Decade by decade, the image of the ideal workplace shifts with technology and internal work culture. Dream office spaces went from coordinated cubicles and paneled walls to open floor plans, co-working spaces, and company-provided ‘perks’. Many people want a workplace where they can log in, put in their earbuds, and work without any restrictions. If the ‘tree-hugger’ stereotype existed in network security, our users would want no policies, no bandwidth limitations, and the freedom to access and consume any information they like.
To our users, this sounds like a fun place to work. In IT, that workplace and that mindset drives us up the wall.
Few departments tip-toe between what’s best for corporate culture and what’s best for corporate integrity the way IT does. We work in places where 43% of users are “very unwilling” to give up access to entertaining and data-intensive apps like Pandora or Spotify, even if doing so frees up network resources (Exinda). “Entertaining”, “fun”, and “convenient” are rarely words that align with secure, high-speed, or productive. This is a lingering problem that we need to address.
Where do you begin when taking a good hard look at your users’ access?
1. First things first, get visibility.
Before we do anything, let’s take the time to dig into the visibility we already have across the network. When logs come from disparate formats, devices, and locations, we often find ourselves piecing information together with little regard for consistency. The fabled “single pane of glass” is possible, but we don’t always budget for it. Use the resources you have, gather every log source you can, and compile them into one well-organized inventory of what is on the network and where it talks. This becomes the foundation for every consideration and next step that follows.
*Pro Tip* – Many vendors provide security and network assessment reports that give us a point-in-time look at everything passing through the network. Tools like Splunk let us collect logs from many sources into one location and assist with gaining intel; the value is less in the tool than in asking it consistent questions: who are the top talkers, which destinations consume the most bandwidth, and what is leaving the network rather than entering it.
2. Involve HR and Legal
Given that you may be restricting users’ access, bandwidth, or freedoms within the work environment, outside counsel should be involved. We recommend bringing HR and legal into the roll-out discussions before announcing or implementing any company-wide change. HR often takes the brunt of employee frustration, and a reduction in morale will affect the corporate culture. Some of these decisions also carry legal or ethical ramifications, for example around monitoring employee traffic, that need to be understood before the policy is enforced rather than after.
It’s equally important to educate users on the reasons “why” we are making the changes. We may discover unexpected buy-in from our peers, which creates a win-win scenario. When users believe that changes and restrictions will have a positive impact on the organization, they’ll help champion IT and police their peers.
3. Keep compliance in mind.
Users may, often without realizing it, be violating state and federal laws by transmitting regulated data to cloud services. Technology manufacturers have introduced tools that give us the visibility we need to determine what is leaving our network. We’ve seen users upload sensitive spreadsheets to cloud file-sharing services when working with third-party organizations. While they see this as an easy way to collaborate, it can be a serious liability for the IT department and the business: the documents remain in the cloud, outside our retention and access controls, and are often forgotten. Palo Alto Networks’ Aperture is one example of a tool that can gather this information. We need to know that HIPAA, PCI DSS, and other data-protection frameworks are not being violated by our users, which means looking specifically at outbound transfers (uploads) and not only at inbound bandwidth.
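As an added illustration of the visibility point in step 1 and the outbound-data point in step 3 (this is example code written for this article, not output from Splunk, Aperture, or any vendor tool), the script below triages a handful of constructed proxy log lines: it ranks hosts and users by total bytes, then flags uploads to cloud file-sharing hosts that either carry a spreadsheet filename or exceed a size threshold. The log format, the host list, the filename extensions, and the 1 MB threshold are all assumptions chosen for the example; swap in your own proxy or firewall export format and your organization’s list of sanctioned and unsanctioned sharing services.

```python
"""Triage constructed proxy logs: who consumes bandwidth, and what leaves the network."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not real traffic). The field layout is an assumption
# made for this example, one request per line:
# <epoch> <user> <client_ip> <method> <url> <status> <bytes_to_client> <bytes_from_client>
SAMPLE_LOG = """\
1500000001 jdoe 10.1.2.3 GET https://www.pandora.com/stream/abc 200 45000000 1200
1500000002 asmith 10.1.2.7 GET https://www.spotify.com/track/xyz 200 38000000 900
1500000003 jdoe 10.1.2.3 GET https://intranet.example.com/index.html 200 12000 400
1500000004 bwong 10.1.2.9 PUT https://www.dropbox.com/upload/payroll_q3.xlsx 200 300 8200000
1500000005 asmith 10.1.2.7 POST https://drive.google.com/upload/notes.txt 200 500 2048
1500000006 bwong 10.1.2.9 GET https://drive.google.com/file/d/abc123 200 1500000 300
"""

# Assumed lists for the example; replace with your own sanctioned/unsanctioned services.
SHARING_HOSTS = {"www.dropbox.com", "drive.google.com"}
SPREADSHEET_EXTS = (".xlsx", ".xls", ".csv")


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue  # a line we cannot parse is itself a visibility gap worth counting
        ts, user, ip, method, url, status, to_client, from_client = parts
        split = urlsplit(url)
        records.append({
            "ts": int(ts), "user": user, "ip": ip, "method": method.upper(),
            "host": split.hostname or "", "path": split.path, "status": int(status),
            "down": int(to_client),   # bytes delivered to the client (download)
            "up": int(from_client),   # bytes sent by the client (upload)
        })
    return records


def _totals_by(records, key):
    totals = defaultdict(int)
    for r in records:
        totals[r[key]] += r["down"] + r["up"]
    # highest consumer first, so the top of the dict is the top talker
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def bytes_by_host(records):
    """Total bytes (both directions) per destination host, largest first."""
    return _totals_by(records, "host")


def bytes_by_user(records):
    """Total bytes (both directions) per user, largest first."""
    return _totals_by(records, "user")


def flag_cloud_uploads(records, sharing_hosts=SHARING_HOSTS, min_upload=1_000_000):
    """Return uploads (PUT/POST) to file-sharing hosts that look like bulk or spreadsheet data.

    A spreadsheet filename is flagged regardless of size; anything else is flagged only
    when the upload exceeds min_upload bytes, so a small text note is not treated as exfil.
    """
    flagged = []
    for r in records:
        if r["method"] not in ("PUT", "POST") or r["host"] not in sharing_hosts:
            continue
        looks_like_spreadsheet = r["path"].lower().endswith(SPREADSHEET_EXTS)
        if looks_like_spreadsheet or r["up"] >= min_upload:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Top hosts:", bytes_by_host(recs))
    print("Top users:", bytes_by_user(recs))
    for r in flag_cloud_uploads(recs):
        print(f"REVIEW: {r['user']} {r['method']} {r['host']}{r['path']} ({r['up']} bytes up)")
```

On the sample data the streaming hosts dominate the bandwidth ranking, which is the step 1 picture, while the only flagged record is the payroll spreadsheet pushed to Dropbox, which is the step 3 picture. Note that the two views disagree about who matters: the user moving the most bytes is not the user creating the compliance exposure, which is why outbound volume and filename both need to be in the query.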
4. Red flags are a black and white issue.
Some things are non-negotiable, but if we don’t have the proper knowledge of the red flags being raised, we’re left in the dark. I’m talking about user habits that cause deep legal, moral, and ethical breaches. Child pornography, violent websites, and peer-to-peer file-sharing sites are major red flags. Sustained access to these sites is not accidental, and the response should be swift and decisive; confirm it in the logs first, since a single hit from a redirect or malvertising is not the same as deliberate browsing, and document what you find before escalating. If we manage networks that permit non-employees to use our bandwidth to reach the internet, we tend to find inappropriate activity taking place. Healthcare systems, nursing facilities, and higher education are common examples.
Bonus: Be Considerate.
Occasionally we make mistakes that leave our co-workers dissatisfied and resentful. They feel IT is coming down on them and making their job feel “more like a job”. Some work environments allow additional internet activity as a benefit of the job; we see this a lot in Web 2.0, XaaS, and creative companies. Employees stream Netflix, SportsCenter, and even the Masters during the day as entertaining filler while they work. Our advice is to be considerate when such perks are being removed. We believe that security should always come first, but implemented the wrong way it can lead to organizations securing empty desks.
Making everyone happy is not realistic, but through careful communication and education we can find a happy medium with our users. Ultimately, they must understand that cybersecurity and network performance are everyone’s responsibility, not just IT’s.