When IT Security Advice Goes Overboard

In IT circles, bad security advice abounds. Just ask the administrators at Pennsylvania's Lower Merion School District who somehow became convinced that it would be a good idea to use Webcams to keep tabs on students. The district says it uses the software only to track potentially stolen devices. A student is suing the district, alleging that school officials used it to spy on pupils such as himself.

Whatever the administrators' motives, everyone in my neighborhood is up in arms about violations of our children's privacy. (Me, I'm more worried that my two high school-aged kids spend too much time on taxpayer-funded Apple (AAPL) Macbooks, updating Facebook profiles and watching video on YouTube (GOOG), rather than doing homework.)

However you slice it, the school district got bad security advice.

We small business owners get our share of bad security advice, too. Some of us have been told to get software to spy on our employees. IT consultants have told us we should track employees' online activities. Other "experts" tell us tales of terror about managers who do not encrypt their data or restrict employee access and fell prey to theft and business interruption. Much of this advice and scaremongering can be taken with a grain of salt.

don't hold most sensitive information

Consider the Webcam software that secretly videos the user, which the school district installed on students' Macbooks. Or software that tracks a stolen laptop's location. This reminds me of the Seinfeld episode in which Jerry's car gets stolen and he calls his car phone, only to have the thief pick it up and ask when he last got a tune-up. What sense does this stuff make?

What about sensitive information? Most shouldn't be stored on a computer's hard drive in the first place. Case in point: customer credit-card information. If someone gets hold of that data, you could be subject to lawsuits. Good security advisors recommend online services such as eBay's (EBAY) PayPal or AcceptPay from American Express (AXP). They not only process payments, but store the credit-card data out of your employees' reach.

If you're still concerned about sensitive information falling into the wrong hands, consider tools that remotely eliminate the contents of a hard drive after it's stolen. Better yet, encourage employees to save and access important data through a password protected Virtual Private Network and store it on a corporate server. Worried about losing hardware? Equip remote employees with less-expensive laptops or netbooks. Some companies even ask employees who are issued laptops to place a deposit to be returned when the device is handed back.

Some experts tell us to install software that would track what an employee is doing online and block undesirable Web sites. Besides being a little creepy, who has the time to do this? If we suspect that an employee is wasting company hours surfing the Web, there are other ways to reach that conclusion. Try comparing his or her output to that of others. Better yet, walk around and see what staffers are doing.

a sensible step: Antivirus software

Do we really need to "block" certain Web sites from being visited at the office? Last time I checked, my employees were adults who should know which sites are appropriate. We shouldn't have software to monitor what a manager should be able to discern through other means. Monitoring employees is not only a waste of time, it can upset people and create an atmosphere of distrust.

A good security consultant will also tell you to get basic antivirus software. This has been hard for me to swallow in the past. I still feel that a lot of this stuff unnecessarily slows performance of servers and workstations. But I've done some work for McAfee (MFE) over the past year or two and through this I've learned that there's a lot of screwed-up people sitting at home, sending out malicious files just for the fun of it so that they can wreak havoc on an unsuspecting business owner. Having software installed—and updated—that finds and destroys viruses and worms makes sense.

Some technology dudes I know who sell software go way overboard with their billable hours "securing" the software application's data so that some users can see data but others can't. Other than human resources stuff, if your company's culture encourages hiding customer information from the people who are selling and servicing your customers, you've got more than just a security issue. And your IT guy is feeding this problem.

So no, I'm not worried about security for my small business. That's because I've taken the good advice from those security experts and ignored the bad. Nor am I worried that my school district is spying on my kids' activities. At least someone around here is giving them good adult supervision.