Recently I've been thinking more and more about the problem of end user risk. It was prompted by some discussions with a small company here who lamented that they had to place extreme policy controls in place because their users would "wreck it" otherwise...
So I thought - I wonder why their users are so very dangerous to them? (Apart from the obvious of course...) So I went and spoke to a few of their users. They told me that the IT area used confusing words and couldn't explain why security was important to them, so it wasn't seen as relevant. It seemed to me that this organisation forgot that People, Process and Technology need to work together to truly address security. The more I spoke to other people in IT, the more I realised that this is a consistent problem. In IT we always manage to get the Technology side (more or less) right - and sometimes we do the Process side - but we always miss the People bit. In many cases, the security breaches we see in businesses are caused by users and their naivety or ignorance of the correct procedure or safe practice, and a lot of these cases stem from a lack of end user security education.
So I've recorded another blogcast/screencast/video thingy on the problems with motivating users around security and changing your perceptions in the eyes of the users.
After you're done watching that, I've linked to some resources that you can download to begin this conversation with your users and deliver some education that will help them not only at work but also at home.
While you're at it... I'm curious to know how many of you find this area of security challenging? Fill out my online anonymous poll so we can see if it's a consistent theme.
Updated: 25/9 4:12pm - Embedded survey wasn't working properly so I've replaced it with a direct link to it.
It might be just me, but I can't access either the streaming link of the HTTP link. Both prompt for a password from wic245d.server-web.com.
Nup, it's just you Thommo....:) Two separate machines of mine work fine!
Actually Thommo you were right...
One of our guys installed WSS on the server and it changed the authN I had configured for the site...whoops....should be fine now.
End user security policies, firewalls, proxy servers etc. all help contain the end users.
In some scenarios it's a definite must to have it in place. Imagine a bank which allowed their staff to surf the internet ad hoc from their PCs in the office? The exposure to "bad" elements would be huge.
In some cases I think it's merely put in place to curb users accessing YouTube, Facebook etc., as it's common knowledge that you can spend hours there rather than working.
We have a strange scenario here atm... live.com is blocked. I'm not kidding. It went so far as to block Live ID sign-on at one point, but that's been resolved now. Anything *live.com is simply blacklisted.
We've had scenarios where even microsoft.com was blacklisted... how smart is that!
Anyways, this was all put into place to stop people from spending time doing things they shouldn't.
Weighing up the pros and cons and finding a happy medium is where the challenge lies. Don't know how many sites I've had to tell our IT admin to unblock as they contained information that I needed... they've all been unblocked, except for *live.com (luckily www.tafiti.com gets me past that one!!)
Uhmm... last note... anything mms:// related is blocked too :)
I'm not saying that we shouldn't use technology to assist in ensuring business outcomes are met and to minimise unproductive time. But you can't block the entire internet! That actually causes a business impact through employees trying to find ways around the "security" to get their job done... as you did in using Tafiti :)
What I'm advocating is significantly improved end user education around mitigating security risk. That's something that's rarely - if ever - done and needs to be. Security is more than a technology issue and, more than anything, a people issue. Technology solutions to people problems only go so far...