Speaking at Ziff Davis Media's Virtual Tradeshow on security, panelists said teaching employees to recognize and report security threats is a necessary component of a sound strategy.
Analysts, law enforcement agents and corporate IT managers focused on surprisingly nontechnical security solutions Tuesday as they discussed the latest risks to corporate networks as part of Ziff Davis Medias online "virtual" tradeshow
"Management support at the highest levels of an organization is critical to the success of any security initiative," said panelist Stephen Doty, a manager at BearingPoint, a systems integration services firm based in McLean, Va. "You need to look at policies and prevention that support the organizations IT and information security needs."
Bill Mallick, a vice president at analyst firm Aberdeen Group, agreed, stressing the need for senior management buy-in and understanding of security issues, as well as an increase in employee training on both awareness and reporting of security threats.
"A big portion of getting information security out there is really informing your employees," Mallick said. "If they know how to respond to and report security issues, then youve already won."
"A lot of times, companies just throw money at the problem without having the security strategy in place," said panel moderator Elliot Markowitz, editorial director of Ziff Davis Media eSeminars.
And according to the panelists, particularly in this era of scant additional funding for security technologies, training and management buy-in are major keys. Education is a low-cost way to alleviate risks within an enterprise network, and once organizations have internal knowledge and capabilities, additional technology down the road can only serve to advance security.
"Technology doesnt replace those capabilities," Aberdeens Mallick said. "It enhances and enables them."
Still, the panelists noted the onslaught of technology risks facing companies and consumers, particularly with the increasing complexity and sheer number of computer attacks, including phishing scams, denial-of-service attacks, malicious code and worms.
Christopher Painter, deputy chief of the computer crime and intellectual property section at the Department of Justice, said hackers no longer need tremendous knowledge to cause severe damage. Instead, theyre able to use tools developed by others in the hacker community for their own purposes.
According to BearingPoints Doty, the greatest threat is a "zero-day" attack, where malicious code is released for which there is no fix or patch available. He said he expects that more of such attacks certainly will appear.
The solutions to these problems mainly revolve around people, who are often the weak security link, panelists said.
Painter, who prosecuted notorious hacker Kevin Mitnick while in Los Angeles, also urged organizations to work closely with the FBI and the Justice Department to report cyber-attacks and help track down perpetrators.
"We can do more than you can as an individual organization," Painter said.
The panel discussion will be archived at www.securityshow.eseminarslive.com. The Security Virtual Tradeshow continues tomorrow at 11 a.m. EST, 8 a.m. PST, with panel discussions, keynotes and sponsor exhibits.
Editors Note: The Ziff Davis Media Security Virtual Tradeshow is run by eSeminars, a division of Ziff Davis Media, parent company of eWEEK.com.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.