When looking at network security from a big-picture perspective, there are seven categories of perceived threats, but only two categories of real threats.
The real threats fall into one of two categories: vandalism or spying. Whether the threat is a virus, Trojan, denial of service attack, hacking attempt, worm or spyware, it will have one of two effects. In the case of vandalism, the company’s system will either cease to operate or will not operate as effectively as intended. This is especially true of DoS attacks. In the case of spying, someone will be able to read electronic files that are not intended for public consumption.
These are the only two threats that an IT network manager should have to focus on, and with the increasing sophistication of malware writers, it’s enough to keep a technology manager’s hands full.
The other five threats – while often referred to as security problems by vendors and service providers with products and solutions to sell – are business problems that can be addressed only by managers.
The other five threats include theft and physical danger, which are even more severe than vandalism and spying, and could result from vandalism and spying, but are not network security problems.
If a company’s physical security could be compromised by a failure of the IT infrastructure, that is a business management problem. It’s also a security problem, but it’s not an IT security problem. If a criminal could steal something as a result of hacking into a network, that again is a management problem. It’s the manager’s job to make sure sensitive information is not stored on accessible drives.
Two other problems – spam and phishing – are characterized by some vendors as security problems, but aren’t.
An overloaded inbox or a clogged e-mail server caused by spam is a problem, sometimes with results similar to those of a denial of service attack, but it’s not a security problem. Spam is just unsolicited inbound communications. If you’re interrupted twice during dinner – once by a phone call from an insurance salesman and once by a Girl Guide ringing your doorbell selling cookies – that’s annoying, but it’s not a security breach. And phishing? Well, phishing a is security problem in the same sense that a stranger wearing a mask politely asking people to hand over their ATM cards with their PINs is a security problem. It’s more of an IQ test.
The fifth issue – compliance with securities regulations – is supposedly one of the security problems with instant messaging, because some IM programs do not have an archiving capability, which would allow investigators to check every record of an employee’s correspondence.
While this may be a problem, it’s not a security problem. Letting employees communicate, without monitoring that communication, is the business manager’s problem, not the IT manager’s problem.
Distinguishing between the business management problems and the network security problems is important because it helps keep a network manager focussed. After all, there’s enough spying and vandalism going on to keep your hands full without taking on business management tasks.