When it comes to security in IT, there is a balance between how secure a network and its endpoints are and how usable the system is in general. The most secure option would be to have no internet access at all, but that would make using the system and interacting with anyone external virtually impossible. Many companies still rely on security standards based on out-of-date perceptions of how many threats exist today, and re-aligning those perceptions is one of the more difficult parts of driving change.
Some companies, especially smaller ones, have a culture that resists additional security out of fear of change, lack of understanding, or simply not wanting to deal with the inconvenience. The hardest arguments to get past are often “It has never been an issue before” or “We have always done things this way.” In some cases, it takes a drastic event before someone realizes that a change is needed. One of the more effective arguments for change is to ask what impact a breach would have: what would it cost, in both financial and reputational terms, if data were lost or stolen?
When proposing increased security, it is important that a proper review be done. The current state of the controls in place needs to be identified, and a risk assessment should be completed. More and more companies rely on their technology, so they need a solution that protects their systems with as little impact and complexity as possible. Using the evaluation and risk assessment as a guide, a balanced solution can be found.
The following are some examples of convenience vs. what is safe and secure.
- Internal machine firewalls off
- All users are local admins
- Logon hours unrestricted
- No clearly defined security groups
- Basic AV software installed
- Users can visit anything on the web and install or run any local application

The convenience-first approach makes access easy, but any user can access more than they really need and can cause critical harm, intentionally or unintentionally.
- Internal PC firewalls are on and traffic is strictly controlled between workstations
- User access, even on the local PC, is restricted to work-critical functions
- Logon hours on PCs are restricted to working hours
- Strict adherence to departmental or functional security groups
- Advanced, centrally managed AV installed network-wide
- Additional controls or software to prevent applications that are not on a whitelist from being installed or run
- Firewall content filtering to protect users from accidental clicks
- Internet and email threat awareness training
- Regular security reviews, with controls in place to prevent unauthorized access
- Strict physical access controls on sensitive areas such as switching and server rooms

The secure approach drastically reduces the risk of intentional or accidental damage, but it adds significant process and review to ensure compliance.
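As an added example that is not part of the original post, the PowerShell audit script below checks a Windows endpoint for several of the convenience-first settings listed above (firewall off, users as local admins, no application whitelist, unrestricted logon hours, real-time AV off) and reports each one it finds. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 or Server; the AppLocker and Active Directory checks are skipped if those modules are not present, and the account name `jdoe` is a placeholder.

```powershell
# Added audit script (not from the original post): reports which of the
# "convenience" settings above are present on this Windows endpoint.
# Assumes: elevated PowerShell 5.1+ on Windows 10/11 or Server.
$findings = @()

# Internal machine firewall off? Check every firewall profile.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# All users local admins? List Administrators members other than the built-in
# Administrator account (its SID always ends in -500).
$admins = @(Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -notmatch '-500$' })
if ($admins.Count -gt 0) {
    $findings += "Local Administrators contains: $($admins.Name -join ', ')"
}

# Basic AV only? Check whether Defender real-time protection is running.
# (A third-party AV product is not covered by this cmdlet.)
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += 'Defender real-time protection is off'
    }
}

# Any local application can run? Look for an effective AppLocker policy.
if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
    $policy = Get-AppLockerPolicy -Effective
    if (-not $policy -or $policy.RuleCollections.Count -eq 0) {
        $findings += 'No effective AppLocker rules (no application whitelist)'
    }
}

# Logon hours unrestricted? AD stores logonHours as 21 bytes, one bit per hour;
# an unset attribute or all bytes 0xFF means the account may log on at any time.
# 'jdoe' is a placeholder account name, not from the original post.
if (Get-Module -ListAvailable ActiveDirectory) {
    $hours = @((Get-ADUser -Identity 'jdoe' -Properties logonHours).logonHours)
    if ($hours.Count -eq 0 -or @($hours | Where-Object { $_ -ne 0xFF }).Count -eq 0) {
        $findings += "Account 'jdoe' has unrestricted logon hours"
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'None of the checked convenience-over-security settings were found' }
```

Run it on a representative workstation before and after the hardening changes to show which items in the secure list are actually in effect.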
Have any questions about your organization’s IT security? Please contact us at any time.