Managing the permanent security issue of Top Management

Regardless of procedures and policies, a company can have a nearly permanent security issue in top management. This issue results from the speed with which top management requires their services delivered and, more than likely, their lack of an information assurance degree - or even an understanding of what information assurance is, for that matter. No top manager wants to be bothered with the problems and challenges that their wishes create for the security and IT guys. They want them resolved, preferably yesterday.

The security issue of top management results from their lack of time and their insistence that everything works when they request it. Usually that means that the security aspects of the requested solution have not been researched, or that nobody has even become familiar with them. All this results in a half-baked workaround solution.

We will provide two examples of security issues that can easily arise:

  1. The manager requests a new gadget - like a smart phone, tablet computer or a new 'bling computer' with a different OS. Procurement is quick to purchase the new device for the top manager that orders it. When the new gadget arrives procurement informs him in a CYA (Cover Your A*s) approach that they have done their job. The manager expects it to run immediately, so this is what usually happens:
    • the gadget is set up as fast as possible, using the basic instructions from the Internet or what little experience an engineer has with the gadget.
    • help to install the gadget is solicited from any current users of the gadget, who also assist in set-up to the best of their knowledge, but with little concern about security or compliance with corporate standards.
    • the gadget is configured to provide all or most corporate services as used by the manager on the standard corporate computers.
    • The end result is a device which can connect to most of the corporate services, but which is rarely properly secured. If the gadget is stolen, there will be a whole lot of grief for security guys.
  2. The manager wants to open photos on a foreign USB - a guest arrives at the manager's office, and he/she has a USB stick with photos. The manager wants to see the photos on his computer.
    • If the manager's computer has permissions to open a USB, he/she will read the USB, possibly opening a virus or Trojan.
    • If the manager's computer doesn't have permissions to open a USB, a request to enable access will be rushed through operations. Again, the end result can be executing a virus or a Trojan.
    • If not captured properly, a Trojan may enter the computer network of the corporation, and collect data or cause havoc.

The harsh reality is that these situations will happen, and cannot be avoided in most corporate environments. So what can be done to mitigate these situations?
1. Have antivirus with very frequent auto-updating and realtime scanning installed on everything. Even if an infected USB is inserted, this mitigates the risk of the virus/Trojan infecting a corporate computer.
2. When configuring a new gadget, educate the IT team to first set up security - they should find out how to install/activate antivirus, put up a firewall and set up password protection for using the device. Even if you have a limited amount of time with the gadget, it will have deterrents in place to reduce the risk of a stolen device.
3. Try to set up the gadgets so they don't store corporate data locally - access mail via IMAP or webmail, and computer services via VPN. Even if the gadget is stolen, all it takes is a password reset.
4. Have a good relationship with procurement - if they give you just a day's advance notice that there will be new gadgets, that is a day more to read up and prepare for a more proper configuration.

Talkback and comments are most welcome

7 comments:

Ch Adnan said...
This comment has been removed by the author.
Filip said...

something that really happens, very useful

Bozidar Spirovski said...

@Ch Adnan - don't use flagrant blog linking - if you have a useful link to share do so, don't do link dropping. Your first and final warning
