Every year or two, we face a new unstoppable IT trend that threatens the way we handle network security. Think instant messaging, USB keys, social media sites, and mobile computing. There are more on the way, as I wrote about last week, including Web 2.0 and cloud computing.
Tracking these new computing trends is important for IT admins: They represent a potential swath of new opportunities for attackers to breach systems, steal data, and spread malware. Early recognition and management are essential to get a handle on the situation.
[ Tomorrow starts today -- find out Roger A. Grimes's predictions for five security trends for 2011 and beyond. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Just as there are five recognized stages of grief, I see a series of stages in the life of a security IT admin coming to terms with a new IT threat. Those stages are as follows: ignorance; peripheral awareness and recognition; denial or casual acceptance; strong opposition; and formal acceptance, followed by the creation of a solution or system to manage the potential threats the new trend creates.
When we first see a new trend emerging, we typically ignore it because it isn't widespread enough to garner hacker attention. As it gains popularity, it usually becomes an avenue for exploitation and spreading malware, and we, as security professionals, have to take notice. In most cases, our natural tendency is to fight the new thing's use. Typically, we feel there is already an existing, managed, "better way" for the same task to be accomplished.
For example, I still don't see the big need for instant messaging over email. As an old fart, I'm still trying to come to grips with the societal importance of Facebook. Nevertheless, if a technology has infiltrated the organization, we need to accept it and come up with a defense strategy.
One security policy to rule them all
One strategy to ease adoption of new technologies is to build into our official standing policies a general process for embracing them, rather than examining each as a separate aberration and treating it as an ad hoc one-off. For example, your policies pertaining to digital communications should be written to cover such technologies in all forms, wherever they exist, rather than naming specific brands of software or even categories such as email and IM. If users are allowed to install any software they want, they should understand that the obligation to safeguard company assets and data follows that data wherever it goes. That means if your entity has a policy that confidential business data and business-related communications (email, IM, and websites) must be encrypted, end-users should understand what that means and where it applies.