Toll Free: 877-379-8279Managing Risk in the IT Environment: Part 2
News / By Scott M. Lewis, President / CEO Winning Technologies Inc
News / By Scott M. Lewis, President / CEO Winning Technologies Inc
In this issue, we want to continue to explore other areas within your IT environment that present risk. This issue will examine today’s corporate environment and wade through the detail of what is necessary for corporate success and what is simply a cool toy for our employee’s. We are going to explore other threats and emerging threats as they relate to the corporate work environment, such as new gadgets, VOIP (Voice over IP), high end storage facilities and of course my favorite the human factor.
Before we get into the new gadgets and toy’s let look at the human factor first. The human factor is that variable that defines success or failure by how well the technology is accepted and what the technology is expected to produce by the humans that are affected by the new technology. We all have had technology initiatives that really looked good on paper, and all the research showed it was going to save the company thousands of dollars per year, but when it was deployed to the user community the initiative failed. This was because you could not gain the support of the employee base- they did not use it, they did not like it, pick your excuse but the initiative was a failure. This is the human factor at work, despite all your best efforts the project was a failure because nobody applied or accounted for the human factor.
A large part of our business is to help companies that, despite their best efforts in protecting themselves, are still having issues with SPAM, Viruses, Web Surfing and other security breaches. Upon review what we have usually found is a lack of motivation and knowledge among the user community to insure the safety and security of the network. When we review job descriptions rarely do employee job descriptions have a reference to maintaining the security and integrity of the network. We have found that companies that allow us to do security awareness training with their employees, along with strong policies regarding security and proper use of electronic communications, this apathetic trend can be reversed. We have found that when an employee’s job performance includes security compliance, and is tied to things like annual raises.
Network access and restricting the access a single employee has to corporate networks and data is a step that all companies should be undertaking but few do. Restricting access will reduce the impact that a single employee’s apathy or willful intent can have on the entire network. Workstation security and restricting the end users ability to load programs or manipulate settings will, in fact, reduce the impact and risk a single employee can have. These are all things that can help reduce the risk that is inherent in having employee’s that don’t necessarily have a vested interest in the success of your company, and might have an emotional reaction to any disciplinary or other human resources action against them.
Let’s move on to gadgets. Employees all love gadgets, when it comes to technology gadgets, we all love to have the new IPhone, or Tablet PC or whatever the next hot product is. We all love the gadgets!!! But what are all these new gadgets doing to your corporate security? The answer- It is opening the door and exposing your network! The challenge is that these gadgets, in many ways, are becoming valuable business tools and if used in a proper way with the proper controls they can be a powerful addition to your corporate technology initiatives. However the problem is that too often eager employees are purchasing or otherwise acquiring these devices and programs and integrating them into their networks without regard to the security of the network.
Other reason gadgets are becoming an increasing problem for many organizations is from human resources perspective- employee privacy. Many companies are now implementing policies and restrictions and are incorporating this into the standard corporate security awareness training programs.
Let’s look at USB storage devices or as I call them data with legs which is what can happen when you allow USB mini-drives and other plug in devices into your corporate environment. Many employers don’t realize that these devices have been brought into their computer environment. Employees simply bought them for data backup purposes on laptops or other workstation devices. These devices also make for a quick and easy way to exchange data from one computer to another. Which is exactly the problem, who says that it has to be your computer? Why not to a home computer, or a friends computer? You just never know where that data is going to end up.
So what are we saying? So what if that law suit regarding something somewhere outside of your control? So what if the emails regarding mistakes that were made resulted in a multimillion dollar lawsuit is out of your control? It could be costly! These USB mini drives are so small someone could walk into your business, download sensitive project data stick the USB mini drive in their pocket and walk out the door without being detected. It is happening with increasing frequency today!! This is a problem in corporate America and it is growing and it is posing an ever increasing risk to data security. Corporate espionage according to the FBI cost U.S. companies anywhere from $24 to $100 billion dollars annually, so don’t think that nobody wants your data.
It is important to remember that if convenience is important to users, they will often justify their decisions based on their perception of an increase in their productivity as the reason to install and utilize peer to peer programs such as instant messenger and web based services such as GoToMyPC. However, corporate executives must analyze and attempt to quantify the risk to return to your corporate network. We have found that when we do security awareness and risk awareness training many of these issues can be resolved simply by explaining the risks to employees and showing them how these convenience tools can put the entire organization at risk.
Security continues to be problems for American businesses .We simply are not spending enough to secure our systems and educate our users to protect our companies. When the Winning Technologies security experts perform security audits most organizations don’t realize that they have already been a victim of a security breach. Or, they are simply relying on their internal IT guy to secure their systems instead of bringing in experts.
Threats to your organization continue to grow and more and more businesses are finding themselves victims of complacency. Yes complacency. We wanted to fix it, we were going to fix it, and we just had not got around to it yet. It is time to get to it; it might cost you more than you think by continuing to be complacent regarding your security.
