Day in and out we are reading and listening to news about how lost and stolen data, Virus attacks crippling organizations, unauthorized software that may contain malwares and so on. While it is impossible to eliminate IT risks altogether, certain steps can aid in placing less reliance on the persons and processes and more on technology. At the end of the day it is better to Push Security to End Users than to expect compliance.
One major pattern that is emerging in IT threats today is the internal threat that is repeatedly coming to fore. Internal threat need not mean a malicious internal user, it has also come to mean an external threat manifesting through the internal route. For instance a laptop that is stolen which is then used to access the network because the laptop user stored the access credentials on his VPN client.
The key to the success of any IT Security initiative is that it should enforce adherence rather than expect end users for compliance. For instance an IT Security Program that is likely to disable USB drives as a group policy setting is likely to be more successful than a Policy or process level initiative that simply states (without accompanying technology initiatives) that end users must not use USB drives. It is high time that along with policy level initiatives, organizations must implement IT Security measures using technology to the extent possible.
Domain controllers, Group policy settings, VLAN’s and Centralised Anti Virus controls are a few of the measures that organizations can build to ensure that IT Security is enforced internally. Today, generally Organizations fortify from external threats to such an extent that it is surprising to find the little or lack of similar measures that are deployed for internal threats. It has been found and proved often that insider threats are not only higher in number but also very difficult to control and trace. In such a situation organizations must not leave IT Security administration to the competence of an individual or strength of a process. At the end of the day, It does not matter where the weakest link is as long as it exists.