Enterprise security professionals are left trying to manage a plethora of problems that stem from a few key issues. Of course, if security could be completely transparent, then we wouldn't face these problems. Instead, we're often at the mercy of complex, poorly written information security policies that users don't understand. And it's not unusual for half of the IT workers responsible for building, and adhering to, systems that comply with those policies to not fully understand them, either. With policies not designed for the layman, it's no wonder employees are regularly violating them.
But it's not just policies that are to blame. During the InformationWeek and Dark Reading "Strengthening IT Security's Weakest Link: End Users" virtual event on Wednesday, Ozzie Diaz from AirPatrol quoted some particularly disturbing statistics that came from a report published last year by IT World Canada and Harris-Decima. In "Freedom to Compute," 90 percent of Generation Y workers admitted to violating IT policies with no consequences -- yet not a single one was fired, and 7 percent had no clue that there could be repercussions.
So how do we get a handle on these problems? Dr. Rachna Dhamija had a great suggestion in her keynote at the virtual conference. She said we need to make the easy path the secure path, and make it hard to perform unsafe actions. For the most part, we can make the work path easy, but also giving users the freedom to visit social networking sites immediately complicates security, because it exposes companies to malware attacks and possible data exposure.
Companies need to focus their awareness efforts on end users' understanding of security policies and why they exist. Employees need to be made aware of the consequences of compromised credentials, a lost laptop, or a malware infection. Keeping with the theme of making security transparent, awareness efforts don't have to explain all of the controls underneath, but they do need to enlighten users to the dangers of using social networks, what company information can be shared, and how to better spot malicious messages and links.
Nontechnical issues certainly play a large part in the management headache, but technical issues shouldn't take a back seat. The number of data breach notifications from lost and stolen laptops and mobile devices should put system and data inventory at the top of many enterprises' short lists of technical issues that need to be addressed. Simply put, if you don't know what you have and where it is, then how can you put the proper security controls in place to protect it? And what do you tell management when they ask what was on the CFO's laptop when he left it in the taxi?
As one of their base functions, data loss prevention (DLP) solutions can assist with the task of data discovery to see just what is stored out in the enterprise. Data discovery should be used to determine the pervasiveness of sensitive data throughout the enterprise. Once the data is found and classified, the process of deduplication, deletion, and/or protection can begin, as deemed necessary, to prevent the potential exposure that leads to expensive notification costs, damage to public image, and customer loss.
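To make the discover-classify-deduplicate cycle concrete, here is an added example (not code from the article or from any DLP product) of the skeleton such a data discovery pass follows: walk a file tree, classify each file by content patterns, hash it so exact copies can be found, and report what needs protecting. The patterns (a Luhn-validated card-number detector and a simple SSN-shaped detector), the "PCI"/"PII" labels and the sample files are all constructed for this example; a real DLP engine ships far richer detectors, but the shape of the pipeline is the same.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Constructed detectors for this example. CARD_RE matches 13-16 digits with
# optional space/dash separators; the Luhn check below prunes false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of constructed classification labels found in text."""
    labels = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # A digit run that fails Luhn is an order number, not a card.
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels


def scan_tree(root: str) -> list:
    """Discovery pass: one record per file with labels and a content hash."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "labels": classify_text(raw.decode("utf-8", errors="ignore")),
                "sha256": hashlib.sha256(raw).hexdigest(),
            })
    return sorted(findings, key=lambda f: f["path"])


def find_duplicates(findings: list) -> dict:
    """Group paths by content hash; only hashes seen more than once are kept."""
    by_hash = defaultdict(list)
    for f in findings:
        by_hash[f["sha256"]].append(f["path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def needs_protection(findings: list) -> list:
    """Paths that carry at least one sensitive label."""
    return [f["path"] for f in findings if f["labels"]]


# Constructed sample content; the card number is the well-known test number.
SAMPLE_FILES = {
    "finance/q3_cards.txt": "Card on file: 4111 1111 1111 1111 (test number)\n",
    "hr/onboarding.txt": "New hire SSN: 123-45-6789\n",
    "hr/onboarding_copy.txt": "New hire SSN: 123-45-6789\n",
    "notes/readme.txt": "Order reference 1234567890123, nothing sensitive.\n",
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="dlp_demo_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    findings = scan_tree(root)
    for f in findings:
        print(f"{f['path']:28} {sorted(f['labels'])}")
    for paths in find_duplicates(findings).values():
        print("duplicate content:", paths)
    print("protect:", needs_protection(findings))
```

The Luhn step is the part worth copying: the 13-digit order reference in the readme matches the raw regex but fails the checksum, so it is not reported, while the two identical HR files surface as one deduplication candidate rather than two separate exposures.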
Countless other issues can plague security professionals in a large enterprise, of course. But being able to define policies that users can understand and follow, and reining in data sprawling across the enterprise, can help maintain security pros' sanity -- and the security of their employers' data.