Given the numerous security breaches that have been reported in recent times, the need to secure and protect corporate networks and sensitive data is becoming increasingly clear to senior management. That development is certainly a welcome silver lining to the dark cloud of network compromise, as it facilitates the enactment of stricter security policies and the deployment of tools such as intrusion detection or identity management systems.
Unfortunately, these measures often fail to deliver the added security, or the immunity to unauthorized access, that they promise. One contributing factor is certainly that security measures are often implemented piecemeal, leaving gaping holes in place. Simply installing an intrusion-detection system at the primary Internet gateway to increase monitoring capabilities, while helpful, will not eliminate exposure to potentially harmful attacks unless other necessary precautions are also taken, including hardening web/database servers and host operating systems, and restricting internal access to sensitive information.
Another, and often more common, reason that security measures fail to provide real protection is that employees of an organization are not made aware of the security policy, or of what they need to do to comply with it. Firms often neglect this step, or skip it completely.
Sometimes information security departments try to force security measures on end users, attempting to use technology to achieve compliance. For example, rather than training users to use strong passwords and protect them, IS departments use tools that force all users to follow the password policy—but these tools do nothing to stop users from writing down their passwords or sharing them with colleagues. Employing user provisioning tools to implement access control throughout an organization can help restrict users to only the information they're authorized to view. But these tools can't stop users from being careless with documents once in hardcopy, or prevent them from keeping insecure copies of the information in their machine's cache.
For employees to change their activities, they must be convinced of why being more security conscious is important. In other words, beyond being able to say that being hacked is an unwanted occurrence, do employees really know the potential consequences of an outsider having access to the organization's data? There's no reason to assume that a given employee would have this understanding—especially if he or she is not privy to the full spectrum of information the organization maintains. And if your employees don't comprehend the consequences, you can't expect them to adopt security measures thrust upon them.
Users must understand that the actions they perform have an impact on the firm's security posture that in turn affects the firm's bottom line and their own job security. Cases such as these exemplify the need to make all employees and end users aware of the need for security and to train them to do their part in securing the enterprise.
Wednesday, December 10, 2008