Taking the complexity out of IT security

Wisegate, a membership body for IT professionals, recently polled a group of its CSO members to see what they thought the top threats facing businesses would be in 2013. Among the most prominent vulnerabilities were ones that IT security managers have been warning about for years, such as the dangers associated with bring your own device (BYOD) policies and the proliferation of social media and cloud computing.

Despite the threats posed by hackers and other outside elements, it is generally an organization’s workforce that poses the greatest risk to network security. It’s not that a majority of these insiders have malicious intent, but rather a lack of awareness about how usurping what seems like the smallest security procedure can lead to devastating consequences.

"It needs to be ingrained in all of us of what’s right, what’s wrong, what’s okay to do and not okay to do, and the consequences that could result to the company and you," said Steven Lentz, a member of Wisegate who serves as security manager for Samsung Research America-Silicon Valley. "Possible termination or even being sued depending on what (is compromised), or if it’s a government, you could go to jail because of it. I think we need to highlight these areas a little bit more to get the awareness out there because no matter what, we always hear people are the weakest link and that’s still true."

One thing that Lentz said people can do immediately to improve their security posture is create stronger passwords. Ironically, Lentz says even when stronger passwords are implemented throughout an organization; top executives sometimes still want exemptions.

"They want easier passwords, they don’t want to use uppercase and lowercase, whatever it is," says Lentz. "We can’t keep allowing these guys to have exemptions because who has the most critical data that could be leaked? It’s not me, it’s an executive. We’ve got to really educate these guys, get them onboard with us on security awareness at all levels so we don’t have any of these backdoors."

According to Lentz, the reason many people turn to taking shortcuts or using unapproved applications is because IT has made the security environment so complex.

"We’re putting too much complexity into these systems," says Lentz. "A lot of us have tools in place that we can leverage… they just may need to be configured correctly."

Rather than putting so many resources into preventing employees from taking shortcuts, Lentz believes companies would be better served to create a comprehensive security awareness program.

Lentz says the key to building one of these programs at your business is about more than giving a monthly or yearly speech to employees on the importance of following procedures, but having a "distinguishing factor" that sets you apart from others in the organization so that everyone knows about security or is at least reminded of it. For example, Lentz said he wears a Hawaiian shirt to work everyday of the year without exception.

"There’s so many employees that I don’t know everybody, but I guarantee everyone knows me," he says. "I talk about ID badges and not holding the door open for somebody unless you see their ID badge. I will be walking in and someone holds the door open and they say 'see Steve, I’ve got my badge.' I don’t know who they are, they may be a new employee, but they remembered that because they remember my signature shirt. You see me walking around with these colorful shirts and maybe that gives you that afterthought or second thought about 'maybe this isn’t the right things to do' or 'oh, I meant to ask Steve about this.'"

Regardless of what people in security can do to build awareness, however, Lentz said that companies themselves still have to take these risks seriously.

"There are a number of companies that still do not have a head of security," says Lentz. "A lot these companies, what they’ll do is have an IT person that does (security) part time. You can look at any IT shop, they’re already understaffed, and they’re just busy doing other things… so they’re just going to do the simplest thing. You have to have a dedicated security staff."

It’s astounding to me that so many organizations haven’t woken up to the security realities of the 21st century. While cyber criminals and various "hacktivist" groups like Anonymous are a serious threat, more often than not, it’s the careless employee who is responsible for data leakage or the infection of the network with a virus. Just last week, we reported that two U.S. power plants were infected with malware as a result of the use of infected USB drives. In one of the incidents a power plant employee was to blame, while the other was caused by a third-party technician. These types of network intrusions will continue until both companies and their workers take responsibility for cyber security.