There are a lot of frustrated IT managers out there. How do I know? Because a recent survey commissioned by Sungard Availability Services* revealed that the #1 thing IT managers said they would do if left in charge of their company’s information security program was enforce stricter security policies on employees.
What security policies are they talking about? Pretty much the full gamut. The survey noted the top 5 perceived security threats to information systems as:
- vulnerable web applications (noted by 55% of respondents)
- lack of overall security awareness (51%)
- out-of-date security patches (50%)
- failure to encrypt PCs and sensitive data (47%)
- obvious or missing passwords (44%)
In studying this data, I believe it reveals something key: the current concerns about security policies touch every level of an organization – and require positive action from every level if change is to be effective. Let’s take it from the top.
Top Level Management Needs To Set The Tone For Information Security
People are always going to resist anything that requires effort on their part. That’s just human nature. Most people would rather use their child’s name as their password than a meaningless combination of letters, numbers, and symbols like “C4*9shE2Z7#.” It’s just easier. And we like things to be easy.
That’s why, for countless millennia, people in authority have used the “carrot and the stick” approach to leading people. You entice them forward with a carrot, and you swat them with a stick if they don’t do what you want. Simple, but effective.
Executive teams today need to do the same. First, they need to publish specific security policies for the company (as outlined by the IT team). Those policies should be explained so that people understand the benefits (the “carrot”) they bring to the company. Most importantly, people need to know that these policies are not arbitrary or designed to make life difficult for them. They are there for a reason, and it is a reason that impacts everyone.
Then, leadership needs to make clear that there is a “stick.” If people don’t follow the rules, there will be consequences. And those consequences have to be more serious than a reminder email from IT telling them to please use a stronger password.
Mid-Level Management Cannot Consider Themselves “Above It All”
Now, let’s talk about mid-level management. These are the folks who are concerned about getting the job done: marketers, financial people, sales teams, production managers, etc. Here’s what happens: because they want to get the job done – on time, at cost, with quality – they often bring in or use software applications without IT’s approval. This is shadow IT, and it’s a real problem.
The managers’ motives are pure: they don’t want to jeopardize the company. Their focus is solely on business operations. Why don’t they go through IT? Either they don’t realize that they should, or they get frustrated because IT takes too long to respond. So they bring in the technology themselves.
But shadow IT is a real information security threat. It can leave the company’s information exposed, and can introduce a way for hackers to penetrate the organization.
Ironically, even when the IT department finds instances of shadow IT, mid-level management often resists having the illicit systems hardened, patched, or otherwise made more secure. They complain, “I don’t want my application touched! It could go down, and then where would we be?”
It’s time to take a hard-line stance against shadow IT – but IT can only do so if supported by top-level management. The message needs to be clear: nobody is “above” information security.
Employees Have To Own Information Security On A Daily Basis
As a white hat hacker and penetration tester (that is, I break into companies to test their information security systems), I can tell you this: people are the weakest link in information security. I have broken into companies by pretending to be a FedEx guy making a delivery and by using the passwords thoughtfully jotted onto Post-it notes and left beside keyboards.
People don’t intend to jeopardize their company’s security. Most people are hard-working, conscientious employees. But when it comes down to it, they just want to do their job and go home at the end of the day. They’re not motivated to consider information security.
That brings us right back to the top level management again: we need to educate and we need to enforce. Educate employees about security policies: not just once, but consistently. Make them read and sign an information security policy, verifying their understanding of the requirements. Put up posters in the break room. Send emails about threats and risks. And make sure the consequences for failure actually hurt.
I recall one instance where my assignment was to break into a company that had a fantastic security program in place. Employees were aware and alert. The company assured me that I would never make it inside.
I timed my “attack” for 5:00 p.m. when everybody was going home. As I walked up to the building, no fewer than 11 employees questioned who I was, why I was there, and if I was trying to get into the building. It was impressive! I assured them that I wasn’t trying to get into the building; I was just waiting for a friend.
Once at the doors, I pretended to be talking on my cellphone. And I walked in as someone else walked out. Why? People don’t like to interrupt you when you’re on the phone - and they just want to go home.
Everyone – executives, managers, and employees – needs to understand that there are no exceptions when it comes to information security. The one time you lapse may be the one time a hacker is poised to strike.
*The survey, commissioned by Sungard Availability Services, was conducted by SurveyMonkey Audience. The survey reached 276 IT professionals and was completed in December 2014.
This article was previously posted on Forbes.