It seems to me that most of us are in the same security boat. I was recently discussing security with a large finance client when one of the executives brought up what he’d learned at an industry conference. Other large firms shared how they limit the risk of employees walking away with critical information. These companies are restricting access to PCs’ DVD burners and USB drives, giving read-only and no-copy access to certain file directories, limiting remote access, and a host of other measures to prevent the security sharks from preying on their systems.
The problem was that every single restriction hampered the end users’ ability to get their job done. To continue my nautical theme, they’ve so bogged down their users with safety equipment that they can hardly swim. This is largely because IT drove the security policy development without appropriately balancing it against very real business needs.
As we continued the discussion, we all came to the same conclusion: there had to be a better way. Even with every draconian security policy in place, as long as the user had to access critical data to get their job done efficiently, there was always a way for them to lose it, or worse, steal it. So what is the better way?
Do the Basics — Better
Implement with excellence all the standard security measures that have little if any impact on the end users’ ability to get their job done.
- First, limit the pool that your users play in by only giving them access to the files and folders they need to get their job done. While it’s a no-brainer to do this theoretically, I’ve found that over time sloppy implementation happens. People change jobs or need temporary access to information, new directories are added, new people are hired – and soon the waters are murky. To prevent this drift, we use checklists (for new hires, transfers, etc.), documentation (to clearly identify who has access to what), and ongoing review (so business owners can confirm that access rights are accurate).
- Second, carefully manage the connection between your pools and the larger ocean. Maintain high-quality firewalls. Limit remote connections to only those users who need them to get their job done. Keep antivirus and anti-spyware programs installed and up to date. Again, none of these actions are earth-shattering, but we find that if they are not carefully managed, the latest patch may not have been applied to your network, not all of your PCs may be protected with the most up-to-date virus definitions, or people may have changed jobs while their data access rights never changed to reflect their new responsibilities.
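The ongoing access review described under the first point is easy to automate once the documentation exists: compare who the documentation says should have which rights against the grants actually present on the file server. The script below is an added example, not the client's or any product's code; the role matrix, HR roster and comma-separated ACL export are constructed for illustration and the share names are hypothetical.

```python
"""Access-drift review: compare the documented access matrix against the
permissions actually granted, so business owners can confirm rights are
accurate. Added example with constructed input formats."""

# Constructed: what the documentation says each role should have
# (share name -> right). Share names are hypothetical.
DOCUMENTED_ACCESS = {
    "finance-analyst": {"finance-share": "read", "reports-share": "read"},
    "finance-manager": {"finance-share": "modify", "reports-share": "modify"},
}

# Constructed HR roster: user -> current role (None = has left the firm).
ROSTER = {
    "alice": "finance-analyst",
    "bob": "finance-manager",
    "carol": None,                # departed, but may still hold grants
    "dave": "finance-analyst",
}

# Constructed ACL export, one grant per line: share,user,right
ACL_EXPORT = """\
finance-share,alice,read
reports-share,alice,read
finance-share,bob,modify
reports-share,bob,modify
finance-share,carol,read
finance-share,dave,modify
"""

# Ordering of rights so "more than documented" can be detected.
RIGHT_RANK = {"read": 1, "modify": 2, "full": 3}


def parse_acl(text):
    """Return {(user, share): right} from the constructed export format."""
    grants = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        share, user, right = (field.strip() for field in line.split(","))
        grants[(user, share)] = right
    return grants


def review_access(documented, roster, acl_text):
    """Return a list of (finding, user, share, detail) tuples describing drift."""
    findings = []
    actual = parse_acl(acl_text)

    # Expand the role matrix into the grants each current user should have.
    expected = {}
    for user, role in roster.items():
        for share, right in (documented.get(role) or {}).items():
            expected[(user, share)] = right

    # Grants that exist but should not, or exceed what is documented.
    for (user, share), right in sorted(actual.items()):
        if roster.get(user) is None:
            findings.append(("stale_user", user, share, right))
        elif (user, share) not in expected:
            findings.append(("undocumented_grant", user, share, right))
        elif RIGHT_RANK[right] > RIGHT_RANK[expected[(user, share)]]:
            findings.append(("excess_right", user, share,
                             f"{right} > {expected[(user, share)]}"))

    # Documented grants that are missing (users who cannot do their job).
    for (user, share), right in sorted(expected.items()):
        if (user, share) not in actual:
            findings.append(("missing_grant", user, share, right))
    return findings


if __name__ == "__main__":
    for finding in review_access(DOCUMENTED_ACCESS, ROSTER, ACL_EXPORT):
        print(*finding)
```

Run against the constructed data it reports three items: carol's grant survives her departure, dave has modify where the documentation says read, and dave lacks the reports-share access his role needs. The first two are the drift the text warns about; the third is the business-side cost of sloppy implementation, which is why the review belongs to the business owners and not only to IT.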
Focus on Active Monitoring vs. Static Locking Down
Rather than implementing constraining but imperfectly effective rules, why not actively monitor and report instead? Let’s use the acronym SAFE to describe this active monitoring:
Sign – Every employee should review and sign the company’s security policy not just upon hiring, but annually. The technology landscape is shifting so rapidly, and the business owners need to be actively considering what is and is not allowed behavior. Consider this a training opportunity as well. Sometimes your employees will just not be thinking about what’s right and wrong; it’s your job to remind them.
Allowed Behavior – The firm should have a robust and clearly communicated set of security policies that cover things like confidentiality of data, the firm’s right to access all data on all equipment, an anti-theft policy for data, etc. An important note here – do not allow the IT department to create and control all of the security policies. Business needs should drive the policies, with the IT team managing implementation. Too often companies have their IT department in control, and, in the end, the business suffers because users are hamstrung. Further, such firms are often no more secure than the business-needs-driven firm. That loss of user efficiency is a high price to pay for phantom increases in security.
Follow Activity – You should also let the employees know that you have a system-wide monitoring and logging platform that supports rule-based alerting. The monitoring tool records employee actions on their machines (yes, this will be a lot of data, but the goal is not to review it in real time). The goal is to set up rules that alert you to unusual activity (e.g., if a user accesses certain files and then prints or copies them, you will be notified).
Enforce Issues – An important component of the monitoring is letting employees know this system is in place, and then following up on inappropriate behavior. Policies are for naught if users know that violating policy has no ramifications. When users know their system usage is being actively monitored, that is a deterrent in and of itself.
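The alerting rule given as an example under Follow Activity ("a user accesses certain files and then prints or copies them") can be expressed as a small correlation over the activity log. The script below is an added example and not the monitoring product's own logic; the log line format, the paths under /shares/finance/ and the action names are constructed for illustration. It goes slightly beyond the text in one respect: copying a sensitive file to removable media alerts on its own, while printing alerts only when it follows an open of the same file within a configurable window, so that a print of something the user never opened on that machine is not flagged.

```python
"""Rule-based alerting over endpoint activity logs. Added example with a
constructed log format: '<ISO timestamp> <user> <action> <path>'."""
import re
from datetime import datetime, timedelta

# Hypothetical: paths whose contents the business considers sensitive.
SENSITIVE_PREFIXES = ("/shares/finance/",)
# Correlation window between opening a sensitive file and exporting it.
WINDOW = timedelta(minutes=10)

# Constructed sample log: alice prints soon after opening, bob copies to a USB
# stick much later, carol handles a public file, dave copies without an open.
LOG = """\
2024-03-04T09:00:12 alice open /shares/finance/q1-forecast.xlsx
2024-03-04T09:03:40 alice print /shares/finance/q1-forecast.xlsx
2024-03-04T09:10:05 bob open /shares/finance/payroll.xlsx
2024-03-04T09:45:00 bob copy_to_removable /shares/finance/payroll.xlsx
2024-03-04T10:00:00 carol open /shares/public/lunch-menu.pdf
2024-03-04T10:00:30 carol print /shares/public/lunch-menu.pdf
2024-03-04T10:15:00 dave copy_to_removable /shares/finance/budget.xlsx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, user, action, path); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, user, action, path = match.groups()
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def find_alerts(events, window=WINDOW):
    """Apply two rules to sensitive paths only:
    removable_copy    - any copy of a sensitive file to removable media
    open_then_export  - print or copy within `window` of the same user opening the file
    """
    alerts = []
    last_open = {}  # (user, path) -> timestamp of the most recent open
    for ts, user, action, path in sorted(events):
        if not is_sensitive(path):
            continue
        if action == "open":
            last_open[(user, path)] = ts
            continue
        if action == "copy_to_removable":
            alerts.append({"rule": "removable_copy", "user": user,
                           "path": path, "time": ts.isoformat()})
        if action in ("print", "copy_to_removable"):
            opened = last_open.get((user, path))
            if opened is not None and ts - opened <= window:
                alerts.append({"rule": "open_then_export", "user": user,
                               "path": path, "time": ts.isoformat(),
                               "minutes_after_open": (ts - opened).seconds // 60})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(LOG)):
        print(alert)
```

On the constructed log this raises three alerts (alice's print three minutes after opening the forecast, and the two removable-media copies by bob and dave) and stays silent on carol, whose file is not sensitive. The window is the knob that keeps alert volume proportionate to the "lot of data" the text mentions: the log is kept in full, but only the correlated events reach a person.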
This type of environment won’t be a complete solution for every company, but it is a great place to start for companies that need a higher level of functional security. Protect yourself from security sharks without sinking productivity.