Opinion by Douglas Schweitzer
OCTOBER 17, 2005
So, you have the best firewall, intrusion-detection and antivirus
systems technology has to offer. Yet, despite your Fort Knox
approach, you're still hit with security breaches and the occasional
malware du jour. One reason for this may be the lack of motivation by
your workers. Unlike owners, they don't have a direct interest in the
success of the company. Or do they? How far are they willing to go to
ensure corporate success?
Usually, not very. In fact, in most cases, they don't put much
additional effort into executing their duties -- just enough to get
the work done and retain their jobs. According to Ken Shaurette,
information security solutions manager at MPC Technology Solutions,
however, "a too-often overlooked way to improve these attitudes is to
include information security in the job descriptions of employees."
When your organization makes security awareness and policy compliance
mandatory, the apathetic trend can be reversed.
When management requires security policy compliance to be a key part
of an employee's job, interest is generated. An added benefit is that
security becomes part of the corporate culture. With performance
reviews (hence, possible raises) looming periodically, employees are
more apt to fit compliance into their daily routine. Knowing that
they're being graded encourages employees to comply with policies.
Shaurette encourages employers to include a wider cross section of
employees in the interview portion of security assessment and in
compliance reviews. These additional personnel will automatically gain
a better awareness of security issues simply as a result of their
exposure to security professionals. Not only will they add their input
as to what data should be gathered for analysis, but they'll also come
away with a better appreciation of the need for assessments. When
they're a part of the compliance review, employees "will get a sense
of ownership of the final results from the assessment," says
Inclusion alone won't always solve employee-apathy problems, however.
Here are some other ways to reduce security risks created by employees
who just don't care.
Monitoring. One solution that maybe isn't palatable but certainly is
effective is employee usage monitoring. Tracking employee PC use can
result in negative repercussions for the company, but it's one sure
way to establish control over the network. Monitoring needs to be
carried out in such a way that employee dignity is protected -- a
daunting task because few tools are available to automate the process.
"Doing the monitoring can become a very heavy administrative burden or
require many application modifications that are often not even
possible because applications are vendor-maintained," says Shaurette.
Restricted access. Limiting or retracting network access can also
reduce (if not prevent) the impact of employee apathy, according to
Simon Heron, managing director of Network Box. With the IT manager in
control, "signatures for antivirus and antispam can be pushed to the
gateway and to the desktop from central company servers," says Heron.
The manager is in control of downloading the signatures, and the
manufacturer can push software updates onto the gateway to ensure that
it's up to date. "This means that the apathetic employee can't get in
the way of updating their systems; it takes them out of the equation,"
Unified threat management. Heron points out, however, that limiting
access may not prevent infections altogether. Therefore, many
organizations are turning to unified threat management systems.
Deploying this type of technology restricts employee access to the
Internet for browsing and using e-mail and instant messaging
Endpoint security. It's important to realize that careless use of
endpoint devices like laptops and handhelds is one of the biggest
causes of compromised security. Recent surveys have found that --
because of outright ignorance of or, even worse, apathy toward
security -- roughly a third of users don't even bother using password
protection on their devices. This, of course, leaves data vulnerable
to hackers and other opportunists, especially if the devices are lost
or stolen. Moreover, remote users and mobile workers have been known
to pick up viruses and worms on the road, then infect the corporate
network when they return to the office.
It's imperative that endpoint devices be checked for compliance with
your network security policy. Mandate that all endpoint devices have
the latest patches and antivirus software. In addition, your policy
should restrict the use of file-sharing and peer-to-peer applications
and require certain operating system, browser and application security
Douglas Schweitzer is a freelance writer and Internet security
specialist in Nesconset, N.Y. He can be reached at dougneak at
InfoSec News v2.0 - Coming Soon!