User engagement can help with training, but accidental breaches are hard to prevent
User ignorance is a bigger concern than outsider or internal attacks.
Speaking to SC Magazine about recent research by Clearswift, Lee Millest, technical architect of ICT services at Warwick District Council, said that insider and outsider attacks were both a concern, but external attacks were easier to deal with due to available solutions.
He said that the government code of connection (CoCo) helped ensure the security of its network, as well as penetration testing, and while disgruntled users were a concern, the concern was "ignorance of non-malicious" users.
Asked how he was able to deal with disgruntled or malicious insiders, Millest admitted that this is hard to defend and prevent but, as figures from the Clearswift research showed, data breaches are the result of human mistakes.
He said: “We have implemented policies on USB sticks but it is nonsense if you still use them, so we put in technology to authorise encrypted USB sticks so if they are lost we can say that the data is not accessible. Considering what we do, if we suffered a data loss the PR could be worse than the breach.”
Millest said that the perception of mobiles being the biggest problem is understandable, and current government connection rules require checks to be in place, so this requires user education as well as policy and technology.
“We need to dictate what the rules are, need to communicate effectively and determine where we need to put technology in place to back things up,” he said.
In terms of how to engage users, Millest said that it had some e-learning questions that appeared on user's desktops, but this could cause a problem for out-of-hours workers. He said: “IT is an enabler for professionals and technology to help them and it is our responsibility to do it in a secure manner.”
The research found that 53 per cent of respondents felt that users would continue to use their own devices on the network, whether it is sanctioned by IT or not. To enable mobile working, Warwick District Council has deployed mobile device management technology to do email in a secure container that it could control.
“We are a conservative organisation with a small ‘c', and while our users are not hammering down the doors to use their own devices, it is the same people who have no malicious intent that could cause the inadvertent breaches,” he said.
The Clearswift research found that 72 per cent of the 300 respondents were struggling with the change in the security landscape. Guy Bunker, senior vice president of products at Clearswift, said that there is a change from bring your own device to ‘choose your own device' for the IT manager to determine what is and is not allowed.
Bunker said: “You need to make sure that your information is secure and why you put mobile device management technology on is for the need to ensure you are secure at all times and add encryption to make sure it is safe.”