with a dynamic, long-range solution means lots of Band-Aids on cuts that will never heal. Consult with experts to try to determine what your security needs will be in the coming years, and avoid what MacLeslie calls a “lack of understanding of the potential vulnerabilities” of an Internet presence that’s visible to anyone. Holes in your company’s firewall might leave you open to viruses and other hacker mischief.

“To effectively address security in your business, the security solution you choose must be flexible, intelligent, and reviewed frequently,” Garlock agrees. “There are no quick-fix solutions in the security arena.”

››› DON’T neglect to address internal threats. Just as many accidents happen within a mile from home, many of the nastiest security threats can come from inside your own company walls. To that end, be sure to change administrative or Web authoring passwords when employees or consultants leave your company.

“Risks to your network and intellectual property don’t only reside outside of your domain,”  Garlock says. “Internal threats such as disgruntled employees can wreak havoc on your business,” by deleting files, distributing private information, et cetera.

MacLeslie also suggests giving employees access only to the network applications they absolutely need to do their jobs. “Many IT managers allow all and restrict few for internal services, and restrict all and allow few for external services,” he says.