https://www.sikich.com

Security vs Convenience in IT

Jonathan Eddy

Jul 22 2019

3 min read

When it comes to security in IT, there is a balance between how secure a network and its endpoints are and how useable the system is in general. An example of the best security is to not have access to the internet but that would make using the system and interacting with anyone external virtually impossible. There are many companies out there who still rely on security standards based on out of date perceptions of just how many threats there are today, and re-aligning perceptions is one of the more difficult aspects to driving change.

Some companies, especially smaller ones, may have a culture that resists adding additional security simply based on fear of change, lack of understanding, or simply not wanting to deal with the inconvenience. Sometimes the hardest arguments to get beyond can be “It has never been an issue before,” or “We have always done things this way.” In some cases, it takes a drastic event before someone realizes that a change is needed. One of the more effective arguments for change is to ask what impact a breach would have. What would it cost both in financial and reputational value if data was lost or stolen?

It is important when proposing increased security that a proper review be done. The current state of controls in place need to be identified and a risk assessment should be completed. More and more companies have come to rely on their technology, so they need a solution that protects their systems with as little impact and complexity as possible. Using the evaluation and risk assessment as a guide, a balanced solution can be found.

The following are some examples of convenience vs. what is safe and secure.

IT Convenience

Internal machine firewalls off
All users are local admin
Logon hours unrestricted
No clearly defined security groups
Basic AV software installed
Users can visit anything on the web and install/run any local application

Makes access easy but any user can access more than they really need and can cause critical harm, intentionally or unintentionally.

IT Security

Internal PC firewalls are on and traffic is strictly controlled between workstations
Users access, even on local pc is restricted to work critical functions
Access hours for logon to PCs is restricted to working hours
Strict adherence to departmental or functional groups
Advanced and centrally managed AV installed network wide.
Additional controls/software to limit applications from being installed or run that are not on a white list
Firewall content filtering to protect users from accidental clicks
Internet / email threat awareness training.
Regular security review and controls in place to prevent unauthorized access.
Strict physical access controls on sensitive areas like switching and server rooms.

This method drastically reduces the risk from intentional or accidental damage but adds significant process and review to ensure compliance.

Have any questions about your organization’s IT security? Please contact us at any time.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author

Jonathan Eddy

Jon Eddy is the supervisor of Sikich’s Network Operations Center with over 20 years of experience in IT solutions. He has an MBA as well as Microsoft MCSE and VMware VCP certifications.