They really are out to get you

analysis
Jul 11, 2003

It's not just your perimeter -- now you have to protect everything, and you’ll need employee help to do it

The first thing you should know is that while you’re reading this in your office, at work, I’m relaxing on the French Riviera with my daughter. And I’m not even thinking a little bit about security, except maybe the part about keeping my daughter safe from the charms of suave Frenchmen. So send your comments to letters@infoworld.com, because I won’t be reading e-mail until after I get back.

While I sip fine Bordeaux and my daughter savors foie gras, I won’t be paying attention to the depredations of the groups of hackers who were planning to launch a series of attacks against a variety of high-profile Web sites worldwide this past weekend. As this is written, the evidence that they succeeded is scant, and since most of the attacks were supposed to emanate from Europe, the likelihood is that they were unsuccessful.

But, of course, I really don’t know that. What I do know is that there’s every reason that they should have failed. If all of you, dear readers, have been reading what we’ve written in InfoWorld about how to protect your enterprise, it should be nearly impossible to deface your Web server — and if that did happen, you’d know about it instantly. Considering the products we’ve reviewed and the advice we’ve offered, you should be reasonably satisfied that breaking in won’t happen.

And understand, I’m not taking sole credit for this advice. P.J. Connolly wrote many words in this space before January, presenting a long history of solid advice. So if you’ve listened to us, you know that you need more than just an enterprise firewall to protect your enterprise. You know that you need application firewalls, Web server firewalls, and application and server monitoring. This sort of multilayered approach will make it so difficult to penetrate your enterprise that most won’t try. And for those who do try, the tools exist to instantly remove their vandalism.

But as we’ve said many times, the real secret to protecting your enterprise isn’t hardware, specialized software, or dedicated appliances. As important as those products are, they pale in comparison to the need to train your employees. You need to teach your IT staff how to manage those products, of course, but more important is to instill a belief in security.

The employees who need to become believers most are those outside of your IT staff. Your senior executives must make the critical buy-in needed to bring the rest of the company along. Other employees need to believe that their efforts make a difference, and that security is at least as important as convenience.

How do you do this? If you’re lucky, you can find a hapless company with a Web site defaced by the bad guys this past weekend. Make a copy of that. Pass it around. Ask if anyone wants your Web site to look like that.

Maybe they’ll pay attention. If they don’t, cut off their access to eBay until they cry uncle.