Call for Education or Need for Better Applications?

Posted by on January 2, 2011

The fallout from the recent VA issue http://www.nextgov.com/nextgov/ng_20101222_6852.php has made me think about one issue around software security: is it a lack of security education or outdated applications that leads to some of these breaches? In this example, the users apparently wanted to be able to share their calendar among multiple employees. I am sure there are many people who have had this same request. There are many solutions to this, but which one is right depends on your environment.

Education
Many users are not aware of all the compliance requirements that exist. With HIPAA, SOX and others, it can be difficult to keep up if you are not a security professional. Even some of the information protection standards that corporations may have can be difficult to interpret. Maybe more education on what types of data need to be protected might have been successful.

How many users do you know who don’t have a strong understanding of the internet or what the “cloud” even is? We, as IT professionals, are expected to understand this much more in-depth than those not in this industry, just as those in the health care industry are expected to understand health more than us. Users may not understand how these technologies work, or how they may be susceptible. When a typical user thinks about sharing a password with a co-worker, they do not share the IT concerns. IT is concerned with audit trails, non-repudiation, etc. Is it possible for the general user community to have the understanding to really make legitimate decisions when it comes to using third-party apps with internal data? The IT department must be involved to offer the experience, but that too can be difficult when the company is small or the IT department is limited.

Better Applications
Are many of the applications we use outdated? Of course they are. Technology is moving fast, and most applications are updated more than once a year. There are new applications coming out every day to solve the problems of older applications. Workers want to do as little as possible; this is not a fault, but a way of life. Why work harder when we can work smarter? When a user sees a new application that solves their problem, and it is probably free, they want to jump on it. Why use an Excel spreadsheet to track scheduling when you can use a nifty online application accessible by everyone from anywhere? The intent is not to cause a “breach,” as stated in this case, but to make the user’s life easier. This was not malicious. It was a case of something better coming along, and how often is that happening these days?

Unfortunately, this problem is not easily solved. Many IT departments are small, with very limited resources to create new applications. Even if they did, the applications may be outdated by the time they are completed. It is also difficult to even have staff to research or understand the offerings already available from third parties. How does a company with limited IT resources manage its data and control access to prevent this type of “breach”? Until there is an answer to that question, I believe there will be many more of these findings.

Hopefully, as time goes on, users will become more knowledgeable about how these technologies work and how the data they work with needs to be protected. As IT professionals, we need to do a better job of assisting users with protecting their data. Obviously, every application cannot list out all of its possible uses, but there has to be a way some assistance can be provided.
