Security, Poor Implementation Ideas
While studying security issues it is not uncommon to hear authors tout their view of the best possible security that could be implemented for a business. There is nothing wrong with these ideas; however, I have experienced many times where this goal has created major issues within a business. I believe that IT exists to help push a business forward and to the next level. Two of the major facets of pushing a business forward and upward are productivity and level of service. Both of these areas affect the bottom line of a business. Low productivity raises the cost of production, which increases cost to the business and to its customers. Slow response times to a customer's needs hinder the productivity of that customer, which in turn affects the perception of the overall business. It would be one thing if all IT customers were external, but IT also has to work with internal customers as part of its daily operations. These internal customers are the ones who help the business operate each and every day, and thus they have a heavy impact on the overall health of the business. Here are a few examples where IT has tried too hard to achieve highly secure systems, but affected overall business operations.
It is not uncommon for a security implementation to include locking out an account after three to five failed attempts and changing passwords every sixty to ninety days. This is good, and almost every security author and book will support this concept to reduce the success rate of brute-force, or password, attacks. However, if your business has remote staff, this could lead to a problem. If a user should lock the account, or have a laptop that is not used as much as their desktop, login problems will occur. This leads to the question: “How do you fix a system where the user is not technical and IT has no access to the system?” Just a side note: even if the system connects to the corporate network using a VPN, how do you get the system on the VPN when it cannot be logged into? This is a real problem. One solution could be to pack the system up and send it to the corporate office for IT to fix and send back. The problem with this solution is that it leads to long downtime for the team member and any customer that team member is working with. A second solution could be to pay a local computer repair business to fix the system. This adds higher cost to the fix, but the downtime is lower. A third solution could be to give out the administrator password for the system. How sound is this option, since the highest security risk comes from internal people? A fourth option would be to put all remote users into a group and allow that group to have full access to the system, including an administrator password that does not affect other systems on the network. This way IT help desk personnel can talk the user through just about any steps that are needed to get the system and user back online.
Looking at E-Mail, there are some IT professionals who will lock down E-Mail so that it can only be retrieved on the local network, and will not allow POP retrieval. The reason given might be that E-Mail may contain sensitive information that has to be kept on the corporate E-Mail server. How about giving credit to non-technical users, most of whom understand that E-Mail is the same thing as a postcard? Even E-Mail travelling through the Internet can be read by anyone intercepting the E-Mail packets, because they are clear text. How does this make our profession look when we as experts make such stupid comments? Today, hindering access to E-Mail is like saying that the business does not need its customers. With so much communication today being done through E-Mail, can we afford to look this foolish? Is it not possible for a user to pass sensitive E-Mail to others just by forwarding it? Of course it is. There is no technology that will close the barn door before the horses get out. The only defense a business can have is to keep copies of all E-Mail traffic passing through the E-Mail server and audit the E-Mail periodically. This should be the process already in place to protect the business against improper use of E-Mail.
These are just a couple of the ways that we IT professionals may try to look like we are very security minded, yet fail to benefit the business. In fact, the best case is that we just cost productivity. In the worst case we lose customers or build a bad service reputation. Can we afford to do either?
Keep in mind that, as professionals, we need to serve both our business and our business customers. If the goal is to have the most secure system, then the only way to do that is to lock the system behind heavily monitored doors and walls and remove external access to the system. Not only will this be the most secure system we can make, it will also be the most useless system. How good is a system that cannot interface with any other system, or person? Would this type of system benefit your business?