Secure Behaviors Beat Secure Technologies Every Time
BackBy Carmi Levy — October 2008
There’s a certain appeal to buying the latest and greatest firewall, the world’s best virtual private network (VPN) and the ultimate anti-malware package. After all, the companies that developed all these products hire only the best security minds in the business. Their offerings are second to none, and they’ll doubtless let you sleep at night, knowing that your IT infrastructure, your data and indeed your company and its clients are perfectly protected against the latest security threats.
It’s a nice ideal. Too bad it all blew up when Martha from the accounting department copied an unencrypted database onto a USB thumb drive to catch up on some work at home, and the USB disappeared from her briefcase somewhere on the subway.
The scenario is all too familiar: Companies invest deeply in leading-edge security technology, only to have it unravel due to human error. If security is going to work, employee behavior needs to be front and center when IT builds out its security road map.
That’s easier said than done in the world of enterprise IT, in which intangibles such as processes and policies often take a back seat to stuff you can buy and install. It is, after all, easier to build a business case for something you can see than for something you can’t. Plus, getting everybody on-board with security can be a challenge, as most employees — whatever their level in the org chart — tend to see it as a hindrance to productivity.
But as an IT professional, you can get everyone on the security bandwagon — you just need to give some structure and guidance. If you don’t already have the following in place, it’s never too late to get started:
- “Acceptable use” policies: Define in writing proper and improper behaviours, and make sure every employee signs off on them. Have specific acceptable use policies for Internet use, mobility, e-mail/instant messaging, external devices and removable media. Ensure they emphasize the right behaviours — using secure VPNs and trusted wireless access points while traveling, for example — and specifically outline what is not allowed, such as using unsecured, Web-based e-mail services for company-related work or shuttling data on personal USB drives.
- Incentives and consequences: Documenting what’s in and out of bounds is a great start. But what happens if employees cross the line? If there are no consequences for breaching security, then your policies have no teeth. Work with HR to outline incentive programs to reward employees who play by the rules and impose penalties on those who don’t. It need not be onerous, but it should be visible. Integration into performance management ensures ongoing compliance and reduced risk of deliberate and inadvertent exposure. Market your successes internally to further drive retention and adoption.
- Training: Security is a complex, fast-moving area that easily can overwhelm even the most motivated employees. Include security-specific training in your ongoing educational programming. Effective training ensures users don’t just make up processes that suit them, reduces the risk of a breach and positions your people to get more out of their technology. Maintain this effort over time, and make all training material easily available online.
- Accountable personnel: Every company needs at least one person to be responsible for implementing and developing security-specific policies. Even if your firm isn’t large enough to justify a full-time chief security officer, consider implementing a part-time role to maintain security visibility over time.
When coupled with appropriately secure technologies, these behavioral tweaks create a security-minded culture that can identify areas of risk sooner. As the bottom-line costs of security breaches continue to skyrocket, companies of all sizes and in all sectors need to make these investments to minimize their exposure. Fortunately for them, behavior-based improvements to security infrastructure are relatively inexpensive and straightforward to implement.
Martha from accounting certainly would approve.Carmi Levy is a technology journalist and analyst with experience launching help desks and managing projects for major financial services institutions. He offers consulting advice on enterprise infrastructure, mobility and emerging social media. He can be reached at firstname.lastname@example.org.