IT departments spend a large chunk of their time figuring out better security controls that will keep corporate information safe, creating a digital barrier between the network and the outside world that can only be lifted by permission. But for many companies, the largest threat may not be the attackers trying to get in, but rather, the employees just down the hall.
Palo Alto Networks (www.paloaltonetworks.com) recently released a report that shows some enterprise end users are intentionally evading IT security controls and ignoring acceptable use policies, in many cases to enable the use of new technologies such as peer-to-peer applications, Web video, and streaming audio. (See the “Risk Report” sidebar for more information.)
Opening up these network channels can create security havoc within a system but can also slow a network down because of significant spikes in bandwidth. One approach is to shut down all unauthorized use, but for companies that have hundreds of employees, babysitting every machine can be time-consuming and counterproductive.
Experts have noted that there are better strategies, such as enabling use of new technologies so that users feel comfortable coming to IT for support and following rules.
Security Issues Some users may be looking to outwit the IT department and deliberately break the rules of the security policy that they should have signed during new employee orientation. But the majority of users tend to be those who have an idea that watching a YouTube video at work isn’t the best use of time but do it anyway. Those who are more technologically savvy might be able to figure out a few ways around any security controls in place to prevent content downloading of video, games, or audio.
“In 80% of the sample we looked at, users were using proxies to circumvent controls,” says Chris King, director of marketing at Palo Alto Networks. “They use anonymizer tools that have been perfected by those in oppressive regimes; they download tools to get around limits on the size of email attachments; they use Web-based applications for downloading. All of it could represent substantial data leakage.”
In other words, whatever IT is afraid users are doing is probably exactly what they’re doing. Devices, too, can add an extra layer of concern, notes Jamz Yaneza, threat research project manager at Trend Micro (www.trendmicro.com). “Users may not see something like a PDA as a risk,” he says. “But they open windows of vulnerability, and by the time they realize what’s happening, it might be too late.”
Bandwidth Concerns Along with security, another major issue is bandwidth because many of the new applications that users like can be bandwidth hogs.
As the Palo Alto report found, video in particular has become a significant consumer of bandwidth.
The fact that some users will download an application from a site that doesn’t have information they can even read will likely not surprise many IT managers, King notes. “Users are a lot smarter than they used to be,” he says. “They can figure out security controls, and they care less about downloading risky applications.”
Balancing Act Being able to provide security and still allow users to download the newest application may be the trick that many IT departments have to perfect. Telling users that they can only access authorized sites or applications could backfire, King believes. “A company that expects an employee to answer email on a weekend is already communicating that there’s a blend of work and life,” he says. “If you give someone a BlackBerry, do you expect them to only use it at their desk? Of course not.”
A first step in enabling new technology is to look at the culture and expectations of the company, King adds. Also important is to understand how employees might be using the applications. For example, King points to a pharmaceutical company that’s using social-networking apps to market its drugs to physicians. Doctors go to the Web, research the drug, and can then ask questions in a chat room.
More companies are using instant messaging for company representatives to keep in touch with customers. Understanding the role of the applications is crucial in dealing with new technologies, King notes. “It requires a bit of a mind shift,” he says. “There are places where the security policy basically says ‘no’ to everything, yet the policy isn’t enforced, so it creates contempt. But if you give IT the tools, you can safely enable some applications and block others.”
Tools that monitor traffic, and particularly look at spikes in bandwidth usage, can be ideal for tracking down the location of particular users, but it’s equally important to start conversations about why and how employees are using the applications.
by Elizabeth Millard
Tidak ada komentar:
Posting Komentar