
Unless you believe everything depicted in the TV show
24, employees are not recruited by foreign intelligence
services, and data exfiltration is due to mistakes rather than
malicious intent, writes Raj Samani, vice-president of
communications at ISSA UK. For example, the USB stick found with
sensitive material is not the result of a failed drop-off to Agent X,
but merely an attempt to continue working from home.
The normal reaction is to enforce disciplinary procedures for the
policy violation, whereas the better question would be to ask
whether the policy (and the controls that follow from it) is fit for
purpose. All too often draconian measures are enforced without
consideration of what it takes to get the job done. Such measures
reinforce the negative image that the security department has
throughout the organisation as simply blockers who stop
productivity. Of course, the disclaimer is that there are times
when such an image has to be upheld!
So it was refreshing when at a recent conference the speaker
presented some alternatives to simply saying no. The proposal was
to provide the things the users want but in a safer
environment.
For example, many corporate policies do not allow access to
social networking websites such as Facebook. The alternative
suggestion was to offer an internal version of the social
networking site, which allows employees to collaborate and build
strong relationships with employees in the same organisation.
Admittedly it can be argued that employees do not want to talk to
each other but want to communicate with friends outside the
organisation. But such an approach aims to bridge the gap between
what they want and what is allowed.
The user base of the organisation is changing. A new generation
of employee has arisen, whose use of technology and risk
perceptions towards the information they disclose are continuously
challenging corporate policy. Is it not better to understand
their needs and provide them with something that satisfies them (or
at least appeases them), rather than handing them the 21st
century Rubik's cube: the 'challenge' of circumventing security
controls?
Read more expert advice from the Computer Weekly Security Think Tank.