As an Information Technology professional, one of the things you will find yourself doing is creating and enforcing security policies. You will need to support good technology security by creating policies that outline the things a good employee must do to support good corporate security. All the other employees are hired for what they are good at doing, and that usually means finding ways to get the job done, regardless of your security requirements. That means good employees may be your biggest security threat.
You can hopefully understand the reason for this effort to ignore the tedious security requirements published by various technology professionals. The average person now has to memorize numerous user accounts, understand document transfer policies, deal with applications with missing or buggy functions, and work with web site filtering. They must deal with all your controls and rules while trying to get their job done, and they know there is a “better” way. So what are some of the most common workarounds used by your company employees?
- Offline Bypass – Many security features are only enabled while the device is online. In one case, users were blocked from attaching USB devices to their computer or laptop. The software was only able to alert the security team if the device was connected to the corporate network. The users simply disconnected the device from the network when they wanted to connect their USB hard drive or cellphone to copy files from their local PC to the external device.
- Bypass Session Time-out – Most systems and applications have automatic session time-out features, based on a defined idle period. Some organizations take this security feature a step further by using proximity detectors that time out a user’s session as soon as they step out of range of the detector. Many users of these systems “beat” this security feature by placing a piece of tape on the detector, or by placing something over the detector to defeat the security offered by these simple devices. Vendors will also employ utilities to make connections appear active, even when the vendor isn’t using the connection, so they don’t have to restart VPN connections.
- Simple Passwords – The average person today has scores of personal and professional accounts. Changing 30 or 40 passwords every ninety days (what is commonly recommended) results in creating and recalling more than 100 passwords each year. It’s understandable that people use easy-to-remember passwords, but simple passwords neutralize much of the security benefit of password-based authentication. Studies have shown people are horrible at selecting secure passwords. And beware of the clever users who bypass the password-reset problem altogether by calling the help desk claiming to have forgotten their password. Administrators will often reset a problem user’s password by bypassing the regular password reset requirements. Some people may use various bypass methods to keep the same password for several years.
- Post-It Notes – One survey found that many people record their passwords somewhere, sometimes in a spreadsheet or text file, but usually on simple Post-It notes. This means someone with access to the device probably also has access to the Post-It note with the user’s login information written on it, ready to use without delay.
- Internet Document Storage – You have strict security settings on network shares and documents stored on your network. You may think you have met corporate requirements on who gets access to specific data and information, but you probably don’t have any idea of the volume of data transferred outside the corporate network. Users will find ways to get the data to their coworkers, and that probably means storing the files on the internet. The mobile workforce demands anytime-anywhere access to their documents and data. Many mobile workers aim to streamline their productivity by circumventing your security protocols: emailing sensitive documents to themselves, storing files in a personal Dropbox account or other public cloud, and even taking photos/screenshots with a smartphone and texting those images to friends or vendors.
- Disabling Security – One of the most popular security workarounds is simply turning off security features that hinder the user’s productivity. With the growth of BYOD environments, where employees have greater control over the enabled security features, it is common to find even the most basic security features disabled.
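The offline-bypass case above is worth illustrating, because the fix is a design change rather than a rule: the endpoint must journal device events locally whether or not it can reach the corporate collector, and ship them when it reconnects. The following Python sketch is an added example, not code from the article or from any product it mentions; the `Agent`, `Collector` and `DeviceEvent` names and the sample event timeline are all constructed for illustration, and the `online` flag stands in for whatever connectivity check a real agent would perform.

```python
"""Store-and-forward audit of removable-device events (added example).

Journal first, ship later: disconnecting from the network delays the alert
but no longer suppresses it, and the collector can flag attaches that
happened while the host was offline for review.
"""
import json
from dataclasses import dataclass, field, asdict
from typing import List


@dataclass
class DeviceEvent:
    ts: int          # epoch seconds (constructed sample values below)
    host: str
    device: str
    online: bool     # could the corporate collector be reached at the time?


@dataclass
class Agent:
    """Endpoint side: the audit record never depends on connectivity."""
    host: str
    journal: List[DeviceEvent] = field(default_factory=list)

    def record(self, ts: int, device: str, online: bool) -> None:
        self.journal.append(DeviceEvent(ts, self.host, device, online))

    def flush(self, collector: "Collector") -> int:
        """Ship every journaled event, clear the journal, return the count."""
        lines = [json.dumps(asdict(e)) for e in self.journal]
        collector.ingest(lines)
        self.journal.clear()
        return len(lines)


class Collector:
    """Server side: keep everything, surface attaches made while offline."""
    def __init__(self) -> None:
        self.events: list = []

    def ingest(self, lines: List[str]) -> None:
        self.events.extend(json.loads(line) for line in lines)

    def offline_attaches(self) -> list:
        return [e for e in self.events if not e["online"]]


def demo():
    """Constructed timeline: one attach on the network, two after the user
    pulled the cable, then the host reconnects and flushes its journal."""
    agent, collector = Agent("laptop-07"), Collector()
    agent.record(1_700_000_000, "usb-storage:constructed-drive", online=True)
    agent.record(1_700_000_600, "usb-storage:constructed-drive", online=False)
    agent.record(1_700_000_660, "mtp:constructed-phone", online=False)
    return agent.flush(collector), collector.offline_attaches()
```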
As an IT professional you need to help the hard-working and well-intentioned employee get their job done without putting the network at risk. Your security policies should avoid restrictions without any explanation, which leave the end user with lost productivity and no apparent improvement to their lives. Your organization should implement security training for all employees, showing your team specifically how security protocols protect against data leakage, data breaches, and other threats while highlighting how workarounds put data (and their jobs) at risk. Regular communications and meetings with staff will help the typical employee keep security top-of-mind.