Give users an alternative to breaching security controls

Unless you believe everything depicted in the TV show 24, employees are not recruited by foreign intelligence services, and data exfiltration is due to mistakes rather than malicious intent, writes Raj Samani, vice-president of communications at ISSA UK. For example, the USB stick found with sensitive material is not the result of a failed drop-off to Agent X, but merely an attempt to carry on working from home.

The normal reaction is to enforce disciplinary procedures for the policy violation, whereas the better question would be to ask whether the policy (and the controls that implement it) is fit for purpose. All too often draconian measures are enforced without consideration of what it takes to get the job done. Such measures reinforce the negative image the security department has throughout the organisation: simply blockers who stop productivity. Of course, the disclaimer is that there are times when such an image has to be upheld!

So it was refreshing when at a recent conference the speaker presented some alternatives to simply saying no. The proposal was to provide the things the users want but in a safer environment.

For example, many corporate policies do not allow access to social networking websites such as Facebook. The alternative suggestion was to offer an internal version of the social networking site, which allows employees to collaborate and build strong relationships with employees in the same organisation. Admittedly it can be argued that employees do not want to talk to each other but want to communicate with friends outside the organisation. But such an approach aims to bridge the gap between what they want and what is allowed.

The user base of the organisation is changing. A new generation of employee has arisen, whose use of technology and risk perceptions towards the information they disclose continuously challenge corporate policy. Is it not better to understand their needs and provide them with something that satisfies them (or at least appeases them), rather than handing them the 21st-century Rubik's cube: the 'challenge' of circumventing security controls?

Read more expert advice from the Computer Weekly Security Think Tank >>