Why does computer security have to be so technical?


The problem I find with most cybersecurity talks is that the experts have little ability (or desire) to speak in plain English to folks who really need common-sense, practical explanations of security and of why they should be worried about cybersecurity in their business.

That’s where practical computer security comes in!

What exactly is practical security?

Most IT Support companies (and internal IT Security officers) tend to make IT support work harder and make usability more complicated when adding layers of security. At its core, what most businesses need to stay competitive, compliant and secure is practical security.

What I mean by practical security is security applied to your everyday setting. I’ve been working in IT Security for years and have learned that making security an imposition for users leads to less buy-in.

If users have a harder time accessing files, sending emails (because they need to be encrypted), or printing secure documents, they will likely find ways to bypass security systems and processes, leaving your business more vulnerable than if you had no security process at all!

Practical security makes sure that usability keeps users above board when it comes to following protocols and procedures. Practical security means integrating security so seamlessly that users experience no delays or annoyances and work with security measures (instead of against them).

The bottom line: most security frameworks forget the user, and IT Support often doesn’t understand who they are supporting or why high-level security protocols actually impede getting work completed. Practical security, on the other hand, gets users to complete their work inside a secure environment that keeps them aware of risks and shows them how to mitigate security risks while staying productive.

How to effectively help make enterprise IT Security better?

Let me first describe a couple of situations where IT security made business security worse!

Your antivirus is out of date—Your IT Support sends a memo around the office asking you to leave your computer on after 5 pm tonight for antivirus updates.

You see the memo but decide your annual project report due on your CEO’s desk is more important than some silly update. You decide to work late into the night making sure the report has every ‘i’ dotted and every ‘t’ crossed. When you come in the next morning, with 15 minutes to spare, you try to connect your computer to the network to print the report.

But you find IT Support has blocked your computer from the network and put it on a quarantine list. As you scramble at the last minute, IT Support makes you jump through hoops, perhaps in punishment for not abiding by their clear instructions the night before. Your report ends up printed and on your CEO’s desk an hour and a half late—not the best impression.

Your Windows updates aren’t complete—You have a presentation tomorrow morning and decide to practice the talk at home instead of staying at the office late at night. Again, IT Support has asked you to leave your computer on for updates, but you simply cannot give up your computer this time. You ignore the request and take it home anyway.

When you come in the next morning, you find IT Support has blocked your access to the network because you don’t have the required Windows patches installed. Instead of making the final touches to your presentation, you run around trying to figure out how to install the update yourself.

Strict IT Security policies may sound nice on paper when you have no stake in the game other than enforcement, but from a user perspective, they can lead to disenfranchisement and resentment of IT in general. In fact, 43% of users end up troubleshooting and fixing IT Support problems themselves, which ultimately opens bigger doors to hackers and cybercriminals—defeating the original purpose of your IT Security policy.

In both of these scenarios, someone needed to get work done fast, but couldn’t. All because IT Security worked as a barrier to productivity and usability.

So how could practical security have helped this situation?

Your Windows Updates are out of date, but you have a grace period until it has to get done. IT Support sends you a reminder—if not today, tomorrow or the next day? You choose because it’s your computer. A grace period allows for continued workflow while ensuring that user computers are secure. In fact, when given a hard deadline, over 55% of folks do not follow the rules. They work around the rules and put business security at risk in the process.

When leeway is given with proper explanations and actionable tasks to be done, over 95% of users comply with IT Security requests—they get the update with IT Support and help keep your data safe.

Realize that securing computers is tough, especially ensuring all patches are up to date. Setting flexible rules that are practical and usable helps users maintain security standards.

And beyond making security practical, it needs to be understandable.

If your workers don’t realize why security policies are in place, they are more than 3 times more likely to break the rules. It could be as simple as sharing sensitive files via Dropbox or another collaboration software package (but see our discussion here for why Dropbox might not be good for business).

Why they should use one platform over another, or why using free software may be risky, are just a couple of the hundreds of risks your IT Support team should bring to users’ attention as they help keep their computers working.

There are two main reasons why we need security in my opinion:

We need to protect information. Intellectual property and personal information. We’ve seen countless attempts by hackers across the globe to steal information for profit. Social Security Numbers. Bank accounts. Maybe ransoming critical data, which prevents our business from running.

But we also need to keep that data in safe places, enabling users to store their data in places where they can collaborate and share information securely, especially if any sensitive or protected information is involved (for one example, fitSync has consistently been a reliable way sensitive information and data can be shared within your network).

Safety, Safety, Safety. My second reason security exists is purely for safety. Safety of people and systems. What happens if your phone system isn’t working because it wasn’t backed up?

Or what if there was a power outage and we didn’t have an uninterruptible power supply in place for critical machines? (Our best practice is to have this set for clients.)

This list could go on and on.

Both from the technical side and from the physical. What if something were stolen? Or destroyed because a server wasn’t set up in a secure place? Keeping your systems secure encompasses keeping data and information safe, but also keeping hardware secure and disaster-proof (or at least as close as we can possibly get to disaster-proof!).

Keeping your business IT safe boils down to practical security. Security that ensures you can keep compliance, maintain operational efficiency AND ensure your users and data are safe.

Unsure whether you are making security an integrated part of your business operations? Not sure your IT Support understands how to keep security and efficiency running at the same time? Need a second opinion when it comes to securing your network? Contact Us for a FREE 3rd Party Security Assessment!