October 18, 2004
Rob Enderle: Your Employees Are Your Worst Security Liabilities
Your employees are probably more of a security liability than asset. And it's your hindquarters on the line. Analyst Rob Enderle provides tips and web resources on how to maximize your most valuable security defense: the two-legged kind.
By Rob Enderle, the Enderle Group - As Published in Security Pipeline
Back when I did security audits, the vast majority of failures were due to human error. We gained access to confidential documents and systems, not through the use of some type of high technology spy gear but by looking in unlocked drawers for keys and passwords, listening to conversations in open places like lunchrooms, hallways and restaurants, and by pretending we were someone else on phone calls.
We got access to secure buildings by following others through doors and, generally, by going around, rather than through, security. We found that intimidating or confusing a $5 an hour outsourced security guard wasn't particularly difficult.
Executives who participated in security audits were better prepared for the outcome of those audits. Those who slept through the audits found themselves rudely awakened when their confidential documents and pictures (and yes there were some really interesting pictures) were presented to them in audit review meetings questioning their competence.
What was most apparent in these audits was that network security managers need to officially recognize that employees are the first line of defense.
Multi-Layered Security
To protect against attack we often refer to security as being multi-layered. Each layer reinforces the layer before and after it.
The system may have vulnerable components. In fact, often security systems have point failures designed into them. But they are virtually invulnerable as a system.
An unlocked office is an example of a security system with vulnerability built into it. The door is the first layer of physical security, and it is easily bypassed during the day. It's also easily bypassed at night, when cleaners leave the door open while they are working.
But while the door is open, the overall system is protected. PCs are secured by cables to desks, and networks are protected by authentication. If all security components are in place and functional, most thieves will pass on protected firms and hit someone else.
Employees are an essential part of this security system. Cleaning staff and employees need to be trained to challenge anyone in the office they don't recognize. I've personally seen situations where just the practice of challenging visitors was enough to protect the firm from theft. I've also seen situations where hardware, containing sensitive information, was stolen despite a massive attempt to secure it, because employees let strangers wander around the building unchallenged.
Perimeter Approach Outdated
Perimeter security doesn't work anymore. The airwaves are filled with rogue access points, and people are bringing infected laptops in and out of the enterprise. Employees are attaching keychain memory drives and iPods to USB connectors, and using those technologies to transport data onto and off the network.
In a typical company you have contractors and vendors working at almost all levels with easy access to information, materials, and resources. You are probably at war with employees who use desktop and laptop hardware in unsafe ways and install unapproved access points.
Your perimeter, regardless of the technology or physical security, is indefensible. If you were to suffer a loss, it's likely that your decision-making and expensive technology would be found wanting.
In short, your employees are likely more of a security liability than an asset. And it's your hindquarters on the line.
The New IT Metaphor: The Employee Is The First Line Of Defense
Security must start with your employees and there are a number of resources that can be used to get you where you need to go to protect your organization.
In the health care industry, security is core to HIPAA compliance, which has driven the need for security home to companies. The New Hampshire & Vermont Strategic HIPAA Implementation Plan provides compliance tools for issues including employee training. The organization even provides a draft Security Awareness Training Policy.
The Institute of Internal Auditors provides a massive report, "PC Management Best Practices—A Study of the Total Cost of Ownership, Risk, Security, and Audit," and it is probably the best $30 you'll ever spend if you want to keep your company out of the headlines. Another report, "Managing Desktop Security in an Insecure Environment," focuses on your Sarbanes-Oxley exposures, and both help you focus your resources.
There are a number of specialized resources that can help as well. Companies specializing in employee training include Digital Security Co., located in California, Santa Fe Protection Services, located in New Mexico, and Techguard Security, located in St. Louis and Maryland. There is a nice article on employee security training in the Technology Journal. Perhaps the most powerful training service is from Symantec, which is aggressively trying to be the Microsoft of the software security market and launched the Symantec Corporate Security Awareness program, with employees the primary focus.
Whichever path you choose, it is time to move away from the failed concepts of perimeter security and embrace the new world where security is everyone's responsibility.
Rob Enderle is an analyst specializing in emerging personal technologies. He heads the Enderle Group, and has been an IT analyst since 1994. He spends his free time building computers and playing with personal technology prototypes. He can be reached at renderle - at - enderlegroup - dot - com.