Often, as security professionals, we tend to blame our users. Not all people are security aware and make the right decision when facing a potential security issue. Yes, we know: they click, they open, they answer questions, they trust, …
But let’s be realistic, sometimes they take bad actions just because of us. Our mission is to protect our employer’s or customer’s data and their team members against more and more threats. To achieve this, we take decisions for their own sake: we deploy new tools, new controls and procedures. We get paid for this job, and so do the users: they are paid to perform other tasks. Today, computers are everywhere and almost all people working in a company have to use them and network resources.
I was browsing through the huge amount of data leaked from HackingTeam, searching for juicy information about Belgium. I found an email with this signature:
> LASTNAME Firstname
> Position
> Department/Organization
> Tel : +32-xxx.xxx.xxx
> Tel : +32-x.xxx.xx.xx
> Belgium
> user@<organization>.be (without attachment)
> nick@<well-known-isp>.be (attachment OK)
My first reaction was a big “WTF?!?“. He/she asks external contacts to send files to a private mailbox hosted by a well-known Belgian ISP. Is this mailbox properly protected? Does he/she use a strong password? Is the password shared across multiple services? We know that attachments may potentially contain very sensitive information!
After the first reaction and a few deep breaths, I took some time to think deeper. Maybe this is the only alternative for this user to receive files from external contacts. The system in place in his/her organization might be too restrictive, too slow, or undersized to handle the total amount of processed data. I don’t know the reason but one thing is for sure: humans are excellent at finding evasive ways to get stuff. From his/her point of view, the employee is just trying to get things done. Let’s go back to the example above. IMHO, trying to block everything at all costs is a wrong approach. We often forget that the IT department is offering services to the end-users. It implements tools to help them work efficiently, and the same goes for security. We have to implement tools and procedures to help people work in a safe environment.
The next time you reject a request from a user for “security reasons“, don’t just say “No!” but “No, because…“. Explain why and propose an alternative that best matches his/her requirements and yours (from a security point of view). In the example described in this post, if people must exchange files with external contacts, why not deploy a file sharing service coupled with strong scanning of the incoming files? Everything is possible but requires investing some time and money… Wait… Maybe that’s the real problem? 🙁