Power User: Ounce of assessment is worth pounds of missed security cures
- By John McCormick
- Apr 16, 2003
My central Pennsylvania county's emergency management coordinator recently asked me and other volunteers how the county would spend a windfall grant to fight terrorism.
In such a rural area, computer security doesn't top the priority list. But we do have computers in virtually all police, water and emergency departments, municipal offices and hospitals. Local doctors and pharmacies would find it difficult to keep working if their systems were under attack or down for lack of power or backup.
I suggested the county use a small part of the grant to pay a security expert to gather basic information about these vital local systems. The expert should assess whether:
- Vital systems with always-on Internet connections have firewalls.
- Access is password-controlled.
- Regular backups are stored off-site.
- There are uninterruptible power systems, preferably ones that can recharge in an emergency from a car battery.
In the long run such things don't cost very much. Cybersecurity is more a matter of attitude and planning than of big bucks. In fact, an expert could tell a lot just by how easily sensitive system information was uncovered.
Could be, the county ought to decide to spend some of the bucks on a quick course in computer and data security.
I got no response to these suggestions from anyone at the county or state level. The only tangible change I've seen is a requirement by the Pennsylvania Emergency Management Agency that townships must change to a new emergency plan reporting format.
If it were a template in Adobe Portable Document Format or Rich Text Format that users could update and resubmit periodically, I could see real benefits. But no such luck'it's just more paper to fill out, and I don't see how a new form makes anyone safer. I hope other localities and government agencies are taking more constructive action.
Unless your agency does nothing whatsoever to foster citizens' safety or quality of life, any disruption of its work represents a victory for terrorism.
Think about simple, low-cost changes at your agency that could reduce the risk of interruptions to daily work. Are your managers open to such ideas? Have they even asked the staff for suggestions? Or is all the emphasis on security only an excuse to shuffle more paper?
Drop me a line with your ideas or comments, and I'll include the good ones in a future column.John McCormick is a free-lance writer and computer consultant. E-mail him at firstname.lastname@example.org.