Fear users, says IDC security chief

Educating end users is not enough to successfully mitigate internal security threats and data loss, warns the analyst group
Written by Tom Espiner, Contributor

Analyst firm IDC has warned IT managers that education of end users is not enough to mitigate potential user threats.

Access to applications and systems needs to be centrally controlled and enforced, according to Eric Domage, IDC's security product research manager. "Businesses must fear the user," he said at IDC's Security Conference in London on Tuesday. "You have to control access, as well as educate the user."

User education could include IT managers forwarding media reports of security breaches at other organisations, said Domage, who also claimed there was "nothing you can do to stop a leaving employee vacuuming data", apart from closing their USB ports.

Ian Lackie, Novell's identity and security director, agreed with Domage that both education and enforcement are needed to mitigate user threats. "The security aspects of how you control the user [include their] loading inappropriate applications and malware prevention — there's a need to get control," he said. "Education is one answer, but you need enforcement as well. But it's a fine balance — obviously you don't want to alienate users."

Andy Bushby, Novell's identity and security principal, said that endpoint security was needed to enforce security policies, and that all sensitive corporate data should be encrypted. However, Bushby said that whole disk encryption would "slow things down", so businesses should only carry out partial encryption.

Richard Jacobs, chief technology officer of security vendor Sophos, agreed that user access should be controlled, but said that control should be light to lessen any impact on user productivity. "Application control can limit the use of unauthorised software, but a high level of control can paralyse the system," said Jacobs. "Avoid application whitelist paralysis — it's too intrusive."

Controlling network access needs a similarly light touch, according to Jacobs. "With network access control, the key is using it to assess both client and your security policy. You can't lock 70 percent of the users off the network — that is a career-limiting move. Network access control should be about understanding what's happening on your network," he said.

Businesses should "refresh their threat mix" to also take account of regulatory threats, malware and user threats, according to Domage.
