Peter Sandilands, Australian regional director of virtual private network (VPN) and firewall vendor Check Point Software Technologies, said an overlooked threat to information security is frustrated users working around security measures they believe affect their ability to complete a task.
Sandilands said: "Too many e-security policies and technologies are inhibiting user performance. If users need to get information in a timely fashion, they go home and download the information, and maybe suck down a virus in the meantime and take it back to work."
"It's like having an armed guard at reception and all the doors locked and issuing all the staff passes, only to have someone prop open a door with a phonebook. A lot of people will take advantage of the open door," he added.
Simon Hackett, managing director of Internode, an Australian networking technology company, agreed that a common occurrence is the worker who takes home a laptop and dials into a local ISP, then returns to the office unknowingly armed with a virus on the laptop.
"This is what happened with Nimda," he said.
Sandilands said the problem is in a company's security policies.
"At its most basic level, security is a prevention tool designed to stop things from happening. But IT is a technology that allows things to happen, information to become available, communications to open," he said. "Companies need to switch to security as an enabling tool, not a prevention tool. Instead of putting in place a slapdash security policy, companies need to think carefully about how to help users work, not prevent them from working."
Security measures should not just be an add-on, said Sandilands. They need to be an integral part of IT strategy and to be carefully planned.
Hackett agreed that tight security is a question of policy. "Rather than just whacking up a firewall, companies need to tell their staff what the rules are and what the firewalls are there for," he said. "Otherwise it becomes a game and the staff play it. If a firewall seems to stop a user getting the job done, they'll go around it. Security measures are secondary, but policy is primary."