New ways of working bring new security threats, but measures to defeat them must apply to everyone throughout the organisation
The biggest threat to security is the internal threat, although many organisations still don’t want to believe it. Employees need access to the network and to applications to do their jobs, but this can make it easy to steal confidential information.
Corporate e-mail can be tracked, so anyone trying to e-mail information out of the company would hopefully be spotted via an e-mail audit. Of course, there are always Hotmail and Gmail to use instead, unless such facilities are blocked.
The likes of USB memory sticks enable users to carry around their work documents and quickly and easily transfer data from the network to a pocket-sized device. Again, a very useful business tool, but one that can allow the unscrupulous to remove huge amounts of data with ease.
Some employers have banned the use of any portable storage device, with a policy that no digital camera, USB stick or MP3 player can be connected to a company PC. Going further, some suppliers sell software that disables the USB port to prevent unauthorised connection.
But for every security measure, users will find a workaround, even perceiving the IT department as so restrictive that it prevents them from doing their jobs properly. Clunky, obtrusive IT security measures help no one. Remember: if it is too difficult to use, no one will use it. If your corporate IT security policy puts too many restrictions in place to secure the network, staff won’t bother using it.
It is not only lower-level staff who may be at fault when it comes to security. For instance, it was the executives at the top of the hierarchy who brought Enron to its knees. So firms should ask whether it is really necessary for a senior executive to have full access to every piece of data on the corporate network.
It may not be the best way to win friends on the board, but the IT director must take a lead to ensure network security policies comply with company regulations.
The IT director should also use the IT team as an example of how IT security can support, not restrict, operations. Sadly, this rarely happens. Far too often IT people find workarounds to save time or simplify a system’s configurations.
Why bother changing the admin user name when everyone uses the same system login, or the database administrator has access to the crown jewels and is entrusted with the key to lock them away?
It is not unusual for users to be asked to give their passwords to IT helpdesk staff in order to fix a problem with their PC. This is ludicrous.
On the one hand, IT is forcing staff to use complex authentication systems to access the corporate network, while on the other they appear to disregard these policies when it suits their purposes.
Everyone must understand that there is a potential risk when database administrators, system administrators and back-up administrators are given such a high level of trust within the business.
It does not take rocket science for dishonest systems experts to cover their tracks. But it would take a brave IT director to block software developers from installing new software utilities and code off websites, or prevent them from plugging in their MP3 players.
In fact, any restriction on what IT staff can do will be hugely unpopular and is likely to lead to an uproar within the IT department.
There is no easy answer. Both the IT department and the business need to sing from the same IT security hymn sheet. This will take time. But don’t leave it too long. New blood means new risks: each generation of staff, whether from the business or IT, will bring in new ways to work. Have you got a policy on wikis yet? Or blogging?
Network security must constantly evolve to adapt to changes in the way staff and executives communicate and use IT. Whatever security policy is used, it must apply to every employee, including IT staff and the senior management.
What is your biggest security headache? Are there any easy answers? Let us know at firstname.lastname@example.org