“Don’t look at me” - Who’s responsible for IT security?

Category: IT Security / Date: 4 July 2019

To date, the question in the title remains unanswered. Who is responsible for IT security in this modern age? Network users make a lot of unintentional mistakes, as they are often unaware of the risks that come with privately owned laptops and unsafe Wi-Fi. But they are no specialists, so can you really blame them? And what about you, the IT manager, who spends a lot of time and energy chasing after co-workers, trying to make them aware of all the risks? How can you be held responsible for the IT security of your company when you don’t have control? It’s time to answer all of these questions and find out who is actually responsible. Spoiler alert: it’s not who you think it is.

What about your colleagues?

IT security has been an issue since the very beginning of the Internet. But today, it’s game on. This is due to changes in how and where people work and to the increasing technical skill of people with bad intentions. And as their knowledge increases, their opportunities increase too. Colleagues bring their own devices to the office without having them checked for malware. If they work from home, you can control neither their device nor the security of their network. The same goes when they work from a café or take their phones and laptops on holiday, logging in to a different unsafe public Wi-Fi every ten minutes. And even at the office, you can never be sure that you have everything covered. Many people know they should take IT security into account but don’t know enough about it to put their words into action. And again: can you really blame them?

Or perhaps the company board?

So, let’s find another scapegoat. What about your company board? In large enterprises, IT security is often assigned to a Chief Information Security Officer (CISO) who carefully follows predetermined guidelines. But in smaller companies, boards often don’t take security measures at all, as they believe they are too unimportant to be hacked. People running these businesses often don’t realise that, if you have a company in this modern age, you don’t function without data. This data is often sensitive, as every company holds information on its employees, customers and partners. But awareness is not all. There are many security problems in companies that do invest in IT security. Think of the many VPNs used by remote workers that are believed to be secure, but in fact extend the internal network to whatever device sits at the other end of the tunnel, checked or not. Also think of the many companies using WPA-Personal (one pre-shared passphrase for everyone) instead of the far better secured WPA2-Enterprise (each user authenticates with their own credentials via 802.1X), as if they were running a small household instead of an international organisation. And even the IT departments that do have the right tools often don’t know how to monitor and control their network users, whether they work remotely or enter the physical network. But again: these company boards don’t have the knowledge required, so can you blame them?*

*Actually, you can. Company boards are responsible, period. However, you can’t blame them for getting lost in the many IT security solutions that are out there.

It must be you then

We already established that your co-workers and company board can’t be in charge of IT security, so it must be you, the IT manager! Again, no. As we said in the introduction, you don’t have enough control over your co-workers to be held responsible. You can work night and day, trying to follow their every move and telling them about security risks; in the end, you never fully know what happens on your network. This is because digital security threats come in too many forms. There’s the man-in-the-middle attack, there’s malware, and what about phishing? You can have all the security measures you want; if attackers pick up the phone and pretend to be someone else, you still risk losing sensitive data because a colleague simply handed over the requested files.

The answer is control

If you ask me, control is the only way to make your company foolproof. Colleagues can’t be made responsible, as they don’t foresee the consequences, and company boards simply don’t know about everything that’s going on. Neither do you, for that matter. So, don’t make anyone responsible for IT security; they will never be able to deliver. Instead, take a proactive approach. If your company is sensitive to phishing, make sure only a couple of co-workers can access sensitive company data. If your colleagues work from home, make sure they get access to only those files they need, and deny access to the rest of the network so they can’t bring in any malware. Measures like these have two advantages. First, they make it far easier to monitor users, as there is only so much they can do. Second, they don’t require much action from your co-workers, meaning they can work in peace.

Your company is a ship: compartment it!

One way to get all of this done is through compartmenting, also known as network segmentation. This means you divide your company network into several compartments that people can work in, and which compartment a user lands in depends on who they are, where they connect from and what device they use. Does someone log in from home? Then this user gains access only to their email and some basic files. Is the CEO logging in from a vetted, company-managed PC on the office network? Then the rights are extended. With this simple measure, you reduce risks to a minimum. Of course, you can always add reactive IT security measures such as virus scanners, but they would be complementary. All in all, this makes IT security more effective and less expensive.
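As an added example (not code from the original post, nor from the white paper it advertises), here is the compartmenting logic described above and in the previous section expressed as a deny-by-default access policy: each login is classified by device ownership, device health, location and role, and mapped to a compartment with a fixed set of reachable services. The compartment names, service names and session attributes are assumptions made for illustration; a real deployment would enforce the resulting compartment on the switch or VPN concentrator rather than in application code.

```python
from dataclasses import dataclass

# Constructed example: session attributes, compartment names and service
# names are assumptions, not taken from any product or from the post.


@dataclass(frozen=True)
class Session:
    user: str
    role: str             # "staff", "finance", "executive"
    location: str         # "office" or "remote"
    managed_device: bool  # company-owned and enrolled in device management
    posture_ok: bool      # endpoint protection current, disk encrypted, patched


@dataclass(frozen=True)
class Decision:
    compartment: str
    services: frozenset


# Service tiers, least to most sensitive. Each tier includes the one below it.
BASELINE = frozenset({"email", "shared-docs"})
INTERNAL = BASELINE | {"intranet", "file-server"}
SENSITIVE = INTERNAL | {"hr-records", "finance-db"}

# The few roles that may ever reach the sensitive tier.
SENSITIVE_ROLES = frozenset({"finance", "executive"})


def decide(s: Session) -> Decision:
    """First matching rule wins; anything that matches nothing is quarantined."""
    if not s.managed_device:
        # Unknown or privately owned device, at the office or elsewhere:
        # mail and basic files only, never a foothold on the internal network.
        return Decision("guest", BASELINE)
    if not s.posture_ok:
        # Managed but non-compliant device: it may talk to the patch server
        # and nothing else until it is brought back into line.
        return Decision("remediation", frozenset({"patch-server"}))
    if s.location == "remote":
        # Compliant company laptop from home: the files the user needs,
        # but no broad internal network access, whatever the role.
        return Decision("remote", BASELINE)
    if s.location != "office":
        return Decision("quarantine", frozenset())
    if s.role in SENSITIVE_ROLES:
        # Vetted device, on the office network, privileged role: rights extended.
        return Decision("sensitive", SENSITIVE)
    return Decision("staff", INTERNAL)


def may_access(s: Session, service: str) -> bool:
    return service in decide(s).services


def sensitive_exposure(sessions) -> list:
    """Audit helper: which of these sessions can reach the finance database?
    Lets you verify that the 'only a couple of co-workers' rule actually holds."""
    return sorted(s.user for s in sessions if may_access(s, "finance-db"))


if __name__ == "__main__":
    # Constructed sample logins.
    samples = [
        Session("alice", "staff", "office", True, True),
        Session("bob", "staff", "remote", True, True),
        Session("carol", "finance", "office", True, True),
        Session("dave", "finance", "remote", True, True),
        Session("erin", "executive", "office", False, True),
        Session("frank", "staff", "office", True, False),
    ]
    for s in samples:
        d = decide(s)
        print(f"{s.user:6} -> {d.compartment:12} {sorted(d.services)}")
    print("can reach finance-db:", sensitive_exposure(samples))
```

The rules are ordered so that the cheapest, most conservative checks come first: an unmanaged or unhealthy device is placed before role is even considered, and a remote login never reaches the sensitive tier even for a finance user. The audit helper is the part worth keeping around; it is how you confirm, after every policy change, that the number of people who can touch the crown jewels is still small.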

Compartmenting is part of what we call Network Access Control, a concept that’s often seen as outdated. But in these times of constant digital threats, we believe it’s time to reconsider. Want to know more? Download the free white paper below.

White paper: Network Access Control made easy