There is a saying in IT, "The only secure computer is one unloaded, unplugged and locked in a closet." More or less a true statement, but with computers everywhere at the workplace and home, it is not a very realistic approach. Plus I would be out of work, and who would want to see me on a street corner begging for money, right? I would make a pitiful vagrant. Really.
Why do I mention this? Well, the issue of computer security came up when I recently helped a friend fine-tune a paper for one of her graduate classes. The paper was on the misuse of company resources in relation to IT and HR departments, and, as just about everything does, it got me thinking (I really need a short vacation from doing that).
In the Information Services industry, security and misuse prevention go hand in hand, or rather, are two sides of the same coin (where do these sayings come from anyway?). The practice of keeping an Internet-connected network secure from outside threats falls in the same arena as keeping users from going to inappropriate websites. Preventing illegal software, or even spyware, from being loaded by an employee on a company computer is in line with keeping time-wasting games off the computers (solitaire anyone?). The same goes for phone services, email and any number of other IT sub-sects. If you are hitting one side of the issue, odds are you are hitting the other. And hopefully, in this day and age, you are taking information security very seriously.
My friend had covered most of this in her paper when I first proofread it for her. She also went into the discussion of monitoring and surveillance of employees versus privacy issues. Basically, the arguments of big brother at work against “this is a private email to my sister that is very important” (blah blah blah). If you have ever heard an argument for employees' rights at work regarding technology resources, or perhaps even argued for them, you can disregard what you have heard or said. In the United States, Germany, and many other countries around the world, you don't have those rights to privacy when it comes to company resources. Big brother can, and probably does, watch you. He reads your email. He tracks your phone calls. He knows what fetish porn sites you are into. And, to protect the company that both you and he work for, he should be able to do all of that.
But he shouldn't have to do so much of it. That is what I brought to the table with this paper: the point of view of increased training and awareness, which is something that helps everyone out more than any other action (or inaction). I am not the first, and won’t be the last, to say this, but proper training and awareness of employees regarding acceptable use is a must-have for any company. Further, proper training and awareness on basic security risks should also be a must-have. Two sides of the same coin.
Had I finished my paper on Six Sigma (procrastination really is an art form), I would probably be inclined to dig up statistics and facts on what I am saying. Instead I will go with the common sense approach. If you, as an employee, knew that your emails sent to or from work not only could (and likely would) be read by someone in IT, but also by your manager and supervisor, wouldn't you be less inclined to use work email for personal messages? What if you knew that your manager would be reading those little flirtatious chat messages you have been sending to that cute girl in accounting? Would you really be looking at that new teddy from Victoria's Secret during your lunch hour if some guy in IT and your supervisor knew you bought it?
For the other side of this coin there is just one phrase that rings home on why training and awareness of security issues is important for employees. "I didn't know." It’s been heard a million times, and a lot of the time they really didn't know. Instead, imagine if they did know about scam/phishing emails, the damage malicious software could do, social engineering attacks, why giving ANYONE (even IT members) your password is bad, the dangers of loading software from the Internet, or even just the dangers of browsing to the wrong website. Users would suddenly become your number one security defense, instead of a security breach waiting to happen.
Give it some thought when your budgeting rolls around this year. Instead of, or at least in addition to, looking at that multi-thousand-dollar device or piece of software to track everything under the sun on your network (until that buffer overflow attack compromises it), look at setting up a proper *ongoing* employee training regime for your company. Or just unplug the computers and lock them away in the closet.

I have an issue with using it in IE 7 and am looking for someone who can assist me.