(Almost) everyone knows that employees stop following the rules when the rules are too tight. Usually this is because following the rules wastes too much valuable time and efficiency suffers. Unreasonable rules get bypassed, and employees prefer to rely on their own judgment. Here lies a risk: employees may do something genuinely harmful to the company, for instance by switching off security features on their own computers. The point is that even if the security code also contains useful guidance, the whole document gets stamped "Silly security rules, ignore" because of the foolish rules it carries alongside the sensible ones.
Better results are achieved when the overall security code is clear and understandable. The rules must support, not inhibit, everyday work. Employees must understand the overall picture and the goal and purpose of the security rules. This, of course, requires trusting the employees.
Another common fault of corporate security policies is that they are often planned from the IT perspective, and thus do not support the company's business processes or needs. So, when developing such policies, the organization should be interviewed from top to bottom, right from the start. This way the people whose daily jobs are directly affected by the rules can speak out, and a situation where the security rules block business growth can be avoided.
Nowadays you sometimes see human resources policies mixed up with IT security. This happens, for example, when social media services such as YouTube or Facebook are banned on security grounds. Employees get annoyed when their freedom to receive information is limited "in the name of safety". The fact is, however, that social media services are not a serious threat to an organization whose IT security plan and equipment are up to date. The same bans, if issued by the human resources department on productivity grounds, might be more acceptable and cause far less irritation.
And about passwords: ideally, passwords never need to be shared with anyone. If, however, there are situations in which IT support needs to know an employee's password, every employee should be informed of this through a well-documented process. This way the security policies contain no inner conflict but describe a smoothly operating process.
Generally it is safer for the organization if employees choose a good password and write it down than if they try to remember a bad one. Better still, organizations should encourage their employees to use 'password safes', small applications that hold hundreds of passwords behind one master key. A password on a piece of paper kept in your wallet is not the worst-case scenario either, since people are used to guarding their wallets and the valuables inside.
The author is the CISO of Stonesoft Corporation.