IT Security: Do As I Say, Not As I Do

IT personnel are responsible for a third of all data leaks, says a recent report by researchers. Small and midsize businesses are as vulnerable as bigger enterprises -- and maybe more so

Paul Korzeniowski, Contributor

January 14, 2008


IT departments concerned about their companies' ability to secure information need to look closely in the mirror. Security product, service, and market research supplier Orthus found them to be the biggest source of corporate data leaks.

The London-based company evaluated more than 100,000 hours of user activity and identified the ways that users accessed, processed, stored, and transmitted sensitive corporate information, including personal information, financial information, and intellectual property. The evaluation identified which users were removing sensitive data, where they worked, and exactly how and when it was removed.

The research identified if and when sensitive information was sent or copied to an unauthorized device (such as a PDA, MP3 player, USB flash drive, or mobile phone) or if it was uploaded or transferred through an unauthorized application (for instance, IM or social networking sites).

IT personnel were responsible for an overwhelming 30% of all incidents of data leakage identified during the research. So it's disconcerting that those entrusted with keeping information secure seem least likely to follow security best practices.

There are a number of possible reasons for the disconnect between what IT departments are trying to accomplish and their own business processes. First, the nature of security is hierarchical: while IT departments watch over all the other business units, usually no one is monitoring them. Problems arise because they may be unaware of shortcomings in their own policies.

Second, the repercussions from IT security breaches are unclear. End users' transgressions are often flagged, collected, and rolled up into reports that are distributed at managers' meetings. Since security is the IT department's job, executives incorrectly assume that this group does not have to be included in this process.

Third, IT departments have the highest level of system privileges. They need them in order to perform their jobs; a network technician who cannot reset a user's password would not be able to do much work. The downside is that many of these individuals become a bit cavalier about using those privileges and may not follow best practices themselves.

Fourth, security issues have become complex and ever-changing. Guarding against an attack at the firewall is much easier to understand than data leakage. In some cases, the IT department may not understand what the problem is or how to solve it. This issue can be quite common in small and midsize businesses, which typically have a small group of multitasking technicians rather than individuals skilled in specific areas.

There are steps these companies can take to help lower the risk of their IT departments springing a catastrophic security leak. One way to rectify the problem of the IT department monitoring itself is to have an outsider complete an evaluation. Consultants and systems integrators will be more likely to see problems than employees familiar with a company's typical procedures.

Training could also help. In some cases, IT departments need to understand many of the nuances of today's security market, which can be slightly or even radically different from the main concerns of six, 12, or 18 months ago.

While these are potential solutions, they're not steps most businesses like to take. Auditing and training require taking time out from IT workers' already busy days, something that doesn't sound appealing when a company is struggling to deploy needed software suites or improve its e-commerce features.

In addition, funding these steps is a challenge. Small and midsize businesspeople tend to be bottom-line oriented. When evaluating the payback from new projects, they feel more comfortable with items that have a tangible business impact, such as reducing head count or speeding up product delivery, than with more esoteric items, such as avoiding potential legal problems.

While the Orthus findings may seem surprising at first, they make sense when one stops to think about how corporate security policies are established and enforced, especially in small and midsize businesses. Once companies understand these problems, the more difficult -- and interesting -- question is: Will they do anything to fix them?

Paul Korzeniowski is a freelance writer who specializes in networking issues. His work has appeared in Business 2.0, Entrepreneur, Investors Business Daily, Newsweek, and information. He is based in Sudbury, Mass.


About the Author

Paul Korzeniowski

Contributor

Paul Korzeniowski is a freelance contributor to information who has been examining IT issues for more than two decades. During his career, he has had more than 10,000 articles and 1 million words published. His work has appeared in the Boston Herald, Business 2.0, eSchoolNews, Entrepreneur, Investor's Business Daily, and Newsweek, among other publications. He has expertise in analytics, mobility, cloud computing, security, and videoconferencing. Paul is based in Sudbury, Mass.
