Biggest security threat? Your users

How to protect against naive, careless or malicious users

Whether it is the FBI's sheepish acknowledgement that at least 10 of the 160 agency laptops that have gone missing in recent years contained "sensitive or classified information" or the drama of retailer TJX's February admission that the incident that put its customer credit card information in the hands of thieves impacted more people than originally thought, security incidents keep making headlines and vexing organizations.

Unfortunately, even the best security technology in the world can't completely protect a company from the biggest vulnerability it has -- its own end users. Security researchers repeatedly label end users the biggest threat to enterprise security. Unlike applications that can be patched or systems that can be hardened, end users -- whether through naivete, carelessness, or malicious intent -- continue to expose IT resources to serious security threats.

"Security is fundamentally a human issue," says Scott Crawford, an analyst at Enterprise Management Associates in Boulder, Colo. "Human nature can be totally unpredictable, so when it comes to IT, the risk posture changes every day."

And as enterprise data becomes more portable and thus more vulnerable to an evolving list of threats, both the dangers and the costs associated with these risks continue to rise. Companies face serious economic consequences from data breaches that can damage their reputations and result in remediation expenses, fines and other costs.

A study conducted by the privacy think tank the Ponemon Institute and funded by security vendors PGP Corp. and Vontu Inc. pegs the cost of a breach at an average of $182 per lost or exposed record. And costs can rise beyond that, depending both on the business the breached company is in and how critical the records are to that organization. For example, data aggregation vendor ChoicePoint Inc., which delivers risk management and fraud information to clients in the insurance industry and other fields, watched its market capitalization plummet $720 million after news that 145,000 consumer accounts were compromised after a breach of its systems.

But while safeguarding networked information in a time when data is so mobile is a challenge, businesses that apply the right security techniques and technologies can successfully protect their resources. This starts with having the best first line of defense possible: an effective set of enforceable enterprise security policies that address how and by whom information should be accessed, stored, transferred and handled. Organizations need to communicate policies to staff members, contractors and partners that have access to this information.

A culture of control

"What you want to do is create in your organization a culture that has security in its core," says Robert Lerner, an analyst at Heavy Reading, a New York-based market research firm. "When you create that, you immediately have a much more secure organization."

Lerner says communicating the policies that control all points of data contact -- both incoming and outgoing -- is really what forms the foundation of this security-focused culture. To be effective, these policy communications need to be ongoing, rather than just a one-time monologue that takes the form of a page in the manual staffers receive on their first day and never review again.

In reality, security education and continual reinforcement of policies and procedures can turn out to be the most powerful weapon businesses have to protect themselves. Lerner says organizations that institute, communicate and enforce effective security policies not only can minimize the risk of data loss or exposure but also can potentially eliminate the need for some costly security products.

"Technology isn't going to solve everything," Lerner says, "But that doesn't mean you can't supplant technology with other controls -- human controls -- to secure your organization."

Yet some businesses still balk at putting the proper focus on making IT security policies a priority. There are myriad reasons for this hesitation, including the fact that many businesses have thus far escaped major damage from a security breach.

However, many organizations are simply overwhelmed at the prospect of setting corporatewide IT security policies to protect data that quite literally travels both within and outside the firewall. With end users moving data across the enterprise network and the Web, on laptops and other mobile devices, and to printers and storage devices, IT security policies have a daunting amount of ground to cover.

Laying the foundation

But analysts say that organizations don't necessarily have to boil the ocean to conceive and execute successful security policies. Instead, companies can take a pragmatic view of IT security that gets them started on the road to defining policies based on protecting their highest-priority and most-vulnerable assets.

Crawford suggests that one route companies can take is to determine which information would put the business at risk if it were abused or stolen and then outline policies for safeguarding that data.

He recommends that companies create a sliding scale of security policies based on categories of information. The stringency of the data-handling policy for a particular category would depend on the sensitivity of the information in that category.

Only a few categories are necessary. "You don't have to have hundreds or thousands of elaborate categories for an information or data security policy to work," Crawford says.

Information that could be publicly disclosed without putting the business at significant risk would require no special handling.

Information that, if breached, would have an impact but not a serious impact might require only minimal controls.

Data records that, if compromised, would have a serious impact on the company and thus should never be publicly disclosed, should be subject to very special control policies. And finally, information that should only be confined to the company should be locked down completely.

Businesses can then outline policies in accordance with these categories. For instance, they might require that data that needs maximum protection must be encrypted and stored only on hardened systems.

Educate and enforce

Of course, the best conceived security policies are useless if end users don't adhere to them and if the business can't enforce them. Thus, success depends on the security organization's ability to educate employees, contractors and partners that have access to corporate IT resources. This should involve a combination of written and oral communications that come both directly from the security organization and from supervisors.

Automation is another critical tool for enforcing security policies. Whether it's something as basic as removing the manual work associated with distributing antivirus software updates to end user computers or something as sophisticated as restricting what data can be printed or stored on a USB drive, Crawford says that without automation, the task of administering corporate security policies becomes unwieldy.

There are a number of categories of security systems that can play vital roles in policy enforcement, including established technologies such as encryption and cutting-edge options such as information structure and classification management tools that identify information records and take the actions the applicable policies require to protect them.

Yet even though systems such as these can help organizations improve information security, there are many organizations that are behind the curve when it comes to setting and carrying out security policies.

"I am appalled. I don't think things have really changed even after all the high-profile losses," says Heavy Reading's Lerner.

He suggests that companies that don't enforce solid security policies are playing roulette with their most important commodity -- their data -- and their futures. He says that companies that wouldn't operate without a firm policy on Internet use also need a set of policy definitions to guide end users and administrators on how to handle corporate information.

"The cheapest thing you can do to protect your information is to hold employees accountable," Lerner says. This not only provides the organization with a fall guy to point to if something goes wrong but also provides the guidance employees need to use technology more wisely and handle data more responsibly, he explains.

The result: Companies can lower their risk of exposure and maintain a more protected and productive business environment.

Amy Larsen DeCarlo is a freelance writer with 14 years of experience covering business and technology. She has held staff positions at a number of publications, including Data Communications and InformationWeek. She has also served as an analyst at two firms -- Enterprise Management Associates and Current Analysis.
