I got into a bit of an altercation in one of this week’s Advice Line postings. It was in response to an exceptionally snide episode of Roger Grimes’ Security Advisor column in InfoWorld. According to Roger, there is exactly one way that all companies should manage desktop computing, and that’s to lock all PCs down tight.
Roger hauled out all of the expected arguments: End-users are, to paraphrase, lazy slackers who will install anything so long as it has nothing to do with their jobs. One of his examples was GotoMyPC, which allows them to work from home (I’m not making this up) which gives you an idea of why I felt compelled to offer a critique.
To be fair, in other columns Roger has pointed out that in order for a total lockdown strategy to succeed, IT has to become highly responsive so that end-users can get the tools they need to do their work quickly and without a lot of fuss. Amen to that.
Roger also makes a useful point — that the nature of malware has changed, from attempts to shut you down to attempts to steal information. His conclusion — that the risk, in consequence, is now much higher — is questionable, akin to claiming that because bad guys now want to pick my pocket instead of whacking me on the noggin, I’m in more danger. But the shift in emphasis is nonetheless important to you as you formulate your security tactics.
Highly responsive IT coupled with total lockdown is one way to start securing the enterprise from information thieves, but it’s far from the only one and it’s sadly lacking in many important respects. It doesn’t, for example, protect your information assets, except from a specific type of threat.
Many are pointing to the theft of a Veterans Administration laptop computer that had a huge number of veterans’ social security numbers as evidence of the need for tighter security. That total lockdown wouldn’t have helped doesn’t seem to faze many of those who haul out this example.
Frank Hayes has written about this extensively, and his point is right on the money (as usual): The solution is to not put social security numbers, or credit card information, or any other highly sensitive but unneeded data field, into any downloaded data. If you don’t have it, nobody can steal it.
Next, encrypt all sensitive data fields. If an intruder or disgruntled employee downloads gibberish, there’s no harm done, and taking names, addresses and telephone numbers results in minor inconveniences, not identity theft.
Third, pay attention to physical security. Securing PCs might be fun, but it does little good if anyone can sit down at a desk in Payroll, after the employees have gone to lunch but before the login has timed out.
Fourth, institute disciplined procedures for identity management — for employee on-boarding, transfers, and departures. This helps ensure that employees only have access to the data they need, not all data they ever needed in all roles they ever held. If an employee doesn’t have access to sensitive data in the first place, malware on that employee’s desktop is less likely to transfer sensitive data outside the corporate firewall.
Fifth (of course): Install malware prevention on every desktop and keep it up to date. There is no shortage of choices, and all will do an excellent job of blocking most intrusions.
And sixth, go beyond being responsive. Anticipate what employees are likely to need and make it available … easily and without red tape. In various places in the company are employees who will be more effective if they can make use of: Digital cameras, MP3 players, a work-from-home solution, a work-from-hotel-rooms solution, PDAs/Treos/Blackberries, a real Personal Information Manager, Google Desktop, Instant Messaging, and a PDF writer (as just a few examples).
Don’t believe me? Property Management uses the cameras to document site visits. An increasing number of employees listen to podcasts while commuting. I’ve lost track of how many times Google Desktop has found files I’ve lost track of. Just for starters.
Few employees “need” these things. Need is a poor measure, though. Providing tools that make work incrementally easier is a good investment of your time and energy. That’s because, while there is no magical demarcation point, a pile of incremental improvements turns into a qualitative change. The proper test is always value, not need.
Want to make sure employees don’t install software on their own? There’s an easier and better solution than totally locking down their desktop and laptop computers.
That’s beating them to the punch.