The one-two of knocking out infosec issues
Security boffins and technology vendors alike have been saying that there needs to be a balance of technology and education for information security, but the order and manner in which you use them is just as important, according to two senior executives from WatchGuard Technologies.
(Boxing gloves image by Generation Bass, CC2.0)
Speaking with ZDNet Australia, WatchGuard vice president for Asia-Pacific channels and alliances Scott Robertson said that the typical sucker-punch approach of suddenly cracking down hard on security rarely ever worked and often made things worse.
"If you cage an animal, an animal always want to get out from the cage. It's likewise in the internet space. If you're trying to cage your employees from having access to certain things, more likely than not, they'll want to try and get out," he said.
He said that both parties needed to change their perspective of what security meant to them.
"A lot of people consider security as the overarching web that stop people from going out and doing things. I would ... argue that security is actually designed these days to improve productivity so that the organisation can function — that people aren't doing things that are going to pull the network down or take the company's website off the internet for a period, or import a virus."
The use of social media is one of those tools that could be used to increase productivity, according to WatchGuard CEO Joe Wang. He said that the company has seen a huge increase in companies interested or currently using LinkedIn, for example, as part of their recruitment drive, or Facebook as part of their marketing.
But he indicated that companies had not yet caught up with implementing the right security measures to enable safe social media use, restricting productivity when it was excluded entirely, or that those going ahead with its use might simply be ignoring the risks.
"96 per cent of companies are not using application control technology to manage their web application," he said.
That didn't mean that those using or thinking about using social media didn't think security was important.
"We've seen a big wave of customers wanting to have an application control technology."
Proper policy setting might set guidelines for proper social media use, but Robertson said it was only half the picture.
"Once you have policy distributed to employees, it's then technology which allows the IT department and the company as a whole to be able to enforce it," he said.
Wang also added that organisations needed to be mindful that not everyone was trying to do the wrong thing and that security issues sometimes occurred by accident.
"We have to assume that not all computer users are well educated, that not all of them are mindful of security threats," said Wang, adding that this was why technology was needed.
Rather than stumble head-first into a security fist-fight without a strategy, Robertson said that organisations needed to tackle the issue with softer, educational blows and have their knock-out technology punch ready.
"Give them a clear direction as to why you have these policies in place, why it's important that you educate them first, and then remind them that ... we have technology in place which allows us to enforce, that allows us to police if necessary."
"It's really that one-two punch that's required to protect networks better now and into the future."