You’ve got All Your Security Technologies in Place… Now What?

Antivirus and firewall solutions? Check!
Regular vulnerability scans and patch management? Check!
Web security software? Check!
Security thinking? Ch-e…what?
When we think about security we automatically think in terms of software. Without a doubt, these solutions are a must for enforcing an organization’s network security, but the journey shouldn’t stop there. You can only achieve all-round security by applying ‘security thinking’: identifying how your users actually behave in response to your security setup and measures. User behavior should be taken into consideration throughout the design process of any system implemented on your network.
So how can you put this security thinking process into practice?
When, for example, you are creating a security policy, you need to think of the various parameters that will apply to that policy. How will you develop your password policy? Will you instruct users to use complex passwords, long passwords, or passwords that are both complex and long? Will you expect users to change that password periodically? These questions may be obvious to some, but you need to understand that each option will affect users, or groups of users, differently. Long, complex passwords that must change monthly, for example, will push users to write them down, since a new one is hard to memorize every time. Always evaluate how your choices will affect users, and how, in turn, your users’ reaction to your choices will affect the network’s security.
Another example of security thinking is when you’re deploying software. Once again, you need to evaluate how the software’s deployment can influence your users and their behavior. Let’s take a Content Management System (CMS) as an example. On a basic level, when choosing which solution to implement, a sys admin might consider only the security features of the software. User access control might be viewed as sufficient security if content on the CMS can only be accessed by specific user groups. There is, however, a lot more to the process. You must look at how user access control will be implemented. Will your access control setup prevent users from seeing document titles, or only prevent them from opening the document itself? If users are allowed to view the titles of documents they cannot open, that can in certain cases be a security risk. Titles generally reflect the document’s content, so a listing that shows them can disclose the existence and subject of confidential information to the wrong recipients.
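The CMS listing problem above, as an added example (this is illustration code written for this page, not code from the original post or from any particular CMS): a toy document store with two listing implementations, one that enforces access only when a document is opened and one that applies the same rule to the listing. The documents, users, group names and function names are all constructed for the example.

```python
# Added example, not code from the original post: a toy document store
# showing the difference between enforcing access control only when a
# document is opened and enforcing it on the listing as well. All names,
# documents and users below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    title: str
    body: str
    allowed_groups: frozenset  # groups permitted to open this document


# Constructed sample data: one public document and two restricted ones
# whose titles alone reveal something confidential.
DOCUMENTS = {
    1: Document(1, "Cafeteria menu, week 12", "Monday: soup ...", frozenset({"all-staff"})),
    2: Document(2, "Q3 layoffs: affected teams", "Engineering: ...", frozenset({"hr", "execs"})),
    3: Document(3, "Acquisition of Example Corp, term sheet", "Price: ...", frozenset({"execs"})),
}

# Constructed users and their group memberships.
USER_GROUPS = {
    "alice": frozenset({"all-staff"}),
    "bob": frozenset({"all-staff", "hr"}),
}


def can_read(user, doc):
    """A user may open a document if they share at least one group with it."""
    return bool(USER_GROUPS[user] & doc.allowed_groups)


def read_document(user, doc_id):
    """Enforce the check at open time. Missing and forbidden documents get the
    same error so the response itself does not confirm that a document exists."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(user, doc):
        raise LookupError("document not available")
    return doc.body


def list_titles_leaky(user):
    """Listing that relies on read_document alone: every title is shown,
    including those of documents the user will be refused when opening."""
    return [(d.doc_id, d.title) for d in DOCUMENTS.values()]


def list_titles_filtered(user):
    """Listing that applies the same rule as read_document, so a user only
    sees titles of documents they are allowed to open."""
    return [(d.doc_id, d.title) for d in DOCUMENTS.values() if can_read(user, d)]


def leaked_titles(user):
    """Titles the leaky listing exposes for documents the user cannot open."""
    allowed_ids = {doc_id for doc_id, _ in list_titles_filtered(user)}
    return [title for doc_id, title in list_titles_leaky(user) if doc_id not in allowed_ids]


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(f"{user} can open: {list_titles_filtered(user)}")
        print(f"{user} sees via leaky listing: {leaked_titles(user)}")
```

Running it shows that alice, who belongs only to all-staff, is correctly refused documents 2 and 3 on open but still learns from the leaky listing that layoffs and an acquisition are being planned. The filtered listing reuses the exact check the read path uses, which is the property to verify when evaluating a CMS: the same authorization decision should gate every place a document (or its metadata) is surfaced, including search results and recent-changes feeds, not only the download itself.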
Once you take the time to consider how the relevant security policies will affect your users, and how these users are likely to behave as a result, you’ll be able to predict potential security risks and thus be in a position to proactively strengthen your security infrastructure and setup without additional expenditure.

If this seems out of your comfort zone as an admin, I always suggest cooperating with your HR department, as you can use your technical know-how and they can use concrete evidence of working with people to come up with a solution that is both a step forward in efficiency and still keeps security in mind without overstepping any boundaries.
To be able to define your users’ behavior, proper and constant communication and coordination between the sys admin and other departments should be put into practice. I strongly believe that with this method observed in any given situation, there is a guarantee of fewer mistakes.
It is also an obligation for both sys admins and their users to observe their security policies with the utmost supervision and understanding. No matter how we try to secure our networks, it is inevitable that we will encounter problems along the way. That is why it is best to always be on guard and diligent enough to monitor each other.
I agree with Henry. The HR Department should be tapped so if there is any mandate to follow certain security measures, enforcement won’t be a problem.
Additionally, they can provide insights on how the staff works. As is often said, people still form 80% of any system. The machines, the technology and everything else form only 20%. Hence, user behavior should always be considered.
Consulting the different departments through their department heads would also be a good idea. Any proposed system should be discussed first before deployment to condition the users and get their feedback and avoid any resentment or deployment resistance.