Don't be lulled by the illusion of security
A corporate security policy is all very well, but many users simply ignore it. Neil McEvoy, a consultant at PinkRoccade, explains how to make it work
The biggest threat to corporate security today may well be the plethora of security products that are widely deployed.
This is not to say that companies should not invest in security, but rather that more attention needs to be paid to matching solutions to needs, ensuring that solutions are not patchworked, and administering them properly once they are installed. This is a theme that users will be discussing in depth at the upcoming Infosecurity conference in April.
There is no point in deploying a fantastic access control solution that requires a user to insert a smartcard if they are only going to leave the card on their desk when they go home.
However often security professionals rewrite the corporate security policy, and whatever penalties are imposed for non-compliance, users continue to break the rules.
It is time for a more practical approach. To make sure users take their access cards away from their machines, why not make the cards a necessity for leaving and entering the building? Users will then no longer view removing the card when the clock strikes five as an inconvenience. Another way of making staff secure their cards could be to make the cards support other applications such as electronic payment for lunch on the premises.
The key component in a security policy is planning. Decide what level of security is required and then decide what is realistic. With key players changing regularly, it is important to select industry standard solutions. Budgets are too tight for errors, so the design must make provision for future developments.
The solution must be well administered or it becomes a liability from day one. If staff believe that it is safe to open documents once they have passed the antivirus software, make sure the virus checker is up to date.
If cards are issued for secure access, ensure that they are all logged and accounted for and that the validation process for issuing them is stringent. One rogue cardholder could cause untold damage.
If your organisation is deploying digital certificates, ensure that the root key and administrator controls are secure; otherwise the solution will be a liability. If in doubt, outsource this function to a trusted third party.
The biggest threat to organisations today is the illusion of security. A security policy must be tight and properly thought through to ensure that essential actions such as logging off become a requisite for leaving the desk.
Key Points
- The biggest threat to businesses is the illusion of security
- The sheer number of security products on offer confuses the issue
- Security policy is the most important factor in securing information