Is Security Getting Too Complex?
Leaving passwords in email or dropping all the company passwords into a single document are both laughable errors in any security person's eyes, but many end users view them as a necessary evil that helps them get their jobs done.
So why do it? In a business realm with double and now triple authentication methods, securing business data requires more and more participation from end users. And while those methods are effective at keeping out unauthorized users, they are also increasingly difficult for employees who need access to specific information and don't currently have it.
Managers might give their password to an employee who just needs to get the job done. That password gives the employee access to a whole different realm of documents, including confidential documents and more. And thus the potential for an insider threat increases.
Can IT administrators stop it? No, but they can take steps to minimize it. First, administrators should do simple searches of their networks and environments for simple words like "password" to see whether any files disclose, or give access to, information that is protected by only a single level of authentication.
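The first step above, the search for files that leak passwords, as an added example that is not from the original post. It is Python, the file tree it scans is constructed sample data, and the keyword patterns and text-file extensions it uses are my assumptions:

```python
import os
import re
import tempfile

# Filenames that suggest a credential store, e.g. "Team Passwords.txt" (assumed keywords).
NAME_PATTERN = re.compile(r"password|passwd|credential|logins?", re.IGNORECASE)
# Content that looks like a stored secret: keyword, ':' or '=', then a value.
# Prose such as "choose a strong password" does not match.
CONTENT_PATTERN = re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE)
TEXT_EXTENSIONS = {".txt", ".csv", ".ini", ".cfg", ".conf", ".xml", ".json", ".eml", ".md"}

def scan_for_credential_files(root):
    """Walk root; return (path, line_no, reason) tuples (line_no 0 = filename hit)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if NAME_PATTERN.search(name):
                findings.append((path, 0, "filename suggests a credential store"))
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            with open(path, "rb") as fh:
                raw = fh.read()
            if b"\x00" in raw[:4096]:  # crude binary check: skip non-text content
                continue
            for line_no, line in enumerate(raw.decode("utf-8", "replace").splitlines(), 1):
                if CONTENT_PATTERN.search(line):
                    findings.append((path, line_no, "line looks like a stored password"))
    return findings

def make_sample_tree(root):
    """Write a small constructed file tree (sample data, not real credentials)."""
    samples = {
        "shared/Team Passwords.txt": "vpn: password = Spring2015!\n",
        "mail/fwd.eml": "Subject: FW: login\n\nHere you go: pwd: letmein\n",
        "docs/policy.md": "Choose a strong password and never share it.\n",
        "cache/blob.txt": "\x00\x01password=notscanned\n",  # binary-looking, skipped
    }
    for rel, text in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)

def run_demo():
    """Scan the sample tree in a temp dir; return findings with root-relative paths."""
    root = tempfile.mkdtemp()
    make_sample_tree(root)
    return [(os.path.relpath(p, root).replace(os.sep, "/"), n, why)
            for p, n, why in scan_for_credential_files(root)]
```

Point `scan_for_credential_files` at a file share to get a list of files worth a manual look; the policy document that merely mentions passwords is not reported, while the forwarded email and the shared password list are.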
Second, managers can't be in two places at once. Performing an information audit that looks at how a user with higher-level security access is reaching documents from the IP address of one of their staffers is an area where admins need to ask the difficult questions.
Third, develop a security-first response to all requests for access to information. When end users see a 24-hour turnaround time for IT to grant them access to information they need immediately, they are more prone to circumvent security. Such breaches need to be dealt with accordingly. But the long-tail solution is to be more responsive to such requests, so that managers and end users see them not only as necessary but as less of a productivity roadblock. So if your IT ticketing system leaves "access to area" as a lower-level request, imagine what that means to end users. Elevating such a request from a 5 to a 2 means that it won't only get done faster but also shows them that their work is a priority.
Fourth, education should be a huge part of your 2015 security planning. Make that education a two-way conversation with each department. End users need to understand the security threat and the cost it has for the organization. Make it real: talk about things that you've found on the network that either violate security or have the potential to be deemed insider threats. Then ask what difficulties end users are having with security. Is it too hard to get to areas or gain access to the things they need, or are there ways that you can help remove potential barriers without belittling security? While there are reasons for security, listening to end users is an effective way to understand their use cases and their pain points. Devising better solutions with their needs in mind helps create a better first line of defense against insider threats and cyberattacks.
And lastly, develop a cyber-defense whistleblower program. Many governmental and government-contracting firms already use such programs to help administrators spot potential areas of concern. Such programs need to be built with executive buy-in, but they can give IT more eyes on ways to better secure their systems.
One of the many reasons we create tools such as ControlPoint, Replicator, StoragePoint and Diagnostic Manager for SharePoint is that we believe it is an amazing platform for businesses to consolidate their content and collaboration processes, one that administrators can use to manage and secure content.