No matter how much money your company spends on security solutions, your most important defense is almost always the vigilance of your own team. The errant click on the malicious link and the thumb drive found in the parking lot carrying malware have become almost cliché in this day and age. But the knee-jerk reaction can still be, “Somebody dropped their memory stick, so I’ll plug it in, see who it belongs to, and save the day for whoever lost their data.”
These exploits are designed to look legitimate, so that people act before they think. It can happen to any one of us in a moment of weakness — and I want to make sure I’m on the record with this merciful attitude in case it ever happens to me!
In addition to technology solutions, most Trusted Advisors are likely to recommend that companies require their employees to attend IT-security-related educational programs. A number of companies already require such participation on an annual basis, frequently in the form of a third-party-designed webinar that focuses on human behaviors such as recognizing the characteristics of a likely phishing attack. How effective these initiatives are is somewhat debatable, but most experts agree that if they prevent even one person from compromising the IT infrastructure, then at least some value has been delivered.
“User education is critical to preventing phishing attacks, but you have to assume that you’re not going to get 100 percent effectiveness across your entire user base,” said Lee Pallat, vice president of cloud and security strategy at Stratacore, an IT consulting broker based in Seattle. “The phishers are getting more and more sophisticated, so even a well-educated user can fall victim to a well-crafted spearphishing campaign. So, it’s just as important to put some additional email security in place to either sandbox URLs or provide that extra layer on top of what’s already available.”
While security technologies can go a long way towards protecting your company, a comprehensive education campaign for employees is almost always the necessary next step.
There is one other important “people” aspect of IT security worthy of consideration. While security professionals play a crucial role in protecting the company and its data assets, they are often viewed by their colleagues in a less-than-favorable light.
“There’s a battle between the security and the operations people because security tends to make things more difficult, and Operations’ goal is to get things done,” said Ben Thornton, CTO of Opex Technologies, a Trusted Advisor that offers managed security and “SOC”-as-a-service. “The security guys are seen as the ‘no’ guys. So we try to find out what their concerns are, change that impression and accomplish security goals in less obtrusive ways. This helps to build credibility and good will with other groups within the company. This way, when you do have to say no about something, they don’t just try to work around you. They need to see that you have solid reasons. Don’t be the ‘no’ person or the ‘yes’ person. Be the ‘solutions’ person.”
Both technically and sociologically, effective IT security requires a balance that provides solid defense while also allowing your people to do their jobs with minimal obstruction. The exact location of that balance point depends on a variety of factors, including the nature of your attack surface, the overall value of the assets you are trying to protect, and your relative speed of business. Your Trusted Advisor can help you determine how to keep your business safe while also enabling you to focus more fully on your value proposition and the needs of your customer.