I am amazed at how many companies and organizations I run into where computer security is lax and nobody seems to care very much. Just this morning I heard from a business associate who is just getting started in a new position. He told me that this company's System i is connected directly to the Internet with no protection at all, not even a firewall. He demonstrated to his new boss how he could quickly hack into the system, track down the ID and password of a security officer and then sign on using that profile. I won't tell you how he did this, but it was not rocket science. They are shopping for security protection for their System i now, but how did they get to this point to begin with?
What these organizations need is a "security evangelist." Someone who knows what the problem is and really believes in the message. The dictionary contains several definitions of evangelist, and the one I'm thinking of is "a person marked by evangelical enthusiasm for or support of any cause." If you don't believe the message, then you can't sell it to your organization's decision makers.
I then thought back over my 40+ year career to try and pinpoint those places where I bought into the computer security message. I can think of three events that really convinced me that this is a legitimate issue.
When I started in the computing field in 1965, computers were new and companies that had one liked to show it off. It was not unusual to have a glass-enclosed computer room with open access to the public to walk by and watch the computer in operation. Then there was a Vietnam war protest bombing of one of these computer centers and, overnight, they were boarded up and physically secured.
Around the same time, in 1973, came the Equity Funding fraud. This was a computerized fraud scheme where a financial conglomerate engaged in fraud on a huge scale to maintain a high stock price and fool Wall Street and investors. At its height, the scandal involved as many as 100 employees who used their computer system to create fictitious insurance policies. At one point during the fraud, someone estimated that if the insurance policies being written continued at the same growth rate, they would end up writing more policies than there were people in the US.
These two events, which happened quite close to each other, got me thinking that computer security was a real issue, not just something being touted by IBM to sell more of their services.
The last event that turned me into a security evangelist was reading the book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll. This book, published in 1990, starts with a college IT guy from Berkeley, Calif., trying to track down a 75-cent billing error. His search leads him into the then-new world of computer hackers on a global basis.
If you don't believe in the computer security message, you can't convince others. I became convinced by just keeping my eyes and ears open to what was going on around me. If you're working in the computer security field, you need to be an evangelist and get everyone at your organization on board. If you don't believe the message, how can you expect everyone else to? I think this is what's needed today. There is still just too much laxness in the field.
If you have security was stories you'd like to share, let me know. All email messages will be answered, and I might even use some of your stories in future articles.
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.