It shouldn’t come as a shock that in a recent CIO.com study, What Keeps CIOs Awake at Night, security planning is listed as the lowest priority for budget cuts in 2015. Here’s why: it seems that every time I turn on the global news, I am hearing about yet another security breach or cyber-attack. Whether it is Sony, which was hacked, releasing thousands of emails, or Morgan Stanley, where a rogue employee allegedly stole account information for the wealthiest 10% of clients, security – or the lack thereof – is a hot topic.
Security – Playing the Odds
Security risks vary in source, size and breadth, leaving organizations to ask, “What security breach would do us the most damage? And how can we either prevent it, or mitigate its impact?”
Security investments are traditionally about playing the odds: it’s an endless game of “what ifs.” So to help you determine where to invest next, I’m going to share with you what I believe are five security “truths” – just some things for you to consider as you continue securing your increasingly digital workforce. This blog series is a complement to our recent whitepaper…
Now let’s get started with truth #1…
Security Isn’t Just About Things. It’s About People.
An ITIC Security Deployment Trends survey discovered that “80% of survey participants said the carelessness of end users poses the biggest threat to organizational security.” I find that in many organizations there is big investment in building firewalls to protect the IT infrastructure, securing desktops with anti-virus software, and other defenses against hackers who are targeting physical devices. But isn’t it even more vital to secure against the very thing that generates the most risk?
How about people? That’s right. Your own fellow workers just might be your Achilles’ heel.
Think about your own home for a moment. You can have the best home security system, video cameras at every key vantage point, and the most impregnable locks money can buy. But what if your kids don’t set the alarm when they leave home? And can you be certain your house cleaner doesn’t share your garage door code with anyone else? What happens to all that security when simple human carelessness intervenes?
You’ve got the same problem in your organization. Employees share passwords while trying to “do the right thing” and save the company a few dollars on software licenses. People are temporarily granted elevated privileges for a specific project – but their rights are never revoked. Employees introduce malware by opening executable files they think are printer drivers or “safe” software.
It Starts with the Best of Intentions
All too often – while your fellow workers may have the best of intentions, and are just trying to get things done faster and more cheaply – they’re putting you and your company at risk through sheer carelessness. And with the workforce becoming more mobile and more independent (after all, consumer-oriented cloud solutions are just a credit card away), your risk of exposure is growing by the minute. Employees don’t think about security first. They think about business productivity and their own individual performance.
How People-focused is Your Security?
So how are you securing your organization from your people? And are your current measures good enough? Here are a few questions to think about:
- How many people have full administrative rights over their workspaces?
- Do we whitelist the sites our employees visit or the executables they open?
- Are there limitations on 3rd party devices (like USB drives)?
- When someone leaves the company, is their access to services and apps revoked? Immediately? Even from cloud-based services?
- Can people access privileged apps and information from any device, from any location, and with any Wi-Fi connection? How about from that Starbucks down the street, for example?
These questions will help point to gaps in your security – gaps that can be created by any one of the people who pull into your office parking lot each day. So ask yourself: can I protect my organization from my fellow workers in each of these scenarios?
When it comes to security, “people first” doesn’t mean “let them do what they want.” But it doesn’t have to mean “lock them down” either. Soon we’ll take a look at truth #2: Security can’t come at the cost of user enablement. And that’s when the need for the organization’s security can come into serious conflict with that most basic of organizational imperatives: productivity. Join me next time for that blog post. In the meantime, you can always read more about securing the user at www.ressoftware.com or by following Security on the RES Software blog.