Saving Users from Themselves

by Jim Fulton

Even with the strongest technology safeguards in place, in many cases, IT administrators still only have a limited amount of control over what their users do over the Internet. They'll go to unknown Web sites, open e-mail and attachments that might contain dangerous content, and sometimes even upload files or data into webmail or blogs. They'll download unauthorized digital music. Mobile users might turn off their firewall or antivirus software in order to connect in from the field.

With the advent of spyware and adware, all users have to do is go to a website - even a corporate approved website they go to in the course of doing their job -- and in doing so, unknowingly download some sort of malware. In the best-case scenario, valuable IT resources are spent cleaning up, re-imaging and patching infected or dirty systems. In the worst-case scenario, the broader organization is put at risk for data theft or compromise.

Users aren't always to blame for the problems that browsing and e-mail bring. Hackers are giving way to professional criminals who are using increasingly clever tactics to steal confidential information and infiltrate private data. It's no wonder that the security arms race is never-ending. However, be that as it may, it is the responsibility of the organization to ensure that users remain safe and don't place themselves or the organization at risk in the course of doing their job.

Add into the mix that Internet and e-mail communications are, more than ever, essential to getting the job done in today's business world. Employees and the organizations they serve have come to regard Internet access and email as a necessity -- meaning that imposing heavy restrictions doesn't necessarily serve the needs of the company. In fact, such restrictions can become more of a hindrance than an asset, creating a drag on productivity and ultimately, the bottom line.

And let's not forget the increasing mobile workforce - more laptops, telecommuters and remote access means more vulnerability to the enterprise. While these improvements all allow for greater productivity and collaboration, they also create an increasing checklist for security.

The challenge becomes even more onerous for small and medium-size businesses. With scarce resources and significantly less IT infrastructure than large enterprises, SMBs often have little or no time to manage and configure every desktop, let alone establish and enforce strict security policies. Unfortunately, however, IT security is like a boat: it takes only one hole, anywhere, to sink it.

The reality is that for the most part, users are unaware, uneducated or frighteningly unconcerned of these risks and their associated consequences. Need proof? Recent findings from the Deloitte Touche Tohmatsu (DTT) 2005 Global Security Survey found that the increasing sophistication of threats (63 percent) and the lack of employee awareness (48 percent) contribute to an environment of exploitable vulnerabilities and weak operational processes.

It's no secret that an effective strategy must include provisions for people, process and technology. And no matter the size of the company, regulations and internal compliance also affect the way that IT operations are managed.

The trick is to understand how to map the right technology and processes to the people. The growth of mobile and remote workforces along with the need to make electronic assets available to business partners and customers has made obsolete the idea of implementing security technology to create an impenetrable virtual fortress. Attackers have learned to sneak through, disguised like legitimate content and applications.

Today, IT security is becoming more and more like that in a hotel. There are guards at the door keeping obvious threats out, but rooms are always kept locked, safes are sometimes put in the rooms and guests are warned to be aware of what's happening around them.

Those responsible for managing IT security must not only consider how to protect the company's assets, but to enable the mission of the organization safely and conveniently for users. Without convenience, users are tempted to look for bypasses which inevitability becomes a problem. Similarly, it is easier to recognize the habits of the user base and adapt to them rather than imposing radical changes or policies.

While there is no silver bullet for IT security, IT administrators should demand strategic accountability from their security vendors. Vendors should be on the hook to create technologies that take the reality of user behavior into account to effectively mitigate risks and fit within the operational network environment. This isn't to say that vendors aren't stepping up to the plate - there is plenty of innovation happening. But it's not so much about building a better mousetrap. Better security is not solely about a multi-functional security agent, having more signatures, more scanning, or a completely locked down desktop. It starts with changing the way you think about security in the first place.

In the end, smarter "proactive" solutions that complement the cultural and social elements of how users actually interact with the Internet will streamline processes and support people's effectiveness to do their jobs. Such an approach will also free up security managers to think and act strategically because they are no longer dedicating all their time to repetitive, tactical (yet essential) activities, such as cleaning, re-imaging dirty machines or patching. Once this recalibration of people, process and technology occurs, security managers will truly be able to save users from themselves.

Additional Information
Outsmarting the New Malware

Maintaining Email Security and Availability

Securing the Information Workplace: Managing Threats to Enterprise E-Mail, IM, and Document Sharing Environments

About the Author
Jim Fulton is Vice President of Marketing for GreenBorder.

Article © Copyright 2006 GreenBorder Technologies, Inc. Used by permission.