Users offer 10 security tips to IT staff
- By Susan Miller
- Nov 05, 2013
The opinion many IT security people have of end users runs a narrow gamut, somewhere between lack of trust and healthy skepticism, according to a survey commissioned by Akamai Technologies. A commentary on the poll in GCN’s CyberEye blog sparked a number of comments from readers, including several recommendations on how to maintain this uneasy truce. Here’s a roundup.
1. Make it usable: If a system is secure but does not allow getting the work done, people will do an end-run around the policy.
2. Expect failure: People are fallible, expect it and plan for it. Your adversary does.
3. Just ask: Conduct a user/customer survey to ask what the users’ needs are before locking down the system further.
4. Make it easy: Systems and devices need to be engineered to automatically protect users by substantially reducing the attack surface, or in some cases, completely mitigating attack vectors like those on PCs targeted by Advanced Persistent Threats.
5. Conduct more end user training: There is a clear gap in end users' knowledge of IT security and other risk mitigation strategies.
6. Put more cards on the table: If the users know what the threat is, they'll do what it takes to help defend the fort.
7. Foster teamwork: Work cooperatively with users to achieve the mission of the agency, which is the real Job 1.
8. Bake in security: Users have been and will continue to be the weakness as long as federal managers focus on FISMA compliance and conduct only "annual" security awareness training.
9. Plan for change: Every tool you buy, the bad actors buy too, so every solution you have now will soon become obsolete.
10. You're going to need a bigger boat: Don’t depend on simplistic user awareness campaigns and perimeter controls. Fund all the critical controls and the tools to help protect the users when they fall.
Susan Miller is the executive editor of GCN. Follow her on Twitter: @sjaymiller.