Users offer 10 security tips to IT staff
- By Susan Miller
- Nov 05, 2013
The opinion many IT security people have of end users runs a narrow gamut, somewhere between lack of trust and healthy skepticism, according to a survey commissioned by Akamai Technologies. A commentary on the poll in GCN’s CyberEye blog sparked a number of comments from readers, including several recommendations on how to maintain this uneasy truce. Here’s a roundup.
1. Make it usable: If a system is secure but does not allow getting the work done, people will do an end-run around the policy.
2. Expect failure: People are fallible, expect it and plan for it. Your adversary does.
3. Just ask: Conduct a user/customer survey to ask what the users’ needs are before locking down the system further.
4. Make it easy: Systems and devices need to be engineered to automatically protect users by substantially reducing the attack surface, or in some cases, completely mitigating attack vectors like those on PCs targeted by Advanced Persistent Threats.
5. Conduct more end user training: There is a clear gap between end user knowledge relative to IT security and other risk mitigation strategies.
6. Put more cards on the table: If the users know what the threat is, they'll do what it takes to help defend the fort.
7. Foster teamwork: Work cooperatively with users to achieve the mission of the agency, which is the real Job 1.
8. Bake in security: Users have been and will continue to be the weakness as long as federal managers focus on FISMA compliance, conducting only "annual" security awareness training.
9. Plan for change: Every tool you buy, the bad actors buy too, so every solution you have now will soon become obsolete.
10. You're going to need a bigger boat: Don’t depend on simplistic user awareness campaigns and perimeter controls. Fund all the critical controls and the tools to help protect the users when they fall.
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.
Connect with Susan at email@example.com or @sjaymiller.