Our Product Marketing Manager, Aaron, and I had a watercooler chat the other day about taking a fresh approach to a corporation’s IT Security in the likes and regularity of spring cleaning. An approach like this would be ideal – you would have an up-to-date inventory of your hardware, you would have up-to-date software, and a complete 360 view of your organization. After completing what might be an onerous task, you would be able to identify the robustness of your environment, where your gaps might be, and where you have room to improve. In general, one might argue you would feel ‘in control’.
But is this enough to feel as confident in your IT security as you might feel in going to work and knowing that the lights are on, or perhaps your internet access works? The answer is not black and white. And please excuse my directness – stuff happens.
New threats, new technologies and the sheer creativity of the attacker force us to be prepared and knowledgeable, and to always remain on guard. It’s almost as if the magnitude of a breach is dependent on the most untechnical component – the human factor. I have been iterating throughout my contributions to SecureSpeak that at the end of the day, it is the people and their productivity we are protecting – not the technology. And, we must be respectful of that.
When we discuss the business requirement of implementing various IT security platforms, we are discussing and creating a strategy for something that must be taken for granted, seamless and un-interfering in the daily lives of your corporation’s resources. For example, how does data travel from peer to peer? Many organizations allow their employees – rather do not restrict their employees from using their own USB keys. Since these USB keys are extremely easy to purchase and not expensive, they fall under the umbrella of permissible devices, and overlooked when it comes to security. However, consider how easy is it for a USB key to fall out one’s bag, or even be borrowed by a son or daughter who wants to simply transfer a document from personal computers to print? Equally, for the more computer savvy resource, DropBox and Google Doc are free and extremely easy to use cloud platforms on which the user creates their own account, creates their own password, and feels confident that this is a reliable tool. But does the resource fully understand that these are extremely unprotected means of sharing data? Does responsibility really fall to the resource to be knowledgeable enough to know that password protected and encrypted are not synonymous? Or, is it the responsibility of the organization to ensure that the tools they use on a daily, weekly, or monthly basis are all safe and easy to use?
If your organization has adopted VPN or the use of tokens, or mandated monthly scheduled password changes, then you are already with some of the more advanced IT security practitioners. But before you jump into establishing compliance and regulatory guidelines procedures, consider this – too many companies haphazardly simply ‘check the box’ in hope of avoiding fines and monetary recourse. The bare minimum when it comes to compliance. When you purchase an Apple, you are forced to learn about their native encryption as it walks you through the process of securing your drive. Equally BitLocker is now included in Windows latest OS. Clearly device encryption is a feature of your home computer – so at the enterprise level should it not be taken as seriously, or diligently?
At the enterprise level, control, reliability, and flexibility are the three most driving requirements of security. You must be able to take control of your end-points, whether that is simply knowing how many end-points are out there in circulation, or knowing who is logging in and if they are logging in with authorized credentials. Your solution must be reliable and trustworthy – if it’s a government grade encryption – then it’s tested by the best, and used by the best. And, it must be flexible. In 2017, it is a limitation to provide your employees with only one type of machine and device – if people are different, should you not consider their individual needs and permit them to use the devices that allow them to be the most productive? And of course, have a solution in place to easily secure those?
Checking off a box is no longer an acceptable standard. Education is a must. Know that your hard work is protected, and demand that ‘spring clean-up’ occurs on a regular basis. It’s in the best interest of the company, and it’s comparable to knowing how to type in this day and age.