Sunday, November 26, 2006

Who Is Deciding Your Information Security Policy?

If the answer to that question is that your management and your corporate security professionals are setting the standards, then you need to read no further. Have a great day, and check back soon for my next article. However, if you don’t know, or your answer is that you don’t implement in-depth security practices because your users find them too hard – in other words, your users are making your information security decisions - then read on.



First, let me say this: Implementing in-depth information security practices is hard work. In a large enterprise, it takes dedicated, trained staff, and even then your users will still find it cumbersome and inconvenient. Let me also say that most people expect things to be easy, they don’t want to be inconvenienced, and they want it when they want it, without being tied to having to wait for this, that, or the other, and without having to click on any more things than necessary. They don’t want to be bothered by their computer slowing down a little once a week while the scheduled virus scan runs. People don’t want to have to take the time to decide whether to answer “yes” or “no” when their personal firewall prompts them when it thinks something suspicious is happening on their computer. All too often, IT support staffs are saying that they don’t want to make their users do something because the user says it is inconvenient, they don’t know how to do it, and they just don’t want to have to take the extra time to learn how to do it. This is a classic example of how information security practices take a back seat to security unaware users who don’t want to make the effort to keep their company’s data safe. In other words, the end users (security unaware end users) are making the security decisions, like it or not.



Information security involves a variety of safeguards, all the way from perimeter devices guarding your network, right down to the user at the desktop. This is called “defense-in-depth,” the idea that if an attack or other malicious activity gets past one safeguard, at least one of the others will catch it and stop it. Your data is at the center of a bull’s eye surrounded by subsequently progressive outward rings. These protective rings are made up of the user, operating system patches, personal firewalls, anti-virus/anti-malware protection, server access control lists, and perimeter devices such as routers and firewalls. The user plays a very integral part in these defensive layers of information security. You can have all the firewalls, access control lists, anti-virus programs, and computer patches in the world, and still not be safe. Because if your users are willing to give away the keys to the kingdom, either through laziness, ignorance, complacency, or just plain arrogance, then nothing you can do will keep your data safe.



I have actually heard IT support people say that main the reasons why they don’t do certain things is because the procedures are too hard for their users, their users have no clue how to do these things, they have no clue why they are necessary, and that they (the IT people) don’t have time to train them. Back in my customer service days, I would listen to customers as they would go into rages about this stuff being too hard, and that they didn’t see why they had to do it. Let’s face it, people are busy, there aren’t enough hours in the day, and people often get set in their ways. Change represents a scary thing, even if it means learning a new way to keep data on a computer safe. A thing like locking a screen when the computer is going to be unattended is a habit that has to be learned and ingrained into behavior. Much of what this article is about is related to behavior and how to change that behavior. The technical part is easy. It’s changing people that is the real challenge.



Let’s take the first one mentioned above – too hard for the users. If something is too hard, it means that the user hasn’t been trained or is too lazy to learn – or both! I will repeat it again here: security is hard work. So that means that the IT support structure has to get on the ball and provide training and awareness for their users. Conversely, the end user has to get of his or her backside and realize that it is their responsibility to learn how to use the tools of their trade. The computer, after all, is a vital tool that is in use by the vast majority of people in the work force today. I don’t care if you are a doctor, lawyer, biologist, or just a clerk. The fact of the matter is that regardless of your primary specialty, you still have to use a computer to get your work done.



And I’m not even talking about people having to learn in-depth or complicated security principles. They simply have to learn what to click on, what not to click on, and when their personal firewall is telling them about a risky event. Is it really so hard, that if a user gets a message saying that some software is trying to be installed, for them to make a conscious decision that either “yes, it is OK because I am installing software” or “no, this is not OK because all I was doing was checking my email”? Make an educated decision, and click on the appropriate answer. This takes a few seconds at best – is that really taking too much precious time? If they wish to continue to do their jobs, computer users must learn how to operate them and how to interpret simple messages. It is not enough to know how to fire up Outlook and whip out an email, you must know how to interpret your environment and act accordingly.



On to the second idea previously mentioned – users have no clue. No, I’m not saying that people are all a bunch of clueless drones. Well – actually - yes I am. The average computer user doesn’t know much about computer security, and quite frankly, they don’t want to know. All they know is that they have to use the darn thing (the computer) and if anything goes wrong it isn’t their problem. It is IT’s problem to fix. If the computer lets sensitive information get away, then that is the computer’s problem, right? Wrong! The people in IT didn’t click on the malicious link in the email joke that they just received, and the IT staff didn’t leave the user’s computer unlocked when the user got up to go to a one hour lunch break. Not only is it just too hard to resist the temptation to click on that link, but it is also too hard to press the Windows key and the “L” key to lock the screen when they get up. And quite frankly, most people just don’t understand why it even matters. All that hype about computer security, malicious links in emails, and spies wandering the company looking for unlocked screens is just a bunch of rubbish, right? Wrong! The threats are very real and present. Users need to get a clue that they fit in to all this in a very important way. The why? That’s easy – the data they are working with is not theirs. It belongs to a company who can suffer embarrassment, loss of business, or loss of trade secrets of the information gets out. Companies can suffer from loss of business. Governments can suffer from the loss of sensitive information. In either case, it can be disastrous. Even if just a user at home – would the normal person want to risk having their personal and bank account information getting loose on the Internet? Certainly not! Care in computing must be exercised everywhere. The good security habits that one gets into will be useful at work and at home.



Hmmm… so finally, the last point - no time to train the users. All of the problems discussed up to this point can be boiled down to training. Not knowing how to do something or being clueless is not entirely the end user’s fault. Sure, the user has to get over their own laziness and arrogance, but they have to have knowledge to be able to act on it. But I have seen too many IT staffs who think they are protecting their users by not exposing them to complicated or extra tasks. Well – they are just making themselves feel good by trying to make their users like them and trust them. But sometimes good security practices involve a bit of “tough love” and forcing people to do things that seem hard at first. The IT staff can either make the choice to take the time to train their users, or take the time to clean up after their mistakes – it’s a clear choice in my mind. Take the time up front to train users, and keep them knowledgeable through constant awareness activities. Eventually, the training and awareness will sink in. By that time, your users will know what needs to be done (or what not to do) and they will now have a clue why this is all so important.



This may seem like one of my typical rants – you’re right – I’m busted. But how many more times do we have to hear in the news about breaches of corporate information security because of someone who lost a laptop or gave away information. You will notice that most of these events are due to someone doing something stupid – not being aware, not following directives and policies, or being just plain lazy. IT Staffs: train your users, keep barraging them with tid-bits of security awareness, and make them do the things that will keep your company’s data safe. End users: Get off your @$$ and learn why you are the most important link in information security. Security is everyone’s business. The management and security professionals in your company have the education, experience and know-how to make policies that will keep data safe. Don’t second guess them with your lack of knowledge – follow the directions. It’s not that hard!