IT Security Can Be So Inconvenient...
The onus is on IT to make sure security is as usable as possible while keeping danger at bay.
Balancing security and usability is not easy. IT security staff, when developing security implementations, can in many cases actually produce barriers -- barriers that end up compelling users to bypass security in the name of productivity and reduced frustration.
This, of course, flies in the face of security goals. The aim of IT security is to protect corporate information assets from insider and external threats, where the insider threats include negligence, poor policies, malicious behavior, and simple mistakes. It is about preventing problems, and about discovering problems and implementing solutions. IT can select from a variety of security products, both hardware and software, deployed on premises or in the cloud.
I have encountered people who believe they follow security procedures. But some of these people avoid certain security policies because those policies cause slow or blocked access to information and websites. Some blur the line between internal security policies and procedures and their private lives, and end up crossing the boundary. They may do so deliberately or through negligence. I know that when I worked in classified DoD positions, security was very important while also being inconvenient.
Some internal employees and contractors set up their own wireless LAN access points. Others use their personal technology for business functions, without a formal BYOD policy. I have even discovered rogue users of cloud services. In one case, a CIO learned of rogue cloud use by reading about it in a press release the cloud service provider issued! In another situation, a nurse using Skype video sent patient information between a remote clinic and a hospital, against HIPAA rules.
In an information security trends study, CompTIA found that "companies are not fully addressing a critical component to IT security: IT security skill levels within IT departments and IT security education for the entire workforce." More than 55% of the companies participating in the study cited human error as the primary cause of their security incidents, while only 45% cited technology error (see my related post, Security Mistakes: Technology or Behavior?). The conclusion is that internal staff and contractors are a primary source of security incidents.
Keeping Workers Involved
IT, therefore, needs to monitor workers to ensure they are following security policies and procedures. Monitoring technology must continually look for unauthorized and rogue devices on the network (unknown hosts, known hosts turning up where they do not belong), and capture information about improper behavior.
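One simple form of the rogue-device monitoring described above is an inventory diff: take what the network actually sees (an ARP table, DHCP leases, a switch MAC table) and compare it against the asset inventory. The following is an added example written for this page, not code from the original post or from any product it mentions. The inventory, the `arp -a`-style lines, and the MAC/IP values are all constructed sample data; the checks it performs are assumptions about what a first-pass monitor would flag.

```python
"""Rogue-device check: diff observed hosts against an asset inventory.

Added example; the inventory and ARP lines below are constructed sample data.
Input format assumed: one host per line in Linux `arp -a` layout, e.g.
    ? (10.10.1.23) at aa:bb:cc:00:00:02 [ether] on eth0
Any source that yields (ip, mac) pairs can be fed to find_rogues().
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed inventory: MAC -> (asset name, subnet the asset is allowed on)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("file-server-01", "10.10.1.0/24"),
    "aa:bb:cc:00:00:02": ("printer-floor2", "10.10.1.0/24"),
    "aa:bb:cc:00:00:03": ("laptop-jsmith", "10.10.2.0/24"),
}

# Constructed observations in `arp -a` format (hypothetical hosts and addresses)
OBSERVED = """\
fileserver01 (10.10.1.5) at aa:bb:cc:00:00:01 [ether] on eth0
? (10.10.1.23) at aa:bb:cc:00:00:02 [ether] on eth0
? (10.10.2.77) at aa:bb:cc:00:00:03 [ether] on eth0
? (10.10.2.90) at de:ad:be:ef:00:01 [ether] on eth0
? (10.10.9.4) at aa:bb:cc:00:00:02 [ether] on eth0
"""

# Matches "(ip) at mac"; MAC is six colon-separated hex pairs (17 chars)
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    reason: str


def parse_arp(text):
    """Yield (ip, mac) pairs from arp -a style lines; MACs normalised to lowercase."""
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def find_rogues(observed_text, inventory):
    """Return findings for hosts that are unknown, misplaced, or duplicated.

    Three checks (assumed heuristics for a first-pass monitor):
      1. MAC not in inventory            -> unknown device
      2. known MAC outside its subnet    -> asset plugged in where it should not be
      3. one MAC at several IPs at once  -> possible cloned MAC; review manually
    """
    findings = []
    ips_by_mac = {}
    for ip, mac in parse_arp(observed_text):
        ips_by_mac.setdefault(mac, []).append(ip)
        entry = inventory.get(mac)
        if entry is None:
            findings.append(Finding(mac, ip, "unknown device: not in inventory"))
            continue
        name, subnet = entry
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(subnet):
            findings.append(
                Finding(mac, ip, f"{name} seen outside its assigned subnet {subnet}")
            )
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(
                Finding(mac, ",".join(sorted(ips)),
                        "one MAC at several IPs: possible cloned address, review manually")
            )
    return findings


if __name__ == "__main__":
    for f in find_rogues(OBSERVED, INVENTORY):
        print(f"{f.mac}  {f.ip:<22} {f.reason}")
```

Run against the constructed data it reports three findings: the unknown `de:ad:be:ef:00:01`, the printer appearing on `10.10.9.4` outside its `10.10.1.0/24` assignment, and that same printer MAC at two IPs at once. In practice the inventory would come from the asset database and the observations from a scheduled collector, and each finding would be logged with a timestamp so that the "improper behavior" record the post calls for exists when an investigation starts.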
This is where training becomes important. Producing a return on investment for user security training is difficult, but the training investment is a must. And the training must be ongoing.
As a best practice, I suggest that IT send users a security terms and conditions notification once a quarter. This notice should contain a series of statements or questions the user must answer, not just an "I agree" box to check. The statements and questions need refreshing each quarter so that the user cannot simply reuse the last version he or she has stored away. This quarterly reminder serves not only to re-educate, but also to reinforce the security policies and procedures, and it makes it harder for a worker to plead ignorance.
Of course, IT security comes with a cost -- even if most employees do not know the cost or consider the cost just part of doing business (see a related post, Cyber Crime Economics). The costs include:
- Security staff
- Hardware and software
- Monitoring for problematic behavior
- Discovering unauthorized/rogue devices
- End-user time spent supporting the security discovery and analysis
- Investigation of real and imagined security breaches
- Reduced or blocked productivity
- Loss of revenue and profit
- Legal actions and penalties
One major financial institution spends $250 million per year on security and still encounters unanticipated problems.
Hunting Down the Culprits
When a security issue surfaces, the work to discover, analyze, repair, and prevent the problem or problems generates considerable effort for the IT, security, and user staffs. These three No Jitter posts can help in learning what needs to be done during a security investigation:
- Digital Investigation Dos & Don'ts
- Collecting Internet Evidence, Part 1
- Collecting Internet Evidence, Part 2
Not only will the investigation affect several budgets, but it may also delay ongoing projects.
A security incident is an embarrassment for everyone from the C-level executives on down, as well as for stockholders and customers. Regaining a good reputation may take years, and will not come for free. The marketing department will have to expend effort to spin the problem to the satisfaction of the customers. Sometimes the C-level executives are so concerned that they intrude on the investigation and cause more problems. Finding the problems and implementing solutions quickly can reduce or even stop C-level intrusion.
Formulating a Plan & Execution
The most critical piece of any plan is validation. Do not assume that your approach is best. The approach should be the result of a group effort involving technical IT and security staff, plus non-technical marketing, sales, financial, and production personnel. Sometimes the non-technical participants can have insights that elude the technical staff. Plus, including non-technical departments makes for an easier time of getting user buy-in compared to when IT dictates a solution.
Consider these factors in your planning:
- Look for high-value assets most in need of protection from legal, compliance, and business perspectives.
- Understand what requirements the business needs to satisfy to be successful. Security controls must not prevent the business from meeting them.
- Design a security strategy that meets the business goals while implementing a reasonable level of security.
- Have users help validate the solutions, then fine-tune the resulting design.
- Remember, you are never done. New security problems will surface while old ones may re-emerge. Technology continues to improve. Even the best design must be periodically revisited.
In its study, CompTIA also discovered that companies want to improve their security skill deficiencies. The deficiencies cited include cloud security (cited by 58% of respondents), mobile security (48%), data loss prevention (46%), and risk analysis (35%).
Security without business is meaningless. Business without security is a problem waiting to explode.