Whenever Possible, Take Security Out of Employees' Hands


A new survey from Cisco offers interesting, but not especially shocking, results. The big takeaway from the expansive survey -- it features input from 2,000 people in 10 countries -- is that intentional and accidental user actions are responsible for a good share of data loss.


More specifically, 20 percent of employees changed settings to bypass IT and reach unauthorized sites. Seventy percent used unauthorized applications. During the past year, the survey said, 40 percent of IT professionals dealt with the issue of employees visiting unauthorized sites. The survey provided many other results that followed these trends.


This leads to an inescapable conclusion: In any case in which it is possible, IT departments should employ default standards that take decision-making out of employees' hands. For instance, the survey said that 44 percent of employee devices were loaned to others. To combat this, companies shouldn't just tell workers that this isn't approved. They should employ biometric controls to directly confront the practice. Leaving security up to employees when another path exists is in almost all cases the wrong choice.


In most cases, IT departments will install and guide users on the security software on their machines. However, workers can sometimes find themselves on their own, such as when they are telecommuting or their employer doesn't have an IT department. Taken in this context, the Steganos survey described in this release is bad news. It paints the picture of PC users with little knowledge and/or little concern about what security software is installed on their machines. Thirteen percent, for instance, had no antivirus software and 9 percent didn't know whether they had any. Nineteen percent didn't know whether the machine had a firewall installed.


The primary goal should be to configure security to keep users out of the equation. The second step is to implement the best possible policy. There are a lot of good suggestions in this piece. Elements that should be used include 802.11 encryption, personal firewalls, strong access-point (AP) passwords, IP Security virtual private networks (IPSec VPNs) and 802.1x-based authentication. APs should be disabled when not in use, Service Set Identifiers (SSIDs) should not be broadcast, radio propagation outside the office should be limited and deployment of wireless local-area networks (WLANs) should be coordinated.


This is another look at putting together policies, but taken from a slightly higher viewpoint. The suggestions in this Citrix Community Blog post are more structural and less about individual technologies. The writer suggests limiting physical access to assets, separating duties between people wherever possible and only providing "least privilege" access. The final section defines good password creation. Again, we would add another step: Wherever possible, make the more secure setting or status the default.
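Taking the WLAN checklist above and the "secure by default" point together, here is an added example (not code from this post or from the pieces it cites) of an access-point configuration whose defaults are the hardened values and an audit that flags any deviation. The field names, the assumed site limit on transmit power and the password rule are illustrative assumptions.

```python
"""Secure-by-default AP configuration plus an audit against the WLAN checklist."""
from dataclasses import dataclass

MAX_TX_POWER_DBM = 15  # assumed site limit for keeping radio coverage inside the office


@dataclass
class ApConfig:
    # Only the name and management password must be supplied; every other
    # field defaults to the secure choice, so weakening it is a deliberate act.
    name: str
    admin_password: str
    encryption: str = "wpa2-enterprise"  # "open" or "wep" count as weak
    dot1x_auth: bool = True              # 802.1x-based authentication
    broadcast_ssid: bool = False         # SSID not broadcast by default
    enabled: bool = True
    in_use: bool = True
    tx_power_dbm: int = MAX_TX_POWER_DBM


def password_is_strong(pw: str) -> bool:
    """Assumed rule: at least 12 characters drawn from 3 of 4 character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 12 and sum(classes) >= 3


def audit_ap(ap: ApConfig) -> list[str]:
    """Return one finding per checklist item the AP violates (empty list = clean)."""
    findings = []
    if ap.encryption in ("open", "wep"):
        findings.append("weak or no 802.11 encryption")
    if not ap.dot1x_auth:
        findings.append("802.1x authentication not enabled")
    if ap.broadcast_ssid:
        findings.append("SSID is broadcast")
    if not password_is_strong(ap.admin_password):
        findings.append("weak AP management password")
    if ap.enabled and not ap.in_use:
        findings.append("AP enabled while not in use")
    if ap.tx_power_dbm > MAX_TX_POWER_DBM:
        findings.append("transmit power exceeds site limit")
    return findings


# Constructed sample configurations: a weakened AP and one left at the defaults.
WEAK_AP = ApConfig("lobby-ap", "admin", encryption="wep", dot1x_auth=False,
                   broadcast_ssid=True, in_use=False, tx_power_dbm=23)
DEFAULT_AP = ApConfig("lobby-ap", "Tq7#vL9!pX2mZ")

if __name__ == "__main__":
    for ap in (WEAK_AP, DEFAULT_AP):
        print(ap.name, audit_ap(ap) or ["clean"])
```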


There will be many cases in which the organization can't fully implement security standards. In these cases, employees must be willing and able to do what needs to be done. The emphasis, according to this Tech Republic piece, is on "willing." The writer suggests creating security awareness before instructing employees on what to do. Employees would then participate more enthusiastically, this thinking goes, if they more fully understood why protecting data and employing strong security will help their organization -- and protect their jobs.