

New ways of working bring new security threats, but
measures to defeat them must apply to everyone throughout the
organisation.
The biggest threat to security is the internal threat, although
many organisations still don’t want to believe it. Employees need
access to the network and to applications to do their jobs, but
this can make it easy to steal confidential information.
Corporate e-mail can be tracked, so anyone trying to e-mail
information out of the company would hopefully be spotted via an
e-mail audit. Of course, there is always Hotmail and Gmail to use
instead, unless such facilities are blocked.
The likes of USB memory sticks enable users to carry around
their work documents and quickly and easily transfer data from the
network to a pocket-sized device. Again, a very useful business
tool, but one that can allow the unscrupulous to remove huge
amounts of data with ease.
Some employers have banned the use of any portable storage
device, with a policy that no digital camera, USB stick or MP3
player can be connected to a company PC. Going further, some
suppliers sell software that disables the USB port to prevent
unauthorised connection.
But for every security measure, users will find a workaround,
even perceiving the IT department as so restrictive that it
prevents them from doing their jobs properly. Clunky, obtrusive IT
security measures help no one. Remember: if it is too difficult to
use, no one will use it. If your corporate IT security policy puts
too many restrictions in place to secure the network, staff won’t
bother using it.
It is not only lower-level staff who may be at fault when it
comes to security. For instance, it was the executives at the top
of the hierarchy who brought Enron to its knees. So firms should
ask whether it is really necessary for a senior executive to have
full access to every piece of data on the corporate network.
It may not be the best way to win friends on the board, but the
IT director must take a lead to ensure network security policies
comply with company regulations.
The IT director should also use the IT team as an example of how
IT security can support, not restrict, operations. Sadly, this
rarely happens. Far too often IT people find workarounds to save
time or simplify a system’s configurations.
Why bother changing the admin user name when everyone uses the
same system login, or the database administrator has access to the
crown jewels and is entrusted with the key to lock them away?
It is not unusual for users to be asked to give their passwords
to IT helpdesk staff in order to fix a problem with their PC. This
is ludicrous.
On the one hand, IT is forcing staff to use complex
authentication systems to access the corporate network, while on
the other they appear to disregard these policies when it suits
their purposes.
Everyone must understand that there is a potential risk when
database administrators, system administrators and back-up
administrators are given such a high level of trust within the
business.
It does not take rocket science for dishonest systems experts to
cover their tracks. But it would take a brave IT director to block
software developers from installing new software utilities and code
off websites, or prevent them from plugging in their MP3
players.
In fact, any restriction on what IT staff can do will be hugely
unpopular and is likely to lead to an uproar within the IT
department.
There is no easy answer. Both the IT department and the business
need to sing from the same IT security hymn sheet. This will take
time. But don’t leave it too long. New blood means new risks: each
generation of staff, whether from the business or IT, will bring in
new ways to work. Have you got a policy on wikis yet? Or
blogging?
Network security must constantly evolve to adapt to changes in
the way staff and executives communicate and use IT. Whatever
security policy is used, it must apply to every employee, including
IT staff and the senior management.
What is your biggest security headache? Are there any easy
answers? Let us know at
computer.weekly@rbi.co.uk