The number one threat to IT system security has been identified and, unfortunately, it is us. Security breaches can usually be traced back to an employee who has opened a virus-infected e-mail or been robbed of a laptop, USB stick or iPOD containing important confidential business data.
Following this logic, IT would only be 100% secure if people had nothing to do with it, but, as we all know, IT, especially in the form of desktops, is an essential part of the productive working processes.
When it comes down to it, the security issue is just as contradictory as we are. Security is a fundamental human need, but it is people themselves who pose the greatest threat to security, especially when it comes to IT. To err is human, as they say, and it is therefore only natural that we are fooled by social engineering tricks such as e-mails which profess their love to us, or are careless with our jackets when a USB stick with sensitive data is in the pocket.
Lewis Taljaard, identity and security management specialist, Novell SA
Lock it all down, or a sense of responsibility?
So what can be done to reduce this human security threat? A complete block on human use of all IT resources would be the simplest solution – and this is not as counter-productive as it sounds, it would seem. Some companies have actually taken this strategy on board to some extent. For example, several businesses have taken the trouble to fit the USB ports on their computers and laptops with USB locks, in order to prevent employees inputting or taking away information using that particular user interface. But is this a good solution? Evidently not, as allowing employees access to their USB port can improve their productivity. The thinking behind these measures – if you do not use it, you cannot break it – is invitingly simple, but misguided, and certainly does not take human needs into account.
The opposite approach also has its flaws, however. A business certainly would not get very far if it relied solely on the personal sense of responsibility of its employees and did not put any controls in place at all. It is naïve to believe that every employee will show the initiative to install patches or update anti-virus programmes and, equally, that confidential company data will not be leaked if there are no controls on access. Reliance on this 'sense of responsibility' would most probably result in chaos.
Automated IT solutions
So what can we do? Perhaps the time has come to revive the wise old adage that technology was created for the benefit of humanity, not the other way round. Human needs should lie at the centre of the debate; IT is, after all, merely a work tool. And having established that, we can move on to another time-honoured concept: each of us is different, has different tasks and needs different tools.
Would it not be more economical as well as more secure to equip each employee with the set of tools, ie, IT resources, data pools, storage capacity, applications and USB ports, that he or she needs to work with maximum efficiency? But this customising of individual workplaces would demand considerable effort and expenditure. In view of the shortage of personnel and the increasing complexity of business IT systems, there is not a tremendous amount of enthusiasm for such ventures. This is where automated IT solutions can help.
Patch management ensures that all the programmes and applications employees use on their desktops are always fully updated and therefore as secure as it is possible for them to be. Automatic access and endpoint security management guarantee that the company’s network is always secure – no matter when, where or what resources are being accessed, and by whom. Furthermore, asset management solutions enable IT departments – without having to search or ask – to get a quick overview of all IT resources and their use, of licence expiry dates and of IT contracts and budgets, thus saving time and money and sparing the nerves of IT technicians whilst improving the company’s performance.
In this case, the saying 'what is good for a business is good for its employees' could not be truer. No one need worry about security and administration questions unless they want to and everyone can complete their work in the way that is best for them. IT is there simply for our benefit – just as it should be.