Protecting yourself and your client against bombs of logic

By Wayne Spivak,
Contributing columnist
Var Business Web Site, March 16th, 1998

If one were to take a straw poll and ask 100 computer users what the number one major computer security threat was, the Internet would likely be at the top of the list.

But that perception is wrong.

The number one computer security threat facing a business today is employees and contractors working at the company. Many companies don't have administrative passwords, and if they do, those passwords are so easy to crack that a 3-year-old could figure them out.

Take a look at a recent incident reported in all the major trade magazines, as well as in the general press. A former system administrator was charged in a federal indictment with planting a logic bomb in the computer system of the company where he was employed. This bomb went off, causing an estimated $10 million in damage. The only unique fact of this case is that the public found out about it; employee malice is a daily event.

What can VARs do to protect not only their clients, but also their companies? And why do I say protect your company? Because when that security breach happens, everyone in sight is going to be sued. Moreover, since you are the VAR, you will be the first in line. So what can you do?

Insist that a security analysis be undertaken as part of the services you provide. Perform a preliminary security analysis, and don't forget to charge your client. Odds are that you can find at least 10 security breaches.

Make written recommendations to the client on how they can fix those breaches (e.g., selling them more Value Added Services). One of those recommendations, if deemed necessary, is for your client to hire a security consulting firm. At the same time, you should have the client's principals sign off on the report. Add a paragraph stating that you have informed them of security breaches, including your recommendations and noting that no system can make their computers breach-proof. Make sure that the client knows that you can never bulletproof a computer system, but with a disaster recovery plan you can do everything necessary to prepare for the disaster.

Wayne Spivak is president of SBA Consulting, an IT consulting firm in Bellmore, N.Y., and SBA.Net.web, an Internet and Web consulting firm.