News Analysis: The discovery that massive amounts of data were stolen from the U.S. government, corporations and defense contractors in a pervasive five-year cyber-spying campaign likely initiated by China shows that everyone is potentially the weakest link in the corporate security chain.
The fact is that as chilling as Alperovitch's report may be, it doesn't
tell the whole story. While the victims of many of these attacks
eventually found and remedied the malware intrusions, little has been
revealed about this publicly. No general alarm was
apparently raised in the halls of government or industry, at least
before McAfee discovered the command-and-control server. One of the
primary purposes of the report was to make public the breadth and depth
of this single set of related attacks.
What's perhaps the scariest part of this whole situation is that the
people targeted in this attack all enabled it by doing one of the
things they should be teaching the employees in their companies never
to do. They opened a suspicious email to give the malware access to
their computers. It's hard to overstate how important it is to instill
the proper level of suspicion into employees. Surely by now the amount
of damage that's been caused and the amount of loss that's been
incurred by careless actions on the part of employees should motivate
companies and agencies to train their employees not to do this.
Perhaps an equally scary revelation is that these attacks all
happened to unpatched Windows-based computers. In other words, the
attacks were enabled through exploits that could have been prevented
simply by updating Windows and the installed Windows security software.
None of these preventative steps is expensive or even difficult.
Updating Windows is free. Updating security software is free, except
for the annual subscription. Taking care of both these tasks isn't
hard. In most cases it's automatic.
Training your employees isn't free, but it's not hard or expensive.
Neither is managing the right level of access to your network. You
can't have a secure network if everyone is a system administrator, even
on their own machine. And while it does take an investment in time and
money to buy the right enterprise security software, the right firewalls,
and the right encryption tools, that investment is relatively low
compared to the risk of losing your most precious information.
Ask yourself whether you want to be the cyber-patsy chosen by the
agents of a distant foreign government who want to steal your
organization's most strategic information. But that's exactly what you
will be if you happen to be the weakest link in your organization's
security cordon with an unpatched PC and a lame password that provides
easy entry to the network with the right level of access. Then all they
have to do is send you a cleverly disguised spear-phishing email that,
with your single mouse click, opens the back door to your employer's
data riches.
As an alternative, think about whether you or your company take
security seriously. Do you actively train your employees about the
dangers of email? Do you ensure that your computers at all levels are
kept updated? Have you made sure that your security software is in
place, properly configured and updated? A quick look around any office
is almost certain to reveal at least one computer running an unpatched
version of Windows XP. That alone could open the door to a massive
security hole that could give away all that your company has worked to
achieve.
Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.
He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.