I have seen it happen time and again; I educate the people I support about proper security practices and they go on and do dumb things anyway. Trusting users with security is a bad idea. It’s a bad idea because it doesn’t work. Security is hard. It takes thought and effort. People don’t want to have to think about it. They want instant gratification and they want it to be easy.
So, what’s the solution? Do we lock everything down so it’s impossible to get in trouble? That has been proven unworkable. Do we switch to dumb terminals for mission-critical apps? Perhaps, but that’s cost-prohibitive for small businesses.
The solution that works for my clients is a simple one:
- There is an Internet usage policy in place and incorporated into the employee’s employment agreement; it is strictly enforced.
- Server-based anti-malware with real-time threat monitoring and notification is in place.
- Proven anti-spam filtering is in place.
- URL filtering is in place to block known malicious and prohibited sites.
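As an added illustration of the last control, here is a small deny-list URL filter written for this page; it is example code, not anything the author deploys. The deny list and the URLs fed to it are constructed placeholders (`malicious.example`, `games.example`, and so on). The point it makes is that a filter on "known malicious and prohibited sites" has to normalise the hostname (case, trailing dot, port, Unicode labels) and match on the label hierarchy, so that `cdn.malicious.example` is caught while `notmalicious.example` is not; it also refuses literal IP addresses, which otherwise sidestep any name-based list.

```python
"""Deny-list URL filter with hostname normalisation.

Added example for this page; the deny list below is a constructed placeholder,
not a real threat feed.
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample deny list: domain -> category. A real deployment would load
# this from a maintained feed plus the organisation's own prohibited-site list.
DENY_LIST = {
    "malicious.example": "malware",
    "phish.example": "phishing",
    "games.example": "prohibited-by-policy",
}


def normalize_host(url: str) -> Optional[str]:
    """Return a canonical ASCII hostname for url, or None if it cannot be parsed."""
    if "://" not in url:
        url = "http://" + url  # treat a bare host like "games.example/lobby" as an http URL
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return None
    host = parts.hostname  # already lower-cased, port and IPv6 brackets removed
    if not host:
        return None
    host = host.rstrip(".")  # "malicious.example." is the same zone as "malicious.example"
    try:
        host = host.encode("idna").decode("ascii")  # Unicode labels -> punycode form
    except UnicodeError:  # empty or over-long label
        return None
    return host


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return ("block", reason) or ("allow", None) for a requested URL."""
    host = normalize_host(url)
    if host is None:
        return ("block", "unparseable")  # fail closed on anything we cannot parse
    # Literal IP addresses never match a domain list, so block them outright.
    try:
        ipaddress.ip_address(host)
        return ("block", "ip-literal")
    except ValueError:
        pass
    # Walk up the label hierarchy so every subdomain inherits its parent's verdict.
    # The bare public suffix (the last label) is deliberately never checked on its own.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DENY_LIST:
            return ("block", DENY_LIST[candidate])
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample requests a proxy might see.
    for sample in [
        "https://cdn.MALICIOUS.example.:443/update.exe",
        "http://notmalicious.example/",
        "games.example/lobby",
        "http://192.0.2.1/",
        "http://münchen.example/",
    ]:
        print(f"{sample!r:50} -> {classify(sample)}")
```

The suffix walk is what makes the list usable in practice: entries are written once for the registered domain and still cover every host beneath it, while a naive substring check would either miss `notmalicious.example` or wrongly block it.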
In the last five years, where the above is implemented, I have had to respond to a security incident on only one occasion and that one was an internal breach by an employee who attempted to steal a customer list.