Security Policies – are they working for you?

jahlberg

My guess is that if you are like most users, the answer will be no. I have a mantra that I often repeat: “just because you can do it does not mean that you should do it”. It applies to many things in technology, but is anyone repeating it when creating security policies? I say this in the context of security policies needing to work for the policy issuer (e.g., a corporation, government, or school) and, more importantly, for the end users.

Unfortunately, I hear all too often about security policies being implemented that make it very difficult or almost impossible for end users to get their jobs done. Why is no one looking at these policies from the end user's perspective to arrive at a policy that works for both constituencies? When this doesn’t happen, there are consequences, because users HAVE to get their jobs done and WILL find ways around the policy.

A recent example of this was someone who works for the government. You would expect a stricter than normal security policy scheme at a governmental agency, but some of the policies they put in place restricted the user's laptop so much that she could not log in to it from outside the office. Her job was to meet with organizations and give presentations, so the security policy pretty much made her job impossible to perform. She did go to the technology team, but was only told why the policy is enforced, with no thought or concern as to what the impact would be for the user community.

So what was the consequence of the policy above? She could have quit, but she liked her job, so that was out of the question. The easiest path around her predicament was to purchase her own laptop, email the presentation files to her home email address, and load them on her non-work laptop so she could get her job done. She is now happy with the situation, but there is a much bigger security concern to deal with. Of course, the government security czar is not concerned and will not be until something drastic happens.

My advice to anyone involved with supporting, managing, or directing technology: ALWAYS think of the end user, since without them you are not needed. Oh, and just because you can does not mean you should.

John Ahlberg
CEO, Waident

CIO in the corporate world and now for Waident clients. John injects order and technology into business process to keep employees productive, enterprises running, and data safe.
