It's a potential nightmare for any small business: A new vulnerability or worm threatens computer systems in the dead of summer, when IT staffers are vacationing. But companies that manage people wisely, patch systems regularly and plan for emergencies needn't worry, most IT managers agree.
"You need to have the right tools, train people to use them and have backup staff in place during busy vacation periods," said Robert Sherman, IT security manager at American Tower Corp., a wireless communications provider in Boston, which has about 1,000 employees, including 60 IT staffers, three of whom deal with security.
"You need to make sure someone can step up to the plate during a shortage," Sherman said. "While there are three people who deal primarily with security in my company, 12 have security training. That's the No. 1 priority."
To implement a summer information security plan, according to Sherman and others, companies should ensure that firewalls and antivirus software are in place, monitor security warnings, apply new patches, prioritize systems most vital to doing business and train people in areas outside their normal responsibilities.
The last factor is particularly important, said Kathleen Held, senior network support specialist for Great Lakes Gas Transmission Co. in Troy, Mich., which has up to 200 employees, including four IT staffers.
"You want to make sure you don't pigeonhole someone so much that they can't handle issues outside the area they specialize in," Held said. "It comes down to having good people with good knowledge."
Keep your information security plan simple
Gordon Corzine, principal of Corzine IT Consulting of Marblehead, Mass., provides network security for businesses that typically have only three to seven employees. In a unique twist, he turns to the competition for emergency backup when he goes on vacation. The situation works for one-man shops that are comfortable with such an arrangement.
"One competitor has arranged for me to cover for him when he takes vacations," Corzine said. "When I go away, I leave my clients a list of suggestions and telephone numbers of competitors if there's a problem. I think it's important for my clients to feel free to go to competitors in an emergency. If they trust me and are happy with my services, they're going to stick with me."
Corzine said most of his clients don't have complex systems because of their small size and use outside companies for email and Web access. He said the simplest networks are easiest to secure.
"Clients who tend to have the biggest problems are those who try to use their own independent server for their website and other functions," Corzine said. "I'd advise businesses of the size I deal with not to use an independent server. Don't try to run your own website. Keep it simple."
An ounce of prevention
Ian Hameroff, product manager for Microsoft's security, business and technology unit, said the best prepared IT staffs know how to prioritize.
"You have to manage your resources appropriately according to what the greatest risks are for your business," Hameroff said. "You know a hurricane is going to come some day. Do you wait until it's off the coast, or do you put procedures in place ahead of time? The most important thing is to keep your systems up to date, take note of the free updates and tools available, have your firewalls in place and sit your IT staff down before holiday periods to hammer out a plan in case of emergency."
Corzine and Hameroff also have advice on what not to do when leaving for vacation: Don't use automated e-mail messages that tell people you're away.
"They're a bad idea," Corzine said. "Just select a list of people and send them the message of who they can call in an emergency. You don't want to let strangers know you're not there."
Hameroff said: "At the least, you want to be careful of how much detail you put in an automated message. Attackers can use details to their advantage."
All agree summer vacations aren't something they worry about. After all, IT security is a 24x7 job.
"Even when you're on vacation, you're on call in case something major happens," Sherman said. "That said, we've been lucky, because attacks seem to come on the Friday before a three-day weekend. We're usually here anyway, because that's when we can get system downtime to do upgrades and other work."