IT security professionals and analysts have plenty of suggestions on combatting the biggest problems named in a recent SearchSecurity.com survey on Policies in the Workplace, which drew 174 responses. The most popular remedy, by far, is education to resolve the human-factors issues.
The top five security challenges identified in the survey were: remote security; e-mail security; viruses/malicious code/distributed denial of service attacks; intrusion detection; and human error. The top five most difficult security factors to enforce, survey respondents said, are: human error; passwords; e-mail viruses/attachments/virus awareness; enforcing security policy; and personal use of the company computer.
Many of the problems cited are due to human error rather than technology. "That would argue that greater emphasis should be placed on mechanisms for dealing with your own people than on dealing with machines," said Frank Prince, senior analyst at Forrester Research Inc. in Cambridge, Mass.
Some survey respondents agree. Many of the problems "can be alleviated by good training," said Chuck Lewis, manager of information technology at Lee Supply Corp. in Indianapolis, Ind. "Second, it is important for the IT group to cultivate good relations with the user community, so that they feel they can come to us with any question, and we will answer it in a way that does not make them feel like, 'Hey, they think I'm an idiot, so why the heck should I bother asking them?' and thus make them much less likely to ask a question in the future that could avoid who knows what kind of problem."
Technology does, however, have its place in security problem-solving, observers agreed. Don Baldwin, managing director of consultancy Auldenfire Sweden in Stockholm, suggested that "the industry needs to create automated mechanisms to help users know when their products are out of date and allow an easy way to get the update that is both secure and easy to use." This would work much like the way anti-virus products and some other software already do, but on a much broader scale, he said.
Dale Jackaman, survey respondent and director of the information systems group at BC Research Inc. in Vancouver, British Columbia, said he has had success with strict and easily enforceable policies. "We don't allow access to any other kind of e-mail system that's not protected by our firewall" or other protected systems. Also, all company e-mail must be directed to and sourced from the company's primary e-mail system -- Lotus Domino. "As we use Lotus Domino instead of Microsoft Exchange, we haven't been hit as hard on the e-mail virus issues; in fact, the use of Outlook is banned at our facility," Jackaman explained.
A third policy at BC Research: "Trojans are our biggest nightmare -- and we do internal and external scans constantly for such exploits," Jackaman said.
Forrester's Prince suggested that IT professionals do a classification exercise to figure out where their greatest problems are and then decide how to fix them. "That kind of evaluation of the responses is more significant than the responses themselves. You can't fix what you don't know about. And when you do know, the answers may not be technological."