Terminated Employees are a Security Risk
Janco is warning that companies laying off staff should think about possible security risks from disgruntled ex-employees and ex-contractors. The reason for this warning is that, as enterprises respond to the downturn in the economy, employees and contractors become disgruntled and have lower morale. This in turn can result in internally generated data breaches.
At Fannie Mae, a software developer contractor targeted Fannie Mae's servers after his contract was terminated. Malicious code was found on the servers that was set to execute at month end. He was able to put the code in place because his password and access privileges were not revoked immediately following his dismissal.
Password and access privileges are one of the primary concerns of many Chief Security Officers. For many users there are just too many systems. Many enterprise users have between 10 and 15 user names and passwords. As a result, password and access issues account for up to one third of all help desk calls. In some enterprises over 80% of help desk time is devoted to password and access issues.
Security Should Not be Sacrificed for Convenience
In this economy, many IT functions are underfunded as enterprises drive for improved productivity and expense reductions. Decisions are made in a spirit of making do. For example, is communications bandwidth too narrow for encrypted traffic? Send it in the clear - problem solved, for now...
It is not hard to understand the logic behind such actions: making systems work means no explanations to the boss, no struggle for extra resources, no difficult decisions to close down important services on which large parts of the organization depend.
When an organization is in survival mode, resources are being husbanded and everyone's working flat out, it takes strength and leadership to say "no, not good enough" to something that is apparently working well. It is also difficult to justify more spending with no direct effect on revenues, and to demonstrate that something that seems optional is in fact required.
In an audit of the United Nations' 2 billion dollar logistical system, it was found that network links were insecure, no mechanisms existed to detect security breaches, and authentication information was unsafe. In addition, backup systems were co-located with the main systems.
A natural disaster or a hacker could have done a great deal of damage at little risk. With IT skills and equipment now widely available even in the remotest part of the world, the UN had placed itself at considerable risk - a risk to which it was seemingly blind.
Responsibility for security and disaster recovery planning cannot be abdicated. It is hard enough for an organization to recover from a serious security breach at the best of times. These are not the best of times. Argued from the context of minimizing risk, the value of doing it right is clear. Make sure you're equipped to win that argument.
Reducing Costs a Survival Skill
In the downturn, enterprises are looking for ways to reduce expenses: some eliminate staff, others look for areas where usage costs can be reduced. Areas where many successful companies focus are:
- Reducing power/cooling costs - IDC, the research firm, estimates that for every $1.00 spent on new servers today, an additional $0.50 is spent on power and cooling. In 2010, that ratio is expected to be $0.70 per $1.00 spent for new servers. Begin by turning off servers not being used and replacing older high-power consumers and high-heat producers with newer, more efficient ones.
- Reducing complexity - Consolidate multiple operating systems onto fewer servers. This will reduce operational risk and operational costs that are linked to managing so many servers. Clustering will benefit by having the option of "failing over" workloads to virtual servers, reducing the operational costs of deploying standby physical server machines that run in a "passive" mode rather than an "active" mode. Taken together, these approaches improve the responsiveness of IT systems and of the people who access them across the business, ensuring high levels of availability and reducing business risk and operating expenses.
- Improving the management of physical and virtual servers - Reducing the total number of systems simplifies IT operations and affects IT staffing requirements. Importantly, downtime is impacted by having fewer individual points of management. Going green across the infrastructure is one way to accomplish that.
- Going Green - The process of IT transformation brings the opportunity to change the IT infrastructure, supporting "go green" initiatives by reallocating workloads to the sets of server and storage devices on which they can run most efficiently and reducing total server footprints through workload consolidation.