Education is the key to defending your IT systems

I attended a round table on Information Warfare, hosted by IBM recently. The "men in blue" are about to push out a television...

I attended a round table on Information Warfare, hosted by IBM recently. The "men in blue" are about to push out a television advertising campaign, alerting business to the threat posed by hacking, and with the not-so-hidden message that you will sleep better if you ask IBM to advise you on your security policy, all for a small consideration of course.

IBM appears to believe that the threat of information compromise, whether as a result of a virus attack, a deliberate hack attempt or the mess left by an ambitious script kiddie, can be greatly reduced by better education at all levels of the workforce.

This is not a profound discovery. Only this month, the Confederation of British Industry produced a report which clearly showed that, overall, business is being hammered by hackers and viruses and, where having a good information security policy is concerned, the penny hasn't dropped yet.

I have met some of the more skilled and necessarily anonymous hackers. Sitting down with one and playing "where would you like to go today?" one quickly realises that keeping "elite" hackers out of your network is an expensive and serious exercise and that only luck protects a business from being "mapped" for weaknesses and worse.

With cybercrime and hacking growing exponentially, does IBM have any real answers to this problem outside of encouraging education and a firm security policy?

I don't think it has. It is much more of a confidence-boosting exercise. So much of our technology is vulnerable to exploitation but business remains reluctant to invest more than it feels it has to on security measures with no visible return-on-investment proposition. Sometimes, the finance director can be persuaded to sign-off another expensive box, and often this is where the problem begins, rather than ends.

I call this "the Gabriel Paradox". Buy some expensive intrusion detection system tools, an anti-virus suite and a firewall and relax into a false sense of security in the belief that you have employed a guardian angel to protect your business from the imps of Satan. Unless your network administrator is as sharp and tenacious as the people he is trying to defend your company against, the risk of compromise remains high.

Two new books should be added to the required reading list for anyone who takes the threat to their network security seriously. Both by John Chirillo, they are Hack Attacks Revealed and Hack Attacks Denied. Both are part of the education process that IBM is so keen on and the latter is full of good information on how to better secure your infrastructure from the attention of unwanted visitors.

There is no silver bullet to use against the hackers. There is only common sense and a sound security policy. You may not even know that an invisible someone out there "owns" a network near you.

Simon Moores is chairman of the Research Group

Read more on Antivirus, firewall and IDS products