
IT Security and People: “I clicked on it. Was that bad?”

No matter how much money your company spends on security solutions, your most important defense is almost always the vigilance of your own team. The errant click on a malicious link and the thumb drive found in the parking lot carrying malware have become almost cliché. But the knee-jerk reaction can still be, “Somebody dropped their memory stick, so I’ll plug it in, see who it belongs to, and save the day for whoever lost their data.”

These exploits are designed to look legitimate, so that people act before they think. It can happen to any one of us in a moment of weakness -- and I want to make sure I’m on the record with this merciful attitude in case it ever happens to me!

In addition to technology solutions, most Trusted Advisors are likely to recommend that companies require their employees to attend IT security education programs. A number of companies already require such participation on an annual basis, frequently in the form of a third-party-designed webinar that focuses on human behaviors, such as recognizing the characteristics of a likely phishing attack. How effective these programs are is debatable, but most experts agree that if they prevent even one person from compromising the IT infrastructure, then they have delivered some value.

“User education is critical to preventing phishing attacks, but you have to assume that you’re not going to get 100 percent effectiveness across your entire user base,” said Lee Pallat, vice president of cloud and security strategy at Stratacore, an IT consulting broker based in Seattle. “The phishers are getting more and more sophisticated, so even a well-educated user can fall victim to a well-crafted spearphishing campaign. So, it’s just as important to put some additional email security in place to either sandbox URLs or provide that extra layer on top of what’s already available.”

While security technologies can go a long way towards protecting your company, a comprehensive education campaign for employees is almost always the necessary next step.
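The "characteristics of a likely phishing attack" that awareness training teaches, and the URL checks that an extra email-security layer automates, can both be made concrete. The following is an added example, not code from the article or from either company quoted above: it pulls the links out of an HTML message and flags the classic tells of a phishing link. The sample message and every domain in it (`bank.example`, `login-verify.net`, the `203.0.113.7` address, the `xn--` host label) are constructed for illustration, and the trusted-domain list is an assumed input.

```python
"""Heuristic checks for common phishing-link characteristics:
  * the visible link text names one domain but the href goes elsewhere
  * a punycode (xn--) host label, a common lookalike-domain trick
  * a raw IP address instead of a hostname
  * credentials before '@', so the eye reads the wrong "host"
  * a trusted brand name buried in the subdomain of an unrelated domain

Added example, not code from the original article. The sample email
and all domains below are constructed; nothing here is a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample message, four links, only the last one is benign.
SAMPLE_EMAIL = """<p>Dear customer, please confirm your account:</p>
<a href="https://bank.example.com.login-verify.net/confirm">https://www.bank.example/login</a>
<a href="https://bank.example@203.0.113.7/reset">Reset password</a>
<a href="https://xn--bnk-2na.example/">bank.example</a>
<a href="https://www.bank.example/help">https://www.bank.example/help</a>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the demo; a production
    check would consult the Public Suffix List for things like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href, text, trusted_domains=()):
    """Return the list of phishing indicators found for one link."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:           # https://bank.example@evil/...
        findings.append("userinfo-before-host")
    if is_ip(host):
        findings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    shown = DOMAIN_RE.search(text)            # a domain the user *sees*
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append("display-host-mismatch")
    for brand in trusted_domains:             # brand.example.com.evil.net
        if brand in host and registered_domain(host) != brand:
            findings.append("brand-in-subdomain")
    return findings


def scan_email(html, trusted_domains=()):
    """Map every href in the message to its list of findings."""
    return {href: analyze_link(href, text, trusted_domains)
            for href, text in extract_links(html)}


def suspicious_links(html, trusted_domains=()):
    return {h: f for h, f in scan_email(html, trusted_domains).items() if f}


if __name__ == "__main__":
    for href, findings in suspicious_links(SAMPLE_EMAIL, ("bank.example",)).items():
        print(href, "->", ", ".join(findings))
```

Note what the last link shows: a link whose visible text is "Click here" or "Reset password" carries no displayed domain to compare, so the display-mismatch check stays silent and the other indicators have to do the work. That gap is exactly why training tells users to hover and read the real destination, and why the quoted advice to sandbox or rewrite URLs at the mail gateway is a layer rather than a replacement.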

There is one other important “people” aspect of IT security worthy of consideration. While security professionals play a crucial role in protecting the company and its data assets, they are often viewed by their colleagues in a less-than-favorable light.

“There’s a battle between the security and the operations people because security tends to make things more difficult, and Operations’ goal is to get things done,” said Ben Thornton, CTO of Opex Technologies, a Trusted Advisor that offers managed security and SOC-as-a-service. “The security guys are seen as the ‘no’ guys. So we try to find out what their concerns are, change that impression and accomplish security goals in less obtrusive ways. This helps to build credibility and good will with other groups within the company. This way, when you do have to say no about something, they don’t just try to work around you. They need to see that you have solid reasons. Don’t be the ‘no’ person or the ‘yes’ person. Be the ‘solutions’ person.”

Both technically and sociologically, effective IT security requires a balance that provides solid defense while also allowing your people to do their jobs with minimal obstruction. The exact location of that balance point depends on a variety of factors, including the nature of your attack surface, the overall value of the assets you are trying to protect, and your relative speed of business. Your Trusted Advisor can help you determine how to keep your business safe while also enabling you to focus more fully on your value proposition and the needs of your customer.