There are two types of employees that I like to call Dennis the Menace and Alice in Wonderland. They are bright, motivated, friendly and have only the best of intentions. They can also be your worst nightmare.
Dennis, for instance, sees some problem with the production code you use for your core business. He knows theres an easy fix, it will only take five minutes, and everyone will be very glad at how much better the system runs once its fixed.
He rewrites the function, and replaces it in the module where he first identified the problem. What he fails to realize is that several other modules have dependencies and the change causes the production code to grind to a halt. Your network looks fine, everything should be working, but its not.
Certainly you dont want to be the one explaining to the CEO, CIO, or CTO what happened and why it took so long to do something about it. You also dont want to be the one responsible for informing customers about loss of data, down time and loss of revenue.
A change control process sets the framework for protecting all the parties involved. It allows for the identification and timely resolution of a snag in your code, but it also clearly identifies who is responsible for the change, and what the back out should be in case of difficulties.
In Dennis case, it also means that every time theres some difficulty, you wont be camped on his desk asking what he did this time. Hell be relieved to know that he isnt a scapegoat in bad situations.
Educating the Trusting
Then theres Alice. She will be the first to tell you shes not very technically inclined. She loves her computer, it lets her do so many things. Shes working on a novel, she thinks the world wide web is amazing for its ability to tell you everything you ever wanted to know about anything.
And she believes it all. If it comes to her in email from friends, then its obviously something she needs to see, sign, buy or try. After all, who on earth would know who she is and what her email address is?
Weve talked about this situation before, and well likely talk about it again. It is very difficult to educate the trusting to recognize the threats inherent in the virtual world. Teaching users to avoid suspicious sites sent in email and learning to recognize attempts to gain privileged information by unauthorized persons either via the web or email will go a long way to cutting down the number of compromises as the result of malicious web content.
The reason I bring this up is, if youll recall from last month, there are all these people who have access to you physical spaces that you have little or no control over. Cleaners, caterers, contractors. If Alice isnt going to protect her password, do you think shes left her user name lying around? Whats to prevent the hired help from taking advantage of the situation?
As we talked about before, in many situations, you have no ability to vet the employees of your contract labor. You also have limited ability to monitor work being done outside normal business hours.
You might be saying to yourself that Alices laxness with her password and user name arent really a major problem, since she doesnt have access to critical systems or data. But what does she have access to? Memos between the CEO and the CFO about the next round of venture capitalization? Plans for going public? What would the loss of this information mean to the organization?
In many respects, policy implementation regarding the use of the Internet, password strength, and replacement, minimizes certain aspects of these threats. Eliminating unauthorized software or applications improves the ability to control unanticipated vulnerabilities.
I want you to be able to look at your organization with an eye for security hotspots. Anyone can identify the unsecured fire door, or the modem tied into the office server. What you need to be able to identify is the invisible threat of the stranger at your door (contractors), the well-intentioned, and the dearly departed.
You can do a lot of things to handle these threats. Policy implementation can force updates to operating systems, enforce strong passwords and prevent the installation of unauthorized software. Education brings a better understanding to your employees about the threats they confronted with on a daily basis. Finally, knowing your employees as people with families, hopes and dreams, and problems as well. You can identify potential problem areas when you know the people who work with and for you.
On Wednesday, Sept. 27, I will be participating in a webcast discussing this subject. Youll hear about these employees and others in detail. Hopefully, you will gain better insight into identifying possible situations before problems arrive. I hope youll join me. For more information, check here.