Just ten years ago, security professionals had almost total control over what end-users ran on their computers. Today, the IT landscape looks very different and leading analysts and security experts are warning companies that, no matter what perimeter defenses and technologies they might implement, the biggest threat lies within the company - the system users, the human beings.
Paul Robertson, director of risk assessment at TruSecure, a provider of intelligent risk-management products and services, says companies that come to him for advice on security policies are either "those that don't have anything at all, or just the basics," or "those that have a lot of policies, but no tidy implementation."
A common weak area today, he says, is company usage policies. Having strong privacy and usage policies can go a long way to protect a company if someone does something wrong. "Policies need to be up-to-date and reflect the situation and culture of the company," says Robertson. "It should be understandable by the end-user, and have the buy-in of human resources."
Chris Cook, president of Security Awareness, says that some companies have even started linking raises and reviews to security-awareness programs.
Mykolas Rambus is the chief information officer at W.P. Carey, a real estate investment trust headquartered in New York. He is responsible for overseeing about 500 users, many of whom often access the system remotely.
Since the publicly traded company is subject to a variety of government regulations, including Sarbanes-Oxley, and overseen by the National Association of Securities Dealers (NASD) and the New York Stock Exchange, Rambus says he believes the user-base should be a reactive and integral part of security. Although he reviews all the company's information security policies quarterly, he says it is important not to flood users with so much information that it becomes difficult to absorb.
"I've found that small group discussions are the most effective way to get users to understand policies," he explains. "It's important to make it fun, use colorful examples, paint pictures in layman's terms. If you make it too tight, it becomes drudgery."
Rambus says his approach seems to be working well, and most users will call if they see something suspicious. But there are those who like to experiment with new technologies or test security themselves. Although he hasn't seen any major breaches of security, Rambus says that guilt and a chat with the users' manager is usually enough to re-educate them.
Rambus is in the process of putting together a master guide of security policies on a per application basis. He believes it is important to go through the process from a user's perspective. "If you make the application as easy to use as possible, you can push the envelope," he says. "Technology is important for the hard, external shell of the company but, if the inside of the shell is soft, you've got a problem."
Glenn Mendoza is the chief security officer at Odessa College in Odessa, Texas. Together with a team of eight, he oversees some 2,200 desktop computers. "We have a highly effective means of patch management, anti-virus technology and filtering," he says. "Server-wise we're on top of things. We scan IP addresses daily, suspicious attachments are filtered out by the system, and we send out monthly emails informing users about the latest threats."
However, Mendoza says many users sometimes fail to read the emails and with limited resources it is often difficult to respond to threats in time. Recently, a user introduced Blaster into the network from a laptop and, because a few computers had not been patched, the network was flooded.
Since then, Mendoza has been working on updating security policies and encouraging users to think more about security, including their own home systems, but without any form of enforcement, security is not always a priority for end-users. "It can be extremely difficult introducing new ways of doing things, because people get used to working in a certain way. When we ask them to do it differently, it's like watching a trail of ants - you put something new in their path and they don't know what to do."
Brent Roberts works in the office of information technology for the State of North Carolina, a centralized IT shop for executive branch agencies throughout the state. As project manager for a new identity-access management system that will ultimately allow hundreds of thousands of users access to key resources and online government services, Roberts says he is well aware that the biggest threat comes from within.
The system, which uses Oblix Netpoint as its security framework, is currently used by 1,700 employees, but Roberts says the plan is to roll it out to more than 250,000 local government employees, followed by more than 280,000 businesses and, eventually, citizens. The first application of the system, continues Roberts, was a secure portal to a web page providing each agency's security liaison with information on how to keep the system secure.
No easy way
The biggest concern Roberts has is that there is no easy way to enforce policies regarding passwords and ID sharing and, as an IT expert, he knows how easy it can be to get a user's ID over the phone. "Even good intentions can threaten security. You have to do some reverse social engineering, because it's hard to get people not to be courteous and helpful," he points out.
Tim Burke is the infosec manager at CUNA Mutual Group in Madison, Wisconsin. With an IT shop of almost 600, and 5,000 employees, Burke oversees information security on the IT platform, as well as anything to do with information privacy. "We have a whole gamut of policies and standards, and security is the primary focal point of employee training," he says.
These policies are based on industry standards and are constantly updated, depending on the threat. Burke uses TruSecure for information and analysis, and regularly reviews IT security and privacy training programs for new hires. "We also require that a review of policies and standards is done as part of each employee's annual review, and they have to sign to acknowledge their awareness," says Burke.
When it comes to enforcement, however, Burke says that is left to the individual's manager and the human resources department. Burke, who is CISSP certified, attempts to educate users through email and quarterly articles to keep employees informed about security issues, and also holds 'lunch 'n' learns' - bag lunch sessions to discuss particular subjects.
Weak password creation used to be a big issue for James Pu, CSO at the Los Angeles County Employee Retirement Association, pension fund administrator for more than 135,000 members of the $29 million fund. Pu oversees IT security for around 325 employees at LACERA, working in a heterogeneous environment that includes mainframes and desktops. Like Mendoza, Pu is a big believer in employing as much practical technology as possible to enforce security policies. "You can run training programs and try and change the culture, but there are always people who slip, forget or deliberately violate policies," he says. "We've gone in the direction of putting technology in place that requires certain policies, like not allowing multiple logins."
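The approach Pu describes, putting technology in place that makes the policy hold whether or not the user remembers it, is easier to see in code. The following is an added example written for this article, not LACERA's or any vendor's implementation: a password-strength gate applied at creation time, and a session registry that refuses a second concurrent login for the same account (which also makes shared credentials visible, because the legitimate owner is refused while someone else is using the account). The policy values (12-character minimum, three character classes, a 15-minute idle timeout, the small banned-password list) and the names `SessionRegistry`, `password_policy_violations` and `ConcurrentLoginError` are assumptions chosen for the example.

```python
"""Added example: enforcing a password-strength rule and a one-session-per-
account rule in code. Policy constants and names below are illustrative
assumptions, not taken from LACERA or any product mentioned in the article."""
from __future__ import annotations

import hashlib
import os
import secrets
import time
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 12            # assumed policy values for the example
SESSION_TIMEOUT_SECONDS = 15 * 60
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123456"}
PBKDF2_ROUNDS = 100_000


def password_policy_violations(password: str) -> list[str]:
    """Return every rule the candidate password breaks; an empty list means accepted.
    Checking at creation time keeps weak passwords out of the system instead of
    relying on users to remember the written policy."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the banned common-password list")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate.hex(), digest_hex)


# Hashed once so that unknown usernames still cost one PBKDF2 run, keeping
# response time from revealing which account names exist.
_DUMMY_HASH = hash_password("dummy-for-timing-only")


class ConcurrentLoginError(Exception):
    """Raised when the account already holds a live session."""


@dataclass
class Session:
    user: str
    token: str
    last_seen: float


class SessionRegistry:
    """One live session per account: a second login while the first is still
    active is refused rather than silently allowed."""

    def __init__(self, timeout: float = SESSION_TIMEOUT_SECONDS, clock=time.time):
        self._timeout = timeout
        self._clock = clock              # injectable clock for deterministic tests
        self._by_user: dict[str, Session] = {}
        self._by_token: dict[str, Session] = {}

    def _drop(self, s: Session) -> None:
        self._by_user.pop(s.user, None)
        self._by_token.pop(s.token, None)

    def _expire(self, user: str) -> None:
        s = self._by_user.get(user)
        if s and self._clock() - s.last_seen > self._timeout:
            self._drop(s)               # idle session is reaped, freeing the account

    def login(self, user: str, password: str, credentials: dict[str, str]) -> str:
        """Verify the password, then refuse if the account already has a live session."""
        stored = credentials.get(user, _DUMMY_HASH)
        if not verify_password(stored, password) or user not in credentials:
            raise PermissionError("bad username or password")
        self._expire(user)
        if user in self._by_user:
            raise ConcurrentLoginError(f"{user} already has an active session")
        s = Session(user, secrets.token_urlsafe(32), self._clock())
        self._by_user[user] = s
        self._by_token[s.token] = s
        return s.token

    def active_user(self, token: str) -> str | None:
        """Resolve a token to its user, refreshing the idle timer; None if dead."""
        s = self._by_token.get(token)
        if s is None:
            return None
        self._expire(s.user)
        if token not in self._by_token:
            return None
        s.last_seen = self._clock()
        return s.user

    def logout(self, token: str) -> bool:
        s = self._by_token.get(token)
        if s is None:
            return False
        self._drop(s)
        return True
```

The registry keeps both a per-user and a per-token index so the concurrency check is a dictionary lookup rather than a scan, and it reaps idle sessions lazily on the next touch; in a deployment the same rule would be enforced at the authentication service or directory, but the shape of the check is the same.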