Apply Offline Security Lessons to E-Assets

The goal is to look good to customers, not to impress the audience at an IT conference.

Do you protect yourself against hackers by crossing your fingers and hoping for the best? That's the strategy of choice, it appears, for more than a third of the thousands of eWeek online readers who've replied to our poll on this subject.

Even if our poll respondents (see results at ) were being flippant in their answers, we all need to apply the hard-learned lessons of the offline world to protect our e-assets. Our poll asked only about active measures, such as software-based ID systems or hardware intrusion detection appliances, but we should also look at the entire spectrum of risk-reduction measures that we use—without even thinking about them—in our other business and personal activities.

A physical storefront, for example, can protect itself against defacement of its windows with an elaborate system of infrared beams and electronic links to armed-response security services. It would be more cost-effective, though, to use storefront materials that are easy to clean, depriving graffitists of the satisfaction of seeing their work displayed. After one or two disappointments, they'll look elsewhere.

Electronic storefronts, likewise, should be implemented with technologies that resist casual attack, with facilities in place to roll over to a "hot site" backup in the event of a more determined attack. It's easy to think like a technologist and spend lots of money trying to make a site attack-proof, but it makes more sense to think like a business owner. The goal is to look good to one's customers, not to impress the audience at the next case study presentation at an IT security conference.

Physical storefronts also reduce their appeal to potential thieves by removing high-value merchandise from their windows when they're closed for the night. Why show off what's worth stealing? It should likewise be an axiom of enterprise Internet presence that if someone isn't authorized to use something, it shouldn't even be apparent that it exists. Instead of delivering access through browsers, with or without passwords and other access controls, why not look toward application-to-application communication that conducts conversations only among known and properly privileged participants?

Attack-proofing is impossible; let's make it less important.

Share your risk-reduction strategies with me at