I’m often amazed how often the IT security industry claims “more security” lowers their risk. “More security” does not always mean more secure. Yet, the industry often doesn’t realize how several supposedly harmless aspects of security can unexpectedly raise risk. Let me explain with these examples.
DLP: First, let’s examine Data Loss Prevention (DLP) software and how it could raise your risk. DLP software markets itself as a technology that will stop any sensitive information from leaving your network or preventing certain employees from viewing certain information. It’s marketed as a one-stop fix to all your security problems. However, this software often creates a huge target on your network. In order to track all your sensitive information, DLP software often keeps a copy of it. It’s a one-stop shop for all your companies best kept secrets. Also, it is quite often easy to evade. Employees with Macs or Linux computers often don’t fall within the view of DLP software. Sensitive information can be encrypted or slightly modified and pass through DLP unnoticed. However, I’m not saying you should get rid of your DLP installation, just consider these other risks.
Email Forwarding and USB Drives: Many companies don’t allow employees to read their email from home or from mobile devices such as an iPhone or iPad. One would think this is more secure; the information cannot get onto these personal computers or devices. However, employees are crafty and often simply forward all their business email to a personal account to read it at home or on their mobile device. Now, you have all their email traveling across the Internet unencrypted, sitting on a third-party server, and on their home computer. In a similar way employees often use email to get around restrictions on USB drive policies. If employees are unable to use USB drives on their computers (usually good security policy) they can resort to emailing their work to their personal email. Sometimes DLP software or email filters can catch this, but as mentioned before, encryption can usually get around those. This example is currently playing out in the current Goldman Sachs case where a programmer (possibly with malicious intent) emailed sensitive code to his personal address. Again, please don’t take this as a recommendation to give all your employees USB drives and open your email servers to the entire Internet, but consider the ramifications of “closing things down.”
Policies, Productivity and Happiness: One of the most frequent comments we hear from non-security employees at companies we work with is how “everything is locked down” and therefore they “can’t get their job done.” Most security people brush this idea off as a necessity employees must deal with in order to work in a secure environment. However, I believe these people are missing one of the key areas of the CIA (Confidentiality, Integrity and Availability) security triad that is the basis for most Information Security. They are forgetting about availability. Information is worthless if you can’t get to it. If it takes employees to too long to access the information they need (because of policies or technical controls) your company will lose money. Losing money = higher risk = bad. However, you also need to maintain confidentiality and integrity of the information, but make sure you consider availability too. Along the same lines, putting more policies in place, while often providing a facade of security can also interfere with employee morale. Blocking access to sites like Facebook and YouTube might make you think your employees have more time to work, but they often go around these filters or visit these sites on mobile devices such as iPhones or Android phones. Blocking access to online games prevents employees from playing at work, but it also creates an atmosphere where they can’t have a fun break in the middle of their day. Be careful of the human side of security. Happy employees = productive employees = more money for your company = good.
Hiring Smart People and Good Communication: Often times the best security doesn’t come from great technical controls or all-inclusive policies, but from your company culture. In my experience, the places with the “best security” get there because of buy-in from an entire company of smart, security-minded people. Every employee understands why security is important to them personally and the company. They understand what is expected of them and the information they have access to. They are aware of the hostile world information exists in these days. All this often comes down to hiring smart people who don’t need a bunch of policies telling them to do the right thing. They already know what the right thing is. However, the most important aspect of all security-minded companies is open and ongoing communication between all employees about all aspects of security. This means meetings, training sessions, emails, casual conversations in the hallways, etc. Remember, you’re only as strong as your weakest link.